File name:

AutoHotkey_2.0.19_setup.exe

Full analysis: https://app.any.run/tasks/c0cded3d-9a5d-4811-9570-0a8c95790be4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 16, 2025, 16:55:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ahk
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

34979CF8AB65E09D738FD6B95365CEFB

SHA1:

0AFD36786EEB45BBE7DB1CF2A6D2251C10DA303C

SHA256:

FD55129CBD356F49D2151E0A8B9662D90D2DBBB9579CC2410FDE38DF94787A3A

SSDEEP:

98304:/Rv3DwxUAtz2eVhxkk/7wIvycwI0mm/H7Krd6dV9zXv8E2d4J1KD3B+yfaXDFcd2:WmxZCp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AHK has been detected (YARA)

      • Ahk2Exe.exe (PID: 2188)

  • SUSPICIOUS

    • Application launched itself

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)

    • Executable content was dropped or overwritten

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)

    • Creates a software uninstall entry

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)

    • Adds/modifies Windows certificates

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)

    • Reads security settings of Internet Explorer

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkeyUX.exe (PID: 6656)
      • AutoHotkey_2.0.19_setup.exe (PID: 1296)

    • Reads the date of Windows installation

      • AutoHotkeyUX.exe (PID: 4104)

    • Reads Internet Explorer settings

      • AutoHotkeyUX.exe (PID: 6656)

    • Starts CMD.EXE for commands execution

      • Ahk2Exe.exe (PID: 2188)

    • There is functionality for taking screenshot (YARA)

      • Ahk2Exe.exe (PID: 2188)

    • Reads Microsoft Outlook installation path

      • AutoHotkeyUX.exe (PID: 6656)

  • INFO

    • Checks supported languages

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 3676)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)
      • AutoHotkey32.exe (PID: 1636)
      • AutoHotkey32.exe (PID: 6636)

    • The sample compiled with english language support

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)

    • Reads the computer name

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)

    • Creates files in the program directory

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)

    • Reads the machine GUID from the registry

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)

    • AutoHotkey executable

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)
      • cmd.exe (PID: 7072)
      • Ahk2Exe.exe (PID: 2188)

    • Reads the software policy settings

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)
      • slui.exe (PID: 5952)

    • Creates files or folders in the user directory

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)

    • Manual execution by a user

      • AutoHotkeyUX.exe (PID: 6336)
      • Ahk2Exe.exe (PID: 2188)

    • Process checks computer location settings

      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkey_2.0.19_setup.exe (PID: 1296)

    • Checks proxy server information

      • AutoHotkeyUX.exe (PID: 6656)
      • slui.exe (PID: 5952)

    • Create files in a temporary directory

      • Ahk2Exe.exe (PID: 2188)

    • Detects AutoHotkey samples (YARA)

      • Ahk2Exe.exe (PID: 2188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:25 08:00:28+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2994176
InitializedDataSize: 40960
UninitializedDataSize: 2527232
EntryPoint: 0x544000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.19.0
ProductVersionNumber: 2.0.19.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: AutoHotkey installer
FileVersion: 2.0.19
ProductName: AutoHotkey Setup
ProductVersion: 2.0.19
InternalName: AutoHotkey Setup
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
14
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start autohotkey_2.0.19_setup.exe no specs autohotkey_2.0.19_setup.exe autohotkeyux.exe no specs autohotkeyux.exe no specs autohotkeyux.exe no specs autohotkeyux.exe #AHK ahk2exe.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs autohotkey32.exe no specs autohotkey32.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296"C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exe" C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AutoHotkey installer
Exit code:
0
Version:
2.0.19
Modules
Images
c:\users\admin\appdata\local\temp\autohotkey_2.0.19_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1636"C:\Program Files\AutoHotkey\v2\AutoHotkey32.exe" /iLib "C:\Users\admin\AppData\Local\Temp\~Ahk2Exe~SwarmStart~ilib~5637220484.tmp" /ErrorStdOut "C:\Users\admin\Desktop\SwarmStart.ahk" C:\Program Files\AutoHotkey\v2\AutoHotkey32.execmd.exe
User:
admin
Company:
AutoHotkey Foundation LLC
Integrity Level:
MEDIUM
Description:
AutoHotkey 32-bit
Exit code:
2
Version:
2.0.19
Modules
Images
c:\program files\autohotkey\v2\autohotkey32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
2188"C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe" C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe
explorer.exe
User:
admin
Company:
AutoHotkey
Integrity Level:
MEDIUM
Description:
AutoHotkey Script Compiler
Version:
1.1.37.02a0
Modules
Images
c:\program files\autohotkey\compiler\ahk2exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
2428\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2620"C:\WINDOWS\system32\cmd.exe" /c echo 1C:\Windows\SysWOW64\cmd.exeAhk2Exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3676"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" "C:\Program Files\AutoHotkey\UX\reset-assoc.ahk" /checkC:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exeAutoHotkey_2.0.19_setup.exe
User:
admin
Company:
AutoHotkey Foundation LLC
Integrity Level:
HIGH
Description:
AutoHotkey 64-bit
Exit code:
0
Version:
2.0.19
Modules
Images
c:\program files\autohotkey\ux\autohotkeyux.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
3688\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3788"C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exe" /to "C:\Program Files\AutoHotkey"C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exe
AutoHotkey_2.0.19_setup.exe
User:
admin
Integrity Level:
HIGH
Description:
AutoHotkey installer
Exit code:
0
Version:
2.0.19
Modules
Images
c:\users\admin\appdata\local\temp\autohotkey_2.0.19_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4104"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" /script "C:\Program Files\AutoHotkey\UX\install-ahk2exe.ahk"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exeAutoHotkeyUX.exe
User:
admin
Company:
AutoHotkey Foundation LLC
Integrity Level:
MEDIUM
Description:
AutoHotkey 64-bit
Exit code:
0
Version:
2.0.19
Modules
Images
c:\program files\autohotkey\ux\autohotkeyux.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
5952C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
10 054
Read events
10 017
Write events
30
Delete events
7

Modification events

(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:delete valueName:79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Value:
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
03000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000002000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
0F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000003000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F2000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
04000000010000001000000097FCBEC3424189142C6C37A259F8188803000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000000F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC2000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
140000000100000014000000D44E7AFE0F0C2E71D40BED7EEE643F39BB3FD9650F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000003000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F04000000010000001000000097FCBEC3424189142C6C37A259F818882000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
19000000010000001000000098EC745F60BB2210A7913D3C2D77EEE104000000010000001000000097FCBEC3424189142C6C37A259F8188803000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000000F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC140000000100000014000000D44E7AFE0F0C2E71D40BED7EEE643F39BB3FD9652000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
5C000000010000000400000000040000140000000100000014000000D44E7AFE0F0C2E71D40BED7EEE643F39BB3FD9650F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000003000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F04000000010000001000000097FCBEC3424189142C6C37A259F8188819000000010000001000000098EC745F60BB2210A7913D3C2D77EEE12000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey
Operation:writeName:DisplayName
Value:
AutoHotkey
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey
Operation:writeName:UninstallString
Value:
"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" "C:\Program Files\AutoHotkey\UX\ui-uninstall.ahk"
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" "C:\Program Files\AutoHotkey\UX\install.ahk" /uninstall /silent
Executable files
14
Suspicious files
8
Text files
65
Unknown types
12

Dropped files

PID
Process
Filename
Type
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\AutoHotkey64.exeexecutable
MD5:38746D44ECA1F41D1F8E16746EB182F5
SHA256:3880F9EC464DFE78C16BBD8B9F30560227154C292280337346A30C8FD92871FE
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\WindowSpy.ahktext
MD5:1B081984B7C90528E03E67096F001E5F
SHA256:83E60BA7D330D4FAA32576C0AB223A2440EF92972D3D32DEE46D117E8A446CE9
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\install-version.ahktext
MD5:30B87FBFADC592C38BE9D82EDF597FA3
SHA256:1E59921BCDDB3C41651EB01605CDEFCDEE3C6ADEC5DB6B7CAFB7AB801EAD5E1E
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\install-ahk2exe.ahktext
MD5:C90BED0679B789B74E4865AE6F2709A3
SHA256:C242EBB51241ACAB13152D95CDB05BE5382FFB97F3DCA2DA3A4E5A084C2E3FF4
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\license.txttext
MD5:E3F2AD7733F3166FE770E4DC00AF6C45
SHA256:B27C1A7C92686E47F8740850AD24877A50BE23FD3DBD44EDEE50AC1223135E38
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\Install.cmdtext
MD5:4CFB569D3628B7E14E729DE9956CC24B
SHA256:DB2578B4EE5617F45ACFFB3AF21E1D3FC31CDCF035DD9227C8061A950AA015E7
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\ui-launcherconfig.ahktext
MD5:57DCC5F7853CFD0BDD49F35D1F86897B
SHA256:179C96D787FAE5DD26CDF832E5226142AB3E4F1FF53E3B1F24CECDDCF3E79947
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\ui-setup.ahktext
MD5:DD3F9C2F9115689F4350896752F15926
SHA256:68B114A2EA4AF9DF54709A78EC5991A1F271097B29CB93757403FDB158746BC7
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\install.ahktext
MD5:A3CAA9963C9133C2A14A4E36D62761E3
SHA256:F628EDFECE15DB0061FDFE96724266A3CFAAEC396524A94B574E22E6E3970C40
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\reset-assoc.ahktext
MD5:0299132478B49E3EB706C214BF32E62F
SHA256:D26CAEF44190E0B612C3E4309FF6689DC2953C72CB3DE1C94D002250B089F16B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
30
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.11:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CECoW9cIBGAf3CpJj3Tw5qfI%3D
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
4664
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7164
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2468
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.11:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6656
AutoHotkeyUX.exe
140.82.121.5:443
api.github.com
GITHUB
US
whitelisted
6656
AutoHotkeyUX.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.11
  • 23.216.77.20
  • 23.216.77.17
  • 23.216.77.16
  • 23.216.77.25
  • 23.216.77.23
  • 23.216.77.10
  • 23.216.77.22
  • 23.216.77.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
api.github.com
  • 140.82.121.5
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
github.com
  • 140.82.121.4
whitelisted
release-assets.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AutoHotkey_2.0.19_setup.exe