Edit tour

Windows Analysis Report
AutoHotkey.exe

Overview

General Information

Sample name:	AutoHotkey.exe
Analysis ID:	1592721
MD5:	a88db4d095e6d5a0b43ba59a20e5bf5d
SHA1:	41f930f89dfc7573d4a9746fa097abdd63267a44
SHA256:	993fcb15d8eb9197f71826d7b60ba86ad407c2c3d31801be2a7e4bac8e1abac3
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to register a low level keyboard hook

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

AutoHotkey.exe (PID: 6236 cmdline: "C:\Users\user\Desktop\AutoHotkey.exe" MD5: A88DB4D095E6D5A0B43BA59A20E5BF5D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Source: AutoHotkey.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_00480580
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_0045E1A0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,	0_2_0044D4F0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_004804F0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_0044D7F0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	0_2_00437AD0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_0047BAE0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_0044DB30
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_0045EE20

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0045DB10 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW,

0_2_0045DB10

Source: AutoHotkey.exe	String found in binary or memory: https://autohotkey.com
Source: AutoHotkey.exe	String found in binary or memory: https://autohotkey.comCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0040E7E0 SetWindowsHookExW 0000000D,Function_00009E00,?,00000000

0_2_0040E7E0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00405390 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

0_2_00405390

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004050C0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,		0_2_004050C0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00482940 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,		0_2_00482940

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00405290 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

0_2_00405290

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,

0_2_00444260

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_004160A0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

0_2_004160A0

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004181B0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	0_2_004181B0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004014E4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	0_2_004014E4
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00414920 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	0_2_00414920
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00414B96 GetKeyboardLayout,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_00414B96
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00414D66 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_00414D66

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00449AF0: __swprintf,CreateFileW,DeviceIoControl,CloseHandle,

0_2_00449AF0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_0045F390

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00426070	0_2_00426070
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A22CD	0_2_004A22CD
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0048B2EB	0_2_0048B2EB
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0042A340	0_2_0042A340
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0040D3B0	0_2_0040D3B0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0042B4E0	0_2_0042B4E0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004014E4	0_2_004014E4
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A6509	0_2_004A6509
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A95EE	0_2_004A95EE
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00411640	0_2_00411640
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0049C648	0_2_0049C648
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A7655	0_2_004A7655
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0040D680	0_2_0040D680
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00451760	0_2_00451760
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A1776	0_2_004A1776
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00488700	0_2_00488700
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0041F7E4	0_2_0041F7E4
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00429780	0_2_00429780
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00414920	0_2_00414920
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00443A50	0_2_00443A50
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00448AF0	0_2_00448AF0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00438A90	0_2_00438A90
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00497AA0	0_2_00497AA0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0048BBF5	0_2_0048BBF5
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00411C80	0_2_00411C80
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00492C8E	0_2_00492C8E
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00468E60	0_2_00468E60
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004AAE60	0_2_004AAE60
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0048BE65	0_2_0048BE65
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0048DE10	0_2_0048DE10
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00426070	0_2_00426070
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00401EF4	0_2_00401EF4
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00419EA0	0_2_00419EA0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0043BF60	0_2_0043BF60
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00412F30	0_2_00412F30
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0047EFC0	0_2_0047EFC0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A5FB8	0_2_004A5FB8

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 0047F770 appears 70 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 0047F810 appears 53 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 00499409 appears 404 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 0043A0A0 appears 82 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 0043A380 appears 259 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 00499B8A appears 56 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 00408FA4 appears 37 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 0049A399 appears 35 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 0049EB30 appears 34 times
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: String function: 004A7840 appears 49 times

Source: AutoHotkey.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.spyw.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0043B080 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_0043B080

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0045F390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_0045F390

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00449790 _wcsncpy,GetDiskFreeSpaceExW,

0_2_00449790

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0045F5A0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

0_2_0045F5A0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0045E1A0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0041F3CB _wcsncpy,CharUpperW,lstrcmpiW,lstrcmpiW,FindResourceW,LoadResource,LockResource,SizeofResource,FindResourceW,

0_2_0041F3CB

Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: *#1	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /restart	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /force	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /ErrorStdOut	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /script	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /include	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /iLib	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /CP	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: /Debug	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: $mM	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: 9000	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: localhost	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: 9000	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: A_Args	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: A_Args	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: AutoHotkey	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: AutoHotkey	0_2_00404290
Source: C:\Users\user\Desktop\AutoHotkey.exe	Command line argument: Clipboard	0_2_00404290

Source: AutoHotkey.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AutoHotkey.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AutoHotkey.exe

String found in binary or memory: GCan't open clipboard for reading.GlobalLockGlobalAllocCan't open clipboard for writing.EmptyClipboardSetClipboardDataLink SourceObjectLinkOwnerLinkNativeEmbed SourceMSDEVColumnSelectMSDEVLineSelectABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/sourcetypemap_getstderrstdoutbreakpoint_listbreakpoint_removebreakpoint_updatebreakpoint_getbreakpoint_setfeature_setfeature_getproperty_valueproperty_setproperty_getcontext_namescontext_getstack_depthstack_getstatusdetachstopbreakstep_outstep_overstep_intorunfreeaddrinfogetnameinfogetaddrinfoudptcp65535%u\ws2_32\wship6exceptionerror -startingrunning<response command="status" status="%s" reason="ok" transaction_id="%e"/>language_supports_threads0nameAutoHotkeyversion1.1.36.02 (Unicode)encodingUTF-8protocol_versionsupports_async1breakpoint_typesline exceptionmultiple_sessionsmax_datamax_childrenmax_depth<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response><response command="feature_set" feature="%e" success="%i" transaction_id="%e"/>enableddisabledAnyline<response command="breakpoint_set" transaction_id="%e" state="%s" id="%i"/><breakpoint id="%i" type="line" state="%s" filename="%r" lineno="%u"/><breakpoint id="%i" type="exception" state="%s" exception="Any"/><response command="breakpoint_get" transaction_id="%e"></response><response command="breakpoint_list" transaction_id="%e"><response command="stack_depth" depth="%i" transaction_id="%e"/><response command="stack_get" transaction_id="%e">Auto-execute<stack level="%i" type="file" filename="%r" lineno="%u" where="%e thread%e()%e sub"/><response command="context_names" transaction_id="%e"><context name="Local" id="0"/><context name="Global" id="1"/></response><response command="context_get" context="%i" transaction_id="%e"><response command="typemap_get" transaction_id="%e" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><map type="string" name="string" xsi:type="xsd:string"/><map type="int" name="integer" xsi:type="xsd:long"/><map type="float" name="float" xsi:type="xsd:double"/><map type="object" name="object"/></response>object<base> Alias Builtin Static ClipboardAllstringintegerfloatundefined<property name="%e" fullname="%e" type="%s" facet="%s" children="0" encoding="base64" size="</property>.%s%u">.[<exception>Object(base.<base><response command="property_get" transaction_id="%e"><property name="%e" fullname="%e" type="undefined" facet="" size="0" children="0"/></response><response command="property_get" transaction_id="%e"><response command="property_value" transaction_id="%e" encoding="base64" size="<exception><response command="property_set" success="%i" transaction_id="%e"/><response command="source" success="1" transaction_id="%e" encoding="base64"><response command="source" success="0" transaction_id="%e"/><response command="%s" success="1" transaction_id="%e"/><stream type="%s"></stream><response command="%s" transaction_id="%e"><er

Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\AutoHotkey.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00473130 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

0_2_00473130

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0049EB75 push ecx; ret		0_2_0049EB88
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004AAD28 push eax; ret		0_2_004AAD46

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0046C100 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	0_2_0046C100
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00444260 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	0_2_00444260
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00473350 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	0_2_00473350
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0045C320 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf,	0_2_0045C320
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_0046F4D0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0046F4D0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_0046F4D0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00442760 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf,	0_2_00442760
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00483810 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	0_2_00483810
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00483940 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_00483940
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00443A50 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	0_2_00443A50
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00446B40 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	0_2_00446B40
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00480B70 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00480B70
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00480BD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00480BD0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00445CB0 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	0_2_00445CB0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00468E60 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	0_2_00468E60

Source: C:\Users\user\Desktop\AutoHotkey.exe

API coverage: 1.0 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0040C260 GetKeyboardLayout followed by cmp: cmp dword ptr [004db3c4h], edi and CTI: je 0040C434h		0_2_0040C260
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00419230 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 0041932Ch country: Russian (ru)		0_2_00419230

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00480580 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_00480580
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0045E1A0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_0045E1A0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0044D4F0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,	0_2_0044D4F0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004804F0 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_004804F0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0044D7F0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_0044D7F0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_00437AD0 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,	0_2_00437AD0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0047BAE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_0047BAE0
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0044DB30 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_0044DB30
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0045EE20 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_0045EE20

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_004164C0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

0_2_004164C0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004A1767

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00473130 LoadLibraryW,GetProcAddress,FreeLibrary,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSysColor,SendMessageW,

0_2_00473130

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_004A8CEE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004A8CEE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A1767 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004A1767
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0049DD65 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0049DD65
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_004A3DA2 SetUnhandledExceptionFilter,	0_2_004A3DA2

Source: C:\Users\user\Desktop\AutoHotkey.exe

0_2_0043B080

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00418090 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW,

0_2_00418090

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_00417360 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,

0_2_00417360

Source: AutoHotkey.exe	Binary or memory string: Program Manager
Source: AutoHotkey.exe	Binary or memory string: Shell_TrayWnd
Source: AutoHotkey.exe	Binary or memory string: Progman
Source: AutoHotkey.exe	Binary or memory string: Gp6A08ATextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeStatusSt
Source: AutoHotkey.exe	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0041EF1D GetFileAttributesW,SetCurrentDirectoryW,GetSystemTimeAsFileTime,

0_2_0041EF1D

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0044F3D0 GetComputerNameW,GetUserNameW,

0_2_0044F3D0

Source: C:\Users\user\Desktop\AutoHotkey.exe

Code function: 0_2_0041A04E RtlGetVersion,__snwprintf,

0_2_0041A04E

Source: AutoHotkey.exe	Binary or memory string: WIN_XP
Source: AutoHotkey.exe	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: AutoHotkey.exe	Binary or memory string: WIN_VISTA
Source: AutoHotkey.exe	Binary or memory string: WIN_7
Source: AutoHotkey.exe	Binary or memory string: WIN_8
Source: AutoHotkey.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0041D920 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,CoUninitialize,_free,_free,_free,		0_2_0041D920
Source: C:\Users\user\Desktop\AutoHotkey.exe	Code function: 0_2_0041E370 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,		0_2_0041E370

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	1 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	121 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Process Injection	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AutoHotkey.exe	3%	Virustotal		Browse
AutoHotkey.exe	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
https://autohotkey.com	AutoHotkey.exe	false		high
https://autohotkey.comCould	AutoHotkey.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592721
Start date and time:	2025-01-16 13:18:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AutoHotkey.exe
Detection:	MAL
Classification:	mal48.spyw.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 12 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5039798413394365
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AutoHotkey.exe
File size:	912'384 bytes
MD5:	a88db4d095e6d5a0b43ba59a20e5bf5d
SHA1:	41f930f89dfc7573d4a9746fa097abdd63267a44
SHA256:	993fcb15d8eb9197f71826d7b60ba86ad407c2c3d31801be2a7e4bac8e1abac3
SHA512:	d7b9a4b0affbc19b7ecec0d1b7bc4df0cd4a918bc8846b921325c3f52d3afa693e20271276f8177e6f42ec8ffc7ef5377bd74193b8a894d73d5891268d6ab9c6
SSDEEP:	24576:eIv5QimqIakPrYsMdX3gU22+c5c6apVuXgQ:JOXUXwF2Nrg
TLSH:	0A157B62B3C3C1B2EFA219F2C5B957721938BC39173889CB73D4382DC9A16C16A75356
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b..............bMv.......E.......D......{m......{}...............p.......A.......t.......s.....Rich...........................

File Icon


Icon Hash:	7ccec4e4cc4cce3d

Static PE Info

General

Entrypoint:	0x49cd80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x639071AF [Wed Dec 7 10:57:51 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	843075fba28109153465b53d9d36a319

Entrypoint Preview

Instruction
call 00007F5974CD6768h
jmp 00007F5974CCF0FEh
int3
int3
int3
int3
int3
int3
push esi
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007F5974CCF29Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
div ecx
mov esi, eax
mov eax, ebx
mul dword ptr [esp+10h]
mov ecx, eax
mov eax, esi
mul dword ptr [esp+10h]
add edx, ecx
jmp 00007F5974CCF2B9h
mov ecx, eax
mov ebx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
mov eax, dword ptr [esp+08h]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007F5974CCF266h
div ebx
mov esi, eax
mul dword ptr [esp+14h]
mov ecx, eax
mov eax, dword ptr [esp+10h]
mul esi
add edx, ecx
jc 00007F5974CCF280h
cmp edx, dword ptr [esp+0Ch]
jnbe 00007F5974CCF27Ah
jc 00007F5974CCF281h
cmp eax, dword ptr [esp+08h]
jbe 00007F5974CCF27Bh
dec esi
sub eax, dword ptr [esp+10h]
sbb edx, dword ptr [esp+14h]
xor ebx, ebx
sub eax, dword ptr [esp+08h]
sbb edx, dword ptr [esp+0Ch]
neg edx
neg eax
sbb edx, 00000000h
mov ecx, edx
mov edx, ebx
mov ebx, ecx
mov ecx, eax
mov eax, esi
pop esi
retn 0010h
sub eax, 000003A4h
je 00007F5974CCF294h
sub eax, 04h
je 00007F5974CCF289h
sub eax, 0Dh
je 00007F5974CCF27Eh
dec eax
je 00007F5974CCF275h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h

Rich Headers

Programming Language:

[C++] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd0814	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0x96c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xad000	0x790	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xab841	0xaba00	49007dab1fd4f005b00b36d5f3fbaa96	False	0.5545751206300072	data	6.638215405104396	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xad000	0x26008	0x26200	5854b9415cf618760d4fb32cd4718864	False	0.24284707991803278	data	4.831260526504402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd4000	0x9198	0x3400	3b9431e45e5924d792453855b5f14555	False	0.3563701923076923	data	4.0970723998280505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xde000	0x96c0	0x9800	3c3cbf9adbd54624c90598a118bf67b2	False	0.2845651726973684	data	5.651176473876978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xdec40	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.47349906191369606
RT_ICON	0xdfce8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22468879668049793
RT_ICON	0xe2290	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7039007092198581
RT_ICON	0xe2728	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6941489361702128
RT_ICON	0xe2ba8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6622340425531915
RT_ICON	0xe3028	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6453900709219859
RT_ICON	0xe34a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.22396810506566603
RT_ICON	0xe4550	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.15228215767634853
RT_ICON	0xe6af8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.40425531914893614
RT_ICON	0xe6f60	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.43548387096774194
RT_MENU	0xde978	0x2c8	data	English	United States	0.46207865168539325
RT_DIALOG	0xe7288	0xe8	data	English	United States	0.6206896551724138
RT_ACCELERATOR	0xe7370	0x48	data	English	United States	0.8194444444444444
RT_GROUP_ICON	0xe26f8	0x30	data	English	United States	0.875
RT_GROUP_ICON	0xe7248	0x3e	data	English	United States	0.8870967741935484
RT_GROUP_ICON	0xe2b90	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xe3010	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xe3490	0x14	data	English	United States	1.25
RT_VERSION	0xe73b8	0x304	data	English	United States	0.4533678756476684
RT_MANIFEST	0xde480	0x4f4	ASCII text, with very long lines (1268), with no line terminators	English	United States	0.4755520504731861

Imports

DLL	Import
WSOCK32.dll	WSACleanup, recv, socket, getservbyname, WSASetLastError, WSAAsyncSelect, closesocket, gethostbyaddr, gethostbyname, send, getservbyport, gethostname, inet_ntoa, connect, inet_addr, WSAStartup, ioctlsocket, htonl, WSAGetLastError, htons, ntohs, shutdown
WINMM.dll	waveOutGetVolume, mixerGetLineInfoW, mixerSetControlDetails, mixerGetControlDetailsW, mixerGetLineControlsW, mixerGetDevCapsW, waveOutSetVolume, mixerClose, mixerOpen, mciSendStringW, joyGetDevCapsW, joyGetPosEx
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
COMCTL32.dll	ImageList_GetIconSize, ImageList_Create, ImageList_Destroy, ImageList_AddMasked, ImageList_ReplaceIcon, CreateStatusWindowW, InitCommonControlsEx
PSAPI.DLL	GetModuleBaseNameW, GetModuleFileNameExW
WININET.dll	InternetReadFile, InternetOpenUrlW, InternetCloseHandle, InternetReadFileExA, InternetOpenW
KERNEL32.dll	GlobalFree, GlobalUnlock, GetEnvironmentVariableW, FreeLibrary, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, LoadLibraryA, GetCurrentThreadId, lstrcmpiW, GetStringTypeExW, CreateThread, SetThreadPriority, GetExitCodeThread, CloseHandle, CreateMutexW, GetLastError, LoadLibraryW, GetModuleHandleW, GetVersionExW, DeleteCriticalSection, GetModuleFileNameW, GetFileAttributesW, GetFullPathNameW, GetSystemTimeAsFileTime, LoadResource, LockResource, SizeofResource, GetShortPathNameW, FindFirstFileW, FindNextFileW, FindClose, FileTimeToLocalFileTime, SetEnvironmentVariableW, Beep, MoveFileW, OutputDebugStringW, CreateProcessW, MultiByteToWideChar, GetExitCodeProcess, WriteProcessMemory, ReadProcessMemory, GetCurrentProcessId, OpenProcess, TerminateProcess, SetPriorityClass, GlobalAlloc, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetDiskFreeSpaceExW, SetVolumeLabelW, CreateFileW, DeviceIoControl, GetDriveTypeW, GetVolumeInformationW, GetDiskFreeSpaceW, GetCurrentDirectoryW, CreateDirectoryW, ReadFile, WriteFile, DeleteFileW, CopyFileW, SetFileAttributesW, LocalFileTimeToFileTime, SetFileTime, GetFileSizeEx, GetSystemTime, GetSystemDefaultUILanguage, GetComputerNameW, GetSystemWindowsDirectoryW, GetTempPathW, EnterCriticalSection, LeaveCriticalSection, VirtualProtect, QueryDosDeviceW, CompareStringW, RemoveDirectoryW, GetCurrentProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetPrivateProfileStringW, GetPrivateProfileSectionW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, WritePrivateProfileSectionW, SetEndOfFile, GetACP, GetFileType, GetStdHandle, SetFilePointerEx, SystemTimeToFileTime, FileTimeToSystemTime, GetFileSize, VirtualAllocEx, VirtualFreeEx, EnumResourceNamesW, LoadLibraryExW, GlobalSize, GlobalLock, FindResourceW, SetErrorMode, InitializeCriticalSection, GetCPInfo, SetCurrentDirectoryW, Sleep, GetTickCount, MulDiv, ExitProcess, HeapSize, HeapQueryInformation, GetCommandLineW, HeapSetInformation, GetStartupInfoW, InterlockedIncrement, InterlockedDecrement, HeapAlloc, HeapFree, HeapReAlloc, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStringTypeW, HeapCreate, InitializeCriticalSectionAndSpinCount, RaiseException, SetHandleCount, IsProcessorFeaturePresent, LCMapStringW, RtlUnwind, GetConsoleCP, GetConsoleMode, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, FlushFileBuffers, SetFilePointer, WriteConsoleW, SetStdHandle, GetProcessHeap, SetLastError, VirtualQuery
USER32.dll	SetFocus, SetWindowRgn, SetWindowPos, SetLayeredWindowAttributes, InvalidateRect, EnableWindow, GetWindowTextLengthW, EnumWindows, IsZoomed, IsIconic, EnumDisplayMonitors, RegisterWindowMessageW, GetSysColor, GetSysColorBrush, DrawIconEx, FillRect, DefWindowProcW, SetForegroundWindow, DialogBoxParamW, SendDlgItemMessageW, GetDlgItem, SetDlgItemTextW, MessageBeep, GetCursorInfo, GetLastInputInfo, GetSystemMenu, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuStringW, ExitWindowsEx, SetMenu, FlashWindow, GetPropW, SetPropW, RemovePropW, MapWindowPoints, RedrawWindow, SetParent, GetClassInfoExW, DefDlgProcW, GetAncestor, UpdateWindow, GetMessagePos, GetClassLongW, CallWindowProcW, CheckRadioButton, IntersectRect, GetUpdateRect, PtInRect, CreateDialogIndirectParamW, CreateAcceleratorTableW, DestroyAcceleratorTable, InsertMenuItemW, SetMenuDefaultItem, RemoveMenu, SetMenuItemInfoW, IsMenu, GetMenuItemInfoW, CreateMenu, CreatePopupMenu, SetMenuInfo, AppendMenuW, DestroyMenu, TrackPopupMenuEx, CopyImage, SetActiveWindow, CreateIconFromResourceEx, EnumClipboardFormats, GetWindow, BringWindowToTop, GetTopWindow, GetQueueStatus, LoadImageW, ChangeClipboardChain, IsWindowVisible, LoadAcceleratorsW, EnableMenuItem, GetMenu, CreateWindowExW, RegisterClassExW, LoadCursorW, DestroyIcon, DestroyWindow, IsCharAlphaW, MapVirtualKeyW, VkKeyScanExW, MapVirtualKeyExW, GetKeyboardLayoutNameW, ActivateKeyboardLayout, GetGUIThreadInfo, GetWindowTextW, mouse_event, WindowFromPoint, GetSystemMetrics, keybd_event, SetKeyboardState, GetKeyboardState, GetCursorPos, GetAsyncKeyState, AttachThreadInput, SendInput, UnregisterHotKey, PostQuitMessage, SendMessageTimeoutW, UnhookWindowsHookEx, SetWindowsHookExW, PostThreadMessageW, IsCharAlphaNumericW, IsCharUpperW, IsCharLowerW, ToUnicodeEx, GetKeyboardLayout, CallNextHookEx, CharLowerW, ReleaseDC, GetDC, MessageBoxW, OpenClipboard, GetClipboardData, GetClipboardFormatNameW, CloseClipboard, SetClipboardData, EmptyClipboard, PostMessageW, FindWindowW, EndDialog, IsWindow, DispatchMessageW, TranslateMessage, ShowWindow, CountClipboardFormats, ClientToScreen, EnumChildWindows, MoveWindow, GetWindowRect, GetMonitorInfoW, MonitorFromPoint, GetClientRect, SystemParametersInfoW, AdjustWindowRectEx, DrawTextW, SetRect, GetIconInfo, CreateIconIndirect, SetWindowTextW, SetWindowLongW, ScreenToClient, IsDialogMessageW, SendMessageW, IsWindowEnabled, GetWindowLongW, GetKeyState, TranslateAcceleratorW, KillTimer, PeekMessageW, GetFocus, GetClassNameW, GetWindowThreadProcessId, GetForegroundWindow, GetMessageW, SetTimer, GetParent, GetDlgCtrlID, CharUpperW, IsClipboardFormatAvailable, BlockInput, SetClipboardViewer, CheckMenuItem, RegisterHotKey
GDI32.dll	GdiFlush, CreateDIBSection, EnumFontFamiliesExW, SetBrushOrgEx, SetBkColor, GetPixel, BitBlt, CreatePatternBrush, SetBkMode, GetCharABCWidthsW, GetClipBox, FillRgn, GetClipRgn, ExcludeClipRect, GetDeviceCaps, DeleteObject, CreateFontW, CreateSolidBrush, CreateCompatibleBitmap, GetSystemPaletteEntries, GetDIBits, CreateCompatibleDC, CreatePolygonRgn, CreateRectRgn, CreateRoundRectRgn, CreateEllipticRgn, DeleteDC, GetObjectW, GetTextMetricsW, GetTextFaceW, SelectObject, GetStockObject, CreateDCW, SetTextColor
COMDLG32.dll	CommDlgExtendedError, GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetUserNameW, LockServiceDatabase, OpenSCManagerW, RegEnumKeyExW, RegEnumValueW, RegQueryInfoKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, CloseServiceHandle, RegConnectRegistryW, UnlockServiceDatabase
SHELL32.dll	DragQueryPoint, SHEmptyRecycleBinW, SHFileOperationW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetDesktopFolder, SHGetMalloc, SHGetFolderPathW, ShellExecuteExW, Shell_NotifyIconW, DragFinish, DragQueryFileW, ExtractIconW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, CoInitialize, CoUninitialize, CLSIDFromString, CLSIDFromProgID, CoGetObject, StringFromGUID2, CreateStreamOnHGlobal
OLEAUT32.dll	OleLoadPicture, SafeArrayUnaccessData, SafeArrayGetElemsize, SafeArrayAccessData, SafeArrayUnlock, SafeArrayPtrOfIndex, SafeArrayLock, SafeArrayDestroy, GetActiveObject, SysStringLen, SysFreeString, SafeArrayCreate, VariantClear, VariantChangeType, SysAllocString, SafeArrayCopy, VariantCopyInd, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:19:21
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\AutoHotkey.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AutoHotkey.exe"
Imagebase:	0x400000
File size:	912'384 bytes
MD5 hash:	A88DB4D095E6D5A0B43BA59A20E5BF5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	398
Total number of Limit Nodes:	15

Executed Functions

Function 00404290 Relevance: 81.0, APIs: 28, Strings: 18, Instructions: 518
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(004D8588), ref: 004042A9
SetErrorMode.KERNELBASE(00000001), ref: 004042B1

Part of subcall function 0044B870: GetCurrentDirectoryW.KERNEL32(00008000,?,?,004042BE), ref: 0044B887

FindResourceW.KERNELBASE ref: 00404351
__wcsicoll.LIBCMT ref: 00404383
__wcsicoll.LIBCMT ref: 00404399
__wcsicoll.LIBCMT ref: 004043AF
__wcsicoll.LIBCMT ref: 004043C5
__wcsnicmp.LIBCMT ref: 004043DD
__wcsicoll.LIBCMT ref: 00404415
__wcsicoll.LIBCMT ref: 0040443B
__wcsicoll.LIBCMT ref: 00404471
__wcsnicmp.LIBCMT ref: 004044DA
__wcsnicmp.LIBCMT ref: 0040450D
_wcsrchr.LIBCMT ref: 0040453A
FindWindowW.USER32(AutoHotkey,00AD0200), ref: 00404751
FindWindowW.USER32(AutoHotkey,00AD0200), ref: 004047BB
PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 004047D2
Sleep.KERNEL32(00000014), ref: 004047E2
IsWindow.USER32(00000000), ref: 004047E5
Sleep.KERNEL32(00000014), ref: 0040481E
IsWindow.USER32(00000000), ref: 00404821
Sleep.KERNEL32(00000064), ref: 0040482D
SystemParametersInfoW.USER32(00002000,00000000,004D81D4,00000000), ref: 00404843
SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040485D
_setvbuf.LIBCMT ref: 00404881
_malloc.LIBCMT ref: 0040489A
_memset.LIBCMT ref: 004048AF
InitCommonControlsEx.COMCTL32 ref: 004048D5

Strings

Out of memory., xrefs: 00404307
/restart, xrefs: 00404393
/CP, xrefs: 004044D4
*#1, xrefs: 0040435B
Could not close the previous instance of this script. Keep waiting?, xrefs: 00404803
Clipboard, xrefs: 0040492F
$mM, xrefs: 0040455E
/Debug, xrefs: 00404507
An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00404787
/force, xrefs: 004043BF
/include, xrefs: 00404435
/script, xrefs: 0040440F
A_Args, xrefs: 00404603, 00404631
localhost, xrefs: 00404593
9000, xrefs: 00404582, 004045A2
/ErrorStdOut, xrefs: 004043D7
AutoHotkey, xrefs: 0040474C, 004047B6
/iLib, xrefs: 0040446B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$Window$FindSleep__wcsnicmp$InfoParametersSystem$CommonControlsCriticalCurrentDirectoryErrorInitInitializeMessageModePostResourceSection_malloc_memset_setvbuf_wcsrchr
String ID: $mM$*#1$/CP$/Debug$/ErrorStdOut$/force$/iLib$/include$/restart$/script$9000$A_Args$An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Clipboard$Could not close the previous instance of this script. Keep waiting?$Out of memory.$localhost
API String ID: 696512241-776061993
Opcode ID: 0f33e5f75049e0f1379862a92f8fa95a18f327c97ef91bafaa9be28a13da8f4a
Instruction ID: 5b431fe97f201099b494706444d3f0a2dfa8c005fa9ced425c77ebfff6bf694d
Opcode Fuzzy Hash: 0f33e5f75049e0f1379862a92f8fa95a18f327c97ef91bafaa9be28a13da8f4a
Instruction Fuzzy Hash: 73F104B1A05201ABDB20AB65AC42B6B3794ABD1705F14453FFF05A73D1EB7CDC0186AE

Function 0041D920 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 264
windowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E4B0: CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
Part of subcall function 0040E4B0: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger user.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
Part of subcall function 0040E4B0: PostThreadMessageW.USER32(?,00000417,004062BD,00000000), ref: 0040E544
Part of subcall function 0040E4B0: Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger user.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
Part of subcall function 0040E4B0: GetTickCount.KERNEL32 ref: 0040E567
Part of subcall function 0040E4B0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A

Shell_NotifyIconW.SHELL32(00000002,004DA93A), ref: 0041D969
IsWindow.USER32(00000000), ref: 0041D987
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 0041D994
DeleteObject.GDI32(?), ref: 0041D9A2
DeleteObject.GDI32(?), ref: 0041D9AC
DeleteObject.GDI32(?), ref: 0041D9B6
DeleteObject.GDI32(?), ref: 0041D9DD
DestroyIcon.USER32(?,?,?,?,?,00000000,00000000), ref: 0041D9E1
IsWindow.USER32(?), ref: 0041D9EB
DestroyWindow.USER32(?,?,?,?,?,00000000,00000000), ref: 0041D9F9
DeleteObject.GDI32(?), ref: 0041DA07
DeleteObject.GDI32(?), ref: 0041DA11
DeleteObject.GDI32(?), ref: 0041DA1B
DeleteObject.GDI32(?), ref: 0041DA72
DestroyIcon.USER32(00000000,?,?,?,?,00000000,00000000), ref: 0041DA8D
DestroyIcon.USER32(00000000,?,?,?,?,00000000,00000000), ref: 0041DA96
IsWindow.USER32(00000000), ref: 0041DAC7
DestroyWindow.USER32(00000000,?,?,?,00000000,00000000), ref: 0041DAD4
DeleteObject.GDI32(?), ref: 0041DAEF
ChangeClipboardChain.USER32(?,00000000), ref: 0041DB36
mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0041DB63
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0041DB78
DeleteCriticalSection.KERNEL32(004D8588,?,?,?,00000000,00000000), ref: 0041DB7F
CoUninitialize.COMBASE(?,?,?,00000000,00000000), ref: 0041DB85
_free.LIBCMT ref: 0041DBBB
_free.LIBCMT ref: 0041DBF7

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 0041DC36

Strings

close AHK_PlayMe, xrefs: 0041DB73
status AHK_PlayMe mode, xrefs: 0041DB5E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Delete$Object$DestroyWindow$Icon$Thread_free$MessageSendString$ChainChangeClipboardCountCreateCriticalErrorFreeHeapLastNotifyPeekPostPrioritySectionShell_SleepTickUninitialize
String ID: close AHK_PlayMe$status AHK_PlayMe mode
API String ID: 2490927285-1474590089
Opcode ID: 43dbf4e48762742fef1c2bc3ea25bc63398a652a321cc9a88617ff32132107d1
Instruction ID: c16290384eefa07a878c0c2939a52c9d199cf07a1a4ec102613a24c0f1cf8a08
Opcode Fuzzy Hash: 43dbf4e48762742fef1c2bc3ea25bc63398a652a321cc9a88617ff32132107d1
Instruction Fuzzy Hash: 399159F1E042019BDB20DF69DC54BAB77E8AB05744F09052BA846D7390DB78E880CBAD

Function 00480580 Relevance: 12.2, APIs: 8, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcschr.LIBCMT ref: 0048064A
FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 00480672
FindClose.KERNELBASE(00000000,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 0048068A
_wcschr.LIBCMT ref: 004806DD
FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 00480702
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,0040468E,?,004DA6C0), ref: 00480712

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Find$CloseFileFirst_wcschr
String ID:
API String ID: 1717823228-0
Opcode ID: cfc661adc62f4a664a7de936f81ba0ba435efa7efdb94d626c25a0ce4c116b76
Instruction ID: dfaa348b6580a408bfe2c43741ce18e000110445171fc820590134c92dd95946
Opcode Fuzzy Hash: cfc661adc62f4a664a7de936f81ba0ba435efa7efdb94d626c25a0ce4c116b76
Instruction Fuzzy Hash: E8512C72510301ABC710EB60CC85EAF7768EF84315F45893AEC459B291F778E90D8BA9

Function 0041EF1D Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0041EF2C

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

Strings

Script file not found:%s, xrefs: 0041EF38
8dK, xrefs: 0041EFE1
ErrorLevel, xrefs: 0041F1AD

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AttributesFile_vswprintf_s
String ID: 8dK$ErrorLevel$Script file not found:%s
API String ID: 2221781580-3487874214
Opcode ID: fb9c14654248a28cf56c45bb0033611481ed713e50cb2cf65d948dd73110b614
Instruction ID: f4e2ec3fad65c8a1b450c8b60d885b6fd44048817847264217b9680abc4d3a9b
Opcode Fuzzy Hash: fb9c14654248a28cf56c45bb0033611481ed713e50cb2cf65d948dd73110b614
Instruction Fuzzy Hash: 8891B270700201ABD310DF65DC81BAAB7A4BB49314F14856FFA18CB382D779EC96CB99

Function 0041DC60 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00008000,00000000,00000000,?,0040468E,?,?,?), ref: 0041DC89
_wcsrchr.LIBCMT ref: 0041DCD2
_wcsrchr.LIBCMT ref: 0041DD19
_wcsrchr.LIBCMT ref: 0041DD2E
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?), ref: 0041DD89
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?), ref: 0041DDF4
SetCurrentDirectoryW.KERNEL32(00AD011C,?,?,?,?,?,?,?), ref: 0041DE02
GetFileAttributesW.KERNELBASE(AutoHotkey.chm,?,?,?,?,?,?,?), ref: 0041DE0D

Strings

.ahk, xrefs: 0041DD5A
hh.exe, xrefs: 0041DE2B
"ms-its:AutoHotkey.chm::/docs/Welcome.htm", xrefs: 0041DE25
*#1, xrefs: 0041DF74
AutoHotkey v1.1.36.02, xrefs: 0041DFB6, 0041DFBF
AutoHotkey.chm, xrefs: 0041DE08
- %s, xrefs: 0041DFC0
Max, xrefs: 0041DE1C
*, xrefs: 0041DE5C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: File$Attributes_wcsrchr$CurrentDirectoryModuleName
String ID: - %s$"ms-its:AutoHotkey.chm::/docs/Welcome.htm"$*$*#1$.ahk$AutoHotkey v1.1.36.02$AutoHotkey.chm$Max$hh.exe
API String ID: 2778565868-3399481994
Opcode ID: 9e68479f51a00ae8f758d4450cdf7ee49f1d3ac785b6d94936910b4b76d36acc
Instruction ID: 226d298e90dafb0c3e9c10e142ef802e37ce3473124fcb04110cf17cae68d0dd
Opcode Fuzzy Hash: 9e68479f51a00ae8f758d4450cdf7ee49f1d3ac785b6d94936910b4b76d36acc
Instruction Fuzzy Hash: 3191C8F1A0070157DB249F248C41BEB3295AF61315F04893EE94A8A2C5FBB9D9C5C7AA

Function 0048476F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcsncpy.LIBCMT ref: 004847A8
_wcsncpy.LIBCMT ref: 004847C5
PostMessageW.USER32(?,00000044,00000403,?), ref: 00484873
MessageBoxW.USER32(?,?,?,?), ref: 00484895

Strings

AutoHotkey v1.1.36.02, xrefs: 00484795, 004847BB

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Message_wcsncpy$Post
String ID: AutoHotkey v1.1.36.02
API String ID: 3297763708-707666996
Opcode ID: 7fd0fe01e84696fbf03889ca7da8a7c03f2cacdeb1e2ad78a736fed6f1d8447d
Instruction ID: d9b83466be83e03b00888ec822628e9419df6b8456b0b2f635eff82c30401239
Opcode Fuzzy Hash: 7fd0fe01e84696fbf03889ca7da8a7c03f2cacdeb1e2ad78a736fed6f1d8447d
Instruction Fuzzy Hash: 3131D3719043829AD720AF50D808B9F77E4FF85700F058C7EE9C98B294EB794845C79E

Function 0041D660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0041D8AA
OleInitialize.OLE32(00000000), ref: 0041D8F4

Strings

Tray, xrefs: 0041D8B7
No tray mem, xrefs: 0041D8D1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Initialize_memset
String ID: No tray mem$Tray
API String ID: 2068092829-3325046031
Opcode ID: 235be9339536805bca876fa1045b45f48dc7e2ccc53cdedf4f18878eba330db5
Instruction ID: bd1cbd455a58ce2ebad4239875577231f32ed096459b0e04762bf3c33dfe75bb
Opcode Fuzzy Hash: 235be9339536805bca876fa1045b45f48dc7e2ccc53cdedf4f18878eba330db5
Instruction Fuzzy Hash: 2D6153B1907391DAC700CF1AADA5649BBA4F71AB94B9A857FD09883371C7784050CF9E

Function 0044F750 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,00000000), ref: 0044F762

Strings

\, xrefs: 0044F795

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FolderPath
String ID: \
API String ID: 1514166925-2967466578
Opcode ID: fbb941a4df02fda069c8100d9e10cae35da7d487901ab616eeb19f79d00ba770
Instruction ID: ee5ece9708c3204c9d01c7cf3a394f63bf188d4b79b533206dbb2743d2a32bed
Opcode Fuzzy Hash: fbb941a4df02fda069c8100d9e10cae35da7d487901ab616eeb19f79d00ba770
Instruction Fuzzy Hash: 3201A73190871186FB349B18C806BBB73F4EF98B40F45893ED996C7294F66C590DC28A

Function 0048480C Relevance: 3.1, APIs: 2, Instructions: 54
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000044,00000403,?), ref: 00484873
MessageBoxW.USER32(?,?,?,?), ref: 00484895

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Message$Post
String ID:
API String ID: 3307098700-0
Opcode ID: df11833aae91cd253d3206e9bcb1bb6997275be244b6e73869746042a0ba15df
Instruction ID: 7402ac32e5850f81717a1303a8d4096a9d446ff10b234e161abcdba22b47ed65
Opcode Fuzzy Hash: df11833aae91cd253d3206e9bcb1bb6997275be244b6e73869746042a0ba15df
Instruction Fuzzy Hash: 9921C374109382CEE710EF10D848F9A77E4FB85701F048D7EE9C98B295DB3A8506CB1A

Function 00499C53 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00499C5B

Part of subcall function 00499C28: GetModuleHandleW.KERNEL32(mscoree.dll,?,00499C60,00401234,?,004998FD,000000FF,0000001E,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234), ref: 00499C32
Part of subcall function 00499C28: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00499C42

ExitProcess.KERNEL32 ref: 00499C64

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 0421b0f6985088203354d7304d323f15193487efa1ea1addf572502a8f722d9b
Instruction ID: 5590524d49bf4f990dd4fcb4c8ba04263fd2375fb5636a45117137aeae6aa19c
Opcode Fuzzy Hash: 0421b0f6985088203354d7304d323f15193487efa1ea1addf572502a8f722d9b
Instruction Fuzzy Hash: D7B0923200010CBBDF052F16DD0A88E7F6AEB813A0B504479F80909071DF72ED92DA88

Function 0047C7F0 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00499F62: _malloc.LIBCMT ref: 00499F7C

_malloc.LIBCMT ref: 0047C80D

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234,?,0049E60D,00000018,004CFCF0,0000000C,0049E69D), ref: 00499913

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 4d9829b255e766318dbf7f9cdad7c2dd47de7ce1eca084a6aef08ba39aa5b808
Instruction ID: 60f2fd2570567d015b206eb534049d340f51144caf1b3675b57728f96f651861
Opcode Fuzzy Hash: 4d9829b255e766318dbf7f9cdad7c2dd47de7ce1eca084a6aef08ba39aa5b808
Instruction Fuzzy Hash: 9BE065B19016114AD750AB15B8153977AD49B14755F01843FF889D6305E678D8848BC6

Function 00499EAB Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 00499EB7

Part of subcall function 00499D6B: __lock.LIBCMT ref: 00499D79

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __lock_doexit
String ID:
API String ID: 368792745-0
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: 99c31e5998016d6f27103a6cdbf36e4da01be5af98a3ac658741d2cbdf203ba4
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: A1B0923258460873DA212546AC03F463E0D87C0B64E280025BA0C191A5A9A6A9618089

Non-executed Functions

Function 0042B4E0 Relevance: 451.3, APIs: 137, Strings: 120, Instructions: 1502COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042B536
__wcsicoll.LIBCMT ref: 0042B572
__wcsnicmp.LIBCMT ref: 0042B5AC
__wcsicoll.LIBCMT ref: 0042B5C6
__wcsicoll.LIBCMT ref: 0042B5FB
__wcsicoll.LIBCMT ref: 0042B61D
_wcsncpy.LIBCMT ref: 0042C7AA
_memmove.LIBCMT ref: 0042C8F9

Strings

IsSet, xrefs: 0042C6BB
IsObject, xrefs: 0042C077
Destroy, xrefs: 0042B93A
Round, xrefs: 0042BDEC
ACos, xrefs: 0042BF35
WinExist, xrefs: 0042BDB8
StrReplace, xrefs: 0042BAF7
OnMessage, xrefs: 0042BFDD
Push, xrefs: 0042C12F
ASin, xrefs: 0042BF1B
RTrim, xrefs: 0042BA6B
RemoveAt, xrefs: 0042C1A0
SetCapacity, xrefs: 0042C2AD
Name, xrefs: 0042BB78
GetChild, xrefs: 0042B7FA
State, xrefs: 0042BB58
FileExist, xrefs: 0042BD98
Exception, xrefs: 0042C5F9
OnError, xrefs: 0042C03A
StrGet, xrefs: 0042BC41
OnClipboardChange, xrefs: 0042C020
StrLen, xrefs: 0042B9F1
Asc, xrefs: 0042BBE2
InputHook, xrefs: 0042C696
Get, xrefs: 0042B884, 0042C4C2
DeleteCol, xrefs: 0042B718
BindMethod, xrefs: 0042C33A
LV_, xrefs: 0042B59F
StrPut, xrefs: 0042BC64
Sin, xrefs: 0042BEBB
SetImageList, xrefs: 0042B738, 0042B8B0
RegExReplace, xrefs: 0042BAD1
GetNext, xrefs: 0042B5C0, 0042B862
Flags, xrefs: 0042C564
Obj, xrefs: 0042C09E
Pop, xrefs: 0042C1C6
FileOpen, xrefs: 0042C460
MenuGetHandle, xrefs: 0042C61C
Query, xrefs: 0042C5AD
GetText, xrefs: 0042B617, 0042B89A
Log, xrefs: 0042BFA9
Chr, xrefs: 0042BBFC
SB_SetText, xrefs: 0042B984
Length, xrefs: 0042C206
GetKey, xrefs: 0042BB42
Out of memory., xrefs: 0042C859, 0042C8B7
HasKey, xrefs: 0042C266
Ceil, xrefs: 0042BE26
WinActive, xrefs: 0042BDD2
VarSetCapacity, xrefs: 0042BD75
Type, xrefs: 0042C524
Count, xrefs: 0042C1E6
Delete, xrefs: 0042B6AE, 0042B7BE, 0042C157
TV_, xrefs: 0042B75E
ComObj, xrefs: 0042C488
Modify, xrefs: 0042B689, 0042B79B
Release, xrefs: 0042C37C
Connect, xrefs: 0042C4E2
NumGet, xrefs: 0042BC87
Array, xrefs: 0042C439, 0042C587
Value, xrefs: 0042C544
AddRef, xrefs: 0042C362
IL_, xrefs: 0042B8FF
Create, xrefs: 0042B915, 0042C4A2
RegExMatch, xrefs: 0042BAAB
d, xrefs: 0042C886
GetCount, xrefs: 0042B5F5, 0042B82E
ModifyCol, xrefs: 0042B6F3
Ord, xrefs: 0042BBC8
Exp, xrefs: 0042BF6F
Clone, xrefs: 0042C31A
Tan, xrefs: 0042BEFB
IsLabel, xrefs: 0042BCD0
SB_SetIcon, xrefs: 0042B9CE
SetBase, xrefs: 0042C404
MenuGetName, xrefs: 0042C636
RawSet, xrefs: 0042C396
RawGet, xrefs: 0042C3BD
IsFunc, xrefs: 0042BD10
GetSelection, xrefs: 0042B848
InsertAt, xrefs: 0042C107
ect, xrefs: 0042C0B8
Func, xrefs: 0042BCF0
Trim, xrefs: 0042BA37
Max, xrefs: 0042BE81
NewEnum, xrefs: 0042C2FA
Error, xrefs: 0042C502
DllCall, xrefs: 0042BD50
VerCompare, xrefs: 0042C6D8
OnExit, xrefs: 0042C006
ATan, xrefs: 0042BF4F
Min, xrefs: 0042BE67
MinIndex, xrefs: 0042C226
Function name too long., xrefs: 0042C783
LTrim, xrefs: 0042BA51
GetPrev, xrefs: 0042B814
SubStr, xrefs: 0042BA11
NumPut, xrefs: 0042BCAA
GetBase, xrefs: 0042C3E4
Insert, xrefs: 0042B664, 0042C0DF
Remove, xrefs: 0042C17D
GetAddress, xrefs: 0042C2D3
Sqrt, xrefs: 0042BF8F
GetCapacity, xrefs: 0042C28D
Format, xrefs: 0042BC1C
Hotstring, xrefs: 0042C673
LoadPicture, xrefs: 0042C650
Mod, xrefs: 0042BE40
IsByRef, xrefs: 0042BD30
StrSplit, xrefs: 0042BB1D
Floor, xrefs: 0042BE0C
InsertCol, xrefs: 0042B6D0
GetParent, xrefs: 0042B7E0
Abs, xrefs: 0042BE9B
RegisterCallback, xrefs: 0042C054
MaxIndex, xrefs: 0042C246
Cos, xrefs: 0042BEDB
SB_SetParts, xrefs: 0042B9A7
InStr, xrefs: 0042BA85
Add, xrefs: 0042B63D, 0042B778, 0042B95A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$_wcsncpy$__wcsnicmp_memmove
String ID: ACos$ASin$ATan$Abs$Add$AddRef$Array$Asc$BindMethod$Ceil$Chr$Clone$ComObj$Connect$Cos$Count$Create$Delete$DeleteCol$Destroy$DllCall$Error$Exception$Exp$FileExist$FileOpen$Flags$Floor$Format$Func$Function name too long.$Get$GetAddress$GetBase$GetCapacity$GetChild$GetCount$GetKey$GetNext$GetParent$GetPrev$GetSelection$GetText$HasKey$Hotstring$IL_$InStr$InputHook$Insert$InsertAt$InsertCol$IsByRef$IsFunc$IsLabel$IsObject$IsSet$LTrim$LV_$Length$LoadPicture$Log$Max$MaxIndex$MenuGetHandle$MenuGetName$Min$MinIndex$Mod$Modify$ModifyCol$Name$NewEnum$NumGet$NumPut$Obj$OnClipboardChange$OnError$OnExit$OnMessage$Ord$Out of memory.$Pop$Push$Query$RTrim$RawGet$RawSet$RegExMatch$RegExReplace$RegisterCallback$Release$Remove$RemoveAt$Round$SB_SetIcon$SB_SetParts$SB_SetText$SetBase$SetCapacity$SetImageList$Sin$Sqrt$State$StrGet$StrLen$StrPut$StrReplace$StrSplit$SubStr$TV_$Tan$Trim$Type$Value$VarSetCapacity$VerCompare$WinActive$WinExist$d$ect
API String ID: 3867594672-75078419
Opcode ID: 78dc1d7d097d09ae15feca79cdcebcf3695cf65ad7862e5e8b10cc6faccdd74e
Instruction ID: 97684d11d6f9231503d311fa771f68fb3032c94a8f007bc9b456bea239ad184a
Opcode Fuzzy Hash: 78dc1d7d097d09ae15feca79cdcebcf3695cf65ad7862e5e8b10cc6faccdd74e
Instruction Fuzzy Hash: 96B2DDB2A0435157CF10D7659C81A6B72986ED430AF95493FFC08D7242F76CEE0AC6AE

Function 0041F7E4 Relevance: 163.7, APIs: 45, Strings: 47, Instructions: 2690COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041F86F
_memmove.LIBCMT ref: 0041F918
_memmove.LIBCMT ref: 0041FA47
_wcschr.LIBCMT ref: 0041FC05
_wcschr.LIBCMT ref: 0041FC6F
__wcsnicmp.LIBCMT ref: 0041FD88
_wcschr.LIBCMT ref: 0041FDCB
__wcsnicmp.LIBCMT ref: 0041FE9E
_wcsncpy.LIBCMT ref: 0041FEBC
_memmove.LIBCMT ref: 0041FFB6
__wcsnicmp.LIBCMT ref: 0041FFCD
__wcsnicmp.LIBCMT ref: 0041FFEC
_memmove.LIBCMT ref: 00420435
_free.LIBCMT ref: 00420494
_wcsrchr.LIBCMT ref: 004204D8
__wcsnicmp.LIBCMT ref: 00420569
__wcsnicmp.LIBCMT ref: 0042057D
_wcschr.LIBCMT ref: 004205F9

Part of subcall function 00429780: _wcschr.LIBCMT ref: 0042979F
Part of subcall function 00429780: __snwprintf.LIBCMT ref: 004297D2

Strings

<>=/|^,:.+-*&!?~, xrefs: 0041FC00
Not a valid property getter/setter., xrefs: 00421A4A
AltTabAndMenu, xrefs: 00421145
LTrim, xrefs: 0041FFC7
Missing "{", xrefs: 004219D4, 004219F4
%s::, xrefs: 004217A2
and, xrefs: 0041FD82
Duplicate label., xrefs: 0042143F
Set, xrefs: 00420577
AltTab, xrefs: 004210F4
#CommentFlag, xrefs: 0041F85B
This hotstring is missing its abbreviation., xrefs: 00421AC5
if not GetKeyState("%s"), xrefs: 004217FE
?*- , xrefs: 0041FC6A
Missing ")", xrefs: 00421B72
{LCtrl up}, xrefs: 0042184D
RTrim, xrefs: 0041FFE6
Hotkeys/hotstrings are not allowed inside functions., xrefs: 00421A87
@, xrefs: 00420D68
<>=/|^,:, xrefs: 0041FDC6
AltTabMenuDismiss, xrefs: 0042115E
ShiftAltTab, xrefs: 00421110
8dK, xrefs: 00420E5A
{RCtrl up}, xrefs: 00421846, 00421862
This line does not contain a recognized action., xrefs: 00421B4F
Out of memory., xrefs: 00421473, 00421693, 00421B2E
& , xrefs: 0041FCBB, 00420DAD
Note: The hotkey %s will not be active because it does not exist in the current keyboard layout., xrefs: 00421292
OnClipboardChange, xrefs: 00421660
hDeK, xrefs: 0041F81C
Continuation section too long., xrefs: 004219B5
Duplicate hotkey., xrefs: 00421B06
Invalid single-line hotkey/hotstring., xrefs: 004210A0, 00421AE4
Return, xrefs: 00420F52
{Blind}{%s Up}, xrefs: 00421939
Static, xrefs: 004207D2
Functions cannot contain functions., xrefs: 00421A25
{Blind}%s%s{%s DownR}, xrefs: 00421863
Get, xrefs: 00420563
Default, xrefs: 00421343
@, xrefs: 00420C32
%s up::, xrefs: 004218A4
AltTabMenu, xrefs: 0042112C
%s%s%s, xrefs: 00420E66
Not a valid method, class or property definition., xrefs: 004219FB, 00421A08, 00421A62
IfWin should be #IfWin., xrefs: 00421AAB
Join, xrefs: 0041FE90

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsnicmp$_wcschr$_memmove$__snwprintf_free_wcsncpy_wcsrchr
String ID: & $#CommentFlag$%s up::$%s%s%s$%s::$8dK$<>=/|^,:$<>=/|^,:.+-*&!?~$?*- $@$@$AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Continuation section too long.$Default$Duplicate hotkey.$Duplicate label.$Functions cannot contain functions.$Get$Hotkeys/hotstrings are not allowed inside functions.$IfWin should be #IfWin.$Invalid single-line hotkey/hotstring.$Join$LTrim$Missing ")"$Missing "{"$Not a valid method, class or property definition.$Not a valid property getter/setter.$Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.$OnClipboardChange$Out of memory.$RTrim$Return$Set$ShiftAltTab$Static$This hotstring is missing its abbreviation.$This line does not contain a recognized action.$and$hDeK$if not GetKeyState("%s")${Blind}%s%s{%s DownR}${Blind}{%s Up}${LCtrl up}${RCtrl up}
API String ID: 2467999715-2749512620
Opcode ID: 58eb8bf25cde025b8a2fde775da8fdf7a3d892075c315318f5a03861fb7ce9c0
Instruction ID: d76c29f547aafbae01cdbdfffb27ede8f0bdad8749e0f57c73626aff5462de51
Opcode Fuzzy Hash: 58eb8bf25cde025b8a2fde775da8fdf7a3d892075c315318f5a03861fb7ce9c0
Instruction Fuzzy Hash: 821327717043609ADB309B24A8417BBB3E0AF95304F94452FE8898B392E77D9D85C79F

Function 0046C100 Relevance: 116.2, APIs: 41, Strings: 25, Instructions: 704windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0046C11F
GetWindowLongW.USER32(?,000000EC), ref: 0046C12A
__wcsnicmp.LIBCMT ref: 0046C1E9
__wcsnicmp.LIBCMT ref: 0046C20A
__wcsicoll.LIBCMT ref: 0046C220
SetWindowPos.USER32(?,-000000FE,00000000,00000000,00000000,00000000,00000013,?,?,?,?,?,00000000,00000000,00000000), ref: 0046C24B
__wcsicoll.LIBCMT ref: 0046C28C
__wcsicoll.LIBCMT ref: 0046C2BC
IsWindowVisible.USER32(?), ref: 0046C9A0
IsIconic.USER32(?), ref: 0046C9AE
SetWindowLongW.USER32(?,000000F0,?), ref: 0046C9D2
SetWindowLongW.USER32(?,000000EC,?), ref: 0046C9E8
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0046CA05
InvalidateRect.USER32(?,00000000,00000001), ref: 0046CA13

Strings

MaxSize, xrefs: 0046C586
MinimizeBox, xrefs: 0046C462
OwnDialogs, xrefs: 0046C678
MinSize, xrefs: 0046C494
Border, xrefs: 0046C286
Space, xrefs: 0046C31D
DPIScale, xrefs: 0046C74B
0-#v, xrefs: 0046C50E, 0046C546, 0046C600, 0046C63A
LastFound, xrefs: 0046C414
Invalid option., xrefs: 0046CA29
Caption, xrefs: 0046C2B6
Owner, xrefs: 0046C1DC
SysMenu, xrefs: 0046C6CD
Hwnd, xrefs: 0046C3B6
Tab, xrefs: 0046C2FD
Parent, xrefs: 0046C204
MaximizeBox, xrefs: 0046C432
ToolWindow, xrefs: 0046C71B
Disabled, xrefs: 0046C354
Label, xrefs: 0046C3E6
AlwaysOnTop, xrefs: 0046C21A
Theme, xrefs: 0046C6FD
Delimiter, xrefs: 0046C2E8
Resize, xrefs: 0046C69D
Invalid or nonexistent owner or parent window., xrefs: 0046CA43

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$Long$__wcsicoll$__wcsnicmp$IconicInvalidateRectVisible
String ID: 0-#v$AlwaysOnTop$Border$Caption$DPIScale$Delimiter$Disabled$Hwnd$Invalid option.$Invalid or nonexistent owner or parent window.$Label$LastFound$MaxSize$MaximizeBox$MinSize$MinimizeBox$OwnDialogs$Owner$Parent$Resize$Space$SysMenu$Tab$Theme$ToolWindow
API String ID: 2729535577-2644714567
Opcode ID: 5752d24ceeccbde05bd884313f1c286b1aa8afa0b221bc06c02ec99eba3eefd5
Instruction ID: f97e498eb5c675b6e2babeaa17694e848fd0e8a3ad054b9971d71be422db1bec
Opcode Fuzzy Hash: 5752d24ceeccbde05bd884313f1c286b1aa8afa0b221bc06c02ec99eba3eefd5
Instruction Fuzzy Hash: 7D32E3B1A04340ABDB609F258CC17777B94AB41319F18856FF8869A282F76CD845CB6F

Function 0046F4D0 Relevance: 104.0, APIs: 50, Strings: 9, Instructions: 743windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 0046F4FD
IsZoomed.USER32 ref: 0046F521
IsIconic.USER32(?), ref: 0046F531

Strings

Maximize, xrefs: 0046F633
Invalid option., xrefs: 0046F989
Restore, xrefs: 0046F6AD
Minimize, xrefs: 0046F60D
Hide, xrefs: 0046F721
AutoSize, xrefs: 0046F5B7
Center, xrefs: 0046F5DE, 0046F6DA
NoActivate, xrefs: 0046F683
0-#v, xrefs: 0046F7A4, 0046F7C9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: IconicTextWindowZoomed
String ID: 0-#v$AutoSize$Center$Hide$Invalid option.$Maximize$Minimize$NoActivate$Restore
API String ID: 3288056585-3364443547
Opcode ID: 6aa16bc9c30dbef29b4fc1fc7452a3c92820b63d2d5a1a1b6979895e6e65ced3
Instruction ID: 9e955fc03cba1bc5989b91a93e67ca38d74a868a43011eb31221a3e6c421501b
Opcode Fuzzy Hash: 6aa16bc9c30dbef29b4fc1fc7452a3c92820b63d2d5a1a1b6979895e6e65ced3
Instruction Fuzzy Hash: 08528F71908301AFD710DF64E884B5BBBE4BB55304F144A2EF8DA93251E778E948CB9B

Function 0043B080 Relevance: 88.1, APIs: 32, Strings: 18, Instructions: 610processlibraryloaderCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043B0E7
__wcsicoll.LIBCMT ref: 0043B0F9
__wcsicoll.LIBCMT ref: 0043B10B
__wcsicoll.LIBCMT ref: 0043B11D
__wcsicoll.LIBCMT ref: 0043B12F
__wcsicoll.LIBCMT ref: 0043B141
_memset.LIBCMT ref: 0043B2E8
__swprintf.LIBCMT ref: 0043B36A
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043B403
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043B415
CloseHandle.KERNEL32(?), ref: 0043B456
_memset.LIBCMT ref: 0043B493
__wcsicoll.LIBCMT ref: 0043B4DF
_wcschr.LIBCMT ref: 0043B52B
ShellExecuteExW.SHELL32(0000003C), ref: 0043B636
GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 0043B65A
GetProcAddress.KERNEL32(00000000), ref: 0043B661

Strings

"%s" %s, xrefs: 0043B364
..., xrefs: 0043B739, 0043B755, 0043B77F
explore, xrefs: 0043B0F3, 0043B1B5
open, xrefs: 0043B105, 0043B1C7
Launch Error (possibly related to RunAs):, xrefs: 0043B76A
edit, xrefs: 0043B117, 0043B1D9
\/., xrefs: 0043B594
Failed attempt to launch program or document:, xrefs: 0043B771, 0043B781
properties, xrefs: 0043B13B, 0043B1FD, 0043B4D6
print, xrefs: 0043B129, 0043B1EB
find, xrefs: 0043B0E1, 0043B1A3
GetProcessId, xrefs: 0043B650
kernel32.dll, xrefs: 0043B655
Verb: <%s>, xrefs: 0043B6EA
System verbs unsupported with RunAs., xrefs: 0043B26E
.exe.bat.com.cmd.hta, xrefs: 0043B5C5
%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>, xrefs: 0043B782
String too long., xrefs: 0043B2B7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$Handle$Close_memset$AddressCreateExecuteModuleProcProcessShell__swprintf_wcschr
String ID: Verb: <%s>$"%s" %s$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$...$.exe.bat.com.cmd.hta$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
API String ID: 3691946165-2616667029
Opcode ID: 60352d2862462ec6d69d3979fdbed61ef14b53b38e96c089fdf58ffe046d2a67
Instruction ID: 749d80ff5dfd462ae6f12ffa27d563702a54a983c1c9c4622f36685a36bcbddc
Opcode Fuzzy Hash: 60352d2862462ec6d69d3979fdbed61ef14b53b38e96c089fdf58ffe046d2a67
Instruction Fuzzy Hash: B722AE71A002059BDF20DF65CC86BAF77A4EF98304F04916BEA05A7341E7789945CBA9

Function 004014E4 Relevance: 74.6, APIs: 40, Strings: 2, Instructions: 1091windowtimeclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 0040150F
CloseClipboard.USER32 ref: 0040151B
SetTimer.USER32(?,00000009,0000000A), ref: 004015C4
GetTickCount.KERNEL32 ref: 004015E9
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4

Strings

#32770, xrefs: 00401DD0
(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick$ClipboardCloseFocusGlobalMessageTimerUnlock
String ID: #32770$(&
API String ID: 2919891889-2511465892
Opcode ID: e391da6a96714bc044cc5c940bee517ac6329e68af98c6b82389b0243b44f77d
Instruction ID: 8efcaa11bda21fb41c0711c83df5939c906220ec3daa44cf4f5dacab51e27cd2
Opcode Fuzzy Hash: e391da6a96714bc044cc5c940bee517ac6329e68af98c6b82389b0243b44f77d
Instruction Fuzzy Hash: 9D9290709083419BDB24DF24C98876B7BE1BB85304F58457BE885AB3E1D7B8DC41CB9A

Function 00444260 Relevance: 72.6, APIs: 36, Strings: 5, Instructions: 885windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004442C7
IsIconic.USER32(00000000), ref: 004442D8
GetWindowRect.USER32(?,?), ref: 004442F0
ClientToScreen.USER32(?,?), ref: 00444312
_wcsrchr.LIBCMT ref: 0044435B
__wcsicoll.LIBCMT ref: 00444372
__wcsicoll.LIBCMT ref: 00444384
__wcsicoll.LIBCMT ref: 00444396
GetSystemMetrics.USER32(00000031), ref: 004443AA
GetSystemMetrics.USER32(00000032), ref: 004443B2
__wcsnicmp.LIBCMT ref: 00444409
__fassign.LIBCMT ref: 00444428

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

__wcsnicmp.LIBCMT ref: 00444450
_wcsncpy.LIBCMT ref: 0044446E
__fassign.LIBCMT ref: 004444B2
__fassign.LIBCMT ref: 00444591

Strings

Trans, xrefs: 0044444A
exe, xrefs: 0044437E
dll, xrefs: 00444390
Icon, xrefs: 00444403
ico, xrefs: 0044436C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign__wcsicoll$MetricsSystemWindow__wcsnicmp$ClientForegroundIconicRectScreen_wcsncpy_wcsrchrwcstoxl
String ID: Icon$Trans$dll$exe$ico
API String ID: 1615180671-2549557054
Opcode ID: d82fc7e0b74500fa4796c9e851a1cf6041092637d9a175fbb9ee312c1f74254a
Instruction ID: 953d35cb7651e20cf304447bfe9d3b135df43bd3450c6eae182fedd3850abcba
Opcode Fuzzy Hash: d82fc7e0b74500fa4796c9e851a1cf6041092637d9a175fbb9ee312c1f74254a
Instruction Fuzzy Hash: 6262E171A083419FE724DF298880B6BBBE4AFC5704F14492FF58597381E778D845CBAA

Function 00426070 Relevance: 62.5, APIs: 13, Strings: 22, Instructions: 1239COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0042621D

Strings

Out of memory., xrefs: 004261A5, 00426CB5, 0042914F
Parameter #2 invalid., xrefs: 00426DFE
<>=/|^,:*&~!()[]{}+-?, xrefs: 004264D7, 0042653E, 0042655B
(, xrefs: 004268F1
+, xrefs: 0042636C
Unexpected %, xrefs: 00426BDD
Too many var/func refs., xrefs: 00426C92
Divide by zero, xrefs: 00426EAC
<>=/|^,:*&~!()[]{}", xrefs: 00426358
The leftmost character above is illegal in an expression., xrefs: 00426C35
Missing close-quote, xrefs: 00426C16
Ambiguous or invalid use of ".", xrefs: 00426C54, 00426C73
A label must not point to an ELSE or UNTIL or CATCH., xrefs: 004291F0
Not allowed as an output variable., xrefs: 00426BF5
=, xrefs: 0042658E
<>=/|^,:*&~!()[]{}+-?., xrefs: 00426756, 00426770, 00426789, 00426A64
Parse, xrefs: 00426217
Quote marks are required around this key., xrefs: 00426644
'\;`, xrefs: 004267C6
Parameter #3 invalid., xrefs: 00426DA5
Parameter #2 required, xrefs: 004280A9
SMHD, xrefs: 00426D8C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: <>=/|^,:*&~!()[]{}"$ <>=/|^,:*&~!()[]{}+-?$ <>=/|^,:*&~!()[]{}+-?.$ =$'\;`$($+$A label must not point to an ELSE or UNTIL or CATCH.$Ambiguous or invalid use of "."$Divide by zero$Missing close-quote$Not allowed as an output variable.$Out of memory.$Parameter #2 invalid.$Parameter #2 required$Parameter #3 invalid.$Parse$Quote marks are required around this key.$SMHD$The leftmost character above is illegal in an expression.$Too many var/func refs.$Unexpected %
API String ID: 3832890014-3913940891
Opcode ID: 20138aa46cf560a44c8153c94111f2306ffcfb8a68c83492a78e4fa00d24684a
Instruction ID: 678817ad220626c220030b37ef8e228867ae8b211a91ea3dcaed813c2b5849fe
Opcode Fuzzy Hash: 20138aa46cf560a44c8153c94111f2306ffcfb8a68c83492a78e4fa00d24684a
Instruction Fuzzy Hash: E9A203717043618ADB209F15E8817BBB7A1AF91314F96442FE8848B381E77CDC95C7AE

Function 00429780 Relevance: 56.9, APIs: 8, Strings: 24, Instructions: 900COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0042979F
__snwprintf.LIBCMT ref: 004297D2

Strings

Blank parameter, xrefs: 0042A026, 0042A2E3
Invalid function declaration., xrefs: 0042A09B
Out of memory., xrefs: 004299C0, 00429A10, 0042A0DD
Expected ":=", xrefs: 0042A259
Too many params., xrefs: 0042A000
true, xrefs: 00429EE1
false, xrefs: 00429EA8
Unsupported parameter default., xrefs: 0042A2A0
value, xrefs: 00429AEA
Parameter default required., xrefs: 0042A2BB
Duplicate parameter., xrefs: 0042A03E
Missing comma, xrefs: 00429FB0
Missing close-quote, xrefs: 0042A27A
this, xrefs: 00429A9C
, :=*), xrefs: 00429B53, 00429C13
Missing ")", xrefs: 00429B85, 00429C4C, 0042A068
, =), xrefs: 00429E62
A label must not point to a function., xrefs: 0042A1F8
%s.%s, xrefs: 004297BD
Parameters of hotkey functions must be optional., xrefs: 0042A221
Duplicate function definition., xrefs: 0042989D
Duplicate declaration., xrefs: 0042981A
ByRef, xrefs: 00429BC1
Function name too long., xrefs: 00429903

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __snwprintf_wcschr
String ID: %s.%s$, :=*)$, =)$A label must not point to a function.$Blank parameter$ByRef$Duplicate declaration.$Duplicate function definition.$Duplicate parameter.$Expected ":="$Function name too long.$Invalid function declaration.$Missing ")"$Missing close-quote$Missing comma$Out of memory.$Parameter default required.$Parameters of hotkey functions must be optional.$Too many params.$Unsupported parameter default.$false$this$true$value
API String ID: 1333472643-1825772190
Opcode ID: 65141d0833f818b936480aa1e5b0c54aa1434efa3ca9c245032277474ce24503
Instruction ID: 1c9b2a67bfb85d18724c98cf25bd425d91e1196ad192b8b12c260e754d2e3607
Opcode Fuzzy Hash: 65141d0833f818b936480aa1e5b0c54aa1434efa3ca9c245032277474ce24503
Instruction Fuzzy Hash: F0621431700221ABC720DF15E881ABBB3A4EF94314F54856FE8458B392EB3DDD55C7AA

Function 00473350 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 276windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047336D
GetWindowLongW.USER32(?,000000F0), ref: 00473379
IsWindowVisible.USER32(?), ref: 0047339A
IsIconic.USER32(?), ref: 004733AD
GetFocus.USER32 ref: 004733E1
GetWindowRect.USER32(?,?), ref: 00473411
GetPropW.USER32(?,ahk_dlg), ref: 00473420
ShowWindow.USER32(00000000,00000000,?,ahk_dlg,?,?), ref: 00473434
GetUpdateRect.USER32(?,?,00000000), ref: 0047345C
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0047346A
GetWindowLongW.USER32(?,000000F0), ref: 004734DD
ShowWindow.USER32(00000000,?,?,ahk_dlg,?,?), ref: 0047350D
EnableWindow.USER32(00000000,00000000), ref: 00473524
GetWindowRect.USER32(00000000,?), ref: 00473538
PtInRect.USER32(?,?,?), ref: 00473553
PtInRect.USER32(?,?,?), ref: 00473568
SetFocus.USER32(00000000,?,ahk_dlg,?,?), ref: 004735AA
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 004735E5
ShowWindow.USER32(00000000,00000005,?,ahk_dlg,?,?), ref: 004735F5
SetFocus.USER32(?,?,ahk_dlg,?,?), ref: 00473609
InvalidateRect.USER32(?,00000000,00000001,?,ahk_dlg,?,?), ref: 00473625
InvalidateRect.USER32(?,?,00000001,?,ahk_dlg,?,?), ref: 0047364F
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0047365E
InvalidateRect.USER32(?,?,00000001,?,ahk_dlg,?,?), ref: 0047366F

Strings

ahk_dlg, xrefs: 0047341A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$Rect$FocusInvalidateMessageSendShow$Long$EnableIconicPointsPropUpdateVisible
String ID: ahk_dlg
API String ID: 1662922230-2093416220
Opcode ID: 5652faa813781b0b649733104dbef4c8067b368c947f3a27687875be09f9f30c
Instruction ID: a859e8082bb668224de5d24321cbf382ec91396cea25e0006669855d4740d452
Opcode Fuzzy Hash: 5652faa813781b0b649733104dbef4c8067b368c947f3a27687875be09f9f30c
Instruction Fuzzy Hash: 79A18270508380AFD715CF648844BABBFE4AB89305F08C95EF5C947381C779EA48DB56

Function 0040C260 Relevance: 33.7, APIs: 17, Strings: 2, Instructions: 452threadkeyboardwindowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,0000041E,?,00000000), ref: 0040C321
GetForegroundWindow.USER32 ref: 0040C39C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040C3B6
GetGUIThreadInfo.USER32(00000000,?), ref: 0040C3CE
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040C3E6
GetKeyboardLayout.USER32(00000000), ref: 0040C3EB
GetClassNameW.USER32(00000000,?,0000001C), ref: 0040C410
__wcsicoll.LIBCMT ref: 0040C423
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C4B9
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C4DE
GetKeyState.USER32(00000014), ref: 0040C537
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C5A2
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C69B
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C77F
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C7B4
_memset.LIBCMT ref: 0040C7E7
ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C831

Strings

0, xrefs: 0040C3C3
ApplicationFrameWindow, xrefs: 0040C41D

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Unicode$ThreadWindow$Process$ClassForegroundInfoKeyboardLayoutMessageNamePostState__wcsicoll_memset
String ID: 0$ApplicationFrameWindow
API String ID: 1795949194-1469001145
Opcode ID: acdde6228dfe0c90839549102c2a670d6af60dc13a26f897435f3cbd53f25527
Instruction ID: baa89a8715a2f92fcabd8d413b0084162a7154774db677bad6868604c59eab16
Opcode Fuzzy Hash: acdde6228dfe0c90839549102c2a670d6af60dc13a26f897435f3cbd53f25527
Instruction Fuzzy Hash: BBF13431508380DBE721CB64D890BBB7BE4EB86704F04463FE885A72D1D7789949D7AE

Function 0044D4F0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 223filewindowCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 0044D524
GetTickCount.KERNEL32 ref: 0044D53B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044D55E
GetTickCount.KERNEL32 ref: 0044D574
FindNextFileW.KERNEL32(00000000,00000010), ref: 0044D635
FindClose.KERNEL32(00000000), ref: 0044D644
GetLastError.KERNEL32 ref: 0044D65B
FindFirstFileW.KERNEL32(?,?), ref: 0044D6A5
GetTickCount.KERNEL32 ref: 0044D6BC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044D6DF
GetTickCount.KERNEL32 ref: 0044D6F5
__swprintf.LIBCMT ref: 0044D766
FindNextFileW.KERNEL32(00000000,00000010), ref: 0044D78C
FindClose.KERNEL32(00000000), ref: 0044D79B

Strings

%s\%s, xrefs: 0044D760
., xrefs: 0044D707
8dK, xrefs: 0044D680

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Find$CountFileTick$CloseFirstMessageNextPeek$ErrorLast__swprintf
String ID: %s\%s$.$8dK
API String ID: 2043249117-2117719227
Opcode ID: 14d40948558956f9e4e56b4a68a12fff21ec8cd6205600feef3901e0b82ac40f
Instruction ID: acd0a1602dae13d3d3ae1887a0a08d78c9e75040a1401dd7f037b7e43462d917
Opcode Fuzzy Hash: 14d40948558956f9e4e56b4a68a12fff21ec8cd6205600feef3901e0b82ac40f
Instruction Fuzzy Hash: FE81D635A043059FD720EF24D884BABB7E5EF84354F00492FF89687394EBB8A945CB59

Function 00442760 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 441windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CAA0: __wcsicoll.LIBCMT ref: 0041CABB
Part of subcall function 0041CAA0: __wcsicoll.LIBCMT ref: 0041CAD1

GetForegroundWindow.USER32 ref: 004427D9
IsWindowVisible.USER32(00000000), ref: 004427F4

Strings

user32, xrefs: 00442B85
Parameter #2 invalid., xrefs: 00442795
0x%06X, xrefs: 00442BFA
0x%08X, xrefs: 00442B1E
%s1, xrefs: 004429BB
GetLayeredWindowAttributes, xrefs: 00442B80

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window__wcsicoll$ForegroundVisible
String ID: %s1$0x%06X$0x%08X$GetLayeredWindowAttributes$Parameter #2 invalid.$user32
API String ID: 1910143062-141734719
Opcode ID: 5c7f484eb573f8355e77f031860678e6e1a1b55070b9834041dbcb8feeae038e
Instruction ID: 2229b0944fb40f90ed85245df7101be7cf22fbe8d2fb06f33c45bfaf9b03f4cf
Opcode Fuzzy Hash: 5c7f484eb573f8355e77f031860678e6e1a1b55070b9834041dbcb8feeae038e
Instruction Fuzzy Hash: 8ED11672B043055BE720EF699D81B6F77D8EB84314F500A2FF941972C1DAE8DD4483AA

Function 00405290 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 74clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004052BC
__wcsnicmp.LIBCMT ref: 004052CE
__wcsicoll.LIBCMT ref: 004052E7
__wcsicoll.LIBCMT ref: 004052FC
__wcsicoll.LIBCMT ref: 00405311
__wcsicoll.LIBCMT ref: 00405326
__wcsicoll.LIBCMT ref: 0040533B
__wcsicoll.LIBCMT ref: 00405350
GetClipboardData.USER32(0000000D), ref: 00405376

Strings

Embed Source, xrefs: 00405320
OwnerLink, xrefs: 004052F6
MSDEVLineSelect, xrefs: 0040534A
MSDEVColumnSelect, xrefs: 00405335
Link Source, xrefs: 004052C8
Native, xrefs: 0040530B
ObjectLink, xrefs: 004052E1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
API String ID: 3127108255-1844231336
Opcode ID: 5ea2c3351164587978336dc008465dd7fc49f8326ce07ee02ae0989120baf7e9
Instruction ID: 69334690a8f70c6acdf00ce6594448056c5c142054193d773241eec891463b8f
Opcode Fuzzy Hash: 5ea2c3351164587978336dc008465dd7fc49f8326ce07ee02ae0989120baf7e9
Instruction Fuzzy Hash: 5511D8B190430136DB20A7709C43B7B7698AF54746F48493EBC94D11C2F7FCDA09CA9A

Function 0045C320 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?,?,00000000), ref: 0045C383
IsIconic.USER32(00000000), ref: 0045C390
GetWindowRect.USER32(00000000,?), ref: 0045C3A4
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045C3F4

Part of subcall function 00443A50: GetForegroundWindow.USER32 ref: 00443B41
Part of subcall function 00443A50: IsIconic.USER32(00000000), ref: 00443B50
Part of subcall function 00443A50: GetWindowRect.USER32(?,?), ref: 00443B68

Strings

DISPLAY, xrefs: 0045C3EF
0x%06X, xrefs: 0045C4A9
RGB, xrefs: 0045C479
Alt, xrefs: 0045C3D0
Slow, xrefs: 0045C32F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$ForegroundIconicRect$Create
String ID: 0x%06X$Alt$DISPLAY$RGB$Slow
API String ID: 472947238-780868468
Opcode ID: a0d84084c95ff00d404a048df5e44577fe4a3eab8f9c6f502344ee0436d7a18a
Instruction ID: b2fe233c8cafdbbe7b449e4b3d682e2a79f21355d93c8b5bad85730baa4618de
Opcode Fuzzy Hash: a0d84084c95ff00d404a048df5e44577fe4a3eab8f9c6f502344ee0436d7a18a
Instruction Fuzzy Hash: 7B4136327443006FD220AB649C81FAB7B98EB81715F10412BFE41962D2DAA99C0A87BD

Function 004050C0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 004050E4
GlobalUnlock.KERNEL32(00000000), ref: 004050FB
CloseClipboard.USER32 ref: 00405104
GlobalUnlock.KERNEL32(00000000), ref: 0040513B
GlobalFree.KERNEL32(00000000), ref: 0040514D
GlobalUnlock.KERNEL32 ref: 00405163
CloseClipboard.USER32 ref: 00405168

Part of subcall function 004051C0: GlobalUnlock.KERNEL32(00000000), ref: 004051DC
Part of subcall function 004051C0: CloseClipboard.USER32 ref: 004051E1
Part of subcall function 004051C0: GlobalUnlock.KERNEL32(00000000), ref: 004051F5
Part of subcall function 004051C0: GlobalFree.KERNEL32(00000000), ref: 00405205

Strings

Can't open clipboard for writing., xrefs: 004050D6
EmptyClipboard, xrefs: 0040510F
SetClipboardData, xrefs: 004051AF

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Global$Unlock$Clipboard$Close$Free$Empty
String ID: Can't open clipboard for writing.$EmptyClipboard$SetClipboardData
API String ID: 1414016178-2690908087
Opcode ID: 26718ce8527e5455ab28741a94bb936101b0d8e225dba5c232992013e6065a2f
Instruction ID: c31fad1c82b01ec232fbae2a0d899f4fcf0da175247c9f28ba6c2f0b11e7de7a
Opcode Fuzzy Hash: 26718ce8527e5455ab28741a94bb936101b0d8e225dba5c232992013e6065a2f
Instruction Fuzzy Hash: 65312B71D01B019FDB30AFA6D8C4517BBF4EF55305324893FE1979AAA1C678A884CF58

Function 00451760 Relevance: 21.8, APIs: 6, Strings: 6, Instructions: 797COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004518AD
__wcsnicmp.LIBCMT ref: 0045190E
_memset.LIBCMT ref: 004519B1
__wcstoui64.LIBCMT ref: 00451B40
FreeLibrary.KERNEL32(?), ref: 0045209A

Strings

This DllCall requires a prior VarSetCapacity., xrefs: 00451C38
CDecl, xrefs: 004518A1, 00451908
DllCall, xrefs: 004517CA, 0045194A, 00451C8D
(6K, xrefs: 004517CF
, xrefs: 00451851
Int, xrefs: 0045192C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsnicmp$FreeLibrary__wcstoui64_memset
String ID: $(6K$CDecl$DllCall$Int$This DllCall requires a prior VarSetCapacity.
API String ID: 886327013-998666964
Opcode ID: 9ce0c244b00f8267ecb7059bf7842c8aade53aec8e80cf452f3227024fd0e79b
Instruction ID: bfad584f1c1b5dcc6d1cadb0631b58d769e953268d694f5f3a839ab62909e77f
Opcode Fuzzy Hash: 9ce0c244b00f8267ecb7059bf7842c8aade53aec8e80cf452f3227024fd0e79b
Instruction Fuzzy Hash: B152E371A002059FCB24DF54C881BAAB7B1FF45306F24856FEC159B3A2D379AC49CB59

Function 0041F3CB Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

Out of memory., xrefs: 0041F438
*, xrefs: 0041F460
Too many includes., xrefs: 0041F3DF
*#2, xrefs: 0041F655

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: *$*#2$Out of memory.$Too many includes.
API String ID: 0-744658508
Opcode ID: 78604e5a44b7f2934b41466ae364e3cb1411b8314b3251e9401cf4890cc07294
Instruction ID: cebd737840011d0a7ed4ae4f31cf641042e15227ad5008ef3c7bf29de8d98328
Opcode Fuzzy Hash: 78604e5a44b7f2934b41466ae364e3cb1411b8314b3251e9401cf4890cc07294
Instruction Fuzzy Hash: BC61B671700301ABE7209F24E841BA77795AF95714F14053BE949CB392EB3DD84AC7AE

Function 004164C0 Relevance: 19.9, APIs: 13, Instructions: 439keyboardwindowthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004164EE
GetKeyboardState.USER32(?), ref: 004165BA
SetKeyboardState.USER32(?), ref: 00416659
PostMessageW.USER32(00000000,00000100,?,00000000), ref: 00416685
PostMessageW.USER32(00000000,00000101,?,00000000), ref: 004166C2
BlockInput.USER32(00000000), ref: 004166FE
GetForegroundWindow.USER32 ref: 0041675C
GetAsyncKeyState.USER32 ref: 0041678C
keybd_event.USER32(?,00000000,?,00000000), ref: 00416857
GetAsyncKeyState.USER32(?), ref: 004168A2
keybd_event.USER32(?,00000000,00000002,00000000), ref: 00416982
GetAsyncKeyState.USER32(?), ref: 004169BD
BlockInput.USER32(00000001), ref: 00416A1E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: State$Async$BlockInputKeyboardMessagePostkeybd_event$CurrentForegroundThreadWindow
String ID:
API String ID: 802988723-0
Opcode ID: 52d8bab6890e6773e45320d3c8f57d97d02040d5cb93ba182f48c4ba02a228c0
Instruction ID: 7fabc05357295c8101665ebde29e69223d32a8779cf610359c7ebbaa548f2f1d
Opcode Fuzzy Hash: 52d8bab6890e6773e45320d3c8f57d97d02040d5cb93ba182f48c4ba02a228c0
Instruction Fuzzy Hash: 9102C1B05093859BDB11DF24D8447EB7FE1AB96308F09485FF89587391C23CC989CB6A

Function 0042A340 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 434COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0042A3CA

Strings

Out of memory., xrefs: 0042A800
extends, xrefs: 0042A3C4
Invalid class name., xrefs: 0042A472
__Class, xrefs: 0042A538, 0042A797
Missing class name., xrefs: 0042A40C
Syntax error in class definition., xrefs: 0042A576
Full class name is too long., xrefs: 0042A673
Duplicate class definition., xrefs: 0042A6EB
This class definition is nested too deep., xrefs: 0042A35B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsnicmp
String ID: Duplicate class definition.$Full class name is too long.$Invalid class name.$Missing class name.$Out of memory.$Syntax error in class definition.$This class definition is nested too deep.$__Class$extends
API String ID: 1038674560-3763243221
Opcode ID: 47b969b72cf50e18692ba212d1510190a78d81538540f1d77314f4e188eac336
Instruction ID: 28f0fba0c4d5056baade32ceb9c975ec692cfeef84c3a9a32fab6b9097cd569b
Opcode Fuzzy Hash: 47b969b72cf50e18692ba212d1510190a78d81538540f1d77314f4e188eac336
Instruction Fuzzy Hash: F1E1EE716002208FCB14DF19E880AABB7E1EB98314F54846FED898B351D778DD95CB9B

Function 00473130 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110windowlibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(uxtheme,?,?,?,?,?,0046ED2A,?,?,?,0000041D,00000000,00000000,?,0000000B,00000000), ref: 0047315F
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00473171
FreeLibrary.KERNEL32(00000000,?,0000041D,00000000,00000000,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 00473189
SendMessageW.USER32(?,00000406,?,?), ref: 004731E1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004731FA
SendMessageW.USER32(?,00002001,00000000,?), ref: 00473217
GetSysColor.USER32(0000000F), ref: 00473231
SendMessageW.USER32(?,00002001,00000000,?), ref: 00473247

Strings

uxtheme, xrefs: 0047315A
SetWindowTheme, xrefs: 0047316B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Library$AddressColorFreeLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 2745204275-1369271589
Opcode ID: 806b88e9484df04510396adb66c26fcb0c2832f06858f2416d2056cdc3dd154b
Instruction ID: 16990f9229a5685da94b4118ba246f59584ac10a4a703eaf1bf86810867177f1
Opcode Fuzzy Hash: 806b88e9484df04510396adb66c26fcb0c2832f06858f2416d2056cdc3dd154b
Instruction Fuzzy Hash: 1A3107303003006AE6349E658C84FB7B758EF11326F60862FF956966C1D768ED81D71C

Function 00417360 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

@, xrefs: 004175F8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 52c8cf7de7ee5502e398bf83f1e78f5d6529e8725fab1beb655e615bbec4aca5
Instruction ID: 9bb40bada77e481f4e77f5964d0d3ae9cf41b9ebd96de40ee605ba039700fc3d
Opcode Fuzzy Hash: 52c8cf7de7ee5502e398bf83f1e78f5d6529e8725fab1beb655e615bbec4aca5
Instruction Fuzzy Hash: BBA1BE7060C2049FE7289B28D8947BBB7F6AB84315F54092FF48683391D77C99C5CB5A

Function 004160A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

@, xrefs: 00416167

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: eaa9ae610327ae0cc6f2fdaeb1e9bf4e589aeb8885b7b7734bb3f38a5a06ef9a
Instruction ID: 6fa203a9efdcdb7b93725501101b66a71e1baa4dfb51d08296207f6809b5e4d4
Opcode Fuzzy Hash: eaa9ae610327ae0cc6f2fdaeb1e9bf4e589aeb8885b7b7734bb3f38a5a06ef9a
Instruction Fuzzy Hash: CA4113346583E075F32093689C12BF77F905B42B14F59846FEAC84B2C3DAA8C884D76B

Function 0045F5A0 Relevance: 15.1, APIs: 10, Instructions: 123processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0045F5B5
Process32FirstW.KERNEL32(00000000,00000000), ref: 0045F5C7
__wcstoi64.LIBCMT ref: 0045F5F3

Part of subcall function 00499840: wcstoxq.LIBCMT ref: 00499861

Process32NextW.KERNEL32(00000000,?), ref: 0045F614
__wsplitpath.LIBCMT ref: 0045F655
__wcsicoll.LIBCMT ref: 0045F6A5
Process32NextW.KERNEL32(?,?), ref: 0045F6BB
CloseHandle.KERNEL32(00000000), ref: 0045F6CE
CloseHandle.KERNEL32(00000000), ref: 0045F6E1
CloseHandle.KERNEL32(?), ref: 0045F6F8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CloseHandleProcess32$Next$CreateFirstSnapshotToolhelp32__wcsicoll__wcstoi64__wsplitpathwcstoxq
String ID:
API String ID: 2291101207-0
Opcode ID: 0b069d410339962b14e39f1e36ceaa861a0f9c7a35cc9223c65b3b77edd7c0a5
Instruction ID: 970fa0a2ea3cbeeefadb5dfe3caf0c08ae0e150ce7ab94c916f2ac53f2b60e26
Opcode Fuzzy Hash: 0b069d410339962b14e39f1e36ceaa861a0f9c7a35cc9223c65b3b77edd7c0a5
Instruction Fuzzy Hash: CE31B3726043056BD720EF649C45BEB77A8EBC5301F04483EF94687292EB79D60DC79A

Function 0045E1A0 Relevance: 12.3, APIs: 8, Instructions: 317comfileCOMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045E288
_wcschr.LIBCMT ref: 0045E29A
GetFileAttributesW.KERNEL32(?), ref: 0045E2AA
FindFirstFileW.KERNEL32(?,?), ref: 0045E2C6
FindClose.KERNEL32(00000000), ref: 0045E2D6
CoInitialize.OLE32(00000000), ref: 0045E2DE
CoCreateInstance.OLE32(004AD820,00000000,00000001,004AD810,?), ref: 0045E2F7
CoUninitialize.OLE32 ref: 0045E4BB

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FileFind_wcschr$AttributesCloseCreateFirstInitializeInstanceUninitialize
String ID:
API String ID: 1700229770-0
Opcode ID: f1a6238e9b8fe9512923cc11f866302a46654d64d32a2b348283019eb2fda38b
Instruction ID: 49fcae3e94eb92bb941ddcd62202e2ed8025de6f136ab263d24adf93ccf6f695
Opcode Fuzzy Hash: f1a6238e9b8fe9512923cc11f866302a46654d64d32a2b348283019eb2fda38b
Instruction Fuzzy Hash: 6AB1C0713043016BD614EF55CC81FAB73A9ABC9714F104A1EF9558B2D1D7B8ED08C79A

Function 0045F390 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0045F39A
OpenProcessToken.ADVAPI32(00000000), ref: 0045F3A1
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0045F3BD
AdjustTokenPrivileges.ADVAPI32 ref: 0045F3E5
GetLastError.KERNEL32 ref: 0045F3EB
ExitWindowsEx.USER32(?,00000000), ref: 0045F3FB

Strings

SeShutdownPrivilege, xrefs: 0045F3B6

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: e33d21e9821868b7492b716e6ff4923ce1667d42e0a022f49d7e47d729a169ea
Instruction ID: 24e649ce4d6df138e5824dc091e6de44c9bdf63add23181742e1fbc349d31b9e
Opcode Fuzzy Hash: e33d21e9821868b7492b716e6ff4923ce1667d42e0a022f49d7e47d729a169ea
Instruction Fuzzy Hash: C2F062B5604300AFF300AF65CC4AF9B7BB8BB89B05F40446CFA46D5191D7B8D8098B6A

Function 00411640 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 245COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411657
_wcsncpy.LIBCMT ref: 00411801
_wcsncpy.LIBCMT ref: 0041187B
_wcsncpy.LIBCMT ref: 004118AD

Strings

Up, xrefs: 004118BF
& , xrefs: 004117DE, 00411808

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcsncpy$_memset
String ID: & $ Up
API String ID: 4291556967-3258026345
Opcode ID: c3973739c305d695946c92067afe5007dba12f2fe9a409545d08fa77b83d7c17
Instruction ID: ea146dea876754dcfeedc5363ecd36b2df0a20e4f0135c39156c2b8efd15732c
Opcode Fuzzy Hash: c3973739c305d695946c92067afe5007dba12f2fe9a409545d08fa77b83d7c17
Instruction Fuzzy Hash: 4A8155316042818ADB249B2485917F77BD1AF52700F18805FEAD68B3F1E72E98C9C39F

Function 00419230 Relevance: 10.6, APIs: 7, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 00419239
_memset.LIBCMT ref: 00419262
ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 00419283
ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 004192A9
ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 004192C6
ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 0041930A
MapVirtualKeyExW.USER32(?,00000002,00000000), ref: 00419333

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Unicode$KeyboardLayoutVirtual_memset
String ID:
API String ID: 2910491412-0
Opcode ID: 3b20bbefeeb46bfb42843c5e45ab90676c8f9aea95f3b8b281ba2d627c7c3871
Instruction ID: 9ac22f3871fbb63799a4ec6c97682b2e808fbf52f3be064ef6a4f5273151c9d0
Opcode Fuzzy Hash: 3b20bbefeeb46bfb42843c5e45ab90676c8f9aea95f3b8b281ba2d627c7c3871
Instruction Fuzzy Hash: BE3108725443447BD324DB61CC56FFB7BE8AB85B04F84481DF685990C1E2B5EA08C7BA

Function 004A1767 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004A760A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A761F
UnhandledExceptionFilter.KERNEL32(H~M), ref: 004A762A
GetCurrentProcess.KERNEL32(C0000409), ref: 004A7646
TerminateProcess.KERNEL32(00000000), ref: 004A764D

Strings

H~M, xrefs: 004A7625

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: H~M
API String ID: 2579439406-941190207
Opcode ID: 9f5fa2d9c982ad17457543f1ae1845021275cda48203d41c5f6daba2ce7149cc
Instruction ID: c0caff100f3e9301cbfd000cb99b3b0afff863403bb0dff261bab2a2d3160f37
Opcode Fuzzy Hash: 9f5fa2d9c982ad17457543f1ae1845021275cda48203d41c5f6daba2ce7149cc
Instruction Fuzzy Hash: 8021CDB985A2149FDB20DF65EC896583BA5FB59304F5010BFE809837A1F7B49980CB4D

Function 0040D680 Relevance: 9.6, APIs: 3, Strings: 2, Instructions: 842COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040D739
_memset.LIBCMT ref: 0040D75B
_memset.LIBCMT ref: 0040D76D

Part of subcall function 0040E4B0: CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
Part of subcall function 0040E4B0: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger user.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
Part of subcall function 0040E4B0: PostThreadMessageW.USER32(?,00000417,004062BD,00000000), ref: 0040E544
Part of subcall function 0040E4B0: Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger user.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
Part of subcall function 0040E4B0: GetTickCount.KERNEL32 ref: 0040E567
Part of subcall function 0040E4B0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A

Strings

DlM, xrefs: 0040D90E
[M, xrefs: 0040D7F8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Thread$Message_memset$CountCreatePeekPostPrioritySleepTick_malloc
String ID: [M$DlM
API String ID: 2797994793-220038877
Opcode ID: a0277a27d527d6f36710225cd70a3e546bb14d535e5134fb3c894af60d7bfa53
Instruction ID: 813ed562dedafe5557cdd3931494a383f8027da915c8add8c546f60d4ff1a227
Opcode Fuzzy Hash: a0277a27d527d6f36710225cd70a3e546bb14d535e5134fb3c894af60d7bfa53
Instruction Fuzzy Hash: DD82F3309083818EE725CF25C4547B2BBE0AF55308F0985BFD8895B3D2D7BDA949C79A

Function 0040E7E0 Relevance: 9.1, APIs: 6, Instructions: 113windowthreadCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0040E80B
SetWindowsHookExW.USER32(0000000D,Function_00009E00,?,00000000), ref: 0040E873
UnhookWindowsHookEx.USER32(?), ref: 0040E88C
SetWindowsHookExW.USER32(0000000E,Function_00009F70,?,00000000), ref: 0040E8CF
UnhookWindowsHookEx.USER32(?), ref: 0040E8E3
PostThreadMessageW.USER32(?,00000417,?,00000000), ref: 0040E910

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: HookWindows$MessageUnhook$PostThread
String ID:
API String ID: 378849449-0
Opcode ID: e87eec9c23772e149d2dbfa9b91983acc2e188abfe2da193064e14ecbe1d9be2
Instruction ID: 82f1594234db6c158134b7ca8356d03bd98198c9eab869f498e06d705d2335de
Opcode Fuzzy Hash: e87eec9c23772e149d2dbfa9b91983acc2e188abfe2da193064e14ecbe1d9be2
Instruction Fuzzy Hash: 60318372A55302EAE720AF66DC09B677B949750304F484C3BE500E72E1D7B9DC64C76E

Function 004181B0 Relevance: 7.6, APIs: 5, Instructions: 84keyboardthreadCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000000), ref: 004181BB
GetKeyState.USER32(00000000), ref: 004181EA
GetForegroundWindow.USER32(00000000), ref: 00418224
GetWindowThreadProcessId.USER32(00000000), ref: 0041822B
GetKeyState.USER32(00000014), ref: 0041826E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: State$Window$ForegroundProcessThread
String ID:
API String ID: 2921243749-0
Opcode ID: f314f57b225e2f75140e28feabe27c02360f3931959cbb9e7c1a64794bba5a23
Instruction ID: 4ca9e7699063091770c6354c4ecf619e05b48292cbc624426e4146e738590a4f
Opcode Fuzzy Hash: f314f57b225e2f75140e28feabe27c02360f3931959cbb9e7c1a64794bba5a23
Instruction Fuzzy Hash: DC213B72A8071476EA3077046C46FEA77544751B4CF25021BF9083A3E2DAB614C486AE

Function 00418090 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004180C8
GetForegroundWindow.USER32(?,00416A12,?,00000000), ref: 00418114
GetWindowTextW.USER32(00000000,?,00000064), ref: 00418141

Strings

N/A, xrefs: 0041816A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$CountForegroundTextTick
String ID: N/A
API String ID: 3416458291-2525114547
Opcode ID: 6e0a026da9b91fa3b2157bb212803ad0b11cb383a78a2c4102d11ccb8426085d
Instruction ID: 82860f9e12c593ce16bc86499a0fa0c56dd153aea8b92913d30b03bf15879694
Opcode Fuzzy Hash: 6e0a026da9b91fa3b2157bb212803ad0b11cb383a78a2c4102d11ccb8426085d
Instruction Fuzzy Hash: F7316B3260A200DFC758DF28ED94AA5BBA1EB89304B05C57FD446CB3A0DBB49C42DB58

Function 004804F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,?), ref: 0048052E
FindClose.KERNEL32(00000000,?,?,?), ref: 0048053A
GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00480555

Strings

\\?\, xrefs: 00480503

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID: \\?\
API String ID: 48322524-4282027825
Opcode ID: c3fc4c152e5982e28bd70fe5cf2296377dfebde9111d1f6d4ac0afef8e8b75e0
Instruction ID: 6308ded1558d9aaad8a4f93d5b288044f3a3d3d6c0c683a1baaa1712dd309081
Opcode Fuzzy Hash: c3fc4c152e5982e28bd70fe5cf2296377dfebde9111d1f6d4ac0afef8e8b75e0
Instruction Fuzzy Hash: 4101F739900A016BD761FA28DC897AF37549F80320F544A36EC24D23C0E77C894D5B6D

Function 0044D7F0 Relevance: 6.1, APIs: 4, Instructions: 113filetimeCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0044D81F
GetLastError.KERNEL32 ref: 0044D82A
FindClose.KERNEL32(00000000), ref: 0044D869
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044D8C0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: File$FindTime$CloseErrorFirstLastLocal
String ID:
API String ID: 1380247339-0
Opcode ID: 807ab6e0a0b51726660564de6561b2d45eefc054ffbb4c100756cbf532bb8b3b
Instruction ID: 3dc776bd0dedf3690ec4ccfe141519c0ef9ae4b8d9ad7f5a05d16fded1e68c87
Opcode Fuzzy Hash: 807ab6e0a0b51726660564de6561b2d45eefc054ffbb4c100756cbf532bb8b3b
Instruction Fuzzy Hash: 1A31F5B2A0430177E320FB64DC46FEB3798AB44725F14462BF964AA2D0D7B9A944C36D

Function 00405390 Relevance: 6.1, APIs: 4, Instructions: 51clipboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004053AB
OpenClipboard.USER32(?), ref: 004053BC
GetTickCount.KERNEL32 ref: 004053D0
OpenClipboard.USER32(?), ref: 0040540A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ClipboardCountOpenTick
String ID:
API String ID: 420724667-0
Opcode ID: 651a6708b9213dd0c3a4d678e15823c8f71922899713aca3a1e8ff8df97975e1
Instruction ID: ed8853b92766a8f9651e7de7639f6eb5ba03e17ce7cb93d190cd71f8be86c550
Opcode Fuzzy Hash: 651a6708b9213dd0c3a4d678e15823c8f71922899713aca3a1e8ff8df97975e1
Instruction Fuzzy Hash: A40169326216108BD310DB68EC84B9B33E9EB94359F14413BE500E73D0CBB9DC91CBA8

Function 00449790 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004497C9
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0044982D

Strings

\, xrefs: 004497F1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: DiskFreeSpace_wcsncpy
String ID: \
API String ID: 1165104651-2967466578
Opcode ID: 1579c0bc3ad180801a4f3133a02e5b7a83da239c4471754ef8a3be1f444f87af
Instruction ID: 9688f3865c663d43b7458727641629474765d123225c8f32952d40f2dddaa87e
Opcode Fuzzy Hash: 1579c0bc3ad180801a4f3133a02e5b7a83da239c4471754ef8a3be1f444f87af
Instruction Fuzzy Hash: 3531393260430066D720FB59DC45FDBB798EB85724F14462FF944A72D0E6B9ED44C3A9

Function 0041A04E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(004DB230), ref: 0041A06D
__snwprintf.LIBCMT ref: 0041A0A4

Strings

10.0.19045, xrefs: 0041A08E
%u.%u.%u, xrefs: 0041A087

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Version__snwprintf
String ID: %u.%u.%u$10.0.19045
API String ID: 444779968-4060445884
Opcode ID: e1e7ce3a92834f78720694a515484305c9f7ac00c6d46e2baeb4738793576bb4
Instruction ID: ab1c3dfdb1a6e663e0c4dc7cf950089abed141bbf424aed54ac51e19997f775d
Opcode Fuzzy Hash: e1e7ce3a92834f78720694a515484305c9f7ac00c6d46e2baeb4738793576bb4
Instruction Fuzzy Hash: 58017C71607300DBCB14CF94AC867A63BA0E348704B12407FE94986361C7B85890A7EF

Function 0041E370 Relevance: 4.5, APIs: 3, Instructions: 45clipboardwindowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000415,00000001,00000000), ref: 0041E3B4
SetClipboardViewer.USER32(?), ref: 0041E3C7
ChangeClipboardChain.USER32(?,?), ref: 0041E409

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Clipboard$ChainChangeMessagePostViewer
String ID:
API String ID: 1822368796-0
Opcode ID: 9f357267cdd85439ebab49ec5f4f376c8b4d1175ffca5a965d773f8e61da975f
Instruction ID: d9b452989ced23a826708364905ad1171823d84fcb553d290879446dc1a04739
Opcode Fuzzy Hash: 9f357267cdd85439ebab49ec5f4f376c8b4d1175ffca5a965d773f8e61da975f
Instruction Fuzzy Hash: EF016D34642340DFDB10CB39AC84BA63BA4E74A780F1C003BAC45C72A0C774E890EB5D

Function 0048B2EB Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 691COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004892AB

Strings

}, xrefs: 0048C2A3

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _memmove
String ID: }
API String ID: 4104443479-4239843852
Opcode ID: da11247270d2e3db546ef6486e631b6df5dee6c6c35cecbbf366ca76471400ed
Instruction ID: f4103ad70279ecbb000bdaa02c18dc892dcc31b0b98f7213dbb9343b116b4610
Opcode Fuzzy Hash: da11247270d2e3db546ef6486e631b6df5dee6c6c35cecbbf366ca76471400ed
Instruction Fuzzy Hash: 2B526975A093418FC724EF18C4806AFB7E1FF89314F148D6EE98987391D738A946CB96

Function 0044F3D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?), ref: 0044F3F4
GetUserNameW.ADVAPI32(?,?), ref: 0044F405

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 484acdd6b1c0c57ed577efa55293d0ceabe5b9d93c65d1706b9fa83a50fc031c
Instruction ID: 59f6158cd52cee6d3b4592464ab4dbd40d86dad764125a62828b85dd9a3d81e8
Opcode Fuzzy Hash: 484acdd6b1c0c57ed577efa55293d0ceabe5b9d93c65d1706b9fa83a50fc031c
Instruction Fuzzy Hash: 21019E305082018BD728DF24C5497AB77B1FF94304F44892DE896C7290FB78DA09C756

Function 00488700 Relevance: 2.0, Strings: 1, Instructions: 799COMMON

Download Yara Rule

Strings

{0,, xrefs: 00488971, 00488F22

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: {0,
API String ID: 0-1249576115
Opcode ID: 248e26cdf45dbe5b5d23807502433a6f30b32163b181bd71d31e63368b07f6b3
Instruction ID: 575e3a071f55b89f28538b0aa87fd19eabe8177bebc980e57c9f85417fc1f8ec
Opcode Fuzzy Hash: 248e26cdf45dbe5b5d23807502433a6f30b32163b181bd71d31e63368b07f6b3
Instruction Fuzzy Hash: 2732383260461547C734BA28E88137E7391FB81324F9C4E3FE854C67D5EB2E998AD35A

Function 004A7655 Relevance: .2, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: be0ff70005ee51896e6d30d6bd3abf013f6eb977b6c8c78f1f93ed9f393cc39a
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 10617A759043158FCB28CF48C89469ABBF2FF95310F2AC5AED8095B361D7B4A945CBC8

Function 0040D3B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4f874815ee760f27c5a8d394161a2b9e2656fa4f507e5568db7478bd83a19f
Instruction ID: 8d96babd4026a849341dd8854424beb6069252471f928d2b60ee30f67e679201
Opcode Fuzzy Hash: 5e4f874815ee760f27c5a8d394161a2b9e2656fa4f507e5568db7478bd83a19f
Instruction Fuzzy Hash: 1841DD979189110FFB140919B4F23F3ABD2CBB2332F159967D1D447BC2D22AA98FE650

Function 0041C130 Relevance: 94.7, APIs: 27, Strings: 27, Instructions: 219COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C148
__wcsicoll.LIBCMT ref: 0041C15D

Strings

StatusBar, xrefs: 0041C329
Radio, xrefs: 0041C196
Hotkey, xrefs: 0041C314
Link, xrefs: 0041C353
Edit, xrefs: 0041C157
GroupBox, xrefs: 0041C2A9
Tab3, xrefs: 0041C294
DropDownList, xrefs: 0041C1C1
Pic, xrefs: 0041C2BE
Slider, xrefs: 0041C240
Progress, xrefs: 0041C255
Checkbox, xrefs: 0041C181
Custom, xrefs: 0041C368
Tab, xrefs: 0041C26A
Picture, xrefs: 0041C2D4
ComboBox, xrefs: 0041C1D7
DateTime, xrefs: 0041C2EA
Text, xrefs: 0041C142
Button, xrefs: 0041C16C
MonthCal, xrefs: 0041C2FF
ActiveX, xrefs: 0041C33E
Tab2, xrefs: 0041C27F
DDL, xrefs: 0041C1AB
UpDown, xrefs: 0041C22B
TreeView, xrefs: 0041C216
ListBox, xrefs: 0041C1EC
ListView, xrefs: 0041C201

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: ActiveX$Button$Checkbox$ComboBox$Custom$DDL$DateTime$DropDownList$Edit$GroupBox$Hotkey$Link$ListBox$ListView$MonthCal$Pic$Picture$Progress$Radio$Slider$StatusBar$Tab$Tab2$Tab3$Text$TreeView$UpDown
API String ID: 3832890014-2446625512
Opcode ID: 2901f291a698eb6e24ceb44a4213e4981d5e4937b95ba8c36b4378ab764076ac
Instruction ID: cf11397bbc3c6731868d0f736e2aa95a186b88ff6e4dce671b0ff68a31e34f32
Opcode Fuzzy Hash: 2901f291a698eb6e24ceb44a4213e4981d5e4937b95ba8c36b4378ab764076ac
Instruction Fuzzy Hash: 5F51C4A9EC5A11319F12212A2D43BEF25481CA1B4BBD4507FFC14E4343F78D9A4BA0BE

Function 0041E010 Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 253windowregistryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E042

Part of subcall function 00481680: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,76944BD0,?,004DA6C0,00000000,FFFFFF61,00000000,00000000,00000000,76944BD0,?,004DA6C0), ref: 00481699
Part of subcall function 00481680: FindResourceW.KERNEL32(?,?,0000000E), ref: 004816FF
Part of subcall function 00481680: LoadResource.KERNEL32(?,00000000), ref: 0048170F
Part of subcall function 00481680: LockResource.KERNEL32(00000000), ref: 0048171E
Part of subcall function 00481680: GetSystemMetrics.USER32(0000000B), ref: 00481746
Part of subcall function 00481680: FindResourceW.KERNEL32(?,?,00000003), ref: 004817A6
Part of subcall function 00481680: LoadResource.KERNEL32(?,00000000), ref: 004817B4
Part of subcall function 00481680: LockResource.KERNEL32(00000000), ref: 004817BF

GetSystemMetrics.USER32(00000031), ref: 0041E08C

Part of subcall function 00481680: EnumResourceNamesW.KERNEL32 ref: 004816E6
Part of subcall function 00481680: SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004817DA
Part of subcall function 00481680: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 004817E2
Part of subcall function 00481680: ExtractIconW.SHELL32(00000000,?,?), ref: 00481822

LoadCursorW.USER32(00000000,00007F00), ref: 0041E0BC
RegisterClassExW.USER32 ref: 0041E0E1
RegisterClassExW.USER32(?), ref: 0041E12A
GetForegroundWindow.USER32 ref: 0041E131
GetClassNameW.USER32(00000000,?,00000040), ref: 0041E143
__wcsicoll.LIBCMT ref: 0041E157
CreateWindowExW.USER32(00000000,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,?,00000000), ref: 0041E1AE
GetMenu.USER32(00000000), ref: 0041E1DE
EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 0041E1EE
CreateWindowExW.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041E235
GetDC.USER32(00000000), ref: 0041E245
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E27E
MulDiv.KERNEL32(0000000A,00000000), ref: 0041E287
CreateFontW.GDI32(00000000), ref: 0041E290
ReleaseDC.USER32(?,00000000), ref: 0041E2A3
SendMessageW.USER32(?,00000030,?,00000000), ref: 0041E2C0
SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 0041E2D2
ShowWindow.USER32(?,00000000), ref: 0041E2E2
ShowWindow.USER32(?,00000000), ref: 0041E2ED
ShowWindow.USER32(?,00000006), ref: 0041E2FC
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0041E308
LoadAcceleratorsW.USER32(?,000000D4), ref: 0041E31A

Part of subcall function 0041E450: _memset.LIBCMT ref: 0041E460
Part of subcall function 0041E450: _wcsncpy.LIBCMT ref: 0041E4D2
Part of subcall function 0041E450: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0041E4E5

Strings

RegClass, xrefs: 0041E0F9
Consolas, xrefs: 0041E254
Lucida Console, xrefs: 0041E25B, 0041E260
edit, xrefs: 0041E22E
AutoHotkey2, xrefs: 0041E11A
Shell_TrayWnd, xrefs: 0041E151
AutoHotkey, xrefs: 0041E065, 0041E1A3
0, xrefs: 0041E05D
CreateWindow, xrefs: 0041E1CA
0-#v, xrefs: 0041E287

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMenuMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnableEnumExtractFontForegroundFromItemLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
String ID: 0$0-#v$AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit
API String ID: 2663150501-127425354
Opcode ID: 27695deff8b8e19a3f4e35cd14154023138713e620d633747618fa860ddefe17
Instruction ID: 441e70ead37ee4330271e54fc4a76f266eb80d233ad2c8c4d28c4210b5f82463
Opcode Fuzzy Hash: 27695deff8b8e19a3f4e35cd14154023138713e620d633747618fa860ddefe17
Instruction Fuzzy Hash: 8581D875B45300BBE7209B61DC45FA73BA8EB45B04F14052BFA05AB2D0D7B9A844CB6D

Function 00478210 Relevance: 59.7, APIs: 17, Strings: 17, Instructions: 178COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047823F
__wcsicoll.LIBCMT ref: 0047825C
__wcsicoll.LIBCMT ref: 0047828E
__wcsicoll.LIBCMT ref: 004782A2
__wcsicoll.LIBCMT ref: 004782BB
__wcsicoll.LIBCMT ref: 004782D4
__wcsicoll.LIBCMT ref: 0047831C

Strings

HasKey, xrefs: 00478316
Clone, xrefs: 004783A3
InsertAt, xrefs: 00478288
Pop, xrefs: 0047826F
Count, xrefs: 004782CE
Delete, xrefs: 004782B5
NewEnum, xrefs: 00478333
MaxIndex, xrefs: 004783BC
Push, xrefs: 00478256
Remove, xrefs: 00478407
GetAddress, xrefs: 00478350
Insert, xrefs: 004783EE
GetCapacity, xrefs: 00478369
RemoveAt, xrefs: 0047829C
SetCapacity, xrefs: 00478386
Length, xrefs: 00478239
MinIndex, xrefs: 004783D5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Clone$Count$Delete$GetAddress$GetCapacity$HasKey$Insert$InsertAt$Length$MaxIndex$MinIndex$NewEnum$Pop$Push$Remove$RemoveAt$SetCapacity
API String ID: 3832890014-408958126
Opcode ID: fa9619153ed001410901670b790e5ed096840b1ac585f5c7f0fd13acecdbb93f
Instruction ID: 44df8864a19dd29b3c4f6dd573658532d1c1f656c0b8604ade01b3a4aa2f8cbb
Opcode Fuzzy Hash: fa9619153ed001410901670b790e5ed096840b1ac585f5c7f0fd13acecdbb93f
Instruction Fuzzy Hash: 72415EB2A8952122EF61312E7D0ABEB15884B6131BF15407FF808C5287FA8D9D9391ED

Function 0041C480 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 143COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C498
__wcsicoll.LIBCMT ref: 0041C4B0

Strings

ChooseString, xrefs: 0041C5FA
TabRight, xrefs: 0041C59A
Hide, xrefs: 0041C50A
Uncheck, xrefs: 0041C4AA
Show, xrefs: 0041C4F2
Delete, xrefs: 0041C5CA
Enable, xrefs: 0041C4C2
Disable, xrefs: 0041C4DA
ShowDropDown, xrefs: 0041C552
EditPaste, xrefs: 0041C612
Choose, xrefs: 0041C5E2
Style, xrefs: 0041C522
Check, xrefs: 0041C492
HideDropDown, xrefs: 0041C56A
Add, xrefs: 0041C5B2
ExStyle, xrefs: 0041C53A
TabLeft, xrefs: 0041C582

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Add$Check$Choose$ChooseString$Delete$Disable$EditPaste$Enable$ExStyle$Hide$HideDropDown$Show$ShowDropDown$Style$TabLeft$TabRight$Uncheck
API String ID: 3832890014-3688457572
Opcode ID: 2a6be5d219d4ed8a113b9e379ae1d1e566e37d0fc14a8626d18e487f6ae433cc
Instruction ID: 360c7f25003bc87261ed12e04d3bff2f31548cb06d1fe73cb1f9401970a5b75d
Opcode Fuzzy Hash: 2a6be5d219d4ed8a113b9e379ae1d1e566e37d0fc14a8626d18e487f6ae433cc
Instruction Fuzzy Hash: F6316EA5B85A1132EF12212E5D43BEB25495BA0B4BFD4407BFC04D4282F78DEE5390BE

Function 0041C630 Relevance: 52.6, APIs: 15, Strings: 15, Instructions: 127COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C648
__wcsicoll.LIBCMT ref: 0041C660

Strings

Choice, xrefs: 0041C6BA
Visible, xrefs: 0041C672
Enabled, xrefs: 0041C65A
Selected, xrefs: 0041C74A
Line, xrefs: 0041C732
CurrentLine, xrefs: 0041C702
LineCount, xrefs: 0041C6EA
Checked, xrefs: 0041C642
CurrentCol, xrefs: 0041C71A
List, xrefs: 0041C6D2
Style, xrefs: 0041C762
Hwnd, xrefs: 0041C792
FindString, xrefs: 0041C6A2
Tab, xrefs: 0041C68A
ExStyle, xrefs: 0041C77A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Checked$Choice$CurrentCol$CurrentLine$Enabled$ExStyle$FindString$Hwnd$Line$LineCount$List$Selected$Style$Tab$Visible
API String ID: 3832890014-586525042
Opcode ID: a168fbf5ab8b9a9616839f05cd6ecc3d583be5aefb81053bf2bc12838a226441
Instruction ID: bd5c2008093ed378fadac1c4745cb4461a6cfa7f979c773bb9cc87ad6b6f8323
Opcode Fuzzy Hash: a168fbf5ab8b9a9616839f05cd6ecc3d583be5aefb81053bf2bc12838a226441
Instruction Fuzzy Hash: 363178A5A84A1122EF12212A5D43BEB68495BA1B4BFD4403BFC04C53C3F78DDA5780AE

Function 0041B500 Relevance: 47.4, APIs: 14, Strings: 13, Instructions: 143COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0041B529

Part of subcall function 00499840: wcstoxq.LIBCMT ref: 00499861

__wcsicoll.LIBCMT ref: 0041B550
__wcsicoll.LIBCMT ref: 0041B566
__wcsicoll.LIBCMT ref: 0041B57C

Strings

Loudness, xrefs: 0041B5C7
StereoEnh, xrefs: 0041B5E2
Vol, xrefs: 0041B54A
QSoundPan, xrefs: 0041B633
Pan, xrefs: 0041B618
Equalizer, xrefs: 0041B684
Mono, xrefs: 0041B5AC
Bass, xrefs: 0041B64E
BassBoost, xrefs: 0041B5FD
Mute, xrefs: 0041B591
OnOff, xrefs: 0041B576
Treble, xrefs: 0041B669
Volume, xrefs: 0041B560

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$__wcstoi64wcstoxq
String ID: Bass$BassBoost$Equalizer$Loudness$Mono$Mute$OnOff$Pan$QSoundPan$StereoEnh$Treble$Vol$Volume
API String ID: 1236819900-1456001458
Opcode ID: 7328845727f1ffc28bde7bfd91f1ceb2e0da66f9eadefb1f51ce874c98274b3b
Instruction ID: 3b58f78f2b15da3226cb278668071b50ffa1cd2ce30bfdd18102c7837e68b0e7
Opcode Fuzzy Hash: 7328845727f1ffc28bde7bfd91f1ceb2e0da66f9eadefb1f51ce874c98274b3b
Instruction Fuzzy Hash: 9031CBE1E4561132DF12312A2D03BDB64455BB1B4BF99407AFC0895382F78E9A9A81FE

Function 004594C0 Relevance: 46.0, APIs: 17, Strings: 9, Instructions: 458windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,00000000), ref: 0045958E
__wcsicoll.LIBCMT ref: 004596CE
__wcsnicmp.LIBCMT ref: 004596F9
__wcsicoll.LIBCMT ref: 0045970E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00459974
SendMessageW.USER32(00000000,0000113F,00000000,00000008), ref: 004599D0
SendMessageW.USER32(00000000,00001114,00000000,?), ref: 00459A03
SendMessageW.USER32(00000000,0000110B,00000005,?), ref: 00459A1F
SendMessageW.USER32(?,0000110B,?,?), ref: 00459A3B

Strings

", xrefs: 0045986C
Sort, xrefs: 00459887
First, xrefs: 00459708, 004598DF
Bold, xrefs: 00459740
Icon, xrefs: 00459850
Select, xrefs: 004596C5
Vis, xrefs: 004596F3
Check, xrefs: 004597FC
Expand, xrefs: 0045978A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$__wcsicoll$__wcsnicmp
String ID: "$Bold$Check$Expand$First$Icon$Select$Sort$Vis
API String ID: 2665471568-3379154359
Opcode ID: 997216da964c0083502cc30a5e89d3c2c855407d8c0d358e1c7dbdbe2ccd8c10
Instruction ID: 4764b7c008dc99075ff7a6a461663adcf378453d4a1a8a79360eea8092d13d86
Opcode Fuzzy Hash: 997216da964c0083502cc30a5e89d3c2c855407d8c0d358e1c7dbdbe2ccd8c10
Instruction Fuzzy Hash: FEF180B1604341EBD7209F25888176BB7E4AF95306F14882FFC8997382E378DD49CB5A

Function 0045B2A0 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 199COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045B2F6
__wcsnicmp.LIBCMT ref: 0045B31D
__fassign.LIBCMT ref: 0045B34E

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

__wcsicoll.LIBCMT ref: 0045B381

Strings

JoyButtons, xrefs: 0045B44B
JoyY, xrefs: 0045B395
JoyU, xrefs: 0045B3E3
JoyV, xrefs: 0045B3FD
JoyZ, xrefs: 0045B3AF
JoyInfo, xrefs: 0045B47F
JoyX, xrefs: 0045B37B
JoyName, xrefs: 0045B431
Joy, xrefs: 0045B317
JoyPOV, xrefs: 0045B417
JoyR, xrefs: 0045B3C9
JoyAxes, xrefs: 0045B465

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign$__wcsicoll__wcsnicmp
String ID: Joy$JoyAxes$JoyButtons$JoyInfo$JoyName$JoyPOV$JoyR$JoyU$JoyV$JoyX$JoyY$JoyZ
API String ID: 3933591233-249873715
Opcode ID: ff9f24b94457d12aa57e7e9472f55303e2375b5d8dea6389a18f077d043d2191
Instruction ID: e4d2329740c585aab2003d12bb5678fddcb3f9621b2ebb356fc5bcf59287bdb2
Opcode Fuzzy Hash: ff9f24b94457d12aa57e7e9472f55303e2375b5d8dea6389a18f077d043d2191
Instruction Fuzzy Hash: 0C417362A4461022EF21252E7C82BFF56898FA2757F15407BFC44E5283F78D8D8B50EE

Function 004667B0 Relevance: 44.2, APIs: 17, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

Out of memory., xrefs: 00466B0A
Menu does not exist., xrefs: 00466D3E
Parameter #2 invalid., xrefs: 00466C73
Could not create window., xrefs: 00466B8C
+LastFoundExist, xrefs: 00466967
NoHide, xrefs: 00466D9A
Invalid Gui name., xrefs: 004667F8
Parameter #1 invalid., xrefs: 00466831

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoui64
String ID: +LastFoundExist$Could not create window.$Invalid Gui name.$Menu does not exist.$NoHide$Out of memory.$Parameter #1 invalid.$Parameter #2 invalid.
API String ID: 3882282163-3244194469
Opcode ID: b0524672b85ba4720a418da6cf880f6c0321b874aaaa9342ef857da1374db196
Instruction ID: 8fed147f907bf6eff4893a3a777525d66df59293421ca44c660cd904adf21561
Opcode Fuzzy Hash: b0524672b85ba4720a418da6cf880f6c0321b874aaaa9342ef857da1374db196
Instruction Fuzzy Hash: E4029FB1A09300DBC710EF65D841A6B7BA4AB84708F05462FF9469B352F679ED04CB9B

Function 00442070 Relevance: 44.1, APIs: 22, Strings: 3, Instructions: 381COMMON

Download Yara Rule

Strings

+-^, xrefs: 004422CE
Parameter #1 invalid., xrefs: 00442094
Off, xrefs: 00442188

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: +-^$Off$Parameter #1 invalid.
API String ID: 3832890014-3419364491
Opcode ID: a6deb76571c3256fccdde9498a9ef4c97abb1712874da43a5a9c45ea0107f73c
Instruction ID: a9869502c2463e5c491b00f1daaed527760db5490b4bbb1d9e9abb1972f94f4b
Opcode Fuzzy Hash: a6deb76571c3256fccdde9498a9ef4c97abb1712874da43a5a9c45ea0107f73c
Instruction Fuzzy Hash: 73C149326443106BE730AF349D44BBB7BA4AB86724F50063BF951A72C1C7BD9D05C3AA

Function 00471450 Relevance: 43.9, APIs: 29, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a5ab4921aa3f2953b9e563fece6b2040fccb08ff2cd66a3ff285576d597cd7
Instruction ID: c418dee636523a824421918fb10bdfb1826edc2758b6bdd120931515686bcf98
Opcode Fuzzy Hash: b6a5ab4921aa3f2953b9e563fece6b2040fccb08ff2cd66a3ff285576d597cd7
Instruction Fuzzy Hash: 6CD142326002059BD720DF69EE48BEB77A8FB85311F04852BFA4DD7291D7B89C11C7A9

Function 0045C4F0 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000007), ref: 0045C509
GetSystemMetrics.USER32(00000007), ref: 0045C517
GetSystemMetrics.USER32(00000004), ref: 0045C51F
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0045C530
IsWindow.USER32(?), ref: 0045C56A
DestroyWindow.USER32(?,?,?,?,00000000), ref: 0045C57A
CreateWindowExW.USER32(00000008,AutoHotkey2,?,88C00000,?,?,00000000,?,?,00000000,?,00000000), ref: 0045C5BA
GetClientRect.USER32(00000000,?), ref: 0045C5C7
CreateWindowExW.USER32(00000000,static,?,50000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 0045C608
CreateDCW.GDI32(DISPLAY,?,?,?), ref: 0045C624
_wcsncpy.LIBCMT ref: 0045C642
EnumFontFamiliesExW.GDI32(00000000,?,00480B40,?,00000000,?,?,00000000), ref: 0045C669
GetStockObject.GDI32(00000011), ref: 0045C69B
SelectObject.GDI32(00000000,00000000), ref: 0045C6A3
GetTextFaceW.GDI32(00000000,00000040,?), ref: 0045C6B4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045C6BD
DeleteDC.GDI32(00000000), ref: 0045C6C6
CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045C704
SendMessageW.USER32(00000000,00000030,?,00000001), ref: 0045C715
ShowWindow.USER32(?,00000004,?,?,?,00000000), ref: 0045C724

Strings

DISPLAY, xrefs: 0045C61C
Segoe UI, xrefs: 0045C630
AutoHotkey2, xrefs: 0045C5A9
static, xrefs: 0045C601

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$CreateSystem$Metrics$FontObject$CapsClientDeleteDestroyDeviceEnumFaceFamiliesInfoMessageParametersRectSelectSendShowStockText_wcsncpy
String ID: AutoHotkey2$DISPLAY$Segoe UI$static
API String ID: 2836835088-4085670783
Opcode ID: 45cd28ff753d53c51eb3a08d518f10fba634f883b99fb002f19dd95e68a10997
Instruction ID: be050891f345bdcc3dff80673354fe8a1bc207103d3dabe985dff002acf5ea75
Opcode Fuzzy Hash: 45cd28ff753d53c51eb3a08d518f10fba634f883b99fb002f19dd95e68a10997
Instruction Fuzzy Hash: CF61D671644300BFE314DB64DC4AFAB7BE8EB89B04F04452DFA09D72D1D6B4A905CB69

Function 0041D240 Relevance: 42.1, APIs: 12, Strings: 12, Instructions: 101COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D258
__wcsicoll.LIBCMT ref: 0041D270

Strings

Number, xrefs: 0041D282
Date, xrefs: 0041D2B2
Integer, xrefs: 0041D252
Float, xrefs: 0041D26A
Upper, xrefs: 0041D324
Xdigit, xrefs: 0041D2DC
Alnum, xrefs: 0041D2F4
Time, xrefs: 0041D29A
Alpha, xrefs: 0041D30C
Digit, xrefs: 0041D2C4
Space, xrefs: 0041D354
Lower, xrefs: 0041D33C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Alnum$Alpha$Date$Digit$Float$Integer$Lower$Number$Space$Time$Upper$Xdigit
API String ID: 3832890014-3813714638
Opcode ID: a1d1bb18f098e7ce648c934f1b50fae8254401a79685c194322b59a2f3e79781
Instruction ID: ebb7f230caecdf28871441904cd33f103267cef10d7addf5b143c3b2238c979b
Opcode Fuzzy Hash: a1d1bb18f098e7ce648c934f1b50fae8254401a79685c194322b59a2f3e79781
Instruction Fuzzy Hash: 602149E5E4561122EF22712E5D03BEB24495FA1B4BF86407AFC14D1382F68DDA8790AE

Function 004143C0 Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 128COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004143D0
__wcsicoll.LIBCMT ref: 004143E6
__wcsicoll.LIBCMT ref: 004143FC

Part of subcall function 00499409: __wcsicmp_l.LIBCMT ref: 00499489

__wcsicoll.LIBCMT ref: 00414412
__wcsicoll.LIBCMT ref: 00414428
__wcsicoll.LIBCMT ref: 0041443E
__wcsicoll.LIBCMT ref: 00414454
__wcsicoll.LIBCMT ref: 0041446C

Strings

MIDDLE, xrefs: 00414422
WheelDown, xrefs: 004144B1
LEFT, xrefs: 004143CA
WheelLeft, xrefs: 004144D5
RIGHT, xrefs: 004143F6
WheelRight, xrefs: 004144F9
WheelUp, xrefs: 00414489

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: LEFT$MIDDLE$RIGHT$WheelDown$WheelLeft$WheelRight$WheelUp
API String ID: 3172861507-1318937625
Opcode ID: 871f8077f7d165b0b753eaa30569fc0ba2e7ce4ba664e2e6877f44c96bfd9ed5
Instruction ID: 14f48a568263ad753b36f23830c02888d00734b74cdf2b62df146ab359c2529a
Opcode Fuzzy Hash: 871f8077f7d165b0b753eaa30569fc0ba2e7ce4ba664e2e6877f44c96bfd9ed5
Instruction Fuzzy Hash: CD31C5A1A4561132EF12253A5E07BEB14894FE1747F99007FB904E12C3F68DDB9790BE

Function 0043D1C0 Relevance: 38.8, APIs: 17, Strings: 5, Instructions: 295windowCOMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0043D1E2

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

IsWindow.USER32(?), ref: 0043D225
DestroyWindow.USER32(?), ref: 0043D230
GetCursorPos.USER32 ref: 0043D284
MonitorFromPoint.USER32(?,?,00000002), ref: 0043D2FA
GetMonitorInfoW.USER32 ref: 0043D314
_memset.LIBCMT ref: 0043D35C
IsWindow.USER32(?), ref: 0043D38A
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0043D3C7
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0043D3E7
SendMessageW.USER32(00000000,0000041F,00000000,?), ref: 0043D412
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0043D432
SendMessageW.USER32(00000000,00000412,00000000,?), ref: 0043D451
SendMessageW.USER32(00000000,00000439,00000000,?), ref: 0043D482
GetWindowRect.USER32(00000000,?), ref: 0043D49C
SendMessageW.USER32(00000000,00000412,00000000,?), ref: 0043D536
SendMessageW.USER32(00000000,00000411,00000001,?), ref: 0043D545

Strings

, xrefs: 0043D379
Max window number is 20., xrefs: 0043D562
(, xrefs: 0043D309
,, xrefs: 0043D371
tooltips_class32, xrefs: 0043D3BB

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Window$Monitor$CreateCursorDestroyFromInfoPointRect__fassign_memsetwcstoxl
String ID: $($,$Max window number is 20.$tooltips_class32
API String ID: 3638321345-788377568
Opcode ID: ab33431602c28c16e0ffe96b82471f2814f508758258a9c70693ab2e136e758d
Instruction ID: 6813e2b45c8f004794b356349b0cbb727b598bf36e81c4c0f5d20437d5990eba
Opcode Fuzzy Hash: ab33431602c28c16e0ffe96b82471f2814f508758258a9c70693ab2e136e758d
Instruction Fuzzy Hash: 56B190719083049FD320DF58EC84B6BBBF4EBC9704F10492EF58497291D7B8A948CB9A

Function 00451230 Relevance: 38.7, APIs: 11, Strings: 11, Instructions: 244COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00451291
__wcsicoll.LIBCMT ref: 004512EE
__wcsicoll.LIBCMT ref: 00451308
__wcsicoll.LIBCMT ref: 00451322
__wcsicoll.LIBCMT ref: 0045133C
__wcsicoll.LIBCMT ref: 00451356
__wcsicoll.LIBCMT ref: 00451370
__wcsicoll.LIBCMT ref: 0045138A
__wcsicoll.LIBCMT ref: 004513A4
__wcsicoll.LIBCMT ref: 004513BE
__wcsicoll.LIBCMT ref: 004513D8

Strings

WStr, xrefs: 004513D2
Ptr, xrefs: 0045131C
Char, xrefs: 00451350
AStr, xrefs: 004513B8
Float, xrefs: 00451384
Str, xrefs: 00451302
*pP, xrefs: 004512B4
Short, xrefs: 00451336
Int, xrefs: 004512E8
Int64, xrefs: 0045136A
Double, xrefs: 0045139E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$_wcsncpy
String ID: *pP$AStr$Char$Double$Float$Int$Int64$Ptr$Short$Str$WStr
API String ID: 1630244902-313837492
Opcode ID: 250b977920e5da3facc1f2e8760c7cabdce9ca42ee068587c241f30fc67022f8
Instruction ID: 22adc98ab5d999a66ddcd31eaaecf3ef09abb8fb6de086155b7e8ae5ad3885ae
Opcode Fuzzy Hash: 250b977920e5da3facc1f2e8760c7cabdce9ca42ee068587c241f30fc67022f8
Instruction Fuzzy Hash: 7B71F2B260030556CB20DA55A8817BB7394AB81357F98842FFD44C6292F67ED94EC3AA

Function 004585E0 Relevance: 37.2, APIs: 12, Strings: 9, Instructions: 439windowCOMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045877A
__wcsnicmp.LIBCMT ref: 004587C4
__wcsnicmp.LIBCMT ref: 00458811
__wcsnicmp.LIBCMT ref: 004588A3
__wcsnicmp.LIBCMT ref: 00458870

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

__wcsicoll.LIBCMT ref: 004588D2
SendMessageW.USER32(00000001,00001004,00000000,00000000), ref: 00458937

Strings

Col, xrefs: 0045886A
Focus, xrefs: 004587BE
Icon, xrefs: 0045889D
Select, xrefs: 00458771
Vis, xrefs: 004588CC
Check, xrefs: 0045880B
I, xrefs: 00458B6A
A, xrefs: 00458639
M, xrefs: 0045866E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsnicmp$MessageSend__fassign__wcsicoll
String ID: A$Check$Col$Focus$I$Icon$M$Select$Vis
API String ID: 1367502766-1624853574
Opcode ID: 720f314f86cadc04defba916246f4b7719cd944dceab27522d00f6a28798d380
Instruction ID: 383f3affeda5b0a7df26afd361c1898acb4e7e4ee0adf806cb1392a4c1eb7d42
Opcode Fuzzy Hash: 720f314f86cadc04defba916246f4b7719cd944dceab27522d00f6a28798d380
Instruction Fuzzy Hash: 2BF181B0A083418FD7209F25C88576BB7E5EB85305F14492FED85A7392DFB8D848CB5A

Function 0042E010 Relevance: 33.7, APIs: 6, Strings: 13, Instructions: 493COMMON

Download Yara Rule

Strings

Parameter #2 invalid., xrefs: 0042E4C2
Parameter #2 must match an existing #If expression., xrefs: 0042E66D
This line will never execute, due to %s preceding it., xrefs: 0042E5AE
Jumps cannot exit a FINALLY block., xrefs: 0042E63D
Delete, xrefs: 0042E4A0
Parameter #3 must be blank in this case., xrefs: 0042E65F
Parameter #1 invalid., xrefs: 0042E110
Cannot jump from inside a function to outside., xrefs: 0042E61B
Not, xrefs: 0042E395
Active, xrefs: 0042E3AA
Win, xrefs: 0042E37A
Exist, xrefs: 0042E3C0
Target label does not exist., xrefs: 0042E5F9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: Active$Cannot jump from inside a function to outside.$Delete$Exist$Jumps cannot exit a FINALLY block.$Not$Parameter #1 invalid.$Parameter #2 invalid.$Parameter #2 must match an existing #If expression.$Parameter #3 must be blank in this case.$Target label does not exist.$This line will never execute, due to %s preceding it.$Win
API String ID: 0-3205472345
Opcode ID: 9e58ec4d0b624433541576fdc1f3846e0c326d0d45cea99ac432bbaa2008a559
Instruction ID: b4bdbc3e400f61fc8d017331cdbdb666db32f451c08ca4aaf6f54dc64ab78d06
Opcode Fuzzy Hash: 9e58ec4d0b624433541576fdc1f3846e0c326d0d45cea99ac432bbaa2008a559
Instruction Fuzzy Hash: 7AF11270700261ABEB249E27E8057B733916B61758F98406BFC458B382EB7DDD85C36E

Function 00451510 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 181libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,?,?,?,00000000), ref: 00451537
GetModuleHandleW.KERNEL32(kernel32,?,00000000), ref: 00451543
GetModuleHandleW.KERNEL32(comctl32,?,00000000), ref: 0045154F
GetModuleHandleW.KERNEL32(gdi32,?,00000000), ref: 0045155B
_wcsncpy.LIBCMT ref: 00451577
_wcsrchr.LIBCMT ref: 00451593
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 004515C0
GetProcAddress.KERNEL32(00000000,?), ref: 004515E0
GetProcAddress.KERNEL32(?,?), ref: 0045162F
WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,00000000), ref: 0045165D
GetModuleHandleW.KERNEL32(?,?,?,?,?,00000000), ref: 0045166B
LoadLibraryW.KERNEL32(?,?,?,?,?,00000000), ref: 00451686
GetProcAddress.KERNEL32(00000000,?), ref: 004516BF
GetProcAddress.KERNEL32(00000000,?), ref: 004516E8

Strings

user32, xrefs: 00451532
gdi32, xrefs: 00451551
DllCall, xrefs: 00451694, 00451736
kernel32, xrefs: 00451539
comctl32, xrefs: 00451545

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
String ID: DllCall$comctl32$gdi32$kernel32$user32
API String ID: 1361463379-1793033601
Opcode ID: 4a66e51ec79bc4591fc50aea44f942e4f660af83507bcc19d5cacc0595c629f0
Instruction ID: bad41cd13a23302804f6c44f7f0421b67be71d430cf484c4473a340c18faea05
Opcode Fuzzy Hash: 4a66e51ec79bc4591fc50aea44f942e4f660af83507bcc19d5cacc0595c629f0
Instruction Fuzzy Hash: 41511A72A0030567C730DB64DCC5FABB3D9EB94710F05062BED4487392EBB9E80987A9

Function 004680D0 Relevance: 31.9, APIs: 13, Strings: 5, Instructions: 414COMMON

Download Yara Rule

Strings

%sY, xrefs: 00468310
%sW, xrefs: 0046837A
%sX, xrefs: 004682A6
%sH, xrefs: 004683E2
0-#v, xrefs: 004682EF, 00468359, 004683C7, 00468432

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoui64
String ID: %sH$%sW$%sX$%sY$0-#v
API String ID: 3882282163-2015483091
Opcode ID: b52bdff4dad9db26b87473a58fa66836fe5d568f64a8f0b4f8b24a99d4962441
Instruction ID: 7b2be640db927da8f634d05ab42af52b44dcdb53242448ab1d7e53b34c0f9e56
Opcode Fuzzy Hash: b52bdff4dad9db26b87473a58fa66836fe5d568f64a8f0b4f8b24a99d4962441
Instruction Fuzzy Hash: 24E1CEB1704201AFD710DF25DC95FAB77A9AB84704F044A2EF5458B391EB78EC05CBAA

Function 00470270 Relevance: 30.1, APIs: 15, Strings: 2, Instructions: 358windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047028C
SendMessageW.USER32(00000001,00000472,00000000,00000000), ref: 004702C6
SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0047031B
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00470337
SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0047034F
SendMessageW.USER32(?,00000408,00000000,00000000), ref: 00470385
SendMessageW.USER32(?,00001001,00000000,?), ref: 004703B4
GetWindowLongW.USER32(?,000000F0), ref: 00470401
SendMessageW.USER32(?,00001005,00000000,?), ref: 0047041A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004704A7
__wcsicoll.LIBCMT ref: 004704D6

Strings

Submit, xrefs: 00470284
Text, xrefs: 004704D0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$__wcsicoll$LongWindow
String ID: Submit$Text
API String ID: 4045105239-2749448349
Opcode ID: 9c9479df573bd128423765a655e133282eee4c233e05c5262a08bd31603a0d8f
Instruction ID: 2b9b72a7cc23475c40644d4b001709e62ae10f18069b6516ec0d452a9a6ac1ef
Opcode Fuzzy Hash: 9c9479df573bd128423765a655e133282eee4c233e05c5262a08bd31603a0d8f
Instruction Fuzzy Hash: 46B18E72344300A7D720AF299C46FA77798EB95715F108A7FFA48EB2C1C6B9E844C358

Function 00482560 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 268clipboardCOMMON

Download Yara Rule

APIs

EnumClipboardFormats.USER32(00000000), ref: 004825A3
GlobalSize.KERNEL32(00000000), ref: 004825E5
EnumClipboardFormats.USER32(00000000), ref: 0048260C
GlobalUnlock.KERNEL32(00000000), ref: 00482636
CloseClipboard.USER32 ref: 00482642

Strings

Out of memory., xrefs: 0048272B
Can't open clipboard for reading., xrefs: 00482576

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Clipboard$EnumFormatsGlobal$CloseSizeUnlock
String ID: Can't open clipboard for reading.$Out of memory.
API String ID: 1341988473-4067353709
Opcode ID: 5eac3d6cec7096029926d5e381ad5903b160d356fba62ae97ba60a1ea25f262b
Instruction ID: 740ca751b165b8f8b8da37cbef786be5684cf737a591ae7ee69ae7fba4c6c415
Opcode Fuzzy Hash: 5eac3d6cec7096029926d5e381ad5903b160d356fba62ae97ba60a1ea25f262b
Instruction Fuzzy Hash: 4991C3729003018BC721BF29DA4466FB7E4EB84750F554D2FE841A3360E7B8D945CBEA

Function 0040E4B0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 169threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00002000,0040E7E0,00000000,00000000,004D85A0), ref: 0040E50A
SetThreadPriority.KERNEL32(00000000,0000000F,?,00408CE2,?,00408938,An internal error has occurred in the debugger user.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E520
PostThreadMessageW.USER32(?,00000417,004062BD,00000000), ref: 0040E544
Sleep.KERNEL32(0000000A,?,00408CE2,?,00408938,An internal error has occurred in the debugger user.Continue running the script without the debugger?,?,?,004062BD,?), ref: 0040E550
GetTickCount.KERNEL32 ref: 0040E567
PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E58A
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd), ref: 0040E605
GetExitCodeThread.KERNEL32(?,?), ref: 0040E61A
GetTickCount.KERNEL32 ref: 0040E62A
Sleep.KERNEL32(00000000), ref: 0040E637
CloseHandle.KERNEL32(?), ref: 0040E64F

Part of subcall function 0040EB80: _free.LIBCMT ref: 0040EBED

CloseHandle.KERNEL32(?), ref: 0040E66F
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse), ref: 0040E694
CloseHandle.KERNEL32(?), ref: 0040E6AB

Strings

AHK Keybd, xrefs: 0040E5FC
AHK Mouse, xrefs: 0040E68B
Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 0040E6D9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Thread$CloseCreateHandle$CountMessageMutexSleepTick$CodeExitPeekPostPriority_free
String ID: AHK Keybd$AHK Mouse$Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
API String ID: 1532042170-3816831916
Opcode ID: b230ceeae324c15aed96bfb0430533f314b76b11f94dad4ac88c9105ae843b26
Instruction ID: 4e47ffe3bdd9164d24f60697a05b0d8bd7e6ca4e4b0069e4342a2315b7a798b2
Opcode Fuzzy Hash: b230ceeae324c15aed96bfb0430533f314b76b11f94dad4ac88c9105ae843b26
Instruction Fuzzy Hash: 9B512770509340AAE720EF72AC05B5A7F949B51308F084C7FF981A62E2D7FD9954CB5D

Function 0045D290 Relevance: 28.5, APIs: 13, Strings: 3, Instructions: 460windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C630: __wcsicoll.LIBCMT ref: 0041C648

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

SendMessageTimeoutW.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0045D308
IsWindowEnabled.USER32(00000000), ref: 0045D33C
IsWindowVisible.USER32(00000000), ref: 0045D366
SendMessageTimeoutW.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 0045D3A4
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D3DA
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D437
SendMessageTimeoutW.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 0045D49B
SendMessageTimeoutW.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045D4C1
SendMessageTimeoutW.USER32(00000000,00000189,?,00000000), ref: 0045D51A
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D5BF

Strings

Combo, xrefs: 0045D3E3, 0045D440, 0045D5F5
SysListView32, xrefs: 0045D5C8
List, xrefs: 0045D3FA, 0045D461, 0045D61A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
String ID: Combo$List$SysListView32
API String ID: 4132077911-371123625
Opcode ID: d1a763b8678a9109f1746a29f6018966e21d2c8333976550f998b3f4dbd8af26
Instruction ID: c79905c7d2559333bad2a7e6dfd45740cd3c71518115155d05284aff09525612
Opcode Fuzzy Hash: d1a763b8678a9109f1746a29f6018966e21d2c8333976550f998b3f4dbd8af26
Instruction Fuzzy Hash: 75F1B231E00205ABDB30DBA58C85BAF7774EF45715F10422AF911AB2C2D778AD4AC7A9

Function 0046B0DC Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysMonthCal32,004AF9BC,?,?,?,?,?,?,?,?,00000000), ref: 0046B165
SendMessageW.USER32(00000000,00001004,0000016E,00000000), ref: 0046B18E
SendMessageW.USER32(?,00001012,?,?), ref: 0046B1B1
SendMessageW.USER32(?,00001002,00000000,?), ref: 0046B22B
SendMessageW.USER32(?,0000100A,00000001,?), ref: 0046B24D
SendMessageW.USER32(?,00000030,?,?), ref: 0046B278
SendMessageW.USER32(?,00001009,00000000,?), ref: 0046B2AD
SendMessageW.USER32(?,00001015,00000000,00000000), ref: 0046B2D9
GetDC.USER32(?), ref: 0046B368
SelectObject.GDI32(00000000,?), ref: 0046B38A
GetTextMetricsW.GDI32(00000000,?), ref: 0046B3A1
MoveWindow.USER32(00000000,?,?,00000000,?,00000001,?,00001009,00000000,?,?,?,?,00000000), ref: 0046B434

Strings

SysMonthCal32, xrefs: 0046B15F
Can't create control., xrefs: 0046BB10

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Window$CreateMetricsMoveObjectSelectText
String ID: Can't create control.$SysMonthCal32
API String ID: 291046171-3692857110
Opcode ID: af5ddfb7c9e325cdcedafc63d67d3c00e85cae5f291e8e2bb77e48abbfab4ac3
Instruction ID: e15074e71b927b4a4be2e38e61de6e262df78ba3fcd49212043db95cc6896db9
Opcode Fuzzy Hash: af5ddfb7c9e325cdcedafc63d67d3c00e85cae5f291e8e2bb77e48abbfab4ac3
Instruction Fuzzy Hash: B5A14C70A08341AFD734DB14C895FAB77E5FB89704F10491EE98997390E7789881CB9B

Function 0044E100 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 252timeCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0044E11E
GetTickCount.KERNEL32 ref: 0044E12A
GetLocalTime.KERNEL32(004DB400), ref: 0044E14E
__swprintf.LIBCMT ref: 0044E16C

Strings

%03d, xrefs: 0044E166
%02d, xrefs: 0044E2E3, 0044E2FE, 0044E319, 0044E334, 0044E36B, 0044E386
MSec, xrefs: 0044E118

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountLocalTickTime__swprintf__wcsicoll
String ID: %02d$%03d$MSec
API String ID: 3794994719-2031959049
Opcode ID: 75af95b6452a60d9062f1fb2a88a9c9364053dbffff9b6b2003bb1ab6ab626ac
Instruction ID: d134a9e218522014b99d661dac36902b0603d91a7a68ed24a549a0bedd24c8ab
Opcode Fuzzy Hash: 75af95b6452a60d9062f1fb2a88a9c9364053dbffff9b6b2003bb1ab6ab626ac
Instruction Fuzzy Hash: 4B515877B414249AEA1097ABBC425BB335CF7E072A714027BF90DC12D3E66D881592FE

Function 00406440 Relevance: 28.2, APIs: 3, Strings: 13, Instructions: 190COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 00406478

Strings

name, xrefs: 004064A3
multiple_sessions, xrefs: 00406541
max_children, xrefs: 0040657F
protocol_version, xrefs: 004064FD
language_, xrefs: 00406467
max_depth, xrefs: 004065A4
version, xrefs: 004064C0
supports_async, xrefs: 00406511
max_data, xrefs: 00406555
breakpoint_types, xrefs: 00406525
supports_threads, xrefs: 00406486
<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>, xrefs: 00406634
encoding, xrefs: 004064E1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _strncmp
String ID: <response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>$breakpoint_types$encoding$language_$max_children$max_data$max_depth$multiple_sessions$name$protocol_version$supports_async$supports_threads$version
API String ID: 909875538-401246380
Opcode ID: c2f9b74efa22d3e9f4544e272cbf12310426dd0486a9b8a911e1358f26a1bfbb
Instruction ID: d2556a61637ab4671aefbc8fd80a6bfb1a141bee1598400973bd5894eb224af0
Opcode Fuzzy Hash: c2f9b74efa22d3e9f4544e272cbf12310426dd0486a9b8a911e1358f26a1bfbb
Instruction Fuzzy Hash: 4A513732A04208BBDB288E548C817973B55A701315F1AC477F906BF2C1DB7BCD6593AC

Function 00468620 Relevance: 27.2, APIs: 18, Instructions: 196windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00468673
SendMessageW.USER32(?,00000414,00000000,00000000), ref: 0046868C
DestroyIcon.USER32(00000000,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 00468693
IsWindow.USER32(00000000), ref: 004686A2
ShowWindow.USER32(00000000,00000000,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 004686B2
SetMenu.USER32(00000000,00000000), ref: 004686BE
DestroyWindow.USER32(00000000,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 004686D8
DeleteObject.GDI32(?), ref: 0046871F
DeleteObject.GDI32(?), ref: 00468733
DragFinish.SHELL32(?,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 00468747
DestroyIcon.USER32(?,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 0046877B
DeleteObject.GDI32(?), ref: 00468783
_free.LIBCMT ref: 00468793
DestroyIcon.USER32(?,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 004687FA
DestroyIcon.USER32(?,?,004D9B24,751E5780,7694FD10,0041DA41,?,?,?,?,?,00000000,00000000), ref: 00468801
DestroyAcceleratorTable.USER32(?), ref: 0046880B
_free.LIBCMT ref: 00468824

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Destroy$Icon$DeleteObjectWindow$MessageSend_free$AcceleratorDragFinishMenuShowTable
String ID:
API String ID: 3471955023-0
Opcode ID: 0897b52ce2ccdef060f882ef19fceb2ebb799a71ffb42a1950b07bceab24a9e6
Instruction ID: 7e70e907f13ef7ea1bf94592863e9da0516713b6fb85fa7f13e4e766bd0fcdf7
Opcode Fuzzy Hash: 0897b52ce2ccdef060f882ef19fceb2ebb799a71ffb42a1950b07bceab24a9e6
Instruction Fuzzy Hash: 91617EB5A002059BCB20DF64DC84B6B77A9BB45705F14862EF906D7341EF78EC01CBAA

Function 0041B2E0 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 209COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0041B2E9
__fassign.LIBCMT ref: 0041B32B

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

Strings

N/A, xrefs: 0041B4CF
Aux, xrefs: 0041B493
Digital, xrefs: 0041B3A3
Microphone, xrefs: 0041B3DF
Headphones, xrefs: 0041B385
Line, xrefs: 0041B3C1
Master, xrefs: 0041B351
Speakers, xrefs: 0041B36B
Analog, xrefs: 0041B4B1
Wave, xrefs: 0041B475
Telephone, xrefs: 0041B439
PCSpeaker, xrefs: 0041B457
Synth, xrefs: 0041B3FD

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign$_wcschr
String ID: Analog$Aux$Digital$Headphones$Line$Master$Microphone$N/A$PCSpeaker$Speakers$Synth$Telephone$Wave
API String ID: 3927346847-2477456585
Opcode ID: 807440ed7d8a4043fc01e7d36501dd3642ce5c0fd85e8fb26fdb5077d2f124e1
Instruction ID: 514343a7a175dd003931788d502404ba6bb8c36e7628bbc431df0bcd8e5ab511
Opcode Fuzzy Hash: 807440ed7d8a4043fc01e7d36501dd3642ce5c0fd85e8fb26fdb5077d2f124e1
Instruction Fuzzy Hash: AB515C3261412512DE21212D7D417EA318D8B9537AF28C73BFC3DDA3C6EB8D889452EA

Function 0046B4DC Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 197windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0046A83C
ReleaseDC.USER32(?,?), ref: 0046A84E
CreateWindowExW.USER32(?,msctls_updown32,004AF9BC,?,?,?,?,?,?,?,?,00000000), ref: 0046B54F
SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0046B573
GetWindowRect.USER32(?,?), ref: 0046B5A8
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0046B5B4
GetWindowRect.USER32(?,?), ref: 0046B5F2
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0046B5FE
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0046B64E
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0046B67C
SendMessageW.USER32(?,?,00000000,00000000), ref: 0046B743

Strings

msctls_updown32, xrefs: 0046B549
Can't create control., xrefs: 0046BB10
@, xrefs: 0046B6C9
d, xrefs: 0046B704

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$MessageMovePointsRectSend$CreateObjectReleaseSelect
String ID: @$Can't create control.$d$msctls_updown32
API String ID: 431196556-2282086589
Opcode ID: e145736d24e59873788bf10686fbc8f649771304afdeb1eb107eeae676b3af19
Instruction ID: 5e4ea78c4c87e5b60a8696e4cd53c2947b90e11772c4087e267017e684c7a572
Opcode Fuzzy Hash: e145736d24e59873788bf10686fbc8f649771304afdeb1eb107eeae676b3af19
Instruction Fuzzy Hash: 42810D70608380AFD724CF64C849FABBBE5EBC9704F14891EF98987291D7789845CB5B

Function 0040F160 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0040F178
__wcsicoll.LIBCMT ref: 0040F190

Strings

AltTabMenu, xrefs: 0040F1A2
AltTabAndMenu, xrefs: 0040F1BA
AltTabMenuDismiss, xrefs: 0040F1D2
Toggle, xrefs: 0040F221
ShiftAltTab, xrefs: 0040F18A
AltTab, xrefs: 0040F172
Off, xrefs: 0040F209

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Off$ShiftAltTab$Toggle
API String ID: 3832890014-1651597821
Opcode ID: 28bd729fac991b97375f51599cde9360995ff47be5afcc07d8e21ece8bc010de
Instruction ID: 00bee9903f18ae3c38702471433ed3d19759995753db6a5c7d3b62c54d26d9aa
Opcode Fuzzy Hash: 28bd729fac991b97375f51599cde9360995ff47be5afcc07d8e21ece8bc010de
Instruction Fuzzy Hash: 5B1170A4E0561131EF32292A5D027AB25455FA1707F88407FFC04E57C2F6ADEE5B80AE

Function 0043475A Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 253windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4
__wcsnicmp.LIBCMT ref: 00434768
_wcschr.LIBCMT ref: 0043479E
__swprintf.LIBCMT ref: 0043482E

Part of subcall function 00404040: __wcstoi64.LIBCMT ref: 00404050

__wcsnicmp.LIBCMT ref: 0043484D

Strings

v1j, xrefs: 00430A08
Integer, xrefs: 00434847
Float, xrefs: 00434762
%%%s%s%s, xrefs: 00434828

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick$__wcsnicmp$ClipboardCloseGlobalMessagePeekUnlock__swprintf__wcstoi64_wcschr
String ID: %%%s%s%s$Float$Integer$v1j
API String ID: 2402484164-2641105242
Opcode ID: be7645b442eebc592d3db814edc8125b6b1c05ea8c63ddb9976ee35116c98a60
Instruction ID: a795a7c27c1cfb6a6991a9997a0675f614bdf05a03f198ba6d36b679fd26eefe
Opcode Fuzzy Hash: be7645b442eebc592d3db814edc8125b6b1c05ea8c63ddb9976ee35116c98a60
Instruction Fuzzy Hash: CAA15571A043009BDB24DB24ECA576A37A1AB99318F18173FE4558B3E1D77C9C41CB5E

Function 0044B580 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 184windowCOMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0044B5BB
MessageBeep.USER32(00000000), ref: 0044B5D3

Part of subcall function 004998B8: __wcstoi64.LIBCMT ref: 004998C4

mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0044B60B
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0044B620
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044B642

Strings

close AHK_PlayMe, xrefs: 0044B61B, 0044B78E
status AHK_PlayMe mode, xrefs: 0044B606, 0044B6F3, 0044B767
play AHK_PlayMe, xrefs: 0044B69F
stopped, xrefs: 0044B710
open "%s" alias AHK_PlayMe, xrefs: 0044B623

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: SendString$__wcstoi64$BeepMessage
String ID: close AHK_PlayMe$open "%s" alias AHK_PlayMe$play AHK_PlayMe$status AHK_PlayMe mode$stopped
API String ID: 315599926-4077410995
Opcode ID: 443d257141ef1a723e97d29663eea0ebc3436fbc2848b6957c3a7a0823c45faa
Instruction ID: a59512be31c2f44ef7b952768743a444a8fa8e3aeae1832b1b1feec19a47f7ab
Opcode Fuzzy Hash: 443d257141ef1a723e97d29663eea0ebc3436fbc2848b6957c3a7a0823c45faa
Instruction Fuzzy Hash: 6E51287278030461F620A6249C83FF77350DBA5B25F24053BF640A92D1E7AEE98982FD

Function 0041C070 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 61COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C082

Strings

FocusV, xrefs: 0041C0AC
Focus, xrefs: 0041C094
Pos, xrefs: 0041C07C
Name, xrefs: 0041C10C
Hwnd, xrefs: 0041C0F4
Visible, xrefs: 0041C0DC
Enabled, xrefs: 0041C0C4

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Enabled$Focus$FocusV$Hwnd$Name$Pos$Visible
API String ID: 3832890014-542124868
Opcode ID: 6b0cf7baff83b24d1400e744c4f44a3e57d96c221cb9590e97726be5e30937fa
Instruction ID: bc9ac6e8ff72f6a7ffb4b5a15c0e54f315aedd7080a02c6bc87ecbb9040aad37
Opcode Fuzzy Hash: 6b0cf7baff83b24d1400e744c4f44a3e57d96c221cb9590e97726be5e30937fa
Instruction Fuzzy Hash: 5C0144E5A84A11B2EF12226D4C037E764455BA1B17FD5407AF904D52C2F38EDA57807E

Function 0045C760 Relevance: 24.3, APIs: 16, Instructions: 258windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

__wcsicoll.LIBCMT ref: 0045C7EA
GetSystemMenu.USER32(00000000,00000000), ref: 0045C7F8
GetMenu.USER32(00000000), ref: 0045C814
GetMenuItemCount.USER32(00000000), ref: 0045C829
__fassign.LIBCMT ref: 0045C8A9
GetMenuItemID.USER32(?,?), ref: 0045C8D0
GetSubMenu.USER32(?,?), ref: 0045C8DF
GetMenuItemCount.USER32(00000000), ref: 0045C8EA

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Menu$Item$CountWindow$ForegroundSystemVisible__fassign__wcsicoll
String ID:
API String ID: 3951159358-0
Opcode ID: 42e2dbe19847abb0c93aecc31c3886ec6805693b78a8517852eeeb95e40f8c78
Instruction ID: f786b000fcda9a4ca3e460338c6a59aabbfa3e864da7d3d57e48403bbf6adccc
Opcode Fuzzy Hash: 42e2dbe19847abb0c93aecc31c3886ec6805693b78a8517852eeeb95e40f8c78
Instruction Fuzzy Hash: 4F91C3B16043059FC720DF64DC85B6B7BE4EB89316F00492EFD9697282D778D908CB9A

Function 0042D3A0 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 410COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0042D400
__wcsicoll.LIBCMT ref: 0042D452
_memmove.LIBCMT ref: 0042D5BE
_memmove.LIBCMT ref: 0042D746
__wcsicoll.LIBCMT ref: 0042D78E
__wcsicoll.LIBCMT ref: 0042D82F
_memmove.LIBCMT ref: 0042D86A

Strings

Illegal parameter name., xrefs: 0042D48A
Out of memory., xrefs: 0042D6D1
", xrefs: 0042D4D8
ErrorLevel, xrefs: 0042D44C
Variable name too long., xrefs: 0042D3E2

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll_memmove$_wcsncpy
String ID: "$ErrorLevel$Illegal parameter name.$Out of memory.$Variable name too long.
API String ID: 3055118137-3900197193
Opcode ID: 3f2978ca08b5823e59234dcb84cac4d8f72408b5737be3d636cadafe55491627
Instruction ID: 597ed60744be9f5bb511461ab132ca5a6ba6c0cf59070a1053b609ac598c24a4
Opcode Fuzzy Hash: 3f2978ca08b5823e59234dcb84cac4d8f72408b5737be3d636cadafe55491627
Instruction Fuzzy Hash: 33E1E375A043158FC720DF18E880AABB3E1FF94318F54466EE84887351E779EE46CB96

Function 0045D050 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 133windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000020), ref: 0045D05C
SendMessageTimeoutW.USER32(?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D09E
GetParent.USER32 ref: 0045D0B4
SetLastError.KERNEL32(00000000,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D0C6
GetDlgCtrlID.USER32 ref: 0045D0CD
GetLastError.KERNEL32(?,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D0D9
SendMessageTimeoutW.USER32(00000000,00000111,?,?,00000002,000007D0,000000FF), ref: 0045D106
SendMessageTimeoutW.USER32(00000000,00000111,00000002,?,00000002,000007D0,000000FF), ref: 0045D12E
GetWindowLongW.USER32(?,000000F0), ref: 0045D154
SendMessageTimeoutW.USER32(?,0000018F,000000FF,?,00000002,000007D0,?), ref: 0045D199
SendMessageTimeoutW.USER32(?,00000185,00000001,?,00000002,000007D0,?), ref: 0045D1BD

Strings

Combo, xrefs: 0045D066
List, xrefs: 0045D13D

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSendTimeout$ErrorLast$ClassCtrlLongNameParentWindow
String ID: Combo$List
API String ID: 3027087493-1246219895
Opcode ID: 9d0bd323d2027afc60b7deb037bf2b3968fe2c55dec6f6482042ec59cd7cc6be
Instruction ID: b2f99dfb8b04b2abc930e2567c4349aaa6524976b9ac8e221910365341d07884
Opcode Fuzzy Hash: 9d0bd323d2027afc60b7deb037bf2b3968fe2c55dec6f6482042ec59cd7cc6be
Instruction Fuzzy Hash: 8B410A70A4470779E6209F209C46F7B36A8AF81B55F10432AFE50E51D1DBA8DC0A877A

Function 00443490 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 289COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004434DF

Strings

%sLeft, xrefs: 004435CB
%sBottom, xrefs: 00443667
Parameter #2 invalid., xrefs: 004434BB
%sTop, xrefs: 00443607
h, xrefs: 004434E8
%sRight, xrefs: 00443637

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _memset
String ID: %sBottom$%sLeft$%sRight$%sTop$Parameter #2 invalid.$h
API String ID: 2102423945-3189716140
Opcode ID: 361f6bbfd2fc1d4f5d9ddf487c0baddf788c4cc8aae2a36b47072e8ce631c801
Instruction ID: d4e7abf59d4070fa54747ad06f1ca0fe5cd917a949eecd05da3ed2bb8b2cc8d5
Opcode Fuzzy Hash: 361f6bbfd2fc1d4f5d9ddf487c0baddf788c4cc8aae2a36b47072e8ce631c801
Instruction Fuzzy Hash: 6D9196B13442006BD214EE19DC41FABB3A9EBC8B15F10852FF948DB391DA79DD1487AA

Function 00481680 Relevance: 21.2, APIs: 14, Instructions: 174windowlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,76944BD0,?,004DA6C0,00000000,FFFFFF61,00000000,00000000,00000000,76944BD0,?,004DA6C0), ref: 00481699
EnumResourceNamesW.KERNEL32 ref: 004816E6
FindResourceW.KERNEL32(?,?,0000000E), ref: 004816FF
LoadResource.KERNEL32(?,00000000), ref: 0048170F
LockResource.KERNEL32(00000000), ref: 0048171E
GetSystemMetrics.USER32(0000000B), ref: 00481746
FindResourceW.KERNEL32(?,?,00000003), ref: 004817A6
LoadResource.KERNEL32(?,00000000), ref: 004817B4
LockResource.KERNEL32(00000000), ref: 004817BF
SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 004817DA
CreateIconFromResourceEx.USER32(00000000,00000000), ref: 004817E2
FreeLibrary.KERNEL32(?), ref: 0048180D
ExtractIconW.SHELL32(00000000,?,?), ref: 00481822
ExtractIconW.SHELL32(00000000,?,-00000001), ref: 0048183F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
String ID:
API String ID: 2349713634-0
Opcode ID: 08ac8f00e448fbdf342f32d71c7537f2804a7e9b3184fe5ff9c2f73d14adf3dc
Instruction ID: 13f58265a7cc48dcbbfd2008fb6ef1652058c1a787efe3a169d90be1eb2d3334
Opcode Fuzzy Hash: 08ac8f00e448fbdf342f32d71c7537f2804a7e9b3184fe5ff9c2f73d14adf3dc
Instruction Fuzzy Hash: 3C51E775A04311ABD3206F649C44B6FBBDCEB85B51F440D2FFC46E62A0D778D8428769

Function 0046A859 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0046A83C
ReleaseDC.USER32(?,?), ref: 0046A84E
CreateWindowExW.USER32(?,Listbox,004AF9BC,?,?,?,?,?,?,?,?,00000000), ref: 0046A897
SendMessageW.USER32(00000000,00000192,?,?), ref: 0046A8BE
SendMessageW.USER32(?,00000030,?,?), ref: 0046A8F3
SendMessageW.USER32 ref: 0046A907
MulDiv.KERNEL32(00000008,?,00000060), ref: 0046A920
GetSystemMetrics.USER32(00000003), ref: 0046A933
MulDiv.KERNEL32(00000008,?,00000060), ref: 0046A965
GetSystemMetrics.USER32(00000003), ref: 0046A989

Strings

Listbox, xrefs: 0046A891
Can't create control., xrefs: 0046BB10

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$MetricsSystem$CreateObjectReleaseSelectWindow
String ID: Can't create control.$Listbox
API String ID: 1965186488-2192301428
Opcode ID: baf48676b500503453c6d8a50dd4e077d6e6bc2dc7b14010bf2dc5298513025f
Instruction ID: bad21f99aac3765a0d1e11e722ba0c15aa94cd761b4e5482c0c18f724483fc3a
Opcode Fuzzy Hash: baf48676b500503453c6d8a50dd4e077d6e6bc2dc7b14010bf2dc5298513025f
Instruction Fuzzy Hash: 6A518D75704340AFD724CB54CC94FAB77A9FB89700F14891EFA8A97280D774A805CB6B

Function 0047C180 Relevance: 19.8, APIs: 13, Instructions: 292registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,00000000,004AF9BC,00000000,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 0047C1D0
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?,?,?,?,00000000,?,?,?), ref: 0047C223
_malloc.LIBCMT ref: 0047C278
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,00000000,00000000), ref: 0047C2F1
_free.LIBCMT ref: 0047C2FA
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 0047C339
_malloc.LIBCMT ref: 0047C37F
RegCloseKey.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 0047C46B
GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 0047C476

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Value$_malloc$CloseCreateErrorLast_free
String ID:
API String ID: 1054883360-0
Opcode ID: 1e526ac73728ca32e499448e28cab08a46f28660050d793f9b52d95741b0c3df
Instruction ID: 0461442c398d0faff4db75e9c84df6d5c0e8cbe74f27a73c4e78cb77a220ba59
Opcode Fuzzy Hash: 1e526ac73728ca32e499448e28cab08a46f28660050d793f9b52d95741b0c3df
Instruction Fuzzy Hash: 499123716043019BC7209F64CCC1BE773A5EB88724F14CA2FF9099B291E7B8ED458759

Function 004706C7 Relevance: 19.8, APIs: 13, Instructions: 266windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004706CC
SendMessageW.USER32(?,00000190,00000000,00000000), ref: 004706E9
_malloc.LIBCMT ref: 004706FE

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234,?,0049E60D,00000018,004CFCF0,0000000C,0049E69D), ref: 00499913

SendMessageW.USER32(?,00000191,00000000,00000000), ref: 0047071A
_free.LIBCMT ref: 0047072E

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

__itow.LIBCMT ref: 00470773
__itow.LIBCMT ref: 004707F7
_free.LIBCMT ref: 004708CF
SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004708E9
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 0047090F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Heap__itow_free$AllocateErrorFreeLastLongWindow_malloc
String ID:
API String ID: 2838664992-0
Opcode ID: 21e246839c092f199b8d305fb097721d465521fdb8288fb7415574ddfc38fcce
Instruction ID: 0befb2e63560c981394e50c4b83afec71942ce3273bc7e2830535b9fd64d280f
Opcode Fuzzy Hash: 21e246839c092f199b8d305fb097721d465521fdb8288fb7415574ddfc38fcce
Instruction Fuzzy Hash: 7D8124716013019BD710EF28CC85BABB7A5EBD4714F10892EF949CB381D679E849CB9A

Function 00467110 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Icon, xrefs: 00467353

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoui64
String ID: Icon
API String ID: 3882282163-3316025061
Opcode ID: 5d9b4d442fbe6cd93e1b3edc4756a4248635910355e3758068181f3abc589fc4
Instruction ID: 8a493aa0fa0bef176bec299ea456ef39cb30a6f7b45cafd14f0dd07a348eb3f0
Opcode Fuzzy Hash: 5d9b4d442fbe6cd93e1b3edc4756a4248635910355e3758068181f3abc589fc4
Instruction Fuzzy Hash: 2AC1F371608300ABC720EF25DC45BAB77E4AB88718F04492FF9458B391E779A945CB9B

Function 0040C850 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 319COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040C8B3
_wcschr.LIBCMT ref: 0040C946
CharLowerW.USER32(00000000,00000000,?,?), ref: 0040C9BA
CharLowerW.USER32 ref: 0040C9C4
IsCharAlphaNumericW.USER32(00000000,00000000,?,?), ref: 0040C9FF
GetStringTypeExW.KERNEL32(00000400,00000004,?,00000001,?), ref: 0040CA1C
IsCharLowerW.USER32(?), ref: 0040CB07
IsCharUpperW.USER32 ref: 0040CB15
IsCharUpperW.USER32 ref: 0040CB2B

Strings

-()[]{}:;'"/\,.?! , xrefs: 0040C941

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Char$Lower$Upper$AlphaNumericStringType_memmove_wcschr
String ID: -()[]{}:;'"/\,.?!
API String ID: 1628729082-2658396598
Opcode ID: 1592bbc9d99e5a05f88d60f596bf099518008693f75998c1797d7456857f04d5
Instruction ID: 566deb9c9f5bca66a41344b492ad5c31fd05c47c317f437d972baf5ec3d35d52
Opcode Fuzzy Hash: 1592bbc9d99e5a05f88d60f596bf099518008693f75998c1797d7456857f04d5
Instruction Fuzzy Hash: CCC10571A08251CADB18CF29D4C167B7BE1EF85704F05063FEC89A7392E63A9844C79D

Function 004604E0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0046064F
__wcsicoll.LIBCMT ref: 00460668
__wcsicoll.LIBCMT ref: 004606BC
SysStringLen.OLEAUT32(?), ref: 004606EE
SysFreeString.OLEAUT32(?), ref: 00460702
__wcsicoll.LIBCMT ref: 00460721
StringFromGUID2.OLE32(?,?,00000100,?,?,?,?,?,?,?,00000000), ref: 00460752

Strings

class, xrefs: 00460649
clsid, xrefs: 00460662
name, xrefs: 0046065B, 004606B6
iid, xrefs: 00460674, 0046071B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$String$FreeFrom
String ID: class$clsid$iid$name
API String ID: 2668509760-3724380462
Opcode ID: 113fc1c96e34fccf5c1cdd7b883b9e1a91a053569f7b95b1f65b896196ec69c5
Instruction ID: a05b808ae967ab5224aac7840156afee5113f0117b7b95a15f9afeb498deebe5
Opcode Fuzzy Hash: 113fc1c96e34fccf5c1cdd7b883b9e1a91a053569f7b95b1f65b896196ec69c5
Instruction Fuzzy Hash: D481AC75604201AFDB10DF19D880B27B3A4EF85315F14856EF94A8B391E778EC16CBAA

Function 0045D27E Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 243windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C630: __wcsicoll.LIBCMT ref: 0041C648

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

SendMessageTimeoutW.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0045D308
IsWindowEnabled.USER32(00000000), ref: 0045D33C
IsWindowVisible.USER32(00000000), ref: 0045D366
SendMessageTimeoutW.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 0045D3A4
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D3DA
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D437
SendMessageTimeoutW.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 0045D49B
SendMessageTimeoutW.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045D4C1
SendMessageTimeoutW.USER32(00000000,00000189,?,00000000), ref: 0045D51A
GetClassNameW.USER32(00000000,?,00000020), ref: 0045D5BF

Strings

Combo, xrefs: 0045D3E3, 0045D440
SysListView32, xrefs: 0045D5C8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
String ID: Combo$SysListView32
API String ID: 4132077911-871643043
Opcode ID: 2430bb9f795c8816207e9c7302c48ebfe567a87afadb421e45e2e7fdceca4436
Instruction ID: 9bcfc81be60550c6068f3feb5087d46eeb933df4e18782bb5d57e1a9c42ad08c
Opcode Fuzzy Hash: 2430bb9f795c8816207e9c7302c48ebfe567a87afadb421e45e2e7fdceca4436
Instruction Fuzzy Hash: E671E470E042057BEB20DAA49C86FBF7778DF45711F10422ABE15EB2C1D7B8AD098769

Function 004120D0 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

__itow.LIBCMT ref: 0041215B
__swprintf.LIBCMT ref: 004122CC

Strings

%i-%i, xrefs: 004122C6
PART, xrefs: 00412291
(no), xrefs: 00412352
TypeOff?LevelRunningName-------------------------------------------------------------------, xrefs: 004120DF
%s%s%s%s%s%s, xrefs: 0041237A
OFF, xrefs: 00412241, 0041225D, 0041236C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __itow__swprintf_vswprintf_s
String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF$PART$TypeOff?LevelRunningName-------------------------------------------------------------------
API String ID: 726126973-1635122839
Opcode ID: a1d0f89bee5c33ce93391b826a2795e2f35dc68cc88e7a75cc90153950a6620b
Instruction ID: 34bf3e5c0087f181332967067a8d545fd9b9b4404796f165b32140a00490d79c
Opcode Fuzzy Hash: a1d0f89bee5c33ce93391b826a2795e2f35dc68cc88e7a75cc90153950a6620b
Instruction Fuzzy Hash: EF81F3712083019AD724DF69CA40BBB77E4AF85304F1449AFE88AC7251E3BCD9A5C35A

Function 00484280 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 196windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000406,00000000,00000000,00000002,000007D0,?), ref: 00484301
GetTickCount.KERNEL32 ref: 00484340
SendMessageTimeoutW.USER32(?,0000040C,?,00000000,00000002,000007D0,?), ref: 00484365
SendMessageTimeoutW.USER32(?,0000040D,?,?,00000002,000007D0,?), ref: 0048438F
ReadProcessMemory.KERNEL32(?,?,?,?,00000000,?,0000040D,?,?,00000002,000007D0,?,?,0000040C,?,00000000), ref: 004843AC
IsWindow.USER32 ref: 004843D5
GetTickCount.KERNEL32 ref: 004843EE
VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000,?,?,000000FF,00000000,00000001,?,0000040C,?,00000000,00000002,000007D0,?), ref: 0048448F
CloseHandle.KERNEL32(000000FF,?,0000040C,?,00000000,00000002,000007D0,?), ref: 00484496

Strings

d;K, xrefs: 004844B9
2, xrefs: 004842C8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSendTimeout$CountTick$CloseFreeHandleMemoryProcessReadVirtualWindow
String ID: 2$d;K
API String ID: 1969275300-2700161102
Opcode ID: 431b0fba79cd4ce86ab3aa64cf794263b6eaaf450f7674a5490e9cef17ff2f0d
Instruction ID: 5f02aea699df8904a79e18c2b6c6c1686094d7063d14967b86cbf429e501baf7
Opcode Fuzzy Hash: 431b0fba79cd4ce86ab3aa64cf794263b6eaaf450f7674a5490e9cef17ff2f0d
Instruction Fuzzy Hash: 0961E731604301ABD721AB619C45FAF73A4ABC4B14F14492FF684AB2C0D6BDE985876E

Function 00474540 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 190windowlibraryloaderCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00474580
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00474627
__fassign.LIBCMT ref: 00474641
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00474685
LoadLibraryW.KERNEL32(shlwapi,?,?,00001004,00000000,00000000,00000000,?,?,004593DC,00000000,00000000,00000041), ref: 004746CA
GetProcAddress.KERNEL32(00000000,StrCmpLogicalW), ref: 004746DA
SendMessageW.USER32 ref: 00474749
SendMessageW.USER32(00000000,0000104C,00000000,00000004), ref: 0047477E
SendMessageW.USER32(00000001,00001030,?,00474380), ref: 004747C3

Strings

shlwapi, xrefs: 004746C5
StrCmpLogicalW, xrefs: 004746D4

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$AddressLibraryLoadProc__fassign
String ID: StrCmpLogicalW$shlwapi
API String ID: 179551950-63816878
Opcode ID: aece04ec7635ab8c1e6fde562b3a804c5271cc6ad21ae6fd2bd98425d74328f4
Instruction ID: 5995b38b6d8d70bf30ef631f21e030ec937cbfca5242952c5c7f691f80a5e4a9
Opcode Fuzzy Hash: aece04ec7635ab8c1e6fde562b3a804c5271cc6ad21ae6fd2bd98425d74328f4
Instruction Fuzzy Hash: 5D7182B4508384AFD764DF24C880BABBBE4ABC5304F14891EF5C987291D7B9D948CF5A

Function 0043F330 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 167COMMON

Download Yara Rule

Strings

sc%03X, xrefs: 0043F49D
NewInput, xrefs: 0043F500
Timeout, xrefs: 0043F355
Match, xrefs: 0043F367
Stopped, xrefs: 0043F512
EndKey, xrefs: 0043F4DC
EndKey:, xrefs: 0043F394
Max, xrefs: 0043F4EE

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: EndKey$EndKey:$Match$Max$NewInput$Stopped$Timeout$sc%03X
API String ID: 0-3482771585
Opcode ID: 2dd8544c31d98b52655b32ff5c91582ef3165c650e9ceb13a89a39e54645ecd0
Instruction ID: c95364e054c216d5446ddaf2595f1ffb2a7acf93bcac0a0a06727b461c2fbe7e
Opcode Fuzzy Hash: 2dd8544c31d98b52655b32ff5c91582ef3165c650e9ceb13a89a39e54645ecd0
Instruction Fuzzy Hash: CE515E72B0425056D730472DA8417F7B3A0DBE9325F04803FEA8486381E66E999DC37E

Function 00476240 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 147windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004762FA
SetMenuItemInfoW.USER32 ref: 004763FD

Strings

Break, xrefs: 0047634E
Radio, xrefs: 004762F1
Right, xrefs: 00476324
BarBreak, xrefs: 00476372
, xrefs: 00476388
0, xrefs: 004763E9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: InfoItemMenu__wcsicoll
String ID: $0$BarBreak$Break$Radio$Right
API String ID: 4222793379-1315102453
Opcode ID: 76a3b46789b63ae370d0f613f381f8de91c706c77331fba836b3d477b9ca7788
Instruction ID: 8d0ca1c8e1922e1f532a8a2a8c603a1b6a78e451ade42486e9af547a6d324f81
Opcode Fuzzy Hash: 76a3b46789b63ae370d0f613f381f8de91c706c77331fba836b3d477b9ca7788
Instruction Fuzzy Hash: 66411671504B1286D7209F10CA006BBB7A6EF90705F16845FECCD97782E37C9E0AC7AA

Function 0046F100 Relevance: 18.2, APIs: 12, Instructions: 217windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046F13E
GetWindowLongW.USER32 ref: 0046F16D
_wcschr.LIBCMT ref: 0046F1B1
SendMessageW.USER32(?,?,00000000,?), ref: 0046F1FC
SendMessageW.USER32(?,00001061,?,?), ref: 0046F237
SendMessageW.USER32(?,?,00000000,00000000), ref: 0046F299
SendMessageW.USER32(?,0000108F,00000000,00000000), ref: 0046F2D2
GetWindowLongW.USER32(?,000000F0), ref: 0046F2D9
SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 0046F2FE
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0046F320
SendMessageW.USER32(?,0000014E,00000001,?), ref: 0046F33E
SendMessageW.USER32(0000014E,0000014E,?,00000000), ref: 0046F350

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$LongWindow$_wcschr
String ID:
API String ID: 958538355-0
Opcode ID: 3eece04c8e4ef4e6b7f8504e59e413abb7ae7cc1b6231b780bc68e99a075c784
Instruction ID: acc37d17634192ab70c2d38dd8c908b5a4024bb85b070ee8b658300eaab9f4f0
Opcode Fuzzy Hash: 3eece04c8e4ef4e6b7f8504e59e413abb7ae7cc1b6231b780bc68e99a075c784
Instruction Fuzzy Hash: 8471BFB4604341ABD320CF68EC91B7777E5EB85710F104A6EF9D1872C0E7799889CB6A

Function 00438590 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004385D9
_wcsncpy.LIBCMT ref: 00438643
_wcschr.LIBCMT ref: 0043868A
_memmove.LIBCMT ref: 004386D6
_wcschr.LIBCMT ref: 004386E3

Strings

Out of memory., xrefs: 004385F0
", xrefs: 004386A9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcschr$_malloc_memmove_wcsncpy
String ID: "$Out of memory.
API String ID: 278627150-1555670740
Opcode ID: 85d8bb930e744d9b985b671e16ae46fda1e87f9b0430f28ca1ddb3939ad6bb24
Instruction ID: 999bcaa21686f6be214ae958bbfde84434e70bdbe1f61e35890ff8e0660d1f40
Opcode Fuzzy Hash: 85d8bb930e744d9b985b671e16ae46fda1e87f9b0430f28ca1ddb3939ad6bb24
Instruction Fuzzy Hash: 0C91B0B1E002159BDF20DB54DC81AAFB7B5EF48310F14406EF905A7341EB78AE45CBAA

Function 004145E0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

@, xrefs: 004146A9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 21413663c1a70620908940de7f001471520e2de3903fb628938eea3e9f1f187f
Instruction ID: e2d7767ee30d8d3715f9d0fa255fca04d6fd0b4f98cfc70d02e2837637dac6be
Opcode Fuzzy Hash: 21413663c1a70620908940de7f001471520e2de3903fb628938eea3e9f1f187f
Instruction Fuzzy Hash: 2C91D434509384DED310DF28E850BA7BFE0AF96304F4984BFD5848B3A1DB789944DB6A

Function 00443840 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 0044384D
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00443891
_malloc.LIBCMT ref: 004438E4
SelectObject.GDI32(?,?), ref: 00443927
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00443947
GetSystemPaletteEntries.GDI32(?,00000000,00000100), ref: 00443977

Strings

(, xrefs: 00443880

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Bits$CompatibleCreateEntriesObjectPaletteSelectSystem_malloc
String ID: (
API String ID: 1101625044-3887548279
Opcode ID: 6b96f9dcb9396a292764b8086e0fd596592656cc7616b9539c27107d32c0f28c
Instruction ID: ad798e3e8185a9a283abac946956045d51a21a710dbc96a9d4e6fd0f371ba2b6
Opcode Fuzzy Hash: 6b96f9dcb9396a292764b8086e0fd596592656cc7616b9539c27107d32c0f28c
Instruction Fuzzy Hash: 6061A3B1E002199FEF10CF65CC44BEEBBB4EF49705F0081AAE945A7340D678AE45CBA4

Function 004674C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001002,00000001,?), ref: 0046750D

Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F279
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2A5
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2DD
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F311
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F346
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F37B

SendMessageW.USER32(00000000,00001002,00000000,?), ref: 004674F2
GetWindowLongW.USER32 ref: 00467523
__wcsicoll.LIBCMT ref: 0046753A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00467550
SendMessageW.USER32(?,00001032,00000000), ref: 0046756F
_free.LIBCMT ref: 00467801
SendMessageW.USER32(?,00000184,00000000,00000000), ref: 00467870

Strings

Time, xrefs: 0046757A
LongDate, xrefs: 00467534

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcsncpy$MessageSend$LongWindow$__wcsicoll_free
String ID: LongDate$Time
API String ID: 333296297-1184810688
Opcode ID: 07f42749f1b0850c7e36d6e5f41a3c78ad6e635c23d0795b6df597b4d8fe4976
Instruction ID: 448c83d4906ba90a0d96493c6752ca522e996e2aa57009fe90cbaf1226b23040
Opcode Fuzzy Hash: 07f42749f1b0850c7e36d6e5f41a3c78ad6e635c23d0795b6df597b4d8fe4976
Instruction Fuzzy Hash: AA313571A48310ABDB109B14EC05B667BA4AB9471AF14852BF806A73C1F7BCEC04C75B

Function 0047C5E0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 92registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,?,00000000,?,?,?,?,00000000,00434E7D,?,?), ref: 0047C61F
RegCloseKey.ADVAPI32(?,?), ref: 0047C647
GetModuleHandleW.KERNEL32(advapi32,RegDeleteKeyExW), ref: 0047C66E
GetProcAddress.KERNEL32(00000000), ref: 0047C675
GetLastError.KERNEL32(?,?,00000000,00434E7D,?,?), ref: 0047C6A9
RegDeleteKeyW.ADVAPI32(00000000,?), ref: 0047C6B3
RegDeleteValueW.ADVAPI32(?,00000000,?,?,00000000,00434E7D,?,?), ref: 0047C6BD
RegCloseKey.ADVAPI32(?,?,?,00000000,00434E7D,?,?), ref: 0047C6CA

Strings

advapi32, xrefs: 0047C669
RegDeleteKeyExW, xrefs: 0047C664

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CloseDelete$AddressErrorHandleLastModuleOpenProcValue
String ID: RegDeleteKeyExW$advapi32
API String ID: 1329167188-3857959575
Opcode ID: e72b6a8230bd936b4ac538a78201742b577c0020bc7a8b8c9030bdcc14223146
Instruction ID: d57583017dad03ac2bad04c37ef0300e89c0053c32fe1b04efc208e5aa11c72c
Opcode Fuzzy Hash: e72b6a8230bd936b4ac538a78201742b577c0020bc7a8b8c9030bdcc14223146
Instruction Fuzzy Hash: 4231B4B0A053159BD6209F60EDC8F6777A9AB98714F11952FFC0A97341DB38DC018ABD

Function 0041B750 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B784

Strings

MonitorName, xrefs: 0041B7DE
MonitorPrimary, xrefs: 0041B796
MonitorCount, xrefs: 0041B77E
Monitor, xrefs: 0041B7AE
MonitorWorkArea, xrefs: 0041B7C6

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Monitor$MonitorCount$MonitorName$MonitorPrimary$MonitorWorkArea
API String ID: 3832890014-629551668
Opcode ID: d17115075d7f6471e149693e9a3b643435df823e4da4479ffd9f44a72b6bba49
Instruction ID: c6425b100e508f058a8959a63f5b0f4faa84fb59fc1a79ce48577125f116d9c1
Opcode Fuzzy Hash: d17115075d7f6471e149693e9a3b643435df823e4da4479ffd9f44a72b6bba49
Instruction Fuzzy Hash: CF011265B81A1132EF32213D5C03BE754458BA0B07F94457AB914D52C6F78DCA4681ED

Function 0041C3F0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C400
__wcsicoll.LIBCMT ref: 0041C418

Strings

Wait, xrefs: 0041C442
Exist, xrefs: 0041C3FA
WaitClose, xrefs: 0041C45A
Priority, xrefs: 0041C42A
Close, xrefs: 0041C412

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Close$Exist$Priority$Wait$WaitClose
API String ID: 3832890014-1466124334
Opcode ID: 80740709f46aa77b9e42f35d71546a86018188b7a208182927762f9b1387efde
Instruction ID: 002f69016ed5d0bfb1156b44c8af77ecc82072f8f28f633c089ee56fff300c41
Opcode Fuzzy Hash: 80740709f46aa77b9e42f35d71546a86018188b7a208182927762f9b1387efde
Instruction Fuzzy Hash: 07F090A1AC9A1131DF22213E5C63BFB20445BA1B0BFD4417BF840D12C2F78CDA8380AE

Function 0041D1B0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D1C0
__wcsicoll.LIBCMT ref: 0041D1D3

Strings

Pixel, xrefs: 0041D1BA
Caret, xrefs: 0041D1FD
ToolTip, xrefs: 0041D1E5
Menu, xrefs: 0041D215
Mouse, xrefs: 0041D1CD

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Caret$Menu$Mouse$Pixel$ToolTip
API String ID: 3832890014-3728172800
Opcode ID: f7c489f79ff862c87d5e5056180509b16fd2c5991eba654e87aafe202eacc9cf
Instruction ID: 6b7eab92bbd90ef485dd7c641224e689282238dbf4668b6ea19f21cff2c5ea31
Opcode Fuzzy Hash: f7c489f79ff862c87d5e5056180509b16fd2c5991eba654e87aafe202eacc9cf
Instruction Fuzzy Hash: 97F067A0E4160132EF22252E4D027EB14455F6170BF9540BEBC10D2382F79CDA8691AE

Function 0041B1B0 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B1B6
__wcsicoll.LIBCMT ref: 0041B1CE

Strings

REG_BINARY, xrefs: 0041B210
REG_MULTI_SZ, xrefs: 0041B1E0
REG_DWORD, xrefs: 0041B1F8
REG_SZ, xrefs: 0041B1B0
REG_EXPAND_SZ, xrefs: 0041B1C8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ
API String ID: 3832890014-2346799943
Opcode ID: 636ca79d1d711a199542fd432caeb1d53e84408aa76cdd028bbc58aea0e9143a
Instruction ID: db48ba164207f6db3d397e00ad028db4db0dbe4bb3af8cf376f2fc54541ef08c
Opcode Fuzzy Hash: 636ca79d1d711a199542fd432caeb1d53e84408aa76cdd028bbc58aea0e9143a
Instruction Fuzzy Hash: C0F0FEA1A85A1531DF02203E5C03BEB64845FA1B87FD9117AFC04D1382F78D9A5681ED

Function 0046F380 Relevance: 16.6, APIs: 11, Instructions: 137windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00480EF0: __wcsnicmp.LIBCMT ref: 00480F39
Part of subcall function 00480EF0: __wcsnicmp.LIBCMT ref: 00480F4D
Part of subcall function 00480EF0: __wcstoi64.LIBCMT ref: 00480FAB
Part of subcall function 00480EF0: _wcsrchr.LIBCMT ref: 00480FCD
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 00481005
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 00481017
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 00481029
Part of subcall function 00480EF0: __wcsicoll.LIBCMT ref: 0048103B

SendMessageW.USER32(?,00000172,00000002,00000000), ref: 0046F3D0
DestroyIcon.USER32(00000000,?,00000172,00000002,00000000), ref: 0046F3D3
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0046F3E5
DeleteObject.GDI32(00000000), ref: 0046F3E8
DestroyIcon.USER32(?), ref: 0046F422
GetWindowLongW.USER32(?,000000F0), ref: 0046F432
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0046F462
SendMessageW.USER32(?,00000172,?,?), ref: 0046F475
SendMessageW.USER32(00000000,00000173,?,00000000), ref: 0046F482
DeleteObject.GDI32(?), ref: 0046F496
DestroyIcon.USER32(?,?,00000172,?,?,?,000000F0), ref: 0046F49E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend__wcsicoll$DestroyIcon$DeleteLongObjectWindow__wcsnicmp$__wcstoi64_wcsrchr
String ID:
API String ID: 1900615721-0
Opcode ID: 1de272d16afe86be8d4f7eae551de673f3a750b3281a76ecaa06b6637ce86ffb
Instruction ID: 09f958eb69e3ef082951419ae80796751e14e2b22207021ec21a5c222c8700f2
Opcode Fuzzy Hash: 1de272d16afe86be8d4f7eae551de673f3a750b3281a76ecaa06b6637ce86ffb
Instruction Fuzzy Hash: 8641E9715087046BD2348B64EC44F27B7E9EF95324F204A2EF5E686BD0DB78E845C62A

Function 004626C0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 412memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00462A14

Strings

Message, xrefs: 004629D3
File, xrefs: 00462AAD
Line, xrefs: 00462B1A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AllocString
String ID: File$Line$Message
API String ID: 2525500382-4121924845
Opcode ID: 98789537752971a8182dcafd0dfd4b66361628883d3ab238250a974c8f89ed9d
Instruction ID: 7942f8a2fb03a59f32bd8b01f1dcf0afa47e82e19b2d14bd93b61cec370c33fd
Opcode Fuzzy Hash: 98789537752971a8182dcafd0dfd4b66361628883d3ab238250a974c8f89ed9d
Instruction Fuzzy Hash: 49025BB16087419FC724CF14C584A9BB7E4FB88304F14892EE99987321E7B5E949CF97

Function 0043149B Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 353windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
_free.LIBCMT ref: 0043163F

Strings

v1j, xrefs: 00430A08
Jumps cannot exit a FINALLY block., xrefs: 00435127

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ClipboardCloseCountGlobalMessagePeekTickUnlock_free
String ID: Jumps cannot exit a FINALLY block.$v1j
API String ID: 3618655587-1623723626
Opcode ID: 8b5500a35736d5c2c765eef6bbb40fa8a6489c0295a2dfd9f687a43e836af385
Instruction ID: b10ae604a6f53770bc07aaa228f7014b05558723bc55e12b17cd8c63af1bd1b5
Opcode Fuzzy Hash: 8b5500a35736d5c2c765eef6bbb40fa8a6489c0295a2dfd9f687a43e836af385
Instruction Fuzzy Hash: 95E1F171A08340DFDB24CF14E8A076AB7E1EB9C314F14666FE8858B3A1D7799C41CB5A

Function 004484B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00448550
_wcschr.LIBCMT ref: 00448561
_wcsrchr.LIBCMT ref: 004485A0
_wcsrchr.LIBCMT ref: 004485B4
_wcschr.LIBCMT ref: 004485D9
_wcsrchr.LIBCMT ref: 00448617
_wcsrchr.LIBCMT ref: 00448628
_wcsrchr.LIBCMT ref: 004486B6

Strings

://, xrefs: 00448532

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcsrchr$_wcschr
String ID: ://
API String ID: 2648016162-1869659232
Opcode ID: 035b3e0356e366f738353e4e109bf200e6c284bd2d54192a67d02fb55a55a6b4
Instruction ID: 8bcf4223b7bbd0c7b9fa99477e12ae5b7fff0f90b92f95893d03c038d46b2c27
Opcode Fuzzy Hash: 035b3e0356e366f738353e4e109bf200e6c284bd2d54192a67d02fb55a55a6b4
Instruction Fuzzy Hash: 40712632A403015BEB34AE198D42BAF73E5DB80754F06492FFD459B381EAACED44C699

Function 00406849 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 251COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040684E

Strings

enabled, xrefs: 004068C0, 0040697E, 0040698D, 00406AF8, 00406B09
Any, xrefs: 004068A0
<response command="breakpoint_set" transaction_id="%e" state="%s" id="%i"/>, xrefs: 00406994
exception, xrefs: 0040693B
line, xrefs: 0040692A
disabled, xrefs: 004068D6, 00406985, 00406AFF

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: H_prolog
String ID: <response command="breakpoint_set" transaction_id="%e" state="%s" id="%i"/>$Any$disabled$enabled$exception$line
API String ID: 3519838083-30019439
Opcode ID: 91a540f84d9b5dca43b9d2328e6802e7fd38c1382a3a3eb9a8193f99c3a38b1b
Instruction ID: ab55c30a9eba873da08c071cc1ef27d19e17103c8cc3ae8a1e3d6536dc8663a6
Opcode Fuzzy Hash: 91a540f84d9b5dca43b9d2328e6802e7fd38c1382a3a3eb9a8193f99c3a38b1b
Instruction Fuzzy Hash: 3991AF71A042559FDF249FA884406AF7BA0AB06314F1A807BE446BB3D2D33DDD61CB69

Function 004274CD Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00427504
__wcsicoll.LIBCMT ref: 0042751D

Strings

Parameter #2 invalid., xrefs: 0042759A
Fast, xrefs: 00427514, 004275C9
Integer, xrefs: 004275B3
Float, xrefs: 004274FE
Parameter #1 invalid., xrefs: 004272A1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll__wcsnicmp
String ID: Fast$Float$Integer$Parameter #1 invalid.$Parameter #2 invalid.
API String ID: 28402859-2639214213
Opcode ID: e77722db7d1114f14b243402929a27333a3f5173c68ae18f05fff8d630ae3aa8
Instruction ID: 78b9faa7227f0889ba17207453ccc45d74af977406fb8f5fdf3847e743574e4a
Opcode Fuzzy Hash: e77722db7d1114f14b243402929a27333a3f5173c68ae18f05fff8d630ae3aa8
Instruction Fuzzy Hash: 5D5156307043109BEB209B1AF8447E777D29B41314F88442FE8498B396E77EAC85C76E

Function 00461490 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 95windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004614EE
FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000,004AF9BC), ref: 00461511
_vswprintf_s.LIBCMT ref: 00461556
SysFreeString.OLEAUT32(?), ref: 00461586
SysFreeString.OLEAUT32(00000000), ref: 0046158C
SysFreeString.OLEAUT32(?), ref: 00461592

Strings

No valid COM object!, xrefs: 004614DC
Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d, xrefs: 0046154D
0x%08X - , xrefs: 004614E8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FreeString$FormatMessage__swprintf_vswprintf_s
String ID: Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d$0x%08X - $No valid COM object!
API String ID: 380084984-3028990165
Opcode ID: 68d0894721cb238c5c9bd485fc00ef7966248919d791223bd30f722a6212f008
Instruction ID: 191914e5ffae442f18943f495a3a66eff0293f9cecff3748f6909c0bf6ae88e8
Opcode Fuzzy Hash: 68d0894721cb238c5c9bd485fc00ef7966248919d791223bd30f722a6212f008
Instruction Fuzzy Hash: 3E310972A003006BD714EB64DC84F6777ACEFC4750F08447EA90697295E678D804C7AA

Function 0041D370 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D38B
__wcsicoll.LIBCMT ref: 0041D3A4

Strings

UTF-8-RAW, xrefs: 0041D39E
UTF-16-RAW, xrefs: 0041D3D0
UTF-16, xrefs: 0041D3B7
UTF-8, xrefs: 0041D385

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: UTF-16$UTF-16-RAW$UTF-8$UTF-8-RAW
API String ID: 3832890014-2787617770
Opcode ID: 1e08c170795e1eb99c3f92f4f3a7d2a989a1df6d76a214828b3e5b367b003693
Instruction ID: fe47605b6019905f47338be509509b2ce0185d2eef72e63ffa06a1245d634fee
Opcode Fuzzy Hash: 1e08c170795e1eb99c3f92f4f3a7d2a989a1df6d76a214828b3e5b367b003693
Instruction Fuzzy Hash: 6E010CF2E4562122EE21312E3C02BEB11484B5076AF1A417BFD14E5786F79DEDC251EE

Function 00453500 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004D8588,00000000,?,00000000), ref: 00453527
LeaveCriticalSection.KERNEL32(004D8588), ref: 0045368C
LeaveCriticalSection.KERNEL32(004D8588), ref: 0045383F
_free.LIBCMT ref: 0045388A
__wcsdup.LIBCMT ref: 004538B4
LeaveCriticalSection.KERNEL32(004D8588), ref: 004538F7

Strings

Compile error %d at offset %d: %hs, xrefs: 004537BD
0, xrefs: 004537D5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CriticalSection$Leave$Enter__wcsdup_free
String ID: 0$Compile error %d at offset %d: %hs
API String ID: 2407865940-2351679343
Opcode ID: 9261572cfc13caa62c50edb1e90310031600812ec5bc7d1e75ac7d952361f823
Instruction ID: 0a8a2376a8eda69d11c22995ba1e06167350aa36c143cb948624275ee154f761
Opcode Fuzzy Hash: 9261572cfc13caa62c50edb1e90310031600812ec5bc7d1e75ac7d952361f823
Instruction Fuzzy Hash: 07C102B1A04205DBC714DF24C84076677E0FF49396F14496FEC5587392E378EA49CB9A

Function 0043A580 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 204COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043A790

Strings

This DllCall requires a prior VarSetCapacity., xrefs: 0043A5A0
__Delete will now return., xrefs: 0043A803
Message, xrefs: 0043A6D9
The current thread will exit., xrefs: 0043A80A, 0043A816
Extra, xrefs: 0043A6FA
File, xrefs: 0043A742
Line, xrefs: 0043A71E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Extra$File$Line$Message$The current thread will exit.$This DllCall requires a prior VarSetCapacity.$__Delete will now return.
API String ID: 3832890014-2095053968
Opcode ID: da1e35bf049fcc6164c849a76e1ef3b3dd58603ca7ace7b19cef089c247ae8f3
Instruction ID: 19567ad700a7bf9a5f8a29faff85ec1f3400d064ae9a7cb3af0d69c5ee52fb8d
Opcode Fuzzy Hash: da1e35bf049fcc6164c849a76e1ef3b3dd58603ca7ace7b19cef089c247ae8f3
Instruction Fuzzy Hash: CF61E1716842009BD720EF158C41BAB73E4AB88718F04442FF9C49B391D779ED618B9F

Function 0041E600 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165timeCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0041E613

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234,?,0049E60D,00000018,004CFCF0,0000000C,0049E69D), ref: 00499913

SetTimer.USER32(?,0000000E,04EF6D80,00403EA0), ref: 0041E656
_free.LIBCMT ref: 0041E7B6

Strings

Auto-execute, xrefs: 0041E717

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AllocateHeapTimer_free_malloc
String ID: Auto-execute
API String ID: 92111083-593629425
Opcode ID: 1fe79ad61f48468eda4346626c242dc4bffd3ac2d7efaf4e651592afc1fc5cab
Instruction ID: f79becd74e2b295e4b926f143f395e20fcb1a5bbc00015b257527efc8ef6efbe
Opcode Fuzzy Hash: 1fe79ad61f48468eda4346626c242dc4bffd3ac2d7efaf4e651592afc1fc5cab
Instruction Fuzzy Hash: A0617EB4602240DFEB10EF26EC84B963BE5EB45304F08413BE9459B3A1D7B99C85CB6D

Function 0044F7E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0044F813
GetForegroundWindow.USER32 ref: 0044F81A

Strings

0, xrefs: 0044F86C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountForegroundTickWindow
String ID: 0
API String ID: 1022652907-4108050209
Opcode ID: 6e7ea347bc7129ec467f6a06d1e446147a76fe609ec362c69ae3a6c64a60247c
Instruction ID: 2c376fb56ea014c708cea0e7ee17bf80b60a8f0505219084e605189d383812f7
Opcode Fuzzy Hash: 6e7ea347bc7129ec467f6a06d1e446147a76fe609ec362c69ae3a6c64a60247c
Instruction Fuzzy Hash: 21419D72A152049BD710EF69E84565AB7E4FB84B64F05457FEC08C73A0EB3598088BDA

Function 0045C100 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 130networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0045C14E

Strings

0.0.0.0, xrefs: 0045C1B7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Startup
String ID: 0.0.0.0
API String ID: 724789610-3771769585
Opcode ID: 989fb97feed612ff752f784a1ed887b65df582be2ad3b042ed9a986b21a6647d
Instruction ID: 9c576b0ed2434dbdaa5375153f88b1a4b6e095ed9703ce71e5074f76ac8e7f31
Opcode Fuzzy Hash: 989fb97feed612ff752f784a1ed887b65df582be2ad3b042ed9a986b21a6647d
Instruction Fuzzy Hash: AF41A075A047418FC720DF68D88579B77A8FF85711F04466EE855C7741EB38D808CB9A

Function 0041A021 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 0041A03A
GetProcAddress.KERNEL32(00000000), ref: 0041A041
GetVersionExW.KERNEL32(004DB230), ref: 0041A06D
__snwprintf.LIBCMT ref: 0041A0A4

Strings

ntdll.dll, xrefs: 0041A035
10.0.19045, xrefs: 0041A08E
%u.%u.%u, xrefs: 0041A087
RtlGetVersion, xrefs: 0041A030

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AddressHandleModuleProcVersion__snwprintf
String ID: %u.%u.%u$10.0.19045$RtlGetVersion$ntdll.dll
API String ID: 3388246157-3673595452
Opcode ID: fe2be610fc5eae03b47f9d251dc46594e8054e2d39619e390839d956cb11a5fa
Instruction ID: 8759b6a96d92ad7b9e60c1121f2ef0af13fb81733101d4a95d02437c91f332a2
Opcode Fuzzy Hash: fe2be610fc5eae03b47f9d251dc46594e8054e2d39619e390839d956cb11a5fa
Instruction Fuzzy Hash: 5D316171507380DBDF10CB64AC8A7963FA0E316718F26407FD84986761C7B948D4A7AF

Function 0041C7B0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C7C0
__wcsicoll.LIBCMT ref: 0041C7D8

Strings

Eject, xrefs: 0041C7BA
Lock, xrefs: 0041C7D2
Unlock, xrefs: 0041C7EA
Label, xrefs: 0041C802

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Eject$Label$Lock$Unlock
API String ID: 3832890014-1359929989
Opcode ID: 198c000c882611f307bbf2d7a2640c5fa0bf9f0dbfffbe054ba0add9c2aaa653
Instruction ID: 26aebac09cb40e35d5dd9c798f69efaa5b3f05884ab439b3ac882effcd6c6ad4
Opcode Fuzzy Hash: 198c000c882611f307bbf2d7a2640c5fa0bf9f0dbfffbe054ba0add9c2aaa653
Instruction Fuzzy Hash: D3F0A7F1AC1A1121EF1220394D437F758451B60B07F84413BF800D12C2F38CCD8780AD

Function 0041D140 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041D150
__wcsicoll.LIBCMT ref: 0041D162
__wcsicoll.LIBCMT ref: 0041D174

Part of subcall function 00499409: __wcsicmp_l.LIBCMT ref: 00499489

__wcsicoll.LIBCMT ref: 0041D186

Strings

Client, xrefs: 0041D180
Screen, xrefs: 0041D14A
Relative, xrefs: 0041D15C
Window, xrefs: 0041D16E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$__wcsicmp_l
String ID: Client$Relative$Screen$Window
API String ID: 3172861507-2312238187
Opcode ID: 389fc2dc23fbb36090d37af25982b9f9ef53e983f3dd7bfabc1222de5a2db906
Instruction ID: a900d9552ae410e3e6313ba961ee67032e00c001389ed5ca3302fca8e23d3a9c
Opcode Fuzzy Hash: 389fc2dc23fbb36090d37af25982b9f9ef53e983f3dd7bfabc1222de5a2db906
Instruction Fuzzy Hash: CDE0C0E1F46A1131EF2231258D027FB90440F51747F99017BBC08E16C5F68DCD8690BD

Function 00474230 Relevance: 13.6, APIs: 9, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000019F,00000000,00000000), ref: 0047426A
SendMessageW.USER32(?,00000198,00000000,80000000), ref: 00474283
SendMessageW.USER32(00000000,0000100C,000000FF,00000001), ref: 00474299
SendMessageW.USER32(?,0000100E,00000000,80000000), ref: 004742B6
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004742CC
SendMessageW.USER32(?,00001104,00000001,80000000), ref: 004742E5
SendMessageW.USER32(?,00000419,00000000,80000000), ref: 004742F8
GetWindowRect.USER32(?,80000000), ref: 00474310
MapWindowPoints.USER32(?,00000000,00000002,00000002), ref: 00474324

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Window$PointsRect
String ID:
API String ID: 467674420-0
Opcode ID: 346b056c67873efc7fdd8c612ddcfb56faf0ec810fe3487c00370a25644a108a
Instruction ID: 8b07480056d6b1c07f7b9e10b4dfd9b3ceaa409341a3a6b351bcc2b98dfbc944
Opcode Fuzzy Hash: 346b056c67873efc7fdd8c612ddcfb56faf0ec810fe3487c00370a25644a108a
Instruction Fuzzy Hash: 2731CF70244301BBD324CF68CC85FAAB7A8EBD8750F208A1DF699972E4D7B4E8418B55

Function 0040F690 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 370COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F6B1
UnregisterHotKey.USER32(?,?,004D82E0,00000028,004DA6C0), ref: 0040F74B

Strings

+I@, xrefs: 0040FA72, 0040F8A0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Unregister_memset
String ID: +I@
API String ID: 2392160147-2621359567
Opcode ID: 958f1b0fe1759e7ae6c0546d4a8cd93a611ab1a09577a5171f5d0a95110cc678
Instruction ID: adb740670463004cfe2d5e12b1818e76b7f31ee1aab3a39e96d1d0febf72ff1e
Opcode Fuzzy Hash: 958f1b0fe1759e7ae6c0546d4a8cd93a611ab1a09577a5171f5d0a95110cc678
Instruction Fuzzy Hash: 14E1D360A087809ADB35CF2594447637BA16B12708F0844BBD4C5ABFD2D37DED8EC79A

Function 0045A1E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 273COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045A2E9
__fassign.LIBCMT ref: 0045A32C
__wcsnicmp.LIBCMT ref: 0045A351
__fassign.LIBCMT ref: 0045A370
__wcsnicmp.LIBCMT ref: 0045A395

Strings

GDI+, xrefs: 0045A38F
Icon, xrefs: 0045A34B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign$__wcsnicmp
String ID: GDI+$Icon
API String ID: 1066767119-2641797909
Opcode ID: ef8bdc071543b7902bc2c213db1879e84b5b98d6192ce4115e7727aa9fa61636
Instruction ID: 5ed88e9080d8f1f9fb406006ac9245464924e4f635579074e49692c53dd58749
Opcode Fuzzy Hash: ef8bdc071543b7902bc2c213db1879e84b5b98d6192ce4115e7727aa9fa61636
Instruction Fuzzy Hash: C591F3705002009BCB209F19884277B77E09F56756F144A6FFC859B382E379DD69C7AB

Function 00438290 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004382D7
_wcsncpy.LIBCMT ref: 00438343
_wcsncpy.LIBCMT ref: 00438366
_wcschr.LIBCMT ref: 00438403
_free.LIBCMT ref: 00438425
_free.LIBCMT ref: 0043850A

Strings

Out of memory., xrefs: 004382EE

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free_wcsncpy$_malloc_wcschr
String ID: Out of memory.
API String ID: 609840974-4087320997
Opcode ID: a396431f2e61c274931c65f864ce0ddebe5d73a1a69d6d82684fc9aeccef4009
Instruction ID: 506b89859ed1b56aed38349df0a4b25dcf904bc87594b32a87bb147968f223a6
Opcode Fuzzy Hash: a396431f2e61c274931c65f864ce0ddebe5d73a1a69d6d82684fc9aeccef4009
Instruction Fuzzy Hash: 2E91AFB1A002169BCF20DF58C8416BFB3B4EF98710F18505EF84597341EB79AE55CBA9

Function 004581F0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 224windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(004D8190,00001032,00000000,00000000), ref: 004582CF
__wcsnicmp.LIBCMT ref: 004582EA
SendMessageW.USER32(004D8190,00001004,00000000,00000000), ref: 00458321

Strings

Col, xrefs: 004582E4

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$__wcsnicmp
String ID: Col
API String ID: 2103314646-737980560
Opcode ID: 26099f610d69601eff0ae24319f03ed8e3b87f464a97081735e8018b9a440437
Instruction ID: 8d7fb60e2da1b6f9f17f72c6fa7fd382c62d3d93dc44dbc2d435e95008db5d4f
Opcode Fuzzy Hash: 26099f610d69601eff0ae24319f03ed8e3b87f464a97081735e8018b9a440437
Instruction Fuzzy Hash: AA6104716003018BD720DF29D881B2AB7E4EB95B16F10456FFD45A7382DF39EC49C6AA

Function 0040304D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 170windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403B70: _free.LIBCMT ref: 00403BA4
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BDA
Part of subcall function 00403B70: _free.LIBCMT ref: 00403BFD

GetTickCount.KERNEL32 ref: 004015E9
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4
TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A

Part of subcall function 004033A0: GetTickCount.KERNEL32 ref: 004033A0

Strings

(&, xrefs: 00401613
InputHook, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick_free$AcceleratorFocusMessageTranslate
String ID: InputHook$(&
API String ID: 3994156647-3679040146
Opcode ID: df8df3e3bf723a771e92e4328485573c86ee51d35dd2461919cf0982e948a640
Instruction ID: 8b970fc61506066c9ea0accfb51a20151b72b0dc749918c262fa9e1638dfffbe
Opcode Fuzzy Hash: df8df3e3bf723a771e92e4328485573c86ee51d35dd2461919cf0982e948a640
Instruction Fuzzy Hash: 3D518E719083409BDB24DB28C884BAFB6E4AB85704F04492FF589A73E1D778ED45C75B

Function 00412550 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 170sleepCOMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,?,0040218E,?,?), ref: 00412631
CharUpperW.USER32(?,?,?,?,?,0040218E,?,?), ref: 00412642
__swprintf.LIBCMT ref: 004126AC
Sleep.KERNEL32(00000000), ref: 00412721

Strings

{Text}, xrefs: 00412688
{Raw}, xrefs: 00412678, 004126A1
%s%c, xrefs: 004126A6

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CharUpper$Sleep__swprintf
String ID: %s%c${Raw}${Text}
API String ID: 676149037-2444501380
Opcode ID: f8768d4323739141c2f803a0e8b6586ff4d3852917af653cc688b8a6239d6e67
Instruction ID: dd99d662d94cfe82523cbcb363a1a8d639b18e47ac8b77dd1236bfabf992d280
Opcode Fuzzy Hash: f8768d4323739141c2f803a0e8b6586ff4d3852917af653cc688b8a6239d6e67
Instruction Fuzzy Hash: B3519F306047419BDB249F29C5506EBBBE1FF89304F05492EE8CAC7391E678E8A4C769

Function 0040155B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 162windowtimeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000009,0000000A), ref: 004015C4
GetTickCount.KERNEL32 ref: 004015E9
GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
GetTickCount.KERNEL32 ref: 0040163B
GetFocus.USER32 ref: 004016D4

Part of subcall function 00403610: joyGetPosEx.WINMM ref: 0040363F

TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A
IsDialogMessageW.USER32(?,?), ref: 00401CC7

Part of subcall function 00473960: SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0047397A

Strings

(&, xrefs: 00401613

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Message$CountTick$AcceleratorDialogFocusSendTimerTranslate
String ID: (&
API String ID: 3283625497-1801568203
Opcode ID: 9898ad49d0aa553f3aa91e8597851dd6cb572a70bed85a4c53127895d76081a8
Instruction ID: fdef66c3691e2a560f374b91998badb968f22f6f3cbdc9f7de635d54b17f8530
Opcode Fuzzy Hash: 9898ad49d0aa553f3aa91e8597851dd6cb572a70bed85a4c53127895d76081a8
Instruction Fuzzy Hash: 5A519F71A083409BDB219B28C88476F7BE4AB96704F04093FF486A73F1D7789D85C75A

Function 004316C9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160windowclipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004309CC
CloseClipboard.USER32 ref: 004309DC
GetTickCount.KERNEL32 ref: 004309EE
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430A1A
GetTickCount.KERNEL32 ref: 00430A30
GetTickCount.KERNEL32 ref: 00430AF4

Strings

v1j, xrefs: 00430A08

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
String ID: v1j
API String ID: 1623861271-3288809988
Opcode ID: d395b3abce13ff46e29603b7b552c0c1e29d90ce80bb8c671450eaf6137fb9b7
Instruction ID: 976a08794c494d7c5564301efb597b32ae1a89cc08c08e8fcb2dc43fef6daacb
Opcode Fuzzy Hash: d395b3abce13ff46e29603b7b552c0c1e29d90ce80bb8c671450eaf6137fb9b7
Instruction Fuzzy Hash: FE510430505340DBD728DF24E8B476A7BA1AB49318F24276FE4518A3E1D7789881CB5E

Function 0043A676 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 152COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043A790

Strings

__Delete will now return., xrefs: 0043A803
Message, xrefs: 0043A6D9
The current thread will exit., xrefs: 0043A80A, 0043A816
Extra, xrefs: 0043A6FA
File, xrefs: 0043A742
Line, xrefs: 0043A71E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Extra$File$Line$Message$The current thread will exit.$__Delete will now return.
API String ID: 3832890014-175628360
Opcode ID: 77754a55a646b393a41e2cdced0437dcf38e10bc365a1b9e9c521c784cb01b25
Instruction ID: ad524ae1bc14c49465ca95e1ccbe2e06e71f0faac895eaf9abbecdd3e741a62f
Opcode Fuzzy Hash: 77754a55a646b393a41e2cdced0437dcf38e10bc365a1b9e9c521c784cb01b25
Instruction Fuzzy Hash: 8D5103306842005BD710EB148882B6B73E5AB88718F09546FF9C49B392D77DED66C78F

Function 00486080 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 97windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0048608C

Part of subcall function 00484AD0: LoadLibraryW.KERNEL32(dwmapi.dll,DwmGetWindowAttribute,?,00483DB4,00000000,?,?,?,?,0040F2C8,004D82E0,?,?,004AF9BC,004AF9BC,00000000), ref: 00484AEB
Part of subcall function 00484AD0: GetProcAddress.KERNEL32(00000000), ref: 00484AF2

GetWindowLongW.USER32(?,000000EC), ref: 004860AE
GetClassNameW.USER32(?,?,00000009), ref: 004860C7
__wcsicoll.LIBCMT ref: 004860DB
__wcsicoll.LIBCMT ref: 004860F9

Strings

WorkerW, xrefs: 004860F3
Progman, xrefs: 004860D5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window__wcsicoll$AddressClassLibraryLoadLongNameProcVisible
String ID: Progman$WorkerW
API String ID: 130391517-3171280841
Opcode ID: 8cd6a508d31bb5c7c17deb81d8f0e6e53e17a2a40b88b1a0163f8f6d627102dd
Instruction ID: a0b6a408bfe4a4d8567c661e567d42c65b39a7dbd038619e1b3b78d419a8c63c
Opcode Fuzzy Hash: 8cd6a508d31bb5c7c17deb81d8f0e6e53e17a2a40b88b1a0163f8f6d627102dd
Instruction Fuzzy Hash: 7331EFB56007016BC760BA259C45AABB7E8AF80700F454D2FF95A82243EB38F905C7A8

Function 004767E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00476808
CreatePopupMenu.USER32 ref: 00476834
SetMenuDefaultItem.USER32(?,00445613,00000000,?,?,?,?,?,?,?,?,?,?,?,00476C08), ref: 00476878
SetMenuInfo.USER32 ref: 004768BE
SetMenuInfo.USER32 ref: 004768E1
CreateMenu.USER32 ref: 004768F7

Strings

tray, xrefs: 00476802

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Menu$CreateInfo$DefaultItemPopup__wcsicoll
String ID: tray
API String ID: 3246407819-3344156567
Opcode ID: 58702ca8244081cd8df56b119dc4598f46b31b1c276d5f25efa5a7a6a4aa2732
Instruction ID: d8baa1242c2ff0945b70a06a6ea1e3d7266dc287fb8ece4ce7e89bf886772e67
Opcode Fuzzy Hash: 58702ca8244081cd8df56b119dc4598f46b31b1c276d5f25efa5a7a6a4aa2732
Instruction Fuzzy Hash: C0317271505B019FD720EF25C80479BBBE6BFC8704F06892EE48D97740E778E8058B9A

Function 0046B43F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0046A83C
ReleaseDC.USER32(?,?), ref: 0046A84E
CreateWindowExW.USER32(?,msctls_hotkey32,004AF9BC,?,?,?,?,?,?,?,?,00000000), ref: 0046B47E
SendMessageW.USER32(?,00000403,?,00000006), ref: 0046B4D1

Part of subcall function 00472C20: GetKeyboardLayout.USER32(00000000), ref: 00472C65

SendMessageW.USER32(00000000,00000401,?,00000000), ref: 0046B4B0

Strings

Can't create control., xrefs: 0046BB10
msctls_hotkey32, xrefs: 0046B478

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$CreateKeyboardLayoutObjectReleaseSelectWindow
String ID: Can't create control.$msctls_hotkey32
API String ID: 1360861577-3973893855
Opcode ID: de390573f457e3a551d6e75fb0aa08faed764c278ca8b7e732cf0072cdffe93e
Instruction ID: 97b5f039f7386d2b3928fabd84f51e925a6460e9ad5b8b1c5c3b7da91f319f09
Opcode Fuzzy Hash: de390573f457e3a551d6e75fb0aa08faed764c278ca8b7e732cf0072cdffe93e
Instruction Fuzzy Hash: FA214C71B04340ABD7249F54DC84FAB7BA8EB99700F04842EFA49D7690D7789840CB6B

Function 0049D048 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049D054

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__amsg_exit.LIBCMT ref: 0049D074
__lock.LIBCMT ref: 0049D084
InterlockedDecrement.KERNEL32(?), ref: 0049D0A1
_free.LIBCMT ref: 0049D0B4
InterlockedIncrement.KERNEL32(00A72D90), ref: 0049D0CC

Strings

BM, xrefs: 0049D0AB

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: BM
API String ID: 3470314060-773030966
Opcode ID: ca83c0c4e9c9ce2f27bb6eaa3788bfd4167bb4b303ff3dc4e74f8162e4b92dc6
Instruction ID: 60105e8036aa53d2e8b53c38c13c2e1c48d0f69e4f7f7582894f30c29d4dc866
Opcode Fuzzy Hash: ca83c0c4e9c9ce2f27bb6eaa3788bfd4167bb4b303ff3dc4e74f8162e4b92dc6
Instruction Fuzzy Hash: CB018431E026119BCF21AB6A980575E7FA0BF45719F05413BE84567780CB7CAD42CBDD

Function 00472770 Relevance: 12.1, APIs: 8, Instructions: 122COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0047278D
CallWindowProcW.USER32(?,?,?,?,?), ref: 004727C9
GetDlgCtrlID.USER32(?), ref: 004727DD
GetParent.USER32(?), ref: 004727EE
GetDlgCtrlID.USER32(00000000), ref: 004727FB
CallWindowProcW.USER32(?,?,00000047,?,?), ref: 00472853
GetClipBox.GDI32(?,?), ref: 0047288B
FillRect.USER32(?,?,00000000), ref: 0047289B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CallCtrlParentProcWindow$ClipFillRect
String ID:
API String ID: 1046380989-0
Opcode ID: f5a6e3420fd5680ec3159ec6cb54bd9abf8363ac639463d9cf0d9a4235e6f7f8
Instruction ID: 5982cf7acbca502d04d8714398e0e1661b4c5961508523c6e59a6f7b63b90c23
Opcode Fuzzy Hash: f5a6e3420fd5680ec3159ec6cb54bd9abf8363ac639463d9cf0d9a4235e6f7f8
Instruction Fuzzy Hash: B241EE766011459BCB28DF08DA889FB77B9FB95310B05816AFC0A97341D778EC81CBA9

Function 00467597 Relevance: 12.1, APIs: 8, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004675BA
SendMessageW.USER32(00000000,00001002,00000000,?), ref: 004675F9
IsWindowVisible.USER32(00000000), ref: 00467615
SetWindowTextW.USER32(?,?), ref: 004677AB
GetWindowRect.USER32(?,?), ref: 004677C5
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004677D8
InvalidateRect.USER32(?,?,00000001,?,?), ref: 004677E9
_free.LIBCMT ref: 00467801
SendMessageW.USER32(?,00000184,00000000,00000000), ref: 00467870

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$MessageRectSend$InvalidateLongPointsTextVisible_free
String ID:
API String ID: 1936637810-0
Opcode ID: a07600a6d0fbeb6ab60b72706e9a9d59ba0f0755dc34bb164270325030b4d080
Instruction ID: 0f7d55cce742fc83720c2ccf2508dbec8ae059d751f3f3e40fc98a55695a38f2
Opcode Fuzzy Hash: a07600a6d0fbeb6ab60b72706e9a9d59ba0f0755dc34bb164270325030b4d080
Instruction Fuzzy Hash: 98317C75608300AFD710DF64EC44A6BBBA5FB88705F04892EF94687390EB78EC04CB5A

Function 0045B550 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

joyGetDevCapsW.WINMM(?,?,000002D8), ref: 0045B58F
_memset.LIBCMT ref: 0045B5A5
joyGetPosEx.WINMM ref: 0045B5E7

Strings

(6K, xrefs: 0045B8F3
@, xrefs: 0045BA62
4, xrefs: 0045B5D7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Caps_memset
String ID: (6K$4$@
API String ID: 675830301-389607550
Opcode ID: 6f1df5e623130fc5519dfb89c1c6d076b81a087b6ec2a2738dc1641cfe1935c1
Instruction ID: 1b62503bb8dcafb966b9c70d5a13e8a36451d5d99be2e12f43ee9aadd3465e46
Opcode Fuzzy Hash: 6f1df5e623130fc5519dfb89c1c6d076b81a087b6ec2a2738dc1641cfe1935c1
Instruction Fuzzy Hash: 10E1A3356083428BD7248F15D8447AAB7E0FF85316F94492EEC9983792E73D990CDB8A

Function 00408026 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 280COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00408271

Strings

<response command="property_set" success="%i" transaction_id="%e"/>, xrefs: 00408323
integer, xrefs: 00408159
float, xrefs: 00408184
<exception>, xrefs: 004081E2
string, xrefs: 00408055

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free
String ID: <exception>$<response command="property_set" success="%i" transaction_id="%e"/>$float$integer$string
API String ID: 269201875-2023057498
Opcode ID: a9878c18357ddd63bbd89cb60b05f898ec33a5beb5b3d6edfa57497887d9089d
Instruction ID: cd42c75e66b259a114bb2ffeff451e1deb067067da43e370cd3e6624a1d6fca2
Opcode Fuzzy Hash: a9878c18357ddd63bbd89cb60b05f898ec33a5beb5b3d6edfa57497887d9089d
Instruction Fuzzy Hash: 25A1DF711087029FCB10CF65C641A2BBBE1BB94714F14492FF4D4AB2C1DB39E946CB9A

Function 0042E4DD Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 275COMMON

Download Yara Rule

Strings

Parameter #2 invalid., xrefs: 0042E4C2
This line will never execute, due to %s preceding it., xrefs: 0042E5AE
Delete, xrefs: 0042E4A0
Target label does not exist., xrefs: 0042E5F9
Parameter #1 invalid., xrefs: 0042E110

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Delete$Parameter #1 invalid.$Parameter #2 invalid.$Target label does not exist.$This line will never execute, due to %s preceding it.
API String ID: 3832890014-1035571858
Opcode ID: b5b9572471b775356e3232ce2bc80512fb9e8d366ecbf7d6ddb2a9bcf1b16e55
Instruction ID: 7f1c32c2805df7a2bfeb35be32d2eb3580ec2f2dc9d25e35092ce2b511302f71
Opcode Fuzzy Hash: b5b9572471b775356e3232ce2bc80512fb9e8d366ecbf7d6ddb2a9bcf1b16e55
Instruction Fuzzy Hash: AC910430714260ABEB249F67E8447B73791AB11308FD8406BF8458B382EA7DDD95C769

Function 0040835E Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 264COMMON

Download Yara Rule

APIs

__wcstoui64.LIBCMT ref: 004083C9
__wcstoui64.LIBCMT ref: 004083D9
__wcsicoll.LIBCMT ref: 00408447

Strings

<response command="source" success="0" transaction_id="%e"/>, xrefs: 0040868A
<response command="source" success="1" transaction_id="%e" encoding="base64">, xrefs: 004084CC
</response>, xrefs: 00408631

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoui64$__wcsicoll
String ID: </response>$<response command="source" success="0" transaction_id="%e"/>$<response command="source" success="1" transaction_id="%e" encoding="base64">
API String ID: 400967290-3891583944
Opcode ID: 48c4c74edd8535ddaa4e350a028e5f0c79cb85c27335ebcc0bfbdbbab3abc75c
Instruction ID: 508038350793ddb0889309a683fc63c339571ad4e4d1caf4e39d0c50e309b7bd
Opcode Fuzzy Hash: 48c4c74edd8535ddaa4e350a028e5f0c79cb85c27335ebcc0bfbdbbab3abc75c
Instruction Fuzzy Hash: 8191DE315083019BD720DF29CA81B9BB7E4AB94714F144A3EF5D4E72D1EB79D8048B6A

Function 0044C5B0 Relevance: 10.8, APIs: 7, Instructions: 253COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0044C5EF

Part of subcall function 00499840: wcstoxq.LIBCMT ref: 00499861

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoi64wcstoxq
String ID:
API String ID: 2194140525-0
Opcode ID: 3d64a853eda7d81dc6727f3a22379b5208f28c5eea2613259f2a8d558fa4ccd3
Instruction ID: 98e56b39d11ef32ec0adde4c166550d4fa0f1bc9eb0b817ae16e7a245f6a06ee
Opcode Fuzzy Hash: 3d64a853eda7d81dc6727f3a22379b5208f28c5eea2613259f2a8d558fa4ccd3
Instruction Fuzzy Hash: B2A1FD716093019BE360EF25CC81F5BB7E4BB85704F184A2FF4549B291DBB99805CB6A

Function 004234D0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000009,0000000A,00000000), ref: 00423604
KillTimer.USER32(?,00000009), ref: 0042364D
__wcstoi64.LIBCMT ref: 004236D1
__fassign.LIBCMT ref: 00423761
GetTickCount.KERNEL32 ref: 00423785

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

Strings

Out of memory., xrefs: 00423575

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Timer__fassign$CountKillTick__wcstoi64
String ID: Out of memory.
API String ID: 925375575-4087320997
Opcode ID: d8b4b5674ead970790b3891ba920a7fc3039405ff3ace9c02ef770c11821bc44
Instruction ID: fc6bcee34546581538d54a7a1a3f90d1cae2aab2ee9fd3b7f5a50b831930a387
Opcode Fuzzy Hash: d8b4b5674ead970790b3891ba920a7fc3039405ff3ace9c02ef770c11821bc44
Instruction Fuzzy Hash: 428119B1B00360ABDF349F14A8807777BB4AF16711F98442FE48686791E37C9E84C79A

Function 0045E530 Relevance: 10.7, APIs: 7, Instructions: 205comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0045E54B
CoCreateInstance.OLE32(004AD820,00000000,00000001,004AD810,00000000), ref: 0045E564
__fassign.LIBCMT ref: 0045E5D6
GetKeyboardLayout.USER32(00000000), ref: 0045E620
__fassign.LIBCMT ref: 0045E671

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 0045E6BE
CoUninitialize.OLE32 ref: 0045E70F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign$CreateFullInitializeInstanceKeyboardLayoutNamePathUninitialize
String ID:
API String ID: 404581262-0
Opcode ID: b1d9b20903b53bdea41929694774a9e934d879e784a8dfdff31fa5fd3e9133fb
Instruction ID: 52db792a39c3e26bd4a94e9ebc1032de73813d1040626b417f3806f1de65675e
Opcode Fuzzy Hash: b1d9b20903b53bdea41929694774a9e934d879e784a8dfdff31fa5fd3e9133fb
Instruction Fuzzy Hash: 7B61D0B1604301AFD214EF65CC85FAB37A5AF89304F10485EF9448B2D2E7B9ED49C76A

Function 0042B280 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0042B38A
_wcschr.LIBCMT ref: 0042B3A5

Part of subcall function 0042B1F0: GetFileAttributesW.KERNEL32(0042B2BF), ref: 0042B220

Part of subcall function 0044F750: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,00000000), ref: 0044F762

Strings

.ahk, xrefs: 0042B366
\AutoHotkey\Lib\, xrefs: 0042B2CE
#Include %-0.*s#IncludeAgain %s, xrefs: 0042B453
\Lib\, xrefs: 0042B2B0, 0042B2E7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AttributesFile$FolderPath_wcschr
String ID: #Include %-0.*s#IncludeAgain %s$.ahk$\AutoHotkey\Lib\$\Lib\
API String ID: 3341327518-2992999288
Opcode ID: 95cd0e968a4c8799b9744c8f97e9f83349e0315529c5296879c0870586eeb261
Instruction ID: 1f101769fe2fbaf9103fd5764babab83c1438d8bc7abeccccb3c6647e7fb8973
Opcode Fuzzy Hash: 95cd0e968a4c8799b9744c8f97e9f83349e0315529c5296879c0870586eeb261
Instruction Fuzzy Hash: 126102317002158FC710DF29E881BAB73A4EF98304F40852FED448B3A1EB78A915CBE9

Function 00440650 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

__fassign.LIBCMT ref: 004406A4

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

__fassign.LIBCMT ref: 004406E0
GetWindowRect.USER32(00000000,?), ref: 00440726
GetWindowRect.USER32(00000000,?), ref: 00440758
GetParent.USER32(00000000), ref: 00440783
ScreenToClient.USER32(00000000,80000000), ref: 00440793
MoveWindow.USER32(00000000,?,?,?,?,00000001,?,?,?,?,?,?,?,?,00432FE9), ref: 0044083A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$Rect__fassign$ClientForegroundMoveParentScreenVisiblewcstoxl
String ID:
API String ID: 4198355719-0
Opcode ID: 7b11d4f3686d466ed64f00bc0a3aba88c8ae5de20b93db39957d31416ca7f661
Instruction ID: a61a20ebbddf82122a898a34785317a2d7c88a676bedaf39aaa2eb719384a132
Opcode Fuzzy Hash: 7b11d4f3686d466ed64f00bc0a3aba88c8ae5de20b93db39957d31416ca7f661
Instruction Fuzzy Hash: A551B1B1A04301ABE710EF24DC41B5F77E4AB84710F14092EFA4197391D7B9EC95CBAA

Function 0047F250 Relevance: 10.7, APIs: 7, Instructions: 174timeCOMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0047F279
_wcsncpy.LIBCMT ref: 0047F2A5
_wcsncpy.LIBCMT ref: 0047F2DD
_wcsncpy.LIBCMT ref: 0047F311
_wcsncpy.LIBCMT ref: 0047F346
_wcsncpy.LIBCMT ref: 0047F37B
SystemTimeToFileTime.KERNEL32(?,?), ref: 0047F422

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcsncpy$Time$FileSystem
String ID:
API String ID: 456616543-0
Opcode ID: 62aef3695b26939a59dffcd19f42a4789964ddc22bda4d290c9eae8f59cab432
Instruction ID: 116c2c015460527e3f92fde828d369f602415525a7cebdddae21ad1deb615ec5
Opcode Fuzzy Hash: 62aef3695b26939a59dffcd19f42a4789964ddc22bda4d290c9eae8f59cab432
Instruction Fuzzy Hash: E751C37191530196D718EB69CC82AABB2E5EFD8300F44CD3FF85AC7251F639E509835A

Function 00451000 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 00451039
GetLastError.KERNEL32 ref: 0045113C
__itow.LIBCMT ref: 00451168

Strings

DllCall, xrefs: 004511E1
0, xrefs: 004511BF

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ErrorLast$__itow
String ID: 0$DllCall
API String ID: 3125673013-1800201163
Opcode ID: f76db294036b85b086df669964c404c6de938ddb5128781bce957d49728f4ac9
Instruction ID: 435e9edd59bc84051a32e6960529c8a17d6b3bdade0838c8458c6ac64cdbf108
Opcode Fuzzy Hash: f76db294036b85b086df669964c404c6de938ddb5128781bce957d49728f4ac9
Instruction Fuzzy Hash: 6A618170E01208AFDF14DFA8C885BAEBBB4FB08714F10426BE915A73A1D7785845CB59

Function 004705B8 Relevance: 10.7, APIs: 7, Instructions: 171windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004705C4
GetWindowTextW.USER32(?,?,00000400), ref: 004705DE
SendMessageW.USER32(?,00000158,00000000,?), ref: 004705FA
SendMessageW.USER32(?,00000149,00000000,00000000), ref: 00470639
SendMessageW.USER32(00000000,00000148,00000000,00000000), ref: 0047066E
GetWindowTextLengthW.USER32(00000000), ref: 004709FC
GetWindowTextW.USER32(?,00000000,00000001), ref: 00470A2A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$TextWindow$Length
String ID:
API String ID: 619060290-0
Opcode ID: 7f316653966c807c8ef1b484c9f02937afee6369a3a09f0c108982c064e272b3
Instruction ID: 355aed8c3edd722cc07035057f92290ab88a858021dbb350187275ec7d37cf82
Opcode Fuzzy Hash: 7f316653966c807c8ef1b484c9f02937afee6369a3a09f0c108982c064e272b3
Instruction Fuzzy Hash: F5513771341300ABD7209B248C89FAB7799EB95324F10897FF549DB2C2C678DC45C798

Function 00417750 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004D85B4), ref: 004177E8
GetSystemMetrics.USER32(00000000), ref: 00417860
GetSystemMetrics.USER32(00000001), ref: 00417866
GetCursorPos.USER32(?), ref: 004178C5

Strings

d, xrefs: 004178A9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CursorMetricsSystem
String ID: d
API String ID: 3091566494-2564639436
Opcode ID: f89fd4ef7ae1550b366f40461004737d39f97c3f644aaece7940061a6b1dccc7
Instruction ID: 119d6539a4c3c058e01fc4c3233a64bbc2f0d8b6b3b92e21f048465a99026b57
Opcode Fuzzy Hash: f89fd4ef7ae1550b366f40461004737d39f97c3f644aaece7940061a6b1dccc7
Instruction Fuzzy Hash: 5151C2757083019BE714DF29E881BAA73E1FB88315F24493EE886C7341DB39E985CB59

Function 0046E2ED Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,?,00000060), ref: 0046E330
MulDiv.KERNEL32(00000000,?,00000060), ref: 0046E3F3
GetWindowLongW.USER32(?,000000F0), ref: 0046E7E9

Strings

0-#v, xrefs: 0046E330, 0046E3F3, 0046E44E, 0046E4A9, 0046E4F8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: LongWindow
String ID: 0-#v
API String ID: 1378638983-3862253926
Opcode ID: 8709f63d532a908add9a1c1a864a47d0e160dedfd8fb66514d3f9dbd240402b9
Instruction ID: 1d8effa668316b8f9011af1f4769ffeb63e465f78cc3ac82c3cbb219b826547e
Opcode Fuzzy Hash: 8709f63d532a908add9a1c1a864a47d0e160dedfd8fb66514d3f9dbd240402b9
Instruction Fuzzy Hash: C9618DBC600201CFDB24DF26C940BAA77E1BF88705F15466EE9955B361EB38EC51CB4A

Function 00476420 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004764F4
_wcschr.LIBCMT ref: 00476513
_wcschr.LIBCMT ref: 0047651D
__wcsicoll.LIBCMT ref: 0047652F
SetMenuItemInfoW.USER32(?,?,?,00000000), ref: 0047655C

Strings

0, xrefs: 0047648E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ItemMenu_wcschr$DefaultInfo__wcsicoll
String ID: 0
API String ID: 697447621-4108050209
Opcode ID: b5f8bdb52d5466c9898a0f9a4d9e59b38958a60e437932432c2c10b822c26a60
Instruction ID: 02261b57988016f57a9a0e9b29c8f655d426d673cab6de95d053a5ca00cf7a3d
Opcode Fuzzy Hash: b5f8bdb52d5466c9898a0f9a4d9e59b38958a60e437932432c2c10b822c26a60
Instruction Fuzzy Hash: 1C4139B16047016BD7249F18E8007AB77E5BB80314F05852FFC89973D5EB79E904C7AA

Function 00482000 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 00482037

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

__fassign.LIBCMT ref: 00482057
_wcschr.LIBCMT ref: 0048206E
_wcschr.LIBCMT ref: 00482092

Strings

.-+, xrefs: 00482069, 0048208D
+, xrefs: 00482041

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign_wcschr$wcstoxl
String ID: +$.-+
API String ID: 1230976502-3777370404
Opcode ID: 9610d407098dae9b6b0bdeb7db8ae82cf25586f41b2efed7791b4f54d19c4b70
Instruction ID: 3d31504c10a88408d2a02cccfb865c86144822f7cf2f4485934edee3b832ff72
Opcode Fuzzy Hash: 9610d407098dae9b6b0bdeb7db8ae82cf25586f41b2efed7791b4f54d19c4b70
Instruction Fuzzy Hash: A131D6B2604221568B347E159DC423F73D5EA96761F344D2BFA42CA2C0E7EC88C1D3AA

Function 00433438 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00433519

Strings

Parameter #1 must not be blank in this case., xrefs: 004334CC
Parameter #2 invalid., xrefs: 0043354A
Delete, xrefs: 00433513
Target label does not exist., xrefs: 0043346C
Parameter #1 invalid., xrefs: 00433496

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Delete$Parameter #1 invalid.$Parameter #1 must not be blank in this case.$Parameter #2 invalid.$Target label does not exist.
API String ID: 3832890014-14243736
Opcode ID: 86c0aaff76b6ce81f1437f36f9f7af26baa6f8112e9420dce3722020ee45889a
Instruction ID: e24b93fe6442b73996c024722daf9e01c2109cd0b4a87424bb1e2e76ce4a84c7
Opcode Fuzzy Hash: 86c0aaff76b6ce81f1437f36f9f7af26baa6f8112e9420dce3722020ee45889a
Instruction Fuzzy Hash: 7241F271740200B7DB21AF019C02B2773B6AB99715F29506FF8509B391D7BDED4287AE

Function 0042F211 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0042F2CA

Strings

Out of memory., xrefs: 0042FC54
Expression too long, xrefs: 0043076B
+-*&~!, xrefs: 0042F2C5
-, xrefs: 0042F312
Missing close-quote, xrefs: 0042FC76

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcschr
String ID: +-*&~!$-$Expression too long$Missing close-quote$Out of memory.
API String ID: 2691759472-2428279368
Opcode ID: 21d358b574a6c61366203aa2416cae8e5efab34523fb5948f7f50951a35798b2
Instruction ID: 24abdf7c417dbac91f6914fe5f90e9ab67c60156a4daccadf6aff6cdae6b3aa1
Opcode Fuzzy Hash: 21d358b574a6c61366203aa2416cae8e5efab34523fb5948f7f50951a35798b2
Instruction Fuzzy Hash: 6B311375B40225E6CF30DE8598817BE72B0AB54B10FB441BBEC45A32C0E77CAE45CB69

Function 0047F4F0 Relevance: 10.6, APIs: 7, Instructions: 82timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F527
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F53D
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F54D
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F572
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F586
FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00431F06,00000000,00000001,00000000), ref: 0047F596
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0047F5B8

Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F279
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2A5
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2DD
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F311
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F346
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F37B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Time$File$_wcsncpy$System$Local$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1899144181-0
Opcode ID: 9b4c0722e3b4447c1c64732a54f1b12daeb79bfa3bb53ba4e12e176010e4b2eb
Instruction ID: ec7f1e55bf55ed5fa15d96d36325509feef5b0460418d3e3c2bdb78589e7a9c1
Opcode Fuzzy Hash: 9b4c0722e3b4447c1c64732a54f1b12daeb79bfa3bb53ba4e12e176010e4b2eb
Instruction Fuzzy Hash: B721BF766043016BC700EF69DC44AEB7BA9ABC8704F44892AF54993241E674E60DC7A6

Function 0046B74E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0046A83C
ReleaseDC.USER32(?,?), ref: 0046A84E

Part of subcall function 00472F20: SendMessageW.USER32(?,00000407,00000000,?), ref: 00472F41
Part of subcall function 00472F20: SendMessageW.USER32(00000000,00000408,00000001,?), ref: 00472F51
Part of subcall function 00472F20: SendMessageW.USER32(?,00000408,00000001,00000000), ref: 00472FA6
Part of subcall function 00472F20: SendMessageW.USER32(?,00000417,00000000,00000000), ref: 00472FBA
Part of subcall function 00472F20: SendMessageW.USER32(?,00000415,00000000,?), ref: 00472FCE
Part of subcall function 00472F20: SendMessageW.USER32(?,0000041B,00000001,00000000), ref: 00472FE2
Part of subcall function 00472F20: SendMessageW.USER32(?,0000041F,?,00000000), ref: 00472FF7
Part of subcall function 00472F20: SendMessageW.USER32(?,00000420,00000001,?), ref: 0047300D
Part of subcall function 00472F20: SendMessageW.USER32(?,00000420,00000000), ref: 00473023

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

CreateWindowExW.USER32(?,msctls_trackbar32,004AF9BC,?,?,?,?,?,?,?,?,00000000), ref: 0046B78C
SendMessageW.USER32(?,00000405,00000001,00000000), ref: 0046B7D8

Part of subcall function 00472EE0: SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00472EF4
Part of subcall function 00472EE0: SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00472F08

Strings

Can't create control., xrefs: 0046BB10
msctls_trackbar32, xrefs: 0046B786

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$CreateObjectReleaseSelectWindow__fassign
String ID: Can't create control.$msctls_trackbar32
API String ID: 3404614496-1544864918
Opcode ID: 452bd6b0799c351e585191db705db8850b530c5b21f94cbcb56cb0e5fe0d0de4
Instruction ID: ddfc20119f1f62725ed980b3ff1e54f9acdff794dd0f7bda40f6e1f4b15b71ad
Opcode Fuzzy Hash: 452bd6b0799c351e585191db705db8850b530c5b21f94cbcb56cb0e5fe0d0de4
Instruction Fuzzy Hash: 17218E71604740AFD724EB14C844FAB7BE8EB89714F14852EF949D3690E7789C40CBAB

Function 0046B7E3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0046A83C
ReleaseDC.USER32(?,?), ref: 0046A84E

Part of subcall function 00473130: LoadLibraryW.KERNEL32(uxtheme,?,?,?,?,?,0046ED2A,?,?,?,0000041D,00000000,00000000,?,0000000B,00000000), ref: 0047315F
Part of subcall function 00473130: GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00473171
Part of subcall function 00473130: FreeLibrary.KERNEL32(00000000,?,0000041D,00000000,00000000,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 00473189
Part of subcall function 00473130: SendMessageW.USER32(?,00000406,?,?), ref: 004731E1
Part of subcall function 00473130: SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004731FA
Part of subcall function 00473130: SendMessageW.USER32(?,00002001,00000000,?), ref: 00473217

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

CreateWindowExW.USER32(?,msctls_progress32,004AF9BC,?,?,?,?,?,?,?,?,00000000), ref: 0046B822
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0046B869

Strings

msctls_progress32, xrefs: 0046B81C
Can't create control., xrefs: 0046BB10

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Library$AddressCreateFreeLoadObjectProcReleaseSelectWindow__fassign
String ID: Can't create control.$msctls_progress32
API String ID: 3671346002-3641780397
Opcode ID: 7f1fa14484f5fe2fd47615e06d432d797b70890d60c58f74e484852c4a2717cd
Instruction ID: b21c17dab264313a1b71e10fc84d11baec56b2134a0935dccdf68772bb5caac1
Opcode Fuzzy Hash: 7f1fa14484f5fe2fd47615e06d432d797b70890d60c58f74e484852c4a2717cd
Instruction Fuzzy Hash: BE218171708340AFD324DF14C884FAB77E8EB89700F14841EF98993690D778A844CBAB

Function 00473030 Relevance: 10.6, APIs: 7, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0047304C
SendMessageW.USER32(?,0000102F,00000000,00000000), ref: 00473060
SendMessageW.USER32(?,00001024,00000000,?), ref: 0047308F
GetSysColor.USER32(00000005), ref: 004730A3
SendMessageW.USER32(?,00001026,00000000,?), ref: 004730B6
SendMessageW.USER32(?,00001001,00000000,?), ref: 004730C3
InvalidateRect.USER32(00000000,00000000,00000001,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 004730CC

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$ColorInvalidateRect
String ID:
API String ID: 2722326260-0
Opcode ID: 3e7659e6f9082ed6dc79fcb128e74a30ed78c172b3edf45ec36e39176db946fd
Instruction ID: 14fb7c1128e58af52256454588768c376876988844bf7dba871c3fd5e3d664a9
Opcode Fuzzy Hash: 3e7659e6f9082ed6dc79fcb128e74a30ed78c172b3edf45ec36e39176db946fd
Instruction Fuzzy Hash: EB118670740341ABD6308F688C85FD7B7A8AF0CB11F104519FA99A73C4D3B4B891DA58

Function 004620A0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 60COMMON

Download Yara Rule

Strings

ComObjRef, xrefs: 004620BE
ComObject, xrefs: 0046212E
ComObj, xrefs: 00462135
ComObjArray, xrefs: 004620AF

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: ComObj$ComObjArray$ComObjRef$ComObject
API String ID: 0-4247866589
Opcode ID: 1123917aa73091fe6352a00bd7fe85667e0040399a4a726faddcbaadc29494c1
Instruction ID: 7468727b151b88665252e983340ae9065c02ba835f7346ba8c548fc048de484e
Opcode Fuzzy Hash: 1123917aa73091fe6352a00bd7fe85667e0040399a4a726faddcbaadc29494c1
Instruction Fuzzy Hash: 0401E1613002017BDA289A4DAD54BA36398EB84B10F20483FF651CB6D0EBA8D840C36F

Function 0044A0C5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044A0EE
mciSendStringW.WINMM(status cd mode,?,00000080,00000000), ref: 0044A107
mciSendStringW.WINMM(close cd wait,00000000,00000000,00000000), ref: 0044A116

Strings

close cd wait, xrefs: 0044A10F
open %s type cdaudio alias cd wait shareable, xrefs: 0044A0C6
status cd mode, xrefs: 0044A102

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: SendString$_vswprintf_s
String ID: close cd wait$open %s type cdaudio alias cd wait shareable$status cd mode
API String ID: 3589064202-1182961480
Opcode ID: f0be755721c286a6d2e3fe2952afc5994a2f6ab0a61cbee5435d9c39b1f394bd
Instruction ID: 1fe73425bde0e4d091d7d48565b79ee7e345e2dd204b493497ef2076858621a5
Opcode Fuzzy Hash: f0be755721c286a6d2e3fe2952afc5994a2f6ab0a61cbee5435d9c39b1f394bd
Instruction Fuzzy Hash: 4C01B57278430036E630E6659C43FDB7758DB84B64F60062BB758AF1D0DAE9A81186ED

Function 0041B6B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

RegEx, xrefs: 0041B6F6
SLOW, xrefs: 0041B726
FAST, xrefs: 0041B70E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: FAST$RegEx$SLOW
API String ID: 0-3371325577
Opcode ID: c9ff56912fc2a5445023e38118afcea68220d5fa3522d522f31d9742a3ad1101
Instruction ID: 40c3f79cf0f33fd675ea1d3eaf5275f6d4c181bb92bfb399535dd614a674d4ca
Opcode Fuzzy Hash: c9ff56912fc2a5445023e38118afcea68220d5fa3522d522f31d9742a3ad1101
Instruction Fuzzy Hash: 3CF08164A40A1022DF3126288C127EB61A1EBB1B16FD4886BF890C52C1F79CCDC6C1DE

Function 0041C390 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041C3A0
__wcsicoll.LIBCMT ref: 0041C3B8

Strings

Interrupt, xrefs: 0041C3B2
NoTimers, xrefs: 0041C3CA
Priority, xrefs: 0041C39A

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Interrupt$NoTimers$Priority
API String ID: 3832890014-3223323590
Opcode ID: 0ca710a28c9a6fdd3e1655b68ceb6b56f3a61ba5b0623bdf83e2a57486d68abd
Instruction ID: 835642e8b9c5ad1680c26623e24ea8d40f3999fc457d8eeae818b5aa4d921401
Opcode Fuzzy Hash: 0ca710a28c9a6fdd3e1655b68ceb6b56f3a61ba5b0623bdf83e2a57486d68abd
Instruction Fuzzy Hash: 6EE0D872B9591522CF1220395C43BEF60844B90B07F88827BFC10D03C2F78DC99380AD

Function 004AB012 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004AB033

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 004AB044
__getptd.LIBCMT ref: 004AB052

Strings

csm, xrefs: 004AB02C
MOC, xrefs: 004AB025
RCC, xrefs: 004AB01E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: b3449fbdd393e6848ef1480637f78e220a71a91307a74da33634cafec3fb0c87
Instruction ID: f48fb7160891fdb28535c3b3785d5e92de556274b7b77f759ccaad76ee94d93b
Opcode Fuzzy Hash: b3449fbdd393e6848ef1480637f78e220a71a91307a74da33634cafec3fb0c87
Instruction Fuzzy Hash: 0AE012305181188FCB14A76DC04AB6A3795EB5A318F9942B7E61DCB323C72CDC50998B

Function 00455600 Relevance: 9.4, APIs: 6, Instructions: 393COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00000000,00000000,00000000,00000000), ref: 004558EA
GetLastError.KERNEL32 ref: 004558F0
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00455913
WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00010000,00000000,00000000,00000000), ref: 0045594B
MultiByteToWideChar.KERNEL32(000004B0,00000000,00010000,00000000,00000000,00000000), ref: 00455983
MultiByteToWideChar.KERNEL32(?,00000000,00010000,00000000,?,?), ref: 004559AF

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a95e92de48907b82a118ca304b45eeb7a39cbf35b2509a2e4d9736f7136a285d
Instruction ID: 73ff15921c81c7c2b8fc7e5a511ab08273d7f697bb374050a02301f8568d450e
Opcode Fuzzy Hash: a95e92de48907b82a118ca304b45eeb7a39cbf35b2509a2e4d9736f7136a285d
Instruction Fuzzy Hash: 7CD1E6716046019FD710CF18D890B3BB3A1EF84325F54866BED198B392E738EC09C799

Function 00474380 Relevance: 9.2, APIs: 6, Instructions: 152windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004743CA
SendMessageW.USER32(?,0000104B,00000000,?), ref: 004743E9
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00474426
SendMessageW.USER32(?,0000104B,00000000,?), ref: 00474449
__wcsicoll.LIBCMT ref: 00474471
lstrcmpiW.KERNEL32(?,?), ref: 00474487

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$__wcsicolllstrcmpi
String ID:
API String ID: 2730042983-0
Opcode ID: 57d251954f89da3658f36c1efe7c78cee2eda118024af6682d7eeb2d842c1357
Instruction ID: e6e3da32dbd8d32ace067b7c15c597e0952ef42ba965c392ac380ee0be724a55
Opcode Fuzzy Hash: 57d251954f89da3658f36c1efe7c78cee2eda118024af6682d7eeb2d842c1357
Instruction Fuzzy Hash: E951C3B0500B019ED730DF25CC40BF3B7E9AB95310F10CA1EE69A86680E779F846DB69

Function 004861B0 Relevance: 9.1, APIs: 6, Instructions: 130windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004861D3

Part of subcall function 00484AD0: LoadLibraryW.KERNEL32(dwmapi.dll,DwmGetWindowAttribute,?,00483DB4,00000000,?,?,?,?,0040F2C8,004D82E0,?,?,004AF9BC,004AF9BC,00000000), ref: 00484AEB
Part of subcall function 00484AD0: GetProcAddress.KERNEL32(00000000), ref: 00484AF2

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AddressLibraryLoadProcVisibleWindow
String ID:
API String ID: 3687547122-0
Opcode ID: 30fe50c5a62b6199537385c2a0a7e8c383a8a8029aaa90bdd8c4c131a37aabe9
Instruction ID: 3e0fe108ad0bd2575d487907d05d64137ca0e099aa239577ee73740001247862
Opcode Fuzzy Hash: 30fe50c5a62b6199537385c2a0a7e8c383a8a8029aaa90bdd8c4c131a37aabe9
Instruction Fuzzy Hash: CB31FB727102105BD360BB78FC84BEF6798EB85322F05893BF956D7382D729AC458768

Function 004621C0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 004621CD
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004621EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00462205
SafeArrayAccessData.OLEAUT32(?,?), ref: 0046221D
SafeArrayGetElemsize.OLEAUT32(?), ref: 00462241

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ArraySafe$Bound$AccessDataElemsize
String ID:
API String ID: 505432365-0
Opcode ID: 5fe2341cbd0f1ce19e45c4412c871bb5549257b7a25b6be60c07814c3c6dc15c
Instruction ID: e428f4cc4004f9e538e2e69b6b7fde91aa7d4e1d207dcc21ad0ff8ea57338000
Opcode Fuzzy Hash: 5fe2341cbd0f1ce19e45c4412c871bb5549257b7a25b6be60c07814c3c6dc15c
Instruction Fuzzy Hash: DE31B1B5504702AFD700DF28D9849ABBBE8EF88310F40886EFD4597321E779E8448B66

Function 004673EA Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00467462
SetWindowTextW.USER32(?,?), ref: 004677AB
GetWindowRect.USER32(?,?), ref: 004677C5
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004677D8
InvalidateRect.USER32(?,?,00000001,?,?), ref: 004677E9
_free.LIBCMT ref: 00467801
SendMessageW.USER32(?,00000184,00000000,00000000), ref: 00467870

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$MessageRectSend$InvalidatePointsText__fassign_free
String ID:
API String ID: 3122703565-0
Opcode ID: bbd68bf697bb1260bcb5c37ea3b21958cfa4e8cdfddbe184c34e22a9be59febf
Instruction ID: f4e6c7a1fc2bdadbdde067009d5c61c36dff6a259d0d2b60dbe198dfd4e7846b
Opcode Fuzzy Hash: bbd68bf697bb1260bcb5c37ea3b21958cfa4e8cdfddbe184c34e22a9be59febf
Instruction Fuzzy Hash: 3131A475A09200ABE720DB14DC49F6B7B64AB44719F04452BF95697381EB78EC40C75B

Function 00482759 Relevance: 9.1, APIs: 6, Instructions: 77clipboardCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 004827AB
GlobalLock.KERNEL32(00000000), ref: 004827B8
GlobalUnlock.KERNEL32(00000000), ref: 0048280D
EnumClipboardFormats.USER32(00000000), ref: 0048281E
GlobalUnlock.KERNEL32(00000000), ref: 00482842
CloseClipboard.USER32 ref: 00482852

Part of subcall function 00405290: GetClipboardFormatNameW.USER32(0000000D,00000104,00000104), ref: 004052BC
Part of subcall function 00405290: __wcsnicmp.LIBCMT ref: 004052CE
Part of subcall function 00405290: __wcsicoll.LIBCMT ref: 004052E7
Part of subcall function 00405290: __wcsicoll.LIBCMT ref: 004052FC
Part of subcall function 00405290: __wcsicoll.LIBCMT ref: 00405311
Part of subcall function 00405290: __wcsicoll.LIBCMT ref: 00405326
Part of subcall function 00405290: __wcsicoll.LIBCMT ref: 0040533B
Part of subcall function 00405290: __wcsicoll.LIBCMT ref: 00405350

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll$Global$Clipboard$Unlock$CloseEnumFormatFormatsLockNameSize__wcsnicmp
String ID:
API String ID: 4010163957-0
Opcode ID: 40593aeba01c4497ef93904eff2b40d7adc41392d5e8bdc42a46e339f33476da
Instruction ID: 5c6dbd579122e407d6b412bf30a8d6f5c6e6e16a3bb667846ccb4e092e4f3aa1
Opcode Fuzzy Hash: 40593aeba01c4497ef93904eff2b40d7adc41392d5e8bdc42a46e339f33476da
Instruction Fuzzy Hash: 24213C329013018BCB25FF68DA8835F77E0EB44744F054E6BE845A7761D7B8D944CBAA

Function 00473850 Relevance: 9.1, APIs: 6, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00473860
GetWindowLongW.USER32(?,000000F0), ref: 00473869
SendMessageW.USER32(?,0000130A,00000000,?), ref: 0047388C
SendMessageW.USER32(?,0000132C,00000000,00000000), ref: 00473898
SendMessageW.USER32(?,00001328,00000000,?), ref: 004738E9
MapWindowPoints.USER32(?,?,?,00000002), ref: 00473904

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$Window$ClientLongPointsRect
String ID:
API String ID: 1955914217-0
Opcode ID: 23206af3ca8f9d19d7f1f66e4c9b45bef16a656f740c438cdc23d9d25fba4fc4
Instruction ID: 81f356c42dc733e4713c5d19c5a592dd33b99f88c63cb40a4183143532d6bf7c
Opcode Fuzzy Hash: 23206af3ca8f9d19d7f1f66e4c9b45bef16a656f740c438cdc23d9d25fba4fc4
Instruction Fuzzy Hash: 2A218D71649302AFD308EF18C845FAABBE4FF98701F14851EF58A57280D734AA09CB5B

Function 0043D580 Relevance: 9.1, APIs: 6, Instructions: 65windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043D592
__fassign.LIBCMT ref: 0043D5CB

Part of subcall function 0049BA2D: wcstoxl.LIBCMT ref: 0049BA3D

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

__fassign.LIBCMT ref: 0043D5FB
_wcsncpy.LIBCMT ref: 0043D627
_wcsncpy.LIBCMT ref: 0043D64B
Shell_NotifyIconW.SHELL32(00000001), ref: 0043D663

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign$_wcsncpy$IconNotifyShell__memsetwcstoxl
String ID:
API String ID: 551406035-0
Opcode ID: 8caa16ff89198dd174f85cb7a1e571fa066b27e236fd9c204203ff1755e0abb7
Instruction ID: 876c258d2f17f98dd501aa890ebf4067990aa608e37c955939e4989fa1efd456
Opcode Fuzzy Hash: 8caa16ff89198dd174f85cb7a1e571fa066b27e236fd9c204203ff1755e0abb7
Instruction Fuzzy Hash: 9C2166B1A0430067EB21EB14DC42BAF76EC9F85704F44443FF6899A2C2EBB99605875F

Function 004AB2BF Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 004AB2E7

Part of subcall function 004AABB1: __getptd.LIBCMT ref: 004AABBF
Part of subcall function 004AABB1: __getptd.LIBCMT ref: 004AABCD

__getptd.LIBCMT ref: 004AB2F1

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 004AB2FF
__getptd.LIBCMT ref: 004AB30D
__getptd.LIBCMT ref: 004AB318
_CallCatchBlock2.LIBCMT ref: 004AB33E

Part of subcall function 004AAC56: __CallSettingFrame@12.LIBCMT ref: 004AACA2

Part of subcall function 004AB3E5: __getptd.LIBCMT ref: 004AB3F4
Part of subcall function 004AB3E5: __getptd.LIBCMT ref: 004AB402

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 76f0c4520016850ac94d2ba0d63413a0b5c51c2609147ee8bcbdc081ea961fdf
Instruction ID: 177d761e09cce0a390561c76f866a073fb92933ffe0de673f7bf7f8d10bec13a
Opcode Fuzzy Hash: 76f0c4520016850ac94d2ba0d63413a0b5c51c2609147ee8bcbdc081ea961fdf
Instruction Fuzzy Hash: 0311F6B1C00209DFDF00EFA9C846BADBBB0FF08314F50856AF854A7251DB389A519F58

Function 004541D0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 296COMMON

Download Yara Rule

APIs

__wcsdup.LIBCMT ref: 0045447A
_free.LIBCMT ref: 004544DA

Strings

O, xrefs: 004544AC
ERCP, xrefs: 004542C8
RegExMatch, xrefs: 004543C9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsdup_free
String ID: ERCP$O$RegExMatch
API String ID: 2088533098-700926398
Opcode ID: b2dcfb468934621f6407e4f9bcd8944f3d50b3aa7c5712ffe1754b4adac1ae56
Instruction ID: 31d996114747a65bd03f41cd5ec34fefb3b45e9e0d1dd7c269540ce4b78567f1
Opcode Fuzzy Hash: b2dcfb468934621f6407e4f9bcd8944f3d50b3aa7c5712ffe1754b4adac1ae56
Instruction Fuzzy Hash: DDB1C375A00214AFCB14DF94C881AAFB7B5FF85319F14819AFC04AB352D738AD89CB95

Function 004037CC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00403838
GetTickCount.KERNEL32 ref: 00403909
_free.LIBCMT ref: 004039CB

Strings

OnMessage, xrefs: 00403891
call, xrefs: 0040395E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick_free_wcsncpy
String ID: OnMessage$call
API String ID: 2355968416-3128857728
Opcode ID: 5316463bfb7c07a5ee4189eedc162c972cbf6df35f57d9ab929a979a7564367c
Instruction ID: fcfe2bf54736c17d21a39cf7b35f46c0fab28c2d1df972d39fbc2a21bdba88d8
Opcode Fuzzy Hash: 5316463bfb7c07a5ee4189eedc162c972cbf6df35f57d9ab929a979a7564367c
Instruction Fuzzy Hash: 3A71BBB06052408FC720DF29D88096BBBF9BB85304F18897FE4859B361D739E906CF5A

Function 0042833D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 004283B8

Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F279
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2A5
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F2DD
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F311
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F346
Part of subcall function 0047F250: _wcsncpy.LIBCMT ref: 0047F37B

Strings

Parameter #5 invalid., xrefs: 0042845C
Parameter #4 invalid., xrefs: 004283F4
MCA, xrefs: 004283B3
Parameter #1 invalid., xrefs: 004284FE

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcsncpy$_wcschr
String ID: MCA$Parameter #1 invalid.$Parameter #4 invalid.$Parameter #5 invalid.
API String ID: 585857694-2060875404
Opcode ID: d686314f4c978df5ada6b204da14649bac07d601e90125b3ba2c0e784efb08ee
Instruction ID: a213e4631e1f60fddd2d89f8af415b2c5647ab633988516b9b844c6a4182a90d
Opcode Fuzzy Hash: d686314f4c978df5ada6b204da14649bac07d601e90125b3ba2c0e784efb08ee
Instruction Fuzzy Hash: 1251E1307043618BEB208B0AE4047AB77E1AF50314F98445FED858B396E77EED95C75A

Function 00414150 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 145COMMON

Download Yara Rule

Strings

Invalid option., xrefs: 004142C4
?, xrefs: 00414249
Too few parameters passed to function., xrefs: 0041416B
{All}, xrefs: 00414262

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID: ?$Invalid option.$Too few parameters passed to function.${All}
API String ID: 0-1706679301
Opcode ID: c68af193537216e1fca643e98c41d250b25b3fec0216e2e742f5fd58f25bc69c
Instruction ID: e8044d063794a3151aa0f4c52f41973fb5085b30c1ad96ed797766c0dc14f8a9
Opcode Fuzzy Hash: c68af193537216e1fca643e98c41d250b25b3fec0216e2e742f5fd58f25bc69c
Instruction Fuzzy Hash: C641383664C29056D321DA1498447E7BB909BE63A5F1808AFFCD047292C13D99DEC7BF

Function 004061AD Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139networkCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004062A1
WSAAsyncSelect.WSOCK32(000000FF,00000408,00000021), ref: 00406335

Strings

<response command="%s" transaction_id="%e, xrefs: 00406247
<error code="%i"/></response>, xrefs: 00406265
<response command="%s" transaction_id="%e"/>, xrefs: 004062F0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AsyncSelect_memmove
String ID: <error code="%i"/></response>$<response command="%s" transaction_id="%e$<response command="%s" transaction_id="%e"/>
API String ID: 1861896769-3791457405
Opcode ID: 34ff95711f651e1b10e939fe571f1c611fd5a674ff2fd8dcafa14c006471f3a5
Instruction ID: 1a62f14bb35c1d81c5fcc6f624dfc9327277399aac9e9fd24749a6011f185448
Opcode Fuzzy Hash: 34ff95711f651e1b10e939fe571f1c611fd5a674ff2fd8dcafa14c006471f3a5
Instruction Fuzzy Hash: 37413A31A003019BCB21ABB489856AF77B5AF54328F11067FE553B62D1DB79EA19CB08

Function 00470050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 004700BD
__itow.LIBCMT ref: 004700E5
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0047013F
ShowWindow.USER32(?,00000000), ref: 0047019F

Part of subcall function 00470270: __wcsicoll.LIBCMT ref: 0047028C

Strings

Submit, xrefs: 00470082

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$LongMessageSendShow__itow__wcsicoll
String ID: Submit
API String ID: 1467826441-949859957
Opcode ID: 7f338afbb582545b23edb08314924bbc423268a33eb14a32d0a4d6af7373ae6b
Instruction ID: e93b8146909e15d1773c3805e98e4050586de0dd1c423466079335ad8d7a8ef6
Opcode Fuzzy Hash: 7f338afbb582545b23edb08314924bbc423268a33eb14a32d0a4d6af7373ae6b
Instruction Fuzzy Hash: DB41B17090A311EBD630DF54C881B97B7A5FB44B20F508B1AF569672C1C7B9EC84C6D9

Function 004AA792 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

PMDtoOffset.LIBCMT ref: 004AA866
__CxxThrowException@8.LIBCMT ref: 004AA89E

Strings

Bad dynamic_cast!, xrefs: 004AA888

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Exception@8OffsetThrow
String ID: Bad dynamic_cast!
API String ID: 2691599830-2956939130
Opcode ID: 5375ab0a33b2a7387026c35007303dd1e7d7ade775b27ec2b321e4646a18c0c5
Instruction ID: 9a6bd26d37644e0d0fac2bec084c5bd9b779d614c2032c38d45217a7ed9a899c
Opcode Fuzzy Hash: 5375ab0a33b2a7387026c35007303dd1e7d7ade775b27ec2b321e4646a18c0c5
Instruction Fuzzy Hash: 0D31B375A002059FCF04EF65C851AAEB7A0AF69311F14446EF801E7351D73CEC12CB6A

Function 004102E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041030B

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

GetTickCount.KERNEL32 ref: 00410321
GetTickCount.KERNEL32 ref: 00410424
PostMessageW.USER32(?,00000312,?,00000000), ref: 00410447

Strings

%u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file), xrefs: 004103AC

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick$MessagePost_vswprintf_s
String ID: %u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file)
API String ID: 134691662-3609671246
Opcode ID: c404ac4db525e3e3a4875c23a226add479a04aa48ba6f0bf18bae27753fd1adc
Instruction ID: 244085edff8be58611c6e0e573786de16750f8735b5ffcafd24aea0ead46cdb6
Opcode Fuzzy Hash: c404ac4db525e3e3a4875c23a226add479a04aa48ba6f0bf18bae27753fd1adc
Instruction Fuzzy Hash: F5313371601240DBE721EFA4EC80BEA3B90EB55705F04403BEA8492391C7B858C8CBAE

Function 00441590 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

_wcsncpy.LIBCMT ref: 004415D4
__wcstoi64.LIBCMT ref: 00441614
__fassign.LIBCMT ref: 00441662
__fassign.LIBCMT ref: 0044168E

Part of subcall function 0049BD82: __wtof_l.LIBCMT ref: 0049BD8C

Part of subcall function 004998AD: __fassign.LIBCMT ref: 004998A3

Strings

msctls_statusbar321, xrefs: 004415EB

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __fassign$Window$ForegroundVisible__wcstoi64__wtof_l_wcsncpy
String ID: msctls_statusbar321
API String ID: 4167010027-1022929942
Opcode ID: 7d853f60dbb807625cb90e8ebb27f3763686600dc7ebc47fee0f7ca27cde5ca5
Instruction ID: e81e786bd3b8c8a7dd2fd0f7036c460b15d973a2291c7aca0ca955f0f748220c
Opcode Fuzzy Hash: 7d853f60dbb807625cb90e8ebb27f3763686600dc7ebc47fee0f7ca27cde5ca5
Instruction Fuzzy Hash: 32315A71A0430067E220BB265C42F6B37989F85318F09043FF94A57283EA7DD959C3AF

Function 0045F190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0045F19F
__wsplitpath.LIBCMT ref: 0045F1E6
__wsplitpath.LIBCMT ref: 0045F1FD
_wcschr.LIBCMT ref: 0045F27F

Strings

*, xrefs: 0045F291

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wsplitpath_wcschr
String ID: *
API String ID: 1241525681-163128923
Opcode ID: dde068fda31d8c00ef34fc9fd5a5e3625eb78c6cd4edae929e1fea0f2ec6b459
Instruction ID: 9bb150c275161d5d26197bea011ddee46e51accbd289442bb181b83c814e053f
Opcode Fuzzy Hash: dde068fda31d8c00ef34fc9fd5a5e3625eb78c6cd4edae929e1fea0f2ec6b459
Instruction Fuzzy Hash: 9531E1B65043009AD730E750C886BEBB3B8AF94315F00856FF98987291F7B8564CC797

Function 00476040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

RemoveMenu.USER32(?,?,00000000), ref: 0047606E
SetMenuItemInfoW.USER32 ref: 004760B5
DeleteObject.GDI32(?), ref: 004760C7
DestroyIcon.USER32(?), ref: 004760D3

Strings

0, xrefs: 004760A1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Menu$DeleteDestroyIconInfoItemObjectRemove
String ID: 0
API String ID: 347692575-4108050209
Opcode ID: 062036dcf90c25c6aa1a430b1a52aa1ccc5b96ed00da7c2b613096453af6af17
Instruction ID: 37b093b8c93bb45f128d1c50df42bb5804af63f6545c64180b2bd1794ba6b386
Opcode Fuzzy Hash: 062036dcf90c25c6aa1a430b1a52aa1ccc5b96ed00da7c2b613096453af6af17
Instruction Fuzzy Hash: 08318CB16016409FC720CF59C884C6BBBEAFB49314B05867EE48E8B711C739EC45CB99

Function 00412184 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 004122CC

Strings

%i-%i, xrefs: 004122C6
(no), xrefs: 00412352
%s%s%s%s%s%s, xrefs: 0041237A
OFF, xrefs: 00412241, 0041236C

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __swprintf
String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF
API String ID: 1857805200-721635399
Opcode ID: 8613c0c7f36b4631c54db5b6969d2941159ff2cbdb743f2b03bb499c0ccac6f9
Instruction ID: 697a3eef1c1f4c69f375fa34e8f3d3f4ea3ecd20db682625f14ac8ac8f2aed63
Opcode Fuzzy Hash: 8613c0c7f36b4631c54db5b6969d2941159ff2cbdb743f2b03bb499c0ccac6f9
Instruction Fuzzy Hash: BC3137311043409ADB28DE69C9407FB77F1AF85304F14496FE496C7740E7BD9995C399

Function 00419040 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,KbdLayerDescriptor), ref: 004190C2
GetCurrentProcess.KERNEL32(?), ref: 004190DE
IsWow64Process.KERNEL32(00000000), ref: 004190E5
FreeLibrary.KERNEL32(00000000), ref: 0041910B

Strings

KbdLayerDescriptor, xrefs: 004190BC

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Process$AddressCurrentFreeLibraryProcWow64
String ID: KbdLayerDescriptor
API String ID: 2487901806-1890577838
Opcode ID: b2d7b509e2caa1c39416aaf971f046d4676484bb8d071f3c907e2673ec1a3666
Instruction ID: d991a600d8f6fc8b461258ff220e162d17b1cde4a94af214da9bcc926f0446d1
Opcode Fuzzy Hash: b2d7b509e2caa1c39416aaf971f046d4676484bb8d071f3c907e2673ec1a3666
Instruction Fuzzy Hash: 11210A717013149BD7244F24FCA47A77BA8E748725F15053FE846C2260DB79DC90CA9D

Function 004835F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00483639

Strings

The following %s name contains an illegal character:"%-1.300s", xrefs: 00483675
function, xrefs: 0048366B, 00483674
variable, xrefs: 00483664
_$#@, xrefs: 00483634

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcschr
String ID: The following %s name contains an illegal character:"%-1.300s"$_$#@$function$variable
API String ID: 2691759472-3792156013
Opcode ID: 474c0e5932dbf47c314e31d60c503162ec7c25967c3035a925af528ad8e0f116
Instruction ID: 9fb45b2d9d2496cbda5616e2469b7155100bad80590c4c9d7ed9f281b9c26bfa
Opcode Fuzzy Hash: 474c0e5932dbf47c314e31d60c503162ec7c25967c3035a925af528ad8e0f116
Instruction Fuzzy Hash: 0D11E762B0020026DB30A91FAC41B6B7398D781B66F04467BFD48E73C0F6699D1442EA

Function 0046A426 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,SysLink,?,?,?,?,?,?,?,?,?,00000000), ref: 0046A468
SelectObject.GDI32(?,?), ref: 0046A83C
ReleaseDC.USER32(?,?), ref: 0046A84E
SendMessageW.USER32(?,00000030,?,?), ref: 0046BBF1
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0046BC0B
GetClientRect.USER32(?,?), ref: 0046BC57

Strings

Can't create control., xrefs: 0046BB10
SysLink, xrefs: 0046A462

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$ClientCreateObjectRectReleaseSelectWindow
String ID: Can't create control.$SysLink
API String ID: 1174488663-3028581624
Opcode ID: 00f3ba94fb74a9e3a3b45686d18d6f06af102bed458aa675150bf51994c22f11
Instruction ID: 7200fb0f950f19bbd283d3665344afe95b5d01b85b90e2546419235854858cbe
Opcode Fuzzy Hash: 00f3ba94fb74a9e3a3b45686d18d6f06af102bed458aa675150bf51994c22f11
Instruction Fuzzy Hash: EE114F71708340AFC724DB44D884FABBBE8EB8A714F14841EF549D3650D738A841CB6B

Function 0044E070 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000400,00000000,00000000,ddd,?,?), ref: 0044E0EB

Strings

MMM, xrefs: 0044E0AF
ddd, xrefs: 0044E0C4, 0044E0E1
MMMM, xrefs: 0044E0A8
dddd, xrefs: 0044E0BD

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: DateFormat
String ID: MMM$MMMM$ddd$dddd
API String ID: 2793631785-2187213731
Opcode ID: 6222f31b7a83b363ae38b0487501c715728e0cbe8886c83ce5622683e32537f4
Instruction ID: 516f84411cdf78456ff86e9be08266e4064a3191b0a4a9b73a0b660eaea80255
Opcode Fuzzy Hash: 6222f31b7a83b363ae38b0487501c715728e0cbe8886c83ce5622683e32537f4
Instruction Fuzzy Hash: 8501D661A0562197F728961B9C45B776195FB81711F10CB27F9319B2C1C3BDDC4181AF

Function 004AB66C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 004AB67F

Part of subcall function 004AB5DA: ___BuildCatchObjectHelper.LIBCMT ref: 004AB610

_UnwindNestedFrames.LIBCMT ref: 004AB696
___FrameUnwindToState.LIBCMT ref: 004AB6A4

Strings

csm, xrefs: 004AB66E
csm, xrefs: 004AB67B, 004AB690, 004AB6A3, 004AB6C1, 004AB6D1

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 14e40ab7451e05e613886ddce8cd3cf3a9aa13a91e72528883753ac779b6b91f
Instruction ID: d0b253d120705d72eee6c2a48fe9dffd3e8492779c26fa9e745de2959eb789ac
Opcode Fuzzy Hash: 14e40ab7451e05e613886ddce8cd3cf3a9aa13a91e72528883753ac779b6b91f
Instruction Fuzzy Hash: 9F01E871401109BBDF126F52CC45EAB7F6AEF26354F044016BD1815122D73A99B1EBEA

Function 00405040 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,0040500A,?,00000000,?,?,0041A46E,004AF9BC,00463AC5,?,00000001,?), ref: 00405051
GlobalLock.KERNEL32(00000000), ref: 00405076
GlobalFree.KERNEL32(00000000), ref: 00405087

Strings

GlobalAlloc, xrefs: 00405063
GlobalLock, xrefs: 00405092

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Global$AllocFreeLock
String ID: GlobalAlloc$GlobalLock
API String ID: 1811133220-3672399903
Opcode ID: 4483452e756e322fc70055b39f1a8f8d2d848ebc45db87d51577b4246f2d8fb4
Instruction ID: 04dba852938eae33b56b363fdb162d0cbbbb8a9a62c176812635ef6d514174e6
Opcode Fuzzy Hash: 4483452e756e322fc70055b39f1a8f8d2d848ebc45db87d51577b4246f2d8fb4
Instruction Fuzzy Hash: 73F03C74A00B019BD7209F758905A17BBE9EF66701700883FA486C3790FB78E8048F19

Function 0040E770 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,004D81D8,?,004149CE), ref: 0040E783
CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,004D81D8,?,004149CE), ref: 0040E78E
GetLastError.KERNEL32 ref: 0040E796
CloseHandle.KERNEL32(00000000), ref: 0040E7C1

Strings

AHK Mouse, xrefs: 0040E785

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Mouse
API String ID: 2372642624-1022267635
Opcode ID: 8b8466653b4715c537ef547cf467df1c7b83c73994144e49d2a019f9fc83f725
Instruction ID: e5d791abfec9a7bc10ebe606da1a98460db5e8157a61fe4d04c0c5245e65f9f5
Opcode Fuzzy Hash: 8b8466653b4715c537ef547cf467df1c7b83c73994144e49d2a019f9fc83f725
Instruction Fuzzy Hash: 39F0A7B3B0132057DB206B7AEC88B4B6B589BC5B62F058833E505D72D0D7788C414768

Function 0040E700 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,004D81D8,?,004149C1), ref: 0040E713
CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,004D81D8,?,004149C1), ref: 0040E71E
GetLastError.KERNEL32 ref: 0040E726
CloseHandle.KERNEL32(00000000), ref: 0040E751

Strings

AHK Keybd, xrefs: 0040E715

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastMutex
String ID: AHK Keybd
API String ID: 2372642624-4057427925
Opcode ID: 0cf30500f44346e3d25740c0d253ca2bec4f373ea5796d9e17539d5148542ed6
Instruction ID: ed4e07cce867f80287ce807022d2b6961fb4eedc167c48551130ad127cb9ff8b
Opcode Fuzzy Hash: 0cf30500f44346e3d25740c0d253ca2bec4f373ea5796d9e17539d5148542ed6
Instruction Fuzzy Hash: B4F0A7B3B0232057D7206B79ED88B8B67549BC5BA2F194833E505D72D4D7B88C804268

Function 004367AA Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID:
API String ID: 3832890014-0
Opcode ID: 004964ae127b1730715ace7c35192c0863f607d9ac965b811d7a4cede65aaa5d
Instruction ID: 48752d9d18290a5b6f19c147175a7056f88d3b8878c9853a584df5e8c083cfb4
Opcode Fuzzy Hash: 004964ae127b1730715ace7c35192c0863f607d9ac965b811d7a4cede65aaa5d
Instruction Fuzzy Hash: 9E812B35905113B6EB10A7108C527B27350AB09758F1AD07BED46AB3C1E7ADDC43C3AE

Function 00416260 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(?,?,?,?), ref: 00416280
UnhookWindowsHookEx.USER32(?), ref: 004162BD
GetTickCount.KERNEL32 ref: 0041630C
GetTickCount.KERNEL32 ref: 0041644F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountHookTick$CallNextUnhookWindows
String ID:
API String ID: 2092930497-0
Opcode ID: e87c4d9cea8544c6985c9845e4e84471d6cc1ab62c4353a4d87c3acf2d3ed46c
Instruction ID: 1630e8a46408fb69bf2889bb6d5f33ef418d88e7e923b46a6d445bc897383f14
Opcode Fuzzy Hash: e87c4d9cea8544c6985c9845e4e84471d6cc1ab62c4353a4d87c3acf2d3ed46c
Instruction Fuzzy Hash: D861BF70505601DAD314DF28E8A4BB6B7E0FB94704F05842FD89AC7361DB78E894CB6D

Function 0045A0B0 Relevance: 7.6, APIs: 5, Instructions: 120windowCOMMON

Download Yara Rule

APIs

ImageList_GetIconSize.COMCTL32(?,?,?), ref: 0045A13F
ImageList_AddMasked.COMCTL32(?,00000000), ref: 0045A1A2
DeleteObject.GDI32(00000000), ref: 0045A1B0
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 0045A1C5
DestroyIcon.USER32(00000000), ref: 0045A1D3

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: IconImageList_$DeleteDestroyMaskedObjectReplaceSize
String ID:
API String ID: 1613341713-0
Opcode ID: a1f99ad0e8403fb95f3e67d2cb71ff0e851d09979dab3422121fb46b2f7b4d0a
Instruction ID: 4792606ff067fb3f18dee290eef0c5e22189d084ef5192416eb87005e44faa19
Opcode Fuzzy Hash: a1f99ad0e8403fb95f3e67d2cb71ff0e851d09979dab3422121fb46b2f7b4d0a
Instruction Fuzzy Hash: 4441D6B19042119BC314DF29DC84A6BB7E9FF88315F108A2EF85AC3241D734E819C7E6

Function 0047C4F0 Relevance: 7.6, APIs: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 0047C527
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0047C55A

Part of subcall function 0047C4F0: RegCloseKey.ADVAPI32(00000000,00000000), ref: 0047C576
Part of subcall function 0047C4F0: RegDeleteKeyW.ADVAPI32(?,?), ref: 0047C586
Part of subcall function 0047C4F0: RegEnumKeyExW.ADVAPI32 ref: 0047C5AE

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: cee1baf5ba707318230caac1b9f7ab549421d1ecf0f3ae4e074baf5a2cab67d8
Instruction ID: c683caca23a88791a041d526f859f880ace065df1b30f8efc2a4fe0d7e984c55
Opcode Fuzzy Hash: cee1baf5ba707318230caac1b9f7ab549421d1ecf0f3ae4e074baf5a2cab67d8
Instruction Fuzzy Hash: 9E21BD726042117BE320CA54DC80FBBB7ECEB98718F04492EFA4496240D669E90987B6

Function 0040E3F0 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040E3FE

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234,?,0049E60D,00000018,004CFCF0,0000000C,0049E69D), ref: 00499913

_malloc.LIBCMT ref: 0040E423
_free.LIBCMT ref: 0040E432

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _malloc$AllocateHeap_free
String ID:
API String ID: 1159278337-0
Opcode ID: 0872bf2dd194d61856b1b4b6ba2741c9cd0a96555d1e4a296f5af4e06333b243
Instruction ID: f575827962c0ea3e288840b0cadad7e1e0e991ad5fef708aa991705e8e1b4358
Opcode Fuzzy Hash: 0872bf2dd194d61856b1b4b6ba2741c9cd0a96555d1e4a296f5af4e06333b243
Instruction Fuzzy Hash: CF1126F29012155BCA20EF9ABC81E67739CA781715F04043FF80497752F77AAD15C6A9

Function 00484640 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000101), ref: 0048466A
__wcsnicmp.LIBCMT ref: 0048467D
__itow.LIBCMT ref: 00484699
__wcsicoll.LIBCMT ref: 004846AA
GetWindowTextW.USER32(?,?,00007FFF), ref: 004846D3

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ClassNameTextWindow__itow__wcsicoll__wcsnicmp
String ID:
API String ID: 3076845856-0
Opcode ID: 00875de00b167fdccc549cffb4258c332c564f6329ebf7b9642ce50d16979e34
Instruction ID: 01a611e8e609d62a52d64414622b49aed9dc0bb77e3df378df9fd947c524164b
Opcode Fuzzy Hash: 00875de00b167fdccc549cffb4258c332c564f6329ebf7b9642ce50d16979e34
Instruction Fuzzy Hash: 58110A776003016BD220EB15AC84DE7B7ECEBD2716F00882FF98292241EB697949C770

Function 0045F410 Relevance: 7.5, APIs: 5, Instructions: 37windowtimethreadCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045F429
GetWindowThreadProcessId.USER32(00000000,?), ref: 0045F43D
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0045F453
TerminateProcess.KERNEL32(00000000,00000000), ref: 0045F462
CloseHandle.KERNEL32(00000000), ref: 0045F469

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Process$CloseHandleMessageOpenSendTerminateThreadTimeoutWindow
String ID:
API String ID: 1181120299-0
Opcode ID: 51942ed318b50e9245b20737dc44951c570c2997323ab49361e77c592a896834
Instruction ID: 0c78edcfc4abf563eac65214c09aaa03b9827659997d4ad8dfe5786bc2f302a0
Opcode Fuzzy Hash: 51942ed318b50e9245b20737dc44951c570c2997323ab49361e77c592a896834
Instruction Fuzzy Hash: F0F05471A413117BE3215B249C0AFDB3A989F16B52F444139FA46E61D0F7B498088AAA

Function 0045C2B0 Relevance: 7.5, APIs: 5, Instructions: 35serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000008), ref: 0045C2C6
LockServiceDatabase.ADVAPI32(00000000), ref: 0045C2D3
UnlockServiceDatabase.ADVAPI32(00000000), ref: 0045C2DE
GetLastError.KERNEL32 ref: 0045C2E6
CloseServiceHandle.ADVAPI32(00000000), ref: 0045C2F9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Service$Database$CloseErrorHandleLastLockManagerOpenUnlock
String ID:
API String ID: 2828566434-0
Opcode ID: f8830ba1c346d0a214bcc3ebd8c1ddb82fbbf3bcd4dfa298330856064dcc8b8f
Instruction ID: e1ba19c1d5db8cac9ec9d17fe69e0613a02188c8b3e9d40f358535a4c70ad967
Opcode Fuzzy Hash: f8830ba1c346d0a214bcc3ebd8c1ddb82fbbf3bcd4dfa298330856064dcc8b8f
Instruction Fuzzy Hash: F6F02771E053106BE7300BA4DCC9F4B3A6CAF92756F044072FD06F6691C768C88A836D

Function 0049D7C9 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0049D7D5

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 0049D7EC
__amsg_exit.LIBCMT ref: 0049D7FA
__lock.LIBCMT ref: 0049D80A
__updatetlocinfoEx_nolock.LIBCMT ref: 0049D81E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ef45a07a389c7c544fcc1b0804f3c3b88c4504175edd98dae87338ff740137fb
Instruction ID: 42fb7c23aaf222e8bba8594be5dbbadf58be550955e94941d92bddd22a616598
Opcode Fuzzy Hash: ef45a07a389c7c544fcc1b0804f3c3b88c4504175edd98dae87338ff740137fb
Instruction Fuzzy Hash: E2F06231D412109BDF25FB6E980374E6AA06F40718F11427FF455A76D2CB2C5941865D

Function 0048A57F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0048A630

Strings

4, xrefs: 0048A6C7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _memmove
String ID: 4
API String ID: 4104443479-4088798008
Opcode ID: 08c7dfd2f255c68d59f4eff65b376587674f84e8b4d64412f64171506931cc04
Instruction ID: d8f0c020478210e0a172cb9bc24c3874dccb951a10b41d67068053dc3c7d57a8
Opcode Fuzzy Hash: 08c7dfd2f255c68d59f4eff65b376587674f84e8b4d64412f64171506931cc04
Instruction Fuzzy Hash: B7D18870508740CBD724AF64C48462FB7A1FF95308F244D6EE8898B3A0E779D946CB9B

Function 0048A584 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0048A630

Strings

4, xrefs: 0048A6C7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _memmove
String ID: 4
API String ID: 4104443479-4088798008
Opcode ID: ed8381de68a08efc46ecaba6acece23fb8637d22289bacf08037bb6a97376bc1
Instruction ID: c2e06a7c4da85f3d138b9e2efaf72ba072b1ba5227b1d3879d193b618ae5e0f2
Opcode Fuzzy Hash: ed8381de68a08efc46ecaba6acece23fb8637d22289bacf08037bb6a97376bc1
Instruction Fuzzy Hash: 78D19970508740CBD724AF64C48462FB7A1FF95308F244D6EE8898B3A0E779D946CB8B

Function 0048A591 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 349COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0048A630

Strings

4, xrefs: 0048A6C7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _memmove
String ID: 4
API String ID: 4104443479-4088798008
Opcode ID: dcf3e8e373df0467d6fd8e705da59c8d31fed968d6734cd20c5741287d511ede
Instruction ID: d5278f23be49df784cae1764959c8b9be182e034cb24df7628e90211b217d8cd
Opcode Fuzzy Hash: dcf3e8e373df0467d6fd8e705da59c8d31fed968d6734cd20c5741287d511ede
Instruction Fuzzy Hash: 4BD18970508741CBD724AF64C48462FB7A1FF95308F244D6EE8898B3A0E779D946CB9B

Function 00437340 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 340COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004373B5

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 00437473

Strings

Next, xrefs: 004374AE

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: Next
API String ID: 776569668-2753412866
Opcode ID: 4b63708bb0e43abc788ebf2c23a1c86c32cff4154bebb309715a34013d1df51d
Instruction ID: 43456afb34cfdc9fa657791ae87aa16bcc03d39cbb6885d4f22aa9db32ac606b
Opcode Fuzzy Hash: 4b63708bb0e43abc788ebf2c23a1c86c32cff4154bebb309715a34013d1df51d
Instruction Fuzzy Hash: 9DD177B1A083419FD760DF58C890A6BB7E4BBC8314F14592EE5CA87350D778EC45CB4A

Function 00439360 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0047F770: _vswprintf_s.LIBCMT ref: 0047F789

GetTickCount.KERNEL32 ref: 00439451

Strings

---- %s, xrefs: 0043948C
Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after , xrefs: 0043936B
Press [F5] to refresh., xrefs: 00439532

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: CountTick_vswprintf_s
String ID: Press [F5] to refresh.$---- %s$Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after
API String ID: 1349412622-1384135373
Opcode ID: fc26da72e96caeaec8486255f625393123b3ec32fdf5a3e16c7ccecdd1f84356
Instruction ID: 60e482e8402927963350048a824f211a63c52be3151287eae012bdec4fcaa884
Opcode Fuzzy Hash: fc26da72e96caeaec8486255f625393123b3ec32fdf5a3e16c7ccecdd1f84356
Instruction Fuzzy Hash: D751E2719083029FD714DF2CD98466A77E1EB98314F18463EEC4583395EB78DD0ACB96

Function 00428206 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00428231

Strings

+-^RASHNOT, xrefs: 0042822C
Parameter #3 invalid., xrefs: 00428162
Parameter #1 invalid., xrefs: 004279F4

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcschr
String ID: +-^RASHNOT$Parameter #1 invalid.$Parameter #3 invalid.
API String ID: 2691759472-20153427
Opcode ID: d5f1b93be6ad0314940e0029354aed85880483f86d67e9679187faa7c30f47ea
Instruction ID: a91bab1351b3cd19c5ecac0a0afb469d13fbc2654374cb225c63e19982c0a149
Opcode Fuzzy Hash: d5f1b93be6ad0314940e0029354aed85880483f86d67e9679187faa7c30f47ea
Instruction Fuzzy Hash: CD41CF307053658BEB308B16E4447B7B7E1AF40314F98446FE8858B396D73DAC95C76A

Function 004530F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00453212

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

Strings

Count, xrefs: 0045313B
object, xrefs: 00453110
array, xrefs: 00453187

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID: Count$array$object
API String ID: 1353095263-899595868
Opcode ID: b15cca4d1a6da6537073be9c7c7da9256b4e05ccd8648335006ba696072550af
Instruction ID: 75b02fc83696aa01e0dc4558d0abf97ba6053c19d5a36d8ba070f2b4c40ed50a
Opcode Fuzzy Hash: b15cca4d1a6da6537073be9c7c7da9256b4e05ccd8648335006ba696072550af
Instruction Fuzzy Hash: F34125B1208700AFC304CF59C880A6BF7E5BBC8714F108A1EF59987350D770E949CB96

Function 0043F160 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043F180

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234,?,0049E60D,00000018,004CFCF0,0000000C,0049E69D), ref: 00499913

_free.LIBCMT ref: 0043F1B7
_malloc.LIBCMT ref: 0043F1C5

Strings

Out of memory., xrefs: 0043F1DC

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _malloc$AllocateHeap_free
String ID: Out of memory.
API String ID: 1159278337-4087320997
Opcode ID: faec79506ab349064f9d040ecedd2be85dec563b1b67ef390f2f1dcda28431e2
Instruction ID: f321bdad49d7d9a1a8d9a69af1292d76e0e63c8517c7773031c59a15c2c2178c
Opcode Fuzzy Hash: faec79506ab349064f9d040ecedd2be85dec563b1b67ef390f2f1dcda28431e2
Instruction Fuzzy Hash: E4411CB5A10701CBDB20DF29D881A23B3E1FF5D300F14596ED48A87B80E379E895CB59

Function 0047C850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0047C87A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,?,?,?,004054B8,?,000000FF,?,00407949,?), ref: 0047C8AE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,Iy@,00000000,00000000,?,00000000,?,004054B8,?,000000FF,?,00407949,?,?), ref: 0047C8D2

Strings

Iy@, xrefs: 0047C8BD, 0047C8C9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ByteCharMultiWide$_free
String ID: Iy@
API String ID: 4292660327-137096306
Opcode ID: a8ba5c6a6570f4576656624e192b6a4eeefc65fe89a8b34bdeeea35e0a60b054
Instruction ID: 267cd2231b40b581543385b78a334964f91da0eccb6439cca647baa11b1a1e4a
Opcode Fuzzy Hash: a8ba5c6a6570f4576656624e192b6a4eeefc65fe89a8b34bdeeea35e0a60b054
Instruction Fuzzy Hash: 5131D1B26047056FE320EA29D880BA7B3E8EF84B14F15C82EE94DDB751E764EC408395

Function 00462370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(atl), ref: 00462382
GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 00462392

Strings

AtlAxGetControl, xrefs: 0046238C
atl, xrefs: 0046237D

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AtlAxGetControl$atl
API String ID: 1646373207-1501572552
Opcode ID: f323a2088a14fec1c0eb6621b70b875bd3db8fb2af03af3116e8cb42fa80b463
Instruction ID: f3be39ff9f6d87b59ac7e5cb09fa5c6b8457682dbf8b2c408e7a99e3e7b1a3b3
Opcode Fuzzy Hash: f323a2088a14fec1c0eb6621b70b875bd3db8fb2af03af3116e8cb42fa80b463
Instruction Fuzzy Hash: 0C313D74701701ABDB04DF69D950B6777E4AF84708F14846EE809CB361EBBED806CB96

Function 00450110 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004501A9
FileTimeToSystemTime.KERNEL32(?,?), ref: 004501B9
__swprintf.LIBCMT ref: 004501ED

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 004501E7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Time$File$LocalSystem__swprintf
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 3390705568-4847443
Opcode ID: cdd856a6a5cba0d886cdf29c32d8186da00b77f2554ddd61ef6c4e0b54c340d2
Instruction ID: 4bf516d7b8ab1e972ca914f8eb945455db21716bb46c54fb6b9e513826b2b7d7
Opcode Fuzzy Hash: cdd856a6a5cba0d886cdf29c32d8186da00b77f2554ddd61ef6c4e0b54c340d2
Instruction Fuzzy Hash: 0C3180766086019FC318DF19C844D7BB7E9EF88311F04895EFC95872A1E738E945C76A

Function 004092FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040935C
__wcstoi64.LIBCMT ref: 00409393

Strings

file://, xrefs: 0040933B
file:///, xrefs: 00409311

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoi64_memmove
String ID: file://$file:///
API String ID: 3802750240-3202756431
Opcode ID: ca6fe1fa0a4eb5a1d0128a02a452f52ce579525a54f6a47126a2bb294c1a0595
Instruction ID: 228adb1e2c64c27fd5af7c9564332824e60ecdba18ab1f92c03d7e87603bbe0c
Opcode Fuzzy Hash: ca6fe1fa0a4eb5a1d0128a02a452f52ce579525a54f6a47126a2bb294c1a0595
Instruction Fuzzy Hash: 6E212C61944244BADB214769CC46BDFBFBC5F25304F14006BE885772C2E17C6E458BAB

Function 0049A10C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0049A12E
__calloc_crt.LIBCMT ref: 0049A147

Strings

P@M, xrefs: 0049A15E
`@M, xrefs: 0049A180

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __calloc_crt
String ID: P@M$`@M
API String ID: 3494438863-2383487292
Opcode ID: ffe5a59e5f00644102a3a615c80f0601481d12a34835bdd7cc23129257e32339
Instruction ID: bcfa03b549583ac69abfd45bb155a581ace76187cd73da6f68ff5fb9f0701be7
Opcode Fuzzy Hash: ffe5a59e5f00644102a3a615c80f0601481d12a34835bdd7cc23129257e32339
Instruction Fuzzy Hash: 2D11CA317452116BFF148E1D7C926673B95EB85728F24423BF611C63D4E738CC92868E

Function 004091F4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0040542E: __EH_prolog.LIBCMT ref: 00405433

_sprintf.LIBCMT ref: 0040927C

Strings

-_.!~*()/, xrefs: 0040924C
%%%02X, xrefs: 00409276
file:///, xrefs: 004091FA

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: H_prolog_sprintf
String ID: %%%02X$-_.!~*()/$file:///
API String ID: 1907722333-736925546
Opcode ID: 932a68f7643a3f509e63f3e22a914d7b3f5376c1dde38a70d35418f81c7149c6
Instruction ID: 3c943c9e6d5ff8764beb7e891663df72525a85a3ea475272d33d92f8a8cfe894
Opcode Fuzzy Hash: 932a68f7643a3f509e63f3e22a914d7b3f5376c1dde38a70d35418f81c7149c6
Instruction Fuzzy Hash: CC210575600702AFC720EE6AD880D2777E89F55324720887EE896977E2EB38EC41C759

Function 0041F2F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0041F2FB
_wcschr.LIBCMT ref: 0041F33B

Strings

<>=/|^,:*&~!()[]{}+-?."'\;`, xrefs: 0041F336
Class, xrefs: 0041F2F5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsnicmp_wcschr
String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$Class
API String ID: 2237432580-400929710
Opcode ID: 3fa0ac90da6f11cfaf290d6626303dd51a1c61224933c921735cca7da6df2e48
Instruction ID: 73cbafe8aee45ee9c3ceeb6b08004815a7a22e724b4f6001eee5f2fced7aeaf5
Opcode Fuzzy Hash: 3fa0ac90da6f11cfaf290d6626303dd51a1c61224933c921735cca7da6df2e48
Instruction Fuzzy Hash: 91116B322046159ACB209B2DB8026FB73D0EF953107584937EC15CB244F32CDCCBC699

Function 0041B230 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041B236

Strings

Default, xrefs: 0041B230
tSK, xrefs: 0041B243
|SK, xrefs: 0041B285

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: Default$tSK$|SK
API String ID: 3832890014-2838226312
Opcode ID: 799ae03d8b50988138682ce1cbc28f35dac54398eba65daac673c9a73d3163e3
Instruction ID: 1c125c05a020d5abf465be3158653795cdcaf50c76ef6968716d9c0e49dece33
Opcode Fuzzy Hash: 799ae03d8b50988138682ce1cbc28f35dac54398eba65daac673c9a73d3163e3
Instruction Fuzzy Hash: 6F01A16261051642EB116B34CC467EA3192EB71BA4F8847B6EC15CA3D9F32EDAC9C188

Function 0047F440 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 0047F454
FileTimeToSystemTime.KERNEL32(?,?), ref: 0047F472
__swprintf.LIBCMT ref: 0047F4A6

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0047F4A0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Time$File$LocalSystem__swprintf
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 3390705568-4847443
Opcode ID: 0c452a17264c90715c25bfd685b2e232ddf78e9e0220f7a006f8ae53647cc0b1
Instruction ID: 69ee923c25bac7f78ea06fb48614fbd1a7a1c61be3b154a77c01757d97b37213
Opcode Fuzzy Hash: 0c452a17264c90715c25bfd685b2e232ddf78e9e0220f7a006f8ae53647cc0b1
Instruction Fuzzy Hash: EF0152A1518211ABC314DF55DC4597BB7E8AF89A01F008A5EF88982290F67CD858D7B7

Function 0044F1D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 0044F1F4
__swprintf.LIBCMT ref: 0044F231

Strings

%04d%02d%02d%02d%02d%02d, xrefs: 0044F22B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: SystemTime__swprintf
String ID: %04d%02d%02d%02d%02d%02d
API String ID: 3074119229-4847443
Opcode ID: ae8279b8155f0432419f5b7d66090c7ae7ae250e19b47eec4f082ac7e4461f1c
Instruction ID: 6c830e8ffff33c79251de3424dd09309443451ca299721e0cf7b916c0585d6a0
Opcode Fuzzy Hash: ae8279b8155f0432419f5b7d66090c7ae7ae250e19b47eec4f082ac7e4461f1c
Instruction Fuzzy Hash: E1017575404320ABD314EB49C8859BBB3F8EEC8700F84895EF8D986291E378D958D3A6

Function 0041E450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041E460
_wcsncpy.LIBCMT ref: 0041E4D2
Shell_NotifyIconW.SHELL32(00000000,?), ref: 0041E4E5

Strings

AutoHotkey, xrefs: 0041E4C3, 0041E4CA

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: IconNotifyShell__memset_wcsncpy
String ID: AutoHotkey
API String ID: 1481257660-348589305
Opcode ID: ecd1b069303c88d3f1ea25889ce45ecf1cd6f4269b6201538435dd49830af13c
Instruction ID: c686445f2512367dc9ce89e0d941c16e9b78dc41647ae29c272231039a59f7ed
Opcode Fuzzy Hash: ecd1b069303c88d3f1ea25889ce45ecf1cd6f4269b6201538435dd49830af13c
Instruction Fuzzy Hash: F21161B46007019BEB60CF79D848B97B7E8EB49304F00482EE95EC7240EB78B944C769

Function 0046701F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00467029
FlashWindow.USER32(?,00000000), ref: 0046703C
_free.LIBCMT ref: 0046705E

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

Strings

Off, xrefs: 00467023

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ErrorFlashFreeHeapLastWindow__wcsicoll_free
String ID: Off
API String ID: 1749853394-334568355
Opcode ID: e9d64d0eca5ea6131d77de04498b3dbbd6a1b7e9f6794c587352d57dc53c48d3
Instruction ID: 6e97519503431384daa6544c0e3f04d90049bbae0d5151cea4dddf8dc417b7be
Opcode Fuzzy Hash: e9d64d0eca5ea6131d77de04498b3dbbd6a1b7e9f6794c587352d57dc53c48d3
Instruction Fuzzy Hash: 57F01D71A55200EBCA10DF25E801A2A77A4F784715F00453BF80293351E739AC1597AA

Function 00477030 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

SetMenuItemInfoW.USER32 ref: 00477063
DeleteObject.GDI32(00000000), ref: 00477076
DestroyIcon.USER32(00000000,?,00475AA5,00000000,?,751E5780,?,?,0041DAB1,004DA6C0,00000000,?,?,?,00000000,00000000), ref: 00477090

Strings

0, xrefs: 0047704B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: DeleteDestroyIconInfoItemMenuObject
String ID: 0
API String ID: 2083505926-4108050209
Opcode ID: 8fe182bfc6fa1b5d3ef5d0b9c18640a74ac036c15acd338e6af6377507ab86b3
Instruction ID: ee6f528fee97588970cab22696269b78434f4982b2fea64e4973f0d9a385d81b
Opcode Fuzzy Hash: 8fe182bfc6fa1b5d3ef5d0b9c18640a74ac036c15acd338e6af6377507ab86b3
Instruction Fuzzy Hash: 05F04FF05053409FE324CF15C958B577BE4FB48704F844A1DE49A87690D7B9E808CB9A

Function 00424217 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00424224
__wcsicoll.LIBCMT ref: 0042423D

Strings

f9U, xrefs: 00423B45
WHILE, xrefs: 00424237

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: WHILE$f9U
API String ID: 3832890014-1171745783
Opcode ID: 8c817246c82c98187fafd3f910828143b13ff07b61f4ba220981b8bab369cb55
Instruction ID: c5cdfe8719934b4225720b737b4a50bcb2e5d34332e8ff571b97da6aaa14f866
Opcode Fuzzy Hash: 8c817246c82c98187fafd3f910828143b13ff07b61f4ba220981b8bab369cb55
Instruction Fuzzy Hash: FEF0E9106483E095CF30DF659C057BBBAA09BB034AF84481FF84482282F2ACD788C26F

Function 004AC6E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,RemoveClipboardFormatListener), ref: 004AC6EA
GetProcAddress.KERNEL32(00000000), ref: 004AC6F1

Strings

user32, xrefs: 004AC6E5
RemoveClipboardFormatListener, xrefs: 004AC6E0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RemoveClipboardFormatListener$user32
API String ID: 1646373207-262861245
Opcode ID: 2180c115e993454258d48d69f7161d2597859ffa2302fb5b7dbf229b318ca307
Instruction ID: a28d9356e194ecad96d4c927083b138a458a8970e8b539e4f154e73064df616e
Opcode Fuzzy Hash: 2180c115e993454258d48d69f7161d2597859ffa2302fb5b7dbf229b318ca307
Instruction Fuzzy Hash: 60B092B0E81300AFCA006FB4AD0D9463FA4E60AB027220033F50281666CB7E40009E2C

Function 004AC740 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 004AC74A
GetProcAddress.KERNEL32(00000000), ref: 004AC751

Strings

kernel32, xrefs: 004AC745
IsWow64Process, xrefs: 004AC740

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 7cf20e03da5bc420203f9e16cab9d5822fae95a61026296c17b3ccaae8853429
Instruction ID: beb7f2c7450a43d0d7dbfd76a38949e2bf7a5ff79eb77d53d100d83136dae800
Opcode Fuzzy Hash: 7cf20e03da5bc420203f9e16cab9d5822fae95a61026296c17b3ccaae8853429
Instruction Fuzzy Hash: BEB092B4A82200DB86002FB2AE8DA283FE8E619B02750043AB842C2668CB7C40009B3C

Function 004AC700 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,AddClipboardFormatListener), ref: 004AC70A
GetProcAddress.KERNEL32(00000000), ref: 004AC711

Strings

AddClipboardFormatListener, xrefs: 004AC700
user32, xrefs: 004AC705

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AddClipboardFormatListener$user32
API String ID: 1646373207-221531295
Opcode ID: 43ad8104f7242157a2ec02c256a3fcc2efb03479c62fb996584d130a5e834ab5
Instruction ID: 514cb8c2400bb0b6b47f06a3fd566b3e049c97ab4ae91a87cfaf9f2fc7c1732f
Opcode Fuzzy Hash: 43ad8104f7242157a2ec02c256a3fcc2efb03479c62fb996584d130a5e834ab5
Instruction Fuzzy Hash: 95B092B0E81200AF8A002FB8AD0D9463FE4A61A702B220032F54382666CB7E40009F2C

Function 004362BB Relevance: 6.4, APIs: 4, Instructions: 354stringCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004365EC
__wcsicoll.LIBCMT ref: 004365FE

Part of subcall function 0041A400: __wcstoi64.LIBCMT ref: 0041A413

lstrcmpiW.KERNEL32(?,?), ref: 00436617
lstrcmpiW.KERNEL32(?,?), ref: 00436624

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicolllstrcmpi$__wcstoi64
String ID:
API String ID: 455558549-0
Opcode ID: 9a7d1752987f0ad3d41bc1a9663a876de0dc2d4d735ff72631399082f474670f
Instruction ID: 45d2045dda6875f6f0292c47ba932af5119c93e2a452eee314bf208170be700c
Opcode Fuzzy Hash: 9a7d1752987f0ad3d41bc1a9663a876de0dc2d4d735ff72631399082f474670f
Instruction Fuzzy Hash: 73C13730B052037BDB109F24D88176B73A1AB68718F1AE17FE8455B392D669DC82C78E

Function 0042D0F0 Relevance: 6.2, APIs: 4, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0d0ee19a2c7d9d7d444e7d07f06a5dcbed08c38c33c376d513c3c10b53fcca
Instruction ID: a8907f5895546d634107f72b29e39a528a21f0366b9d94b3086508b11533b1e8
Opcode Fuzzy Hash: df0d0ee19a2c7d9d7d444e7d07f06a5dcbed08c38c33c376d513c3c10b53fcca
Instruction Fuzzy Hash: F681D276B043519BD730DA58E884BABB3E1AF88310F54055EE98457382D735EC06C7A6

Function 00448760 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 004487D5
__wcstoi64.LIBCMT ref: 00448808

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoi64
String ID:
API String ID: 398114495-0
Opcode ID: d368cd16a56b87dc9b1fca7be9f58092a5dc3d35ec999162e3d4214cda1dbf95
Instruction ID: 649cef476feb19c9ebc35da805fb32fdc699c4b9df499068426ad1c6de1e1cbf
Opcode Fuzzy Hash: d368cd16a56b87dc9b1fca7be9f58092a5dc3d35ec999162e3d4214cda1dbf95
Instruction Fuzzy Hash: 18414631A0410256FB11BF28CC417AF37A4AFD2754F98056FF881A7391EF2D9A06878E

Function 0045D7E5 Relevance: 6.1, APIs: 4, Instructions: 104windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,000000B0,?,?,00000002,000007D0,?), ref: 0045D804
SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,?), ref: 0045D825
SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 0045D852
SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 0045D883

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: abc15d4db83a00bbe4814480fab8bdd09ebd37df512acd02d9e4cb8715834d98
Instruction ID: 99854541b1f9583881b17842ba83f381779d9684196dfc2af038cc0d16be25bc
Opcode Fuzzy Hash: abc15d4db83a00bbe4814480fab8bdd09ebd37df512acd02d9e4cb8715834d98
Instruction Fuzzy Hash: 52316431B44209AAEB20DAA4DC86FBF7778AF44B11F10061BBA10B71C5D7B4AD0587A9

Function 004A504D Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A5081
__isleadbyte_l.LIBCMT ref: 004A50B4
MultiByteToWideChar.KERNEL32(54896610,00000009,?,00009B8D,00000000,00000000,?,?,?,0047F78E,?,00000000), ref: 004A50E5
MultiByteToWideChar.KERNEL32(54896610,00000009,?,00000001,00000000,00000000,?,?,?,0047F78E,?,00000000), ref: 004A5153

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b59e0e4450bc800f9a93e2b1cc921e81cc40bbc7ad70f6c7594ba30609f1cf79
Instruction ID: 3cb286f00d7614339aaae4525e53b06ff45c314c0ccaedaef05e4e6b28e7892c
Opcode Fuzzy Hash: b59e0e4450bc800f9a93e2b1cc921e81cc40bbc7ad70f6c7594ba30609f1cf79
Instruction Fuzzy Hash: 3E310030A08A45EFDF20DF64C980ABA3BA1BF12350F1485AEF4618B2A1D334CD40CB99

Function 004612D0 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 004612E5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 75f7169935f71d0470cb2d8a072cb73fc8f75f28c1271252ab23fb96a1472ace
Instruction ID: f75ff6eebda167df49eca2dbdccf54938d51a1f2dba76d1c5790e1abba9c006d
Opcode Fuzzy Hash: 75f7169935f71d0470cb2d8a072cb73fc8f75f28c1271252ab23fb96a1472ace
Instruction Fuzzy Hash: 4D21083A6002045F9B10DF69D89487B77A8EBC9320B18857BFC1EC7720F638DC858796

Function 00484510 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00484588
EnumChildWindows.USER32(?,00484640,?), ref: 004845C9
EnumChildWindows.USER32(?,00484640,?), ref: 004845F5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ChildEnumWindows$_wcsncpy
String ID:
API String ID: 1330499146-0
Opcode ID: b349284bc6e80cce4c27efcf33d5ff29a9a481e893eba498b14e6b0c3b528829
Instruction ID: 36d5f45516869322ed6f36828927181cd33ce7801d169331c47538860fb52bc0
Opcode Fuzzy Hash: b349284bc6e80cce4c27efcf33d5ff29a9a481e893eba498b14e6b0c3b528829
Instruction Fuzzy Hash: FD2103316453465BC234EB259C017EFB3D8EFD5310F44492EEA8883240EB7D954983AA

Function 00473260 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00473298
GetWindowRect.USER32(?,?), ref: 004732BC
GetWindowRect.USER32(?,?), ref: 004732C6
IntersectRect.USER32(?,?,?), ref: 004732D7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Rect$Window$IntersectParent
String ID:
API String ID: 3824346474-0
Opcode ID: 2ac69dfb495a91facff9cadf3a68977131fbd4e23206bd57c00ed3ff04adbbd7
Instruction ID: 4964f4b91146b61ffbff53206609cd3e2b5890edde46945eee19c8cd1ae7b7ff
Opcode Fuzzy Hash: 2ac69dfb495a91facff9cadf3a68977131fbd4e23206bd57c00ed3ff04adbbd7
Instruction Fuzzy Hash: AB21DD725082059FC310CF64C9849ABFBE4FBD5310F048A2EFD8A93200DB36E909CB96

Function 0045C857 Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045C8A9
GetMenuItemID.USER32(?,?), ref: 0045C8D0
GetSubMenu.USER32(?,?), ref: 0045C8DF
GetMenuItemCount.USER32(00000000), ref: 0045C8EA
PostMessageW.USER32(?,?,?,00000000), ref: 0045CA8F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Menu$Item$CountMessagePost__fassign
String ID:
API String ID: 525247454-0
Opcode ID: 170e96d2ea3c8d79a3905b1c71aa9096b31d102e4daa73928574f2fb4129325a
Instruction ID: 673c47aef413a6eb1b51536a05a39f172dd2152a4097d26636a243d474ccbe58
Opcode Fuzzy Hash: 170e96d2ea3c8d79a3905b1c71aa9096b31d102e4daa73928574f2fb4129325a
Instruction Fuzzy Hash: 3D213A716003055FCB20EF249C85B9B7BA0AB85326F104A2BED62673C2D778DC4CC799

Function 004195C0 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00419601
_wcstoul.LIBCMT ref: 00419618
__wcsnicmp.LIBCMT ref: 0041962B
_wcstoul.LIBCMT ref: 00419646

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsnicmp_wcstoul
String ID:
API String ID: 372159744-0
Opcode ID: fd0662cd15e2bc9ecd537496a386419bc16261a8e307adae47ae9c4ca74dd4df
Instruction ID: 7bd494f741f576a8ce20771c02b6e433522962607588b9d2a8ec4f69cf03f2de
Opcode Fuzzy Hash: fd0662cd15e2bc9ecd537496a386419bc16261a8e307adae47ae9c4ca74dd4df
Instruction Fuzzy Hash: E511063264435126DA00AB596C52FEB739D6F9471CF04442BF84C9B242E36E9D4683BE

Function 0045C855 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0045C8A9
GetMenuItemID.USER32(?,?), ref: 0045C8D0
GetSubMenu.USER32(?,?), ref: 0045C8DF
GetMenuItemCount.USER32(00000000), ref: 0045C8EA
PostMessageW.USER32(?,?,?,00000000), ref: 0045CA8F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Menu$Item$CountMessagePost__fassign
String ID:
API String ID: 525247454-0
Opcode ID: 1727f8aa95cc93c037e10509a43b86ee32ea5f68065e25d0fa51c6904688572e
Instruction ID: 3c42eac86d051e1d7a8f6097c33cf37ef196e4d274adf927e79f82b016e8b26d
Opcode Fuzzy Hash: 1727f8aa95cc93c037e10509a43b86ee32ea5f68065e25d0fa51c6904688572e
Instruction Fuzzy Hash: 3B21F8716003055FC720EF249C85B9B3BA0AB85726F104A2BED52672C2D7789D4CC69D

Function 004770B0 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 004770FE
GetObjectW.GDI32(?,00000018,?), ref: 00477114
DeleteObject.GDI32(?), ref: 0047713C
DeleteObject.GDI32(?), ref: 00477143

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Object$Delete$IconInfo
String ID:
API String ID: 507670407-0
Opcode ID: b20c8195ae865672dc496070bf4c94ebcad6d13cc7563a73ebd2f83cd2cdfb0c
Instruction ID: 6b43e1e7c084cecba670cf66b695526791576ca4083491f4fe897a7a06c25ca9
Opcode Fuzzy Hash: b20c8195ae865672dc496070bf4c94ebcad6d13cc7563a73ebd2f83cd2cdfb0c
Instruction Fuzzy Hash: B51151717082029FDB14DF2AC850AA7B7A9BF94754B85C52EE84DC7350E735EC02CB99

Function 0046765D Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000472,00000000,00000000), ref: 00467684
SendMessageW.USER32(?,00000468,00000000,00000000), ref: 00467693
SendMessageW.USER32(?,?,00000000,00000000), ref: 004676C2
_free.LIBCMT ref: 00467801

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$__fassign_free
String ID:
API String ID: 3919206514-0
Opcode ID: 83ff71806ed9d319f6e7f3d6233b6026c0a1b42c5e7994dc9419baf743f64301
Instruction ID: 47f28ac46192420ea4ab24dc785a545f78f826e88626cd4604c94388866f5bdb
Opcode Fuzzy Hash: 83ff71806ed9d319f6e7f3d6233b6026c0a1b42c5e7994dc9419baf743f64301
Instruction Fuzzy Hash: A6110BB19042149BD714AF24EC5177A3360A744324F05862FEE556B391F67D9C01D79A

Function 0045B4A0 Relevance: 6.1, APIs: 4, Instructions: 61keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(?), ref: 0045B4B5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: e82773afbcbe8a1dc9b96c6ce42733924d3b951cf6b87cb4284e9e4482bea35d
Instruction ID: 965dc7b8fc80dce80f6196c731ca50fc8bb2cace639006f0240492d1892f7766
Opcode Fuzzy Hash: e82773afbcbe8a1dc9b96c6ce42733924d3b951cf6b87cb4284e9e4482bea35d
Instruction Fuzzy Hash: 011148B48501049ADB289B24A8253FA37D1F782707FCC049BF8498A593D32DC54EE61D

Function 00485090 Relevance: 6.1, APIs: 4, Instructions: 60threadCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,00007FFF), ref: 004850C7
GetWindowThreadProcessId.USER32(?,?), ref: 004850EF
GetWindowThreadProcessId.USER32(?,?), ref: 00485102
GetClassNameW.USER32(?,?,00000101), ref: 00485148

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$ProcessThread$ClassNameText
String ID:
API String ID: 3420357866-0
Opcode ID: cbe98b434cf80826166d63d86ef2370306080e96a37b5017900a048dc547deef
Instruction ID: 1dddd29d0a0e8a65f278402aa56dbe997ca847a4857300b78447aad09caf0507
Opcode Fuzzy Hash: cbe98b434cf80826166d63d86ef2370306080e96a37b5017900a048dc547deef
Instruction Fuzzy Hash: 31118EB1604B419AD734EB38DC54BEBB7EAEF81740F148D1DF48687280EB78A941C768

Function 004676CB Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000400,00000000,00000000), ref: 004676F4
SendMessageW.USER32(?,00000405,00000001,00000000), ref: 00467704
SendMessageW.USER32(?,00000405,00000001,00000000), ref: 0046772C
_free.LIBCMT ref: 00467801

Part of subcall function 00414390: __fassign.LIBCMT ref: 004143A0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MessageSend$__fassign_free
String ID:
API String ID: 3919206514-0
Opcode ID: 149a1512e2fbbcfb1b93361dcfa3067f174b0d1655413f6468d5f8f41f565f72
Instruction ID: c7d3bd540f621dadfba3bc4f4f21eab6c52bfc108e058c0b41c4b6b99a5f9c7d
Opcode Fuzzy Hash: 149a1512e2fbbcfb1b93361dcfa3067f174b0d1655413f6468d5f8f41f565f72
Instruction Fuzzy Hash: 65110471A04304ABDB10AF24EC45B6A7764EB48718F04852BFE15AB3D1E779EC01CB5E

Function 00413760 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004137D4
_free.LIBCMT ref: 004137DD
_free.LIBCMT ref: 004137E6
_free.LIBCMT ref: 004137F8

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84372ab366233e1e3f11ea76a1918e4a540dbec9360a488de1cafb9e99ed26ba
Instruction ID: 15c89f8d632e1da3948e614e22d90df01441973e613c2258d7b1f18d58110370
Opcode Fuzzy Hash: 84372ab366233e1e3f11ea76a1918e4a540dbec9360a488de1cafb9e99ed26ba
Instruction Fuzzy Hash: 83113AB5600B009FCB20DF69C880B57B3E8BF88B04F14895DE16A87791D739ED41CB54

Function 0046746F Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00467479
SetWindowTextW.USER32 ref: 0046749D
_free.LIBCMT ref: 004674B4
_free.LIBCMT ref: 00467801

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window_free$LongText
String ID:
API String ID: 619191937-0
Opcode ID: da25cd6ff316bc7df0fd32b155c8f470c33ec1a05c8f2bfd7fe2a151d2c00d68
Instruction ID: 31e009861fe416d858f1265a6d8b2eaac72a6d6c2150090279bd541320a5b894
Opcode Fuzzy Hash: da25cd6ff316bc7df0fd32b155c8f470c33ec1a05c8f2bfd7fe2a151d2c00d68
Instruction Fuzzy Hash: 26019672A092109BCB20AF18FC4452B7BA4B745719B04453FE916A7311EB3DEC01C79F

Function 004A747C Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 004A74A2

Part of subcall function 004A72CE: __fltout2.LIBCMT ref: 004A72F9

__cftog_l.LIBCMT ref: 004A74C8
__cftoe_l.LIBCMT ref: 004A74FA

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 59b8ee1df70a32654047179b309df7b8dc7a692eb6fa6cc73ca9361a895a4520
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: FA11403600414EBBCF225F85DC01CEE3F26BB2E354B598516FE1859131C63AC9B1AB85

Function 004051C0 Relevance: 6.0, APIs: 4, Instructions: 45clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 004051DC
CloseClipboard.USER32 ref: 004051E1
GlobalUnlock.KERNEL32(00000000), ref: 004051F5
GlobalFree.KERNEL32(00000000), ref: 00405205

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Global$Unlock$ClipboardCloseFree
String ID:
API String ID: 1156981608-0
Opcode ID: cdb104fbe02ca3a2b87b981b4332b679801b1997406f8f313d5246e153e7d72b
Instruction ID: 7b06cf66b523ec39c383a240aa60a08e19c90baee00529917ca77d3278b74d3d
Opcode Fuzzy Hash: cdb104fbe02ca3a2b87b981b4332b679801b1997406f8f313d5246e153e7d72b
Instruction Fuzzy Hash: B201DA71900B009BC3209F5AD884827F7E9FF99711354C92FE59697A51DB35E980CF29

Function 0041E420 Relevance: 6.0, APIs: 4, Instructions: 20windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 0041E42E
EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 0041E437
EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 0041E440
EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 0041E449

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 574a773f115e25bfa103674c532c74afdced1f61a0b464d7e107442c503312d9
Instruction ID: 6fa3dc5e3dabf9984090f1258573e8c6de812a1d7388ad0cb832bc4bef60568c
Opcode Fuzzy Hash: 574a773f115e25bfa103674c532c74afdced1f61a0b464d7e107442c503312d9
Instruction Fuzzy Hash: 76D0025164F31739B43172625DC5CBF5D2DDF8BEE87400175F208159C44E555C03B1B9

Function 00413730 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00413734

Part of subcall function 0049996D: HeapFree.KERNEL32(00000000,00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499983
Part of subcall function 0049996D: GetLastError.KERNEL32(00000000,?,0049D9E3,00000000,?,0049F73B,?,0047F78E), ref: 00499995

_free.LIBCMT ref: 0041373D
_free.LIBCMT ref: 00413746
_free.LIBCMT ref: 00413758

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 345973364b0545af3fdb086cde8b5ba004b653dfe4a1be3d2f6b8bd271f90e75
Instruction ID: c2a0b7c4c52d022daa613f71fd762b6c0d849fc35d055dc1419f6c1ed5763def
Opcode Fuzzy Hash: 345973364b0545af3fdb086cde8b5ba004b653dfe4a1be3d2f6b8bd271f90e75
Instruction Fuzzy Hash: 84D012F15007009FCA34AB7AC845D5777AC7B44704B008D1EB1B657A42C63CE845CB54

Function 00485150 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004852EE
EnumChildWindows.USER32(00000000,00484170,?), ref: 00485473

Strings

%s%u, xrefs: 004854E2

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ChildEnumWindows__wcsicoll
String ID: %s%u
API String ID: 2617673624-679674701
Opcode ID: 9695a8490e76fbec8e3f7a5df6875ce0b74bb5ef3fe249b05653e96e94f5eca2
Instruction ID: fd503b9bf58d8d7e3ca49ccfc741b5e7740dbbe1e6e08fdb7da58b1b40acea88
Opcode Fuzzy Hash: 9695a8490e76fbec8e3f7a5df6875ce0b74bb5ef3fe249b05653e96e94f5eca2
Instruction Fuzzy Hash: 52B1C5316005849ADB74FE64DC44BEF33A6EF60355F44892BDC098B244EB39EB89CB58

Function 004416D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 276windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0044DDD0: GetForegroundWindow.USER32(?,?,004408D5,?), ref: 0044DDFE
Part of subcall function 0044DDD0: IsWindowVisible.USER32(00000000), ref: 0044DE19

SendMessageTimeoutW.USER32(?,?,?,00000000,00000002,00001388,?), ref: 00441842

Strings

FAIL, xrefs: 00441865, 00441880, 0044199D, 004419BE, 004419DA

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Window$ForegroundMessageSendTimeoutVisible
String ID: FAIL
API String ID: 578228273-2964506365
Opcode ID: 6a046053245d6cf30cfad53be2095a8a857fce27ab5d9c60f8de29f11a81a135
Instruction ID: e3aab89251119bf91e039b484f3e32ec53d8a3168cdea2df42cb83aa19531c57
Opcode Fuzzy Hash: 6a046053245d6cf30cfad53be2095a8a857fce27ab5d9c60f8de29f11a81a135
Instruction Fuzzy Hash: ACA137B17042005BE720DF25E881B67B7A5AB85324F24856FE8458B3E2C77AECC5C799

Function 0040709F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00407282

Part of subcall function 0049A774: __wcstoi64.LIBCMT ref: 0049A76A

Strings

<response command="context_get" context="%i" transaction_id="%e">, xrefs: 00407199
</response>, xrefs: 004072A9

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcstoi64_free
String ID: </response>$<response command="context_get" context="%i" transaction_id="%e">
API String ID: 2994465007-1369534021
Opcode ID: 90780f0643ae5196df1dfd8265b02ed8f390ca8f5298d51389d98e30d53f418f
Instruction ID: 91c04df020945328688d4e1b7fa7780b81ed1aca19b9e4d1e6cef039baa896ca
Opcode Fuzzy Hash: 90780f0643ae5196df1dfd8265b02ed8f390ca8f5298d51389d98e30d53f418f
Instruction Fuzzy Hash: 677137729083429FC710DF69C48095ABBE4BB88314F104A7FF5A5A7291D738EA05CB9B

Function 004033E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00403C40: GetTickCount.KERNEL32 ref: 00403C72

GetTickCount.KERNEL32 ref: 0040346D
_wcsncpy.LIBCMT ref: 004034E3

Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A

Strings

Timer, xrefs: 0040354B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AvailableClipboardCountFormatTick$_wcsncpy
String ID: Timer
API String ID: 1301760726-2870079774
Opcode ID: d0fff780e64689c34af00ca0d6334427c4046cc04e8364f15790e01347e6108e
Instruction ID: 88a1a9f590d70e8c25626c38314a5bdde0ade3cccdfd18b28cc201bae22654a4
Opcode Fuzzy Hash: d0fff780e64689c34af00ca0d6334427c4046cc04e8364f15790e01347e6108e
Instruction Fuzzy Hash: F851F170204744ABD730DF209845B27BFE9AB4130AF04057FE8816A6E1DB7CEE84879A

Function 00456280 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00456389

Strings

%0.*f, xrefs: 00456383

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __swprintf
String ID: %0.*f
API String ID: 1857805200-3326200935
Opcode ID: f3efc868f029221008d738867895e1ecbe01fd11a00cb585197f70b68130d1e5
Instruction ID: 1ab908d5ddf41f0e68c28e2bead8703a9a00ba5176545fe044d82a1471ca67b7
Opcode Fuzzy Hash: f3efc868f029221008d738867895e1ecbe01fd11a00cb585197f70b68130d1e5
Instruction Fuzzy Hash: 16415470604605EBC700BF1AE90525ABBB0FF89316F5105AFEDC993252DB398829C78F

Function 00412770 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004127D3

Part of subcall function 004998CE: __FF_MSGBANNER.LIBCMT ref: 004998E7
Part of subcall function 004998CE: __NMSG_WRITE.LIBCMT ref: 004998EE
Part of subcall function 004998CE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0049EF67,00401234,00000001,00401234,?,0049E60D,00000018,004CFCF0,0000000C,0049E69D), ref: 00499913

Strings

Out of memory., xrefs: 004127E9
Hotstring max abbreviation length is 40., xrefs: 004127A5

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID: Hotstring max abbreviation length is 40.$Out of memory.
API String ID: 501242067-4290233147
Opcode ID: 194b1ed92c7ff72f5b6e2d027fe6ab39e016c2f1ec6577834c81b3699ec54cbb
Instruction ID: 5f0199ee1d96cee1de2ad668c0bcdfbb6d51e196393b572e948264f15dbae98a
Opcode Fuzzy Hash: 194b1ed92c7ff72f5b6e2d027fe6ab39e016c2f1ec6577834c81b3699ec54cbb
Instruction Fuzzy Hash: E141BCB0A083419FD704EF28D950B9777E4EB88314F048A2FE459D73A0E778D991CB9A

Function 0040962B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409630

Part of subcall function 0040542E: __EH_prolog.LIBCMT ref: 00405433

Strings

<property name="%e" fullname="%e" type="%s" size="0" page="0" pagesize="%i" children="%i" numchildren="%i">, xrefs: 0040975C
<property name="%e" fullname="%e" type="%s" facet="%s" classname="%s" address="%p" size="0" page="%i" pagesize="%i" children="%i" numchildren="%i">, xrefs: 004096B7

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: H_prolog
String ID: <property name="%e" fullname="%e" type="%s" facet="%s" classname="%s" address="%p" size="0" page="%i" pagesize="%i" children="%i" numchildren="%i">$<property name="%e" fullname="%e" type="%s" size="0" page="0" pagesize="%i" children="%i" numchildren="%i">
API String ID: 3519838083-126030962
Opcode ID: 87c03c89220bf1667a2df9af8027606b09f5679cea5c4d0205409a389e4483e9
Instruction ID: ec74d3aad49231399a40807f729c761cf72e4b956a2551eb17b1f112bbe09f3e
Opcode Fuzzy Hash: 87c03c89220bf1667a2df9af8027606b09f5679cea5c4d0205409a389e4483e9
Instruction Fuzzy Hash: 6D417875600601DFCB28DF25C990E6ABBF6FF88304B04856EE8569B7A2DB35EC11CB44

Function 00465380 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004653E8
_malloc.LIBCMT ref: 00465402

Strings

Out of memory., xrefs: 0046541B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free_malloc
String ID: Out of memory.
API String ID: 845055658-4087320997
Opcode ID: e21ae786c6e9b8db64333e340c842a09a6c7fb063943bf23a6314815d1c1fc8b
Instruction ID: 6edd4201630c5618b3b346814b44ec0e210f623ce0764d09a1678dbcbdc49249
Opcode Fuzzy Hash: e21ae786c6e9b8db64333e340c842a09a6c7fb063943bf23a6314815d1c1fc8b
Instruction Fuzzy Hash: 44416BB26007059FC720DF19D880A2BB3E5EBC4700F10886FE99A87351EB75E985CB5A

Function 0047E730 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 0047E7FA

Part of subcall function 00404120: GetCPInfo.KERNEL32(?,?), ref: 00404136

Strings

UTF-16, xrefs: 0047E83E
UTF-8, xrefs: 0047E81F

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Info__itow
String ID: UTF-16$UTF-8
API String ID: 12026576-557455392
Opcode ID: 5747938a6824f265d044a13233a5687bd07c2c07ed748ba3a3132aa77d0ef743
Instruction ID: aaa09a8c173b39d83c1aa0c76f5aa8540e02c29f818dbacb883f0dc08b4e8a80
Opcode Fuzzy Hash: 5747938a6824f265d044a13233a5687bd07c2c07ed748ba3a3132aa77d0ef743
Instruction Fuzzy Hash: 433103766001048BD328EF0AC484796B3A0EB09324F19C2ABE95D8F391C339EC55CBDA

Function 00411510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0041152B

Part of subcall function 00411640: _memset.LIBCMT ref: 00411657

Part of subcall function 00411990: __wcsicoll.LIBCMT ref: 004119F8
Part of subcall function 00411990: GetKeyboardLayout.USER32(00000000), ref: 00411A13

Strings

& , xrefs: 00411538
~, xrefs: 00411586

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: KeyboardLayout__wcsicoll_memset_wcsncpy
String ID: & $~
API String ID: 3335490538-4238529414
Opcode ID: 7f3c27bdc95818d8a23ff64d8ef0efa5f9c03b8e0289060384dccb39a313ac87
Instruction ID: 8403d1b8a5aa793223eeb62f93f7f5aa207cb0d099a890c58be16bcea9e4b3a7
Opcode Fuzzy Hash: 7f3c27bdc95818d8a23ff64d8ef0efa5f9c03b8e0289060384dccb39a313ac87
Instruction Fuzzy Hash: 1E31287294030467D730E745D886BFB73A9DBD8300F04481EF659C7351F279988083A7

Function 004282D3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00428328

Strings

Parameter #3 invalid., xrefs: 004270D2
MCA, xrefs: 00428323

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcschr
String ID: MCA$Parameter #3 invalid.
API String ID: 2691759472-426094000
Opcode ID: 99c10b2f9ec2c62e613d60c1175dbc594d1c7a0e5ebae668770c73f5539571ef
Instruction ID: 620bec29d5405416955c381e020a42c8167fe42f35d90869f4ce5332c18ff832
Opcode Fuzzy Hash: 99c10b2f9ec2c62e613d60c1175dbc594d1c7a0e5ebae668770c73f5539571ef
Instruction Fuzzy Hash: DF31DF307043658BE720CB1AE4487B3B7E19B80314F88445FE9858B396D33EEC95C76A

Function 00439550 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 004395D5

Strings

--->, xrefs: 004395C8
Line#, xrefs: 004395A0

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _wcsncpy
String ID: Line#$--->
API String ID: 1735881322-1677359465
Opcode ID: ef0ffd32523b02768b7948e73913e6f595e644a01feeb1b1a6a9487ae7fac2de
Instruction ID: 9a1b2ea245bc89fee8f0bc56fb6d134bd86feeb250aba0773214a7f6adb49bda
Opcode Fuzzy Hash: ef0ffd32523b02768b7948e73913e6f595e644a01feeb1b1a6a9487ae7fac2de
Instruction Fuzzy Hash: 1B21E1727043016FC719DE298885B6BB3E4FBCC300F18592EE946D7394D6B4ED45879A

Function 0045E790 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 0045E7BD
SHFileOperationW.SHELL32(?), ref: 0045E849

Strings

\, xrefs: 0045E7E3

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FileFullNameOperationPath
String ID: \
API String ID: 1380555793-2967466578
Opcode ID: 8d2b88e816f9bfa920931be6c4e0e962604c60e178c24eca5e5724a8e2b1ff8b
Instruction ID: 5e74e19621455cf54786bedec00dbe43cd3d9e43a3c016b8638d59fec8e1f197
Opcode Fuzzy Hash: 8d2b88e816f9bfa920931be6c4e0e962604c60e178c24eca5e5724a8e2b1ff8b
Instruction Fuzzy Hash: F831D3705043119AC729EF15D885A9BBBE8EF88714F444E2FF844C7290E3B8D748CB9A

Function 00483200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00483224
_free.LIBCMT ref: 00483274

Part of subcall function 004830C0: _free.LIBCMT ref: 0048313F

Strings

m|D, xrefs: 00483298, 00483213, 0048321B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _free
String ID: m|D
API String ID: 269201875-1299526162
Opcode ID: d323d817c49f455b9659b15cdae31802fd86ec66cc1a6163e059b4f6bea27c63
Instruction ID: a2b3207b83cdd2c038929843f2c6aa8c30e1f4fbfb90af73473c345508218e98
Opcode Fuzzy Hash: d323d817c49f455b9659b15cdae31802fd86ec66cc1a6163e059b4f6bea27c63
Instruction Fuzzy Hash: D6318DB0404B408BD731AF25C405B6BBBE0AF51718F048D5EE4968B751C268FA45CB6A

Function 00476150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00476240: __wcsicoll.LIBCMT ref: 004762FA
Part of subcall function 00476240: SetMenuItemInfoW.USER32 ref: 004763FD

SetMenuItemInfoW.USER32(00000000,?,00000000,00000030), ref: 004761EE
IsMenu.USER32(00000000), ref: 00476207

Strings

0, xrefs: 004761BA

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Menu$InfoItem$__wcsicoll
String ID: 0
API String ID: 2393440583-4108050209
Opcode ID: 786428c6d6a4870ec218ea75ca3fdb487a24edbde43f20a466cdc27c74f8baaf
Instruction ID: 9f46653eb60ce519536a17eeb38ea7de185bcf515c425d723660681604daf2be
Opcode Fuzzy Hash: 786428c6d6a4870ec218ea75ca3fdb487a24edbde43f20a466cdc27c74f8baaf
Instruction Fuzzy Hash: 25217E70200B019FD724DF15C984BA7BBEAEB84304F06C92EE85D87752DB39E804CB59

Function 00406342 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 004063C2

Strings

-, xrefs: 0040638A
i, xrefs: 00406379

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: _strncmp
String ID: -$i
API String ID: 909875538-173159675
Opcode ID: e8fa6d294f546e0832f5d64c0caedce7f0bc7988bebd5de4885de1c013d19c23
Instruction ID: 10446c57bc6a0d5a714ce762a0e1b5e1d34010fb9f65103ee1ca0a9c7611fe24
Opcode Fuzzy Hash: e8fa6d294f546e0832f5d64c0caedce7f0bc7988bebd5de4885de1c013d19c23
Instruction Fuzzy Hash: 3821AE305492914FE7358B2480057A3BBD59F26310F2A50BBDCC2AB3D2D73E9826C7D9

Function 0042B336 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 0042B38A
_wcschr.LIBCMT ref: 0042B3A5

Strings

.ahk, xrefs: 0042B366

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AttributesFile_wcschr
String ID: .ahk
API String ID: 3504862186-1610153849
Opcode ID: 82811bb11e0edf530550c7cf577b470fcda5e208f6050be767667e34ad2bd82a
Instruction ID: 757f1b1224c243466ffc8ddf836753953deab125922b7738243144f195b5fbe2
Opcode Fuzzy Hash: 82811bb11e0edf530550c7cf577b470fcda5e208f6050be767667e34ad2bd82a
Instruction Fuzzy Hash: 1521F3756002168BC720DF29EC81A6B7364EF91318F40462EED45C72B0E778A955CBD9

Function 004377F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00499F62: _malloc.LIBCMT ref: 00499F7C

Part of subcall function 004378C0: _malloc.LIBCMT ref: 00437949

_free.LIBCMT ref: 00437893
_free.LIBCMT ref: 004378A2

Part of subcall function 00437AD0: FindFirstFileW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?,?,?), ref: 00437B6E
Part of subcall function 00437AD0: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?), ref: 00437B95
Part of subcall function 00437AD0: FindClose.KERNEL32(00000000,00000000,?,?,?), ref: 00437C25

Strings

Out of memory., xrefs: 0043786B

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: Find$File_free_malloc$CloseFirstNext
String ID: Out of memory.
API String ID: 1334603258-4087320997
Opcode ID: 0370aac5d5be72b740f8548dd181199583b6697839f540daa08704fe2db876e6
Instruction ID: e9e65c227f0058d7421a4c4165927854f5724022341d9465cd4b7566b11b8c72
Opcode Fuzzy Hash: 0370aac5d5be72b740f8548dd181199583b6697839f540daa08704fe2db876e6
Instruction Fuzzy Hash: AA1105F1604300ABC214FA199C41F6BB7D9ABCC718F04452DF58993342D778ED09C7A6

Function 00476660 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0047668E
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004766B9

Part of subcall function 00468DD0: GetMenu.USER32(?), ref: 00468DFC
Part of subcall function 00468DD0: IsWindowVisible.USER32(?), ref: 00468E10
Part of subcall function 00468DD0: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00000000,00A71808,00476AE1,?), ref: 00468E32
Part of subcall function 00468DD0: RedrawWindow.USER32(?,00000000,00000000,00000501,?,?,00000000,00A71808,00476AE1,?), ref: 00468E49

Strings

0, xrefs: 0047667E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: MenuWindow$InfoItem$RedrawVisible
String ID: 0
API String ID: 4094535373-4108050209
Opcode ID: add5e239ce0c558f9d418fb77cf3e284f11c644daf4064df16e3b35aa4938fdf
Instruction ID: ab7516d805ddf85ca77b04442448d77c058692d0457b97d863963f09d3841d74
Opcode Fuzzy Hash: add5e239ce0c558f9d418fb77cf3e284f11c644daf4064df16e3b35aa4938fdf
Instruction Fuzzy Hash: 671194B5210701AFE320CF15D845BA7B7E8BB54700F44462EE44983650E779F949CB6A

Function 004510F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0045113C
__itow.LIBCMT ref: 00451168

Strings

0, xrefs: 00451170

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ErrorLast__itow
String ID: 0
API String ID: 2292283701-4108050209
Opcode ID: aebd47600f01bfabd14335fbd3cf9b49aa7be08e6118b1397067c8e76fa0b1ec
Instruction ID: 0f713923508a108ba10baa6602ddcb62634484f821bc37a24d7f4c198d9fb580
Opcode Fuzzy Hash: aebd47600f01bfabd14335fbd3cf9b49aa7be08e6118b1397067c8e76fa0b1ec
Instruction Fuzzy Hash: 43215870E006089FDB14DF98C881BEEBBB0FB48311F20429AED14673A1D7786844CBA9

Function 0040F050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0040EF90: __wcsicoll.LIBCMT ref: 0040EFA8
Part of subcall function 0040EF90: __wcsicoll.LIBCMT ref: 0040EFF5

__wcsicoll.LIBCMT ref: 0040F067

Strings

Toggle, xrefs: 0040F061
(6K, xrefs: 0040F073

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __wcsicoll
String ID: (6K$Toggle
API String ID: 3832890014-1051351072
Opcode ID: 999b54a5b6c7af4c3b496094a313acff8dbce92715b58fa9e78efa4c6abd583f
Instruction ID: 42b066d4894a4d4e886e42ba17fea605897e961e6a53100f9f036b529da03b5a
Opcode Fuzzy Hash: 999b54a5b6c7af4c3b496094a313acff8dbce92715b58fa9e78efa4c6abd583f
Instruction Fuzzy Hash: D2F0244261011121EB302A356D027B322918B30769F090133EC00EA7CBF72FDE4AC1A9

Function 0044B708 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0044B76C
mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0044B793

Strings

status AHK_PlayMe mode, xrefs: 0044B767
stopped, xrefs: 0044B710

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: SendString
String ID: status AHK_PlayMe mode$stopped
API String ID: 890592661-3192028569
Opcode ID: a1c728250209188b9171eb88dc7b724ae304a23b21e66f356022af1aae4650c9
Instruction ID: 90a743a28dc1e510f6c071264ebc81d95873bde1a0bf0aa5cce66f863cbbe56a
Opcode Fuzzy Hash: a1c728250209188b9171eb88dc7b724ae304a23b21e66f356022af1aae4650c9
Instruction Fuzzy Hash: 2EF0C22164020645FA20AB10CC83BF77362EBF0755F44053AEA445B391E76AD999C2EA

Function 004AB3E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004AAC04: __getptd.LIBCMT ref: 004AAC0A
Part of subcall function 004AAC04: __getptd.LIBCMT ref: 004AAC1A

__getptd.LIBCMT ref: 004AB3F4

Part of subcall function 0049D9F2: __getptd_noexit.LIBCMT ref: 0049D9F5
Part of subcall function 0049D9F2: __amsg_exit.LIBCMT ref: 0049DA02

__getptd.LIBCMT ref: 004AB402

Strings

csm, xrefs: 004AB410

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: d6c216536e6c9934bd1e0d215e40cfabb2d9f4a4d9056726e4c472cc84c0db29
Instruction ID: 231d3972c73b5d16349401673d201e8cea309c931a7a14bb24a5a429e05a7387
Opcode Fuzzy Hash: d6c216536e6c9934bd1e0d215e40cfabb2d9f4a4d9056726e4c472cc84c0db29
Instruction Fuzzy Hash: 15018B308017458EDF389F25C444AAEB7B5FF3A311F58862FE08196253CB388D94CB89

Function 00401060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A

Strings

<<>>, xrefs: 0040107E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: AvailableClipboardFormat
String ID: <<>>
API String ID: 778505046-913080871
Opcode ID: e466914c9b857a6ef36b3f1146f273cba9083202bc0a2492d8a84e718efd92e8
Instruction ID: 902c5d7fbcab7f026d29f3c887bb8a546b39c08af2ab105b567b58b6c4b53e64
Opcode Fuzzy Hash: e466914c9b857a6ef36b3f1146f273cba9083202bc0a2492d8a84e718efd92e8
Instruction Fuzzy Hash: 92E08622B1115196EA2076BEBD0079717C8AB667A0F41017BB894EB7F4D76CDC8146DC

Function 00405240 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22clipboardCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 0040524F
CloseClipboard.USER32 ref: 0040525C

Strings

GlobalLock, xrefs: 0040527E

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: ClipboardCloseGlobalUnlock
String ID: GlobalLock
API String ID: 3794156920-2848605275
Opcode ID: 3ff1db746bfd5ef77d9276e8a10a358c417422890e16e74ebe7dfe66ec90dcda
Instruction ID: 38bf5e4e31e08a559ee7673862494085ba07db61dd880ce74c4b58258c67e2b9
Opcode Fuzzy Hash: 3ff1db746bfd5ef77d9276e8a10a358c417422890e16e74ebe7dfe66ec90dcda
Instruction Fuzzy Hash: 3AE06570400B018FE7306F95C408393BAF4EF59305F68486FE88692BE0DBBC8888CE59

Function 00433376 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00433389
PostMessageW.USER32(00000000), ref: 00433390

Strings

Shell_TrayWnd, xrefs: 00433384

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FindMessagePostWindow
String ID: Shell_TrayWnd
API String ID: 2578315405-2988720461
Opcode ID: a86c70d54e1c06e3e4c6db8c7be23a21970abb65d06ee739695596a6088f2950
Instruction ID: ba8efd1f5b3e9eb5217ddc9417771d947b3cdb3211b81847fa735299b7b8386f
Opcode Fuzzy Hash: a86c70d54e1c06e3e4c6db8c7be23a21970abb65d06ee739695596a6088f2950
Instruction Fuzzy Hash: 03E0C231F80200BBF9082360DD4BF8836412B0A728F380222F621BF2E5C1FDD481462E

Function 0043332F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00433342
PostMessageW.USER32(00000000), ref: 00433349

Strings

Shell_TrayWnd, xrefs: 0043333D

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: FindMessagePostWindow
String ID: Shell_TrayWnd
API String ID: 2578315405-2988720461
Opcode ID: 0db44364615d4117f498b74fc5ab622646eb7aeca04b62aad4051a8e54fd0276
Instruction ID: 74412fba28eff483349229005a01184927baed5a2df12cb1e6602a068471502a
Opcode Fuzzy Hash: 0db44364615d4117f498b74fc5ab622646eb7aeca04b62aad4051a8e54fd0276
Instruction Fuzzy Hash: 3DE0C231F80200BBF9082360DD4BF9836411B0A728F340122F622BF2E1C5FED441462E

Function 0044F3A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetSystemDefaultUILanguage.KERNEL32 ref: 0044F3A9
__swprintf.LIBCMT ref: 0044F3B9

Strings

%04hX, xrefs: 0044F3B3

Memory Dump Source

Source File: 00000000.00000002.2164530311.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2164519761.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164627206.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164667739.00000000004D4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164678901.00000000004D5000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004D6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164689374.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2164741082.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_AutoHotkey.jbxd

Similarity

API ID: DefaultLanguageSystem__swprintf
String ID: %04hX
API String ID: 1359733045-3571374829
Opcode ID: f9435cade1d7525a0e30c04fab40ca09abe64c8348ff6e313da6bd6930c62ec9
Instruction ID: 3bc3f87511c22233ea1fa0926701baa9e436478bdbe5c4d059401f84b2266587
Opcode Fuzzy Hash: f9435cade1d7525a0e30c04fab40ca09abe64c8348ff6e313da6bd6930c62ec9
Instruction Fuzzy Hash: F2C0127390257057D5502605B845BBA77585B81710F4940B7FD4096244D1288C5562FE

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AutoHotkey.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: AutoHotkey.exePID: 6236, Parent PID: 4004

General

Chronological Activities

Disassembly

Windows Analysis Report
AutoHotkey.exe

Function 00404290 Relevance: 81.0, APIs: 28, Strings: 18, Instructions: 518
sleepwindowCOMMON

Function 0041D920 Relevance: 51.0, APIs: 27, Strings: 2, Instructions: 264
windowclipboardCOMMON

Function 00480580 Relevance: 12.2, APIs: 8, Instructions: 164
fileCOMMON

Function 0041EF1D Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 251
COMMON

Function 0041DC60 Relevance: 33.5, APIs: 10, Strings: 9, Instructions: 259
COMMON

Function 0048476F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91
windowCOMMON

Function 0041D660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134
comCOMMON

Function 0044F750 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
COMMON

Function 0048480C Relevance: 3.1, APIs: 2, Instructions: 54
windowCOMMON

Function 00499C53 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 0047C7F0 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 00499EAB Relevance: 1.5, APIs: 1, Instructions: 10
COMMON