Windows Analysis Report
AutoHotkey.exe

Overview

General Information

Sample name: AutoHotkey.exe
Analysis ID: 1592721
MD5: a88db4d095e6d5a0b43ba59a20e5bf5d
SHA1: 41f930f89dfc7573d4a9746fa097abdd63267a44
SHA256: 993fcb15d8eb9197f71826d7b60ba86ad407c2c3d31801be2a7e4bac8e1abac3
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Uses 32bit PE files
Source: AutoHotkey.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 0_2_00480580
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0045E1A0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose, 0_2_0044D4F0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW, 0_2_004804F0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime, 0_2_0044D7F0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose, 0_2_00437AD0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle, 0_2_0047BAE0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0044DB30
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose, 0_2_0045EE20
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045DB10 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW, 0_2_0045DB10
Source: AutoHotkey.exe String found in binary or memory: https://autohotkey.com
Source: AutoHotkey.exe String found in binary or memory: https://autohotkey.comCould

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0040E7E0 SetWindowsHookExW 0000000D,Function_00009E00,?,00000000 0_2_0040E7E0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00405390 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard, 0_2_00405390
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004050C0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard, 0_2_004050C0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00482940 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard, 0_2_00482940
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00405290 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData, 0_2_00405290
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free, 0_2_00444260
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004160A0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 0_2_004160A0
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004181B0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState, 0_2_004181B0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004014E4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW, 0_2_004014E4
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00414920 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId, 0_2_00414920
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00414B96 GetKeyboardLayout,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput, 0_2_00414B96
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00414D66 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput, 0_2_00414D66
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00449AF0: __swprintf,CreateFileW,DeviceIoControl,CloseHandle, 0_2_00449AF0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0045F390
Detected potential crypto function
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00426070 0_2_00426070
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A22CD 0_2_004A22CD
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0048B2EB 0_2_0048B2EB
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0042A340 0_2_0042A340
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0040D3B0 0_2_0040D3B0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0042B4E0 0_2_0042B4E0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004014E4 0_2_004014E4
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A6509 0_2_004A6509
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A95EE 0_2_004A95EE
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00411640 0_2_00411640
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0049C648 0_2_0049C648
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A7655 0_2_004A7655
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0040D680 0_2_0040D680
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00451760 0_2_00451760
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A1776 0_2_004A1776
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00488700 0_2_00488700
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0041F7E4 0_2_0041F7E4
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00429780 0_2_00429780
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00414920 0_2_00414920
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00443A50 0_2_00443A50
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00448AF0 0_2_00448AF0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00438A90 0_2_00438A90
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00497AA0 0_2_00497AA0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0048BBF5 0_2_0048BBF5
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00411C80 0_2_00411C80
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00492C8E 0_2_00492C8E
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00468E60 0_2_00468E60
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004AAE60 0_2_004AAE60
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0048BE65 0_2_0048BE65
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0048DE10 0_2_0048DE10
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00426070 0_2_00426070
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00401EF4 0_2_00401EF4
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00419EA0 0_2_00419EA0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0043BF60 0_2_0043BF60
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00412F30 0_2_00412F30
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0047EFC0 0_2_0047EFC0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A5FB8 0_2_004A5FB8
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 0047F770 appears 70 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 0047F810 appears 53 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 00499409 appears 404 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 0043A0A0 appears 82 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 0043A380 appears 259 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 00499B8A appears 56 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 00408FA4 appears 37 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 0049A399 appears 35 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 0049EB30 appears 34 times
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: String function: 004A7840 appears 49 times
Uses 32bit PE files
Source: AutoHotkey.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal48.spyw.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0043B080 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0043B080
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0045F390
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00449790 _wcsncpy,GetDiskFreeSpaceExW, 0_2_00449790
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045F5A0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 0_2_0045F5A0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0045E1A0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0041F3CB _wcsncpy,CharUpperW,lstrcmpiW,lstrcmpiW,FindResourceW,LoadResource,LockResource,SizeofResource,FindResourceW, 0_2_0041F3CB
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: *#1 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /restart 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /force 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /ErrorStdOut 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /script 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /include 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /iLib 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /CP 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: /Debug 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: $mM 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: 9000 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: localhost 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: 9000 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: A_Args 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: A_Args 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: AutoHotkey 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: AutoHotkey 0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe Command line argument: Clipboard 0_2_00404290
Source: AutoHotkey.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AutoHotkey.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AutoHotkey.exe String found in binary or memory: GCan't open clipboard for reading.GlobalLockGlobalAllocCan't open clipboard for writing.EmptyClipboardSetClipboardDataLink SourceObjectLinkOwnerLinkNativeEmbed SourceMSDEVColumnSelectMSDEVLineSelectABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/sourcetypemap_getstderrstdoutbreakpoint_listbreakpoint_removebreakpoint_updatebreakpoint_getbreakpoint_setfeature_setfeature_getproperty_valueproperty_setproperty_getcontext_namescontext_getstack_depthstack_getstatusdetachstopbreakstep_outstep_overstep_intorunfreeaddrinfogetnameinfogetaddrinfoudptcp65535%u\ws2_32\wship6exceptionerror -startingrunning<response command="status" status="%s" reason="ok" transaction_id="%e"/>language_supports_threads0nameAutoHotkeyversion1.1.36.02 (Unicode)encodingUTF-8protocol_versionsupports_async1breakpoint_typesline exceptionmultiple_sessionsmax_datamax_childrenmax_depth<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response><response command="feature_set" feature="%e" success="%i" transaction_id="%e"/>enableddisabledAnyline<response command="breakpoint_set" transaction_id="%e" state="%s" id="%i"/><breakpoint id="%i" type="line" state="%s" filename="%r" lineno="%u"/><breakpoint id="%i" type="exception" state="%s" exception="Any"/><response command="breakpoint_get" transaction_id="%e"></response><response command="breakpoint_list" transaction_id="%e"><response command="stack_depth" depth="%i" transaction_id="%e"/><response command="stack_get" transaction_id="%e">Auto-execute<stack level="%i" type="file" filename="%r" lineno="%u" where="%e thread%e()%e sub"/><response command="context_names" transaction_id="%e"><context name="Local" id="0"/><context name="Global" id="1"/></response><response command="context_get" context="%i" transaction_id="%e"><response command="typemap_get" transaction_id="%e" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><map type="string" name="string" xsi:type="xsd:string"/><map type="int" name="integer" xsi:type="xsd:long"/><map type="float" name="float" xsi:type="xsd:double"/><map type="object" name="object"/></response>object<base> Alias Builtin Static ClipboardAllstringintegerfloatundefined<property name="%e" fullname="%e" type="%s" facet="%s" children="0" encoding="base64" size="</property>.%s%u">.[<exception>Object(base.<base><response command="property_get" transaction_id="%e"><property name="%e" fullname="%e" type="undefined" facet="" size="0" children="0"/></response><response command="property_get" transaction_id="%e"><response command="property_value" transaction_id="%e" encoding="base64" size="<exception><response command="property_set" success="%i" transaction_id="%e"/><response command="source" success="1" transaction_id="%e" encoding="base64"><response command="source" success="0" transaction_id="%e"/><response command="%s" success="1" transaction_id="%e"/><stream type="%s"></stream><response command="%s" transaction_id="%e"><er
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe Section loaded: wintypes.dll Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00473130 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW, 0_2_00473130
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0049EB75 push ecx; ret 0_2_0049EB88
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004AAD28 push eax; ret 0_2_004AAD46
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0046C100 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 0_2_0046C100
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free, 0_2_00444260
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00473350 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect, 0_2_00473350
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045C320 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf, 0_2_0045C320
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus, 0_2_0046F4D0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus, 0_2_0046F4D0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00442760 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf, 0_2_00442760
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00483810 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 0_2_00483810
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00483940 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop, 0_2_00483940
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00443A50 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC, 0_2_00443A50
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00446B40 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows, 0_2_00446B40
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00480B70 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 0_2_00480B70
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00480BD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 0_2_00480BD0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00445CB0 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW, 0_2_00445CB0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00468E60 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints, 0_2_00468E60
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\AutoHotkey.exe API coverage: 1.0 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0040C260 GetKeyboardLayout followed by cmp: cmp dword ptr [004db3c4h], edi and CTI: je 0040C434h 0_2_0040C260
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00419230 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 0041932Ch country: Russian (ru) 0_2_00419230
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 0_2_00480580
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0045E1A0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose, 0_2_0044D4F0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW, 0_2_004804F0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime, 0_2_0044D7F0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose, 0_2_00437AD0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle, 0_2_0047BAE0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0044DB30
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose, 0_2_0045EE20
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004164C0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput, 0_2_004164C0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004A1767
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00473130 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW, 0_2_00473130
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A8CEE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004A8CEE
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004A1767
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0049DD65 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0049DD65
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_004A3DA2 SetUnhandledExceptionFilter, 0_2_004A3DA2
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0043B080 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0043B080
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00418090 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW, 0_2_00418090
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_00417360 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event, 0_2_00417360
Source: AutoHotkey.exe Binary or memory string: Program Manager
Source: AutoHotkey.exe Binary or memory string: Shell_TrayWnd
Source: AutoHotkey.exe Binary or memory string: Progman
Source: AutoHotkey.exe Binary or memory string: Gp6A08ATextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeStatusSt
Source: AutoHotkey.exe Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0041EF1D GetFileAttributesW,SetCurrentDirectoryW,GetSystemTimeAsFileTime, 0_2_0041EF1D
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0044F3D0 GetComputerNameW,GetUserNameW, 0_2_0044F3D0
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0041A04E RtlGetVersion,__snwprintf, 0_2_0041A04E
OS version to string mapping found (often used in BOTs)
Source: AutoHotkey.exe Binary or memory string: WIN_XP
Source: AutoHotkey.exe Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: AutoHotkey.exe Binary or memory string: WIN_VISTA
Source: AutoHotkey.exe Binary or memory string: WIN_7
Source: AutoHotkey.exe Binary or memory string: WIN_8
Source: AutoHotkey.exe Binary or memory string: WIN_8.1
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0041D920 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,CoUninitialize,_free,_free,_free, 0_2_0041D920
Source: C:\Users\user\Desktop\AutoHotkey.exe Code function: 0_2_0041E370 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0041E370
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1592721 Sample: AutoHotkey.exe Startdate: 16/01/2025 Architecture: WINDOWS Score: 48 8 AI detected suspicious sample 2->8 5 AutoHotkey.exe 2->5         started        process3 signatures4 10 Contains functionality to register a low level keyboard hook 5->10
No contacted IP infos