9c8b1aecaf1bdded80bec98ec5ab5b9b9754cbce9439dd9eacc7d1774d1438f8

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/03/2023, 16:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AutoHotkey_2.0.2_setup.exe
Size

2.8MB
MD5

7ce7d260acfddf2dbc0286c1493560b2
SHA1

882b4d50de925a5411b83b47a1dbbd478490131c
SHA256

9c8b1aecaf1bdded80bec98ec5ab5b9b9754cbce9439dd9eacc7d1774d1438f8
SHA512

66ec91c9ee568342410e2b84b475b60190dcb31a8bb11b9999c81eefc43418b91dfb5822649d43c4376dbd8d804b3693d05decd30fb0035e190953d445035fcf
SSDEEP

49152:F5eZSM1m5dOO/VtzVrwHUR0QpGrfkrQdYhCl/EllK8g3pOkTQ26:YA9V9NHFpIfyQdzVK48AOkTQD

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
848	AutoHotkey_2.0.2_setup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/624-54-0x0000000000400000-0x000000000092B000-memory.dmp	upx
behavioral1/memory/848-56-0x0000000000400000-0x000000000092B000-memory.dmp	upx
behavioral1/memory/624-57-0x0000000000400000-0x000000000092B000-memory.dmp	upx
behavioral1/memory/848-210-0x0000000000400000-0x000000000092B000-memory.dmp	upx
behavioral1/memory/848-213-0x0000000000400000-0x000000000092B000-memory.dmp	upx
behavioral1/memory/848-214-0x0000000000400000-0x000000000092B000-memory.dmp	upx
behavioral1/memory/848-250-0x0000000000400000-0x000000000092B000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\ui-launcherconfig.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\launcher.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\EnableUIAccess.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\identify.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\ShellRun.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\license.txt	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\install-ahk2exe.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\GetGitHubReleaseAssetURL.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\AutoHotkey.chm	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\spy.ico	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\install.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\CommandLineToArgs.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\CreateAppShortcut.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\launcher-common.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\install.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\ui-dash.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\bounce-v1.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\identify.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\identify_regex.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\Templates\Minimal for v2.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\config.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\README.txt	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\ui-setup.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\ui-uninstall.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\CreateAppShortcut.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\ui-base.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\v2\AutoHotkey.chm	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\ui-setup.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\spy.ico	AutoHotkey_2.0.2_setup.exe
File opened for modification	C:\Program Files\AutoHotkey\v2\RCX3045.tmp	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\install-ahk2exe.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\install-version.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\ui-newscript.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\v2\AutoHotkey32_UIA.exe	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\config.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\HashFile.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\reload-v1.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\ui-editor.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\GetGitHubReleaseAssetURL.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\license.txt	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\common.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\reset-assoc.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\ui-launcherconfig.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\WindowSpy.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\bounce-v1.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\ui-base.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\AutoHotkey32.exe	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\Templates\Minimal for v2.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\ShellRun.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\ui-uninstall.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\ui-newscript.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\CommandLineToArgs.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\HashFile.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\AutoHotkey64.exe	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\WindowSpy.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\Install.cmd	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\WindowSpy.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\README.txt	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\inc\identify_regex.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\EnableUIAccess.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\inc\launcher-common.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\UX\ui-dash.ahk	AutoHotkey_2.0.2_setup.exe
File created	C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\UX\reload-v1.ahk	AutoHotkey_2.0.2_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 49 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Launch\ = "Launch"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Open\ = "Run script"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\RunAs\AppUserModelID = "AutoHotkey.AutoHotkey"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\RunAs\Command	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\RunAs\HasLUAShield	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\UIAccess	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\UIAccess\Command\ = "\"C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe\" \"C:\\Program Files\\AutoHotkey\\UX\\launcher.ahk\" /runwith UIA \"%1\" %*"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\Launch\Command	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\ = "Open runas UIAccess Edit"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\RunAs\Command	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Edit\Command\ = "\"C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe\" \"C:\\Program Files\\AutoHotkey\\UX\\ui-editor.ahk\" \"%1\""	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Launch\Command\ = "\"C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe\" \"C:\\Program Files\\AutoHotkey\\UX\\launcher.ahk\" /Launch \"%1\" %*"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Launch\ProgrammaticAccessOnly	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\Edit\Command	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\Open\Command	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\UIAccess\AppUserModelID = "AutoHotkey.AutoHotkey"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Launch\Command	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\Edit	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ahk\ShellNew	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahk\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\DefaultIcon\ = "C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe,1"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Open\Command\ = "\"C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe\" \"C:\\Program Files\\AutoHotkey\\UX\\launcher.ahk\" \"%1\" %*"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\RunAs	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\UIAccess\Command	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\UIAccess	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Launch\AppUserModelID = "AutoHotkey.AutoHotkey"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahk\ = "AutoHotkeyScript"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\Open	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Open\FriendlyAppName = "AutoHotkey Launcher"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\UIAccess\Command	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Edit	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Edit\Command	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ahk\PersistentHandler	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\AppUserModelID = "AutoHotkey.AutoHotkey"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\RunAs\Command\ = "\"C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe\" \"C:\\Program Files\\AutoHotkey\\UX\\launcher.ahk\" \"%1\" %*"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\RunAs	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\ = "AutoHotkey Script"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\DefaultIcon	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Open\AppUserModelID = "AutoHotkey.AutoHotkey"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ahk	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AutoHotkeyScript\Shell\Launch	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Edit\ = "Edit script"	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahk\ShellNew\Command = "\"C:\\Program Files\\AutoHotkey\\UX\\AutoHotkeyUX.exe\" \"C:\\Program Files\\AutoHotkey\\UX\\ui-newscript.ahk\" \"%1\""	AutoHotkey_2.0.2_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\UIAccess\ = "Run with UI access"	AutoHotkey_2.0.2_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\Shell\Launch	AutoHotkey_2.0.2_setup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B7A756BF07DADE60B27EC4B7ABA2BEDC89099888	AutoHotkey_2.0.2_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B7A756BF07DADE60B27EC4B7ABA2BEDC89099888\Blob = 030000000100000014000000b7a756bf07dade60b27ec4b7aba2bedc890998880200000001000000840000001c0000003400000001000000000000000000000000000000020000004100750074006f0048006f0074006b0065007900000000004d006900630072006f0073006f006600740020005300740072006f006e0067002000430072007900700074006f0067007200610070006800690063002000500072006f007600690064006500720000002000000001000000b1010000308201ad30820116a00302010202106fb8f4adb979d08649e22d44b0161010300d06092a864886f70d01010505003015311330110603550403130a4175746f486f746b6579301e170d3233303331393137313432355a170d3333303331393137313432355a3015311330110603550403130a4175746f486f746b657930819f300d06092a864886f70d010101050003818d00308189028181009cfaaf072018c2af862a28baa3afc6f4c889294022fc047a51766880809ec206ebe5dbd46f5896c7797383e6a2c0fdf832907349c7f215966bda5037c252c27e10c8560c4a7abc074da6dcfe4aa29e8f524b08fe7b57c6a2a2dc7e7f81fe8697dbd6a0972743217911b26b8abd483150952aed5f883fa268dce10861fb84abe90203010001300d06092a864886f70d0101050500038181009a308bd7557ce62088fddba514280b4011a0f309be42622d537b29d916be6a97b9c4bb3dc1c63e1a957e24fdbd0a10d6d5da9fea291a2dc0d10ccba64da7223820ca645445c8f53265dc1527b75b76282b1f34fc6e297ebdb400104d58341a49c9f8749f25bebab8604768bc85437fa868d34407ff2c7a65e725fd121e2ce27f	AutoHotkey_2.0.2_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
624	AutoHotkey_2.0.2_setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28
PID 624 wrote to memory of 848	624	AutoHotkey_2.0.2_setup.exe	28

C:\Users\Admin\AppData\Local\Temp\AutoHotkey_2.0.2_setup.exe
"C:\Users\Admin\AppData\Local\Temp\AutoHotkey_2.0.2_setup.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\AutoHotkey_2.0.2_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoHotkey_2.0.2_setup.exe" /to "C:\Program Files\AutoHotkey"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Modifies system certificate store
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.2_setup.exe\AutoHotkey64.exe

Filesize
1.2MB

MD5
99ec2b896ef799981db726d05baac05c

SHA1
5ba1cd1ced1c8657b45063cd374485b323b93a65

SHA256
18e4d217e5f750735996e5a804147e710e8ff541cec8ef88223afcfb60c18e40

SHA512
7689737430f6d84901e2ccd5f9ac0723cba6faa22edf34199b9814d91da196a420dd358b9a30c7c2642aa564ba8ed2ef1f065679d51c647e8918c7d575c70e37

Download Submit
C:\Program Files\AutoHotkey\v2\AutoHotkey32.exe

Filesize
955KB

MD5
756e244fdf729022c26f2de05c4a7249

SHA1
e0f8658e1e0e8b0f39809a45d8f6db14af707dae

SHA256
528ac75827d90533ff0ce9da73ba20a67161ff391c239d1f5eda4c17dc5b6978

SHA512
80a818775c8f01ac9968c157d7f6773fa34d3064e86aa8109a05f19a8da8ebf8dfb112cda12bfe3bb8648f063c64b99389ef049c19e6b96f77e01241eba56724

Download Submit
\Program Files\AutoHotkey\v2\AutoHotkey32_UIA.exe

Filesize
955KB

MD5
756e244fdf729022c26f2de05c4a7249

SHA1
e0f8658e1e0e8b0f39809a45d8f6db14af707dae

SHA256
528ac75827d90533ff0ce9da73ba20a67161ff391c239d1f5eda4c17dc5b6978

SHA512
80a818775c8f01ac9968c157d7f6773fa34d3064e86aa8109a05f19a8da8ebf8dfb112cda12bfe3bb8648f063c64b99389ef049c19e6b96f77e01241eba56724

Download Submit
memory/624-54-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download
memory/624-55-0x0000000003970000-0x0000000003E9B000-memory.dmp

Filesize
5.2MB

Download
memory/624-57-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download
memory/848-56-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download
memory/848-210-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download
memory/848-213-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download
memory/848-214-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download
memory/848-250-0x0000000000400000-0x000000000092B000-memory.dmp

Filesize
5.2MB

Download