File name:

AutoHotkey_2.0.19_setup.exe

Full analysis: https://app.any.run/tasks/c0cded3d-9a5d-4811-9570-0a8c95790be4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 16, 2025, 16:55:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ahk
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

34979CF8AB65E09D738FD6B95365CEFB

SHA1:

0AFD36786EEB45BBE7DB1CF2A6D2251C10DA303C

SHA256:

FD55129CBD356F49D2151E0A8B9662D90D2DBBB9579CC2410FDE38DF94787A3A

SSDEEP:

98304:/Rv3DwxUAtz2eVhxkk/7wIvycwI0mm/H7Krd6dV9zXv8E2d4J1KD3B+yfaXDFcd2:WmxZCp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AHK has been detected (YARA)

      • Ahk2Exe.exe (PID: 2188)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)

    • Application launched itself

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)

    • Reads security settings of Internet Explorer

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkeyUX.exe (PID: 6656)

    • Creates a software uninstall entry

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)

    • Adds/modifies Windows certificates

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)

    • Reads the date of Windows installation

      • AutoHotkeyUX.exe (PID: 4104)

    • Reads Internet Explorer settings

      • AutoHotkeyUX.exe (PID: 6656)

    • Starts CMD.EXE for commands execution

      • Ahk2Exe.exe (PID: 2188)

    • There is functionality for taking screenshot (YARA)

      • Ahk2Exe.exe (PID: 2188)

    • Reads Microsoft Outlook installation path

      • AutoHotkeyUX.exe (PID: 6656)

  • INFO

    • Reads the computer name

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)

    • Checks supported languages

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 3676)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)
      • AutoHotkey32.exe (PID: 6636)
      • AutoHotkey32.exe (PID: 1636)

    • The sample compiled with english language support

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)
      • Ahk2Exe.exe (PID: 2188)

    • Process checks computer location settings

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkeyUX.exe (PID: 4104)

    • AutoHotkey executable

      • AutoHotkey_2.0.19_setup.exe (PID: 1296)
      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6336)
      • AutoHotkeyUX.exe (PID: 4104)
      • cmd.exe (PID: 7072)
      • Ahk2Exe.exe (PID: 2188)

    • Creates files in the program directory

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)

    • Reads the machine GUID from the registry

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)

    • Creates files or folders in the user directory

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)

    • Reads the software policy settings

      • AutoHotkey_2.0.19_setup.exe (PID: 3788)
      • AutoHotkeyUX.exe (PID: 6656)
      • slui.exe (PID: 5952)

    • Manual execution by a user

      • AutoHotkeyUX.exe (PID: 6336)
      • Ahk2Exe.exe (PID: 2188)

    • Checks proxy server information

      • AutoHotkeyUX.exe (PID: 6656)
      • slui.exe (PID: 5952)

    • Detects AutoHotkey samples (YARA)

      • Ahk2Exe.exe (PID: 2188)

    • Create files in a temporary directory

      • Ahk2Exe.exe (PID: 2188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:25 08:00:28+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 2994176
InitializedDataSize: 40960
UninitializedDataSize: 2527232
EntryPoint: 0x544000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.19.0
ProductVersionNumber: 2.0.19.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: AutoHotkey installer
FileVersion: 2.0.19
ProductName: AutoHotkey Setup
ProductVersion: 2.0.19
InternalName: AutoHotkey Setup
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
14
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start autohotkey_2.0.19_setup.exe no specs autohotkey_2.0.19_setup.exe autohotkeyux.exe no specs autohotkeyux.exe no specs autohotkeyux.exe no specs autohotkeyux.exe #AHK ahk2exe.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs autohotkey32.exe no specs autohotkey32.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296"C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exe" C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
AutoHotkey installer
Exit code:
0
Version:
2.0.19
Modules
Images
c:\users\admin\appdata\local\temp\autohotkey_2.0.19_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1636"C:\Program Files\AutoHotkey\v2\AutoHotkey32.exe" /iLib "C:\Users\admin\AppData\Local\Temp\~Ahk2Exe~SwarmStart~ilib~5637220484.tmp" /ErrorStdOut "C:\Users\admin\Desktop\SwarmStart.ahk" C:\Program Files\AutoHotkey\v2\AutoHotkey32.execmd.exe
User:
admin
Company:
AutoHotkey Foundation LLC
Integrity Level:
MEDIUM
Description:
AutoHotkey 32-bit
Exit code:
2
Version:
2.0.19
Modules
Images
c:\program files\autohotkey\v2\autohotkey32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
2188"C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe" C:\Program Files\AutoHotkey\Compiler\Ahk2Exe.exe
explorer.exe
User:
admin
Company:
AutoHotkey
Integrity Level:
MEDIUM
Description:
AutoHotkey Script Compiler
Version:
1.1.37.02a0
Modules
Images
c:\program files\autohotkey\compiler\ahk2exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
2428\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2620"C:\WINDOWS\system32\cmd.exe" /c echo 1C:\Windows\SysWOW64\cmd.exeAhk2Exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3676"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" "C:\Program Files\AutoHotkey\UX\reset-assoc.ahk" /checkC:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exeAutoHotkey_2.0.19_setup.exe
User:
admin
Company:
AutoHotkey Foundation LLC
Integrity Level:
HIGH
Description:
AutoHotkey 64-bit
Exit code:
0
Version:
2.0.19
Modules
Images
c:\program files\autohotkey\ux\autohotkeyux.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
3688\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3788"C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exe" /to "C:\Program Files\AutoHotkey"C:\Users\admin\AppData\Local\Temp\AutoHotkey_2.0.19_setup.exe
AutoHotkey_2.0.19_setup.exe
User:
admin
Integrity Level:
HIGH
Description:
AutoHotkey installer
Exit code:
0
Version:
2.0.19
Modules
Images
c:\users\admin\appdata\local\temp\autohotkey_2.0.19_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4104"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" /script "C:\Program Files\AutoHotkey\UX\install-ahk2exe.ahk"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exeAutoHotkeyUX.exe
User:
admin
Company:
AutoHotkey Foundation LLC
Integrity Level:
MEDIUM
Description:
AutoHotkey 64-bit
Exit code:
0
Version:
2.0.19
Modules
Images
c:\program files\autohotkey\ux\autohotkeyux.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
5952C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
10 054
Read events
10 017
Write events
30
Delete events
7

Modification events

(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:delete valueName:79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Value:
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
03000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000002000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
0F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000003000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F2000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
04000000010000001000000097FCBEC3424189142C6C37A259F8188803000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000000F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC2000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
140000000100000014000000D44E7AFE0F0C2E71D40BED7EEE643F39BB3FD9650F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000003000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F04000000010000001000000097FCBEC3424189142C6C37A259F818882000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
19000000010000001000000098EC745F60BB2210A7913D3C2D77EEE104000000010000001000000097FCBEC3424189142C6C37A259F8188803000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F007600690064006500720000000F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC140000000100000014000000D44E7AFE0F0C2E71D40BED7EEE643F39BB3FD9652000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\79E8455D8FA36FD051ACD84232D1DB1C44B3432F
Operation:writeName:Blob
Value:
5C000000010000000400000000040000140000000100000014000000D44E7AFE0F0C2E71D40BED7EEE643F39BB3FD9650F00000001000000140000008C48504C443ABE70722B8CB2BCC55FFABD9A22BC0200000001000000840000001C0000003400000001000000000000000000000000000000020000004100750074006F0048006F0074006B0065007900000000004D006900630072006F0073006F006600740020005300740072006F006E0067002000430072007900700074006F0067007200610070006800690063002000500072006F0076006900640065007200000003000000010000001400000079E8455D8FA36FD051ACD84232D1DB1C44B3432F04000000010000001000000097FCBEC3424189142C6C37A259F8188819000000010000001000000098EC745F60BB2210A7913D3C2D77EEE12000000001000000E1010000308201DD30820146A00302010202101D37D7E8245639B146FA0FE91A40560A300D06092A864886F70D01010505003015311330110603550403130A4175746F486F746B65793020170D3235303631363136353630355A180F39393939303130313132303030305A3015311330110603550403130A4175746F486F746B657930819F300D06092A864886F70D010101050003818D0030818902818100F62A1CC3D59A3F11617B68133848A93DD795D12FD46929B7542092313B62CA9AFAB76FFB87FDCF5DA935ED137184D80AABBB9BF46F378BA53B67B4AB4E2D46DCB1110E2899C25955A2906C83C308C5E03A74205AAA1973FFBFFEE3603F69EE1740A09351EC78110EA7CB2650AF6CE218E631BF671B9BCA14B23AE80F2CE4798D0203010001A32C302A30100603551D040101FF040630040302049030160603551D250101FF040C300A06082B06010505070303300D06092A864886F70D0101050500038181000E9EF6C4E506C61648F2DB99E2FE0DACADE6ED7ABDC0F9D0FD3771EB16AE623B5E1A6D129C54D5EAA5D51EB9BAF4E78C96EC231C16CD9166E319B7647DDFD29E0021D87368BB7BEA34C28F4D2A845690E06AF5013CE12E2219DA06FD630B1A2F8E96B8336DB8A9F71E759C3AF30AFB02270552E04C2E0A6D548E187196A8E093
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey
Operation:writeName:DisplayName
Value:
AutoHotkey
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey
Operation:writeName:UninstallString
Value:
"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" "C:\Program Files\AutoHotkey\UX\ui-uninstall.ahk"
(PID) Process:(3788) AutoHotkey_2.0.19_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\AutoHotkey\UX\AutoHotkeyUX.exe" "C:\Program Files\AutoHotkey\UX\install.ahk" /uninstall /silent
Executable files
14
Suspicious files
8
Text files
65
Unknown types
12

Dropped files

PID
Process
Filename
Type
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\WindowSpy.ahktext
MD5:1B081984B7C90528E03E67096F001E5F
SHA256:83E60BA7D330D4FAA32576C0AB223A2440EF92972D3D32DEE46D117E8A446CE9
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\AutoHotkey64.exeexecutable
MD5:38746D44ECA1F41D1F8E16746EB182F5
SHA256:3880F9EC464DFE78C16BBD8B9F30560227154C292280337346A30C8FD92871FE
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\reload-v1.ahktext
MD5:35F4753A58432446B99BF89A9E930BF5
SHA256:E4659306A755B583E9CEF5FDBA3B3EB102D8939FB028AFD91AAD4496E758FAD5
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\AutoHotkey.chmchm
MD5:57BB054E56EB6FA154F5BCA6AFFA656A
SHA256:33D035BBC23CE61FA83E13DA126D17D3EB48ED210CA59E4F4BAB46F1BE3654C7
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\launcher.ahktext
MD5:596B69069BBBCC9A22AC26BBA6EFE546
SHA256:830DB4BE4C8320F23FF32316DAC933D4E72D9056EA5A819CC12C38614DA6E06F
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\ui-dash.ahkhtml
MD5:669BD791C5AAFB60EE0885EF064D3622
SHA256:E8C0B4E149AD58C57E77AAC12041F1FA8BC9F25C6D642D12837EFC5FD97B8D21
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\ui-setup.ahktext
MD5:DD3F9C2F9115689F4350896752F15926
SHA256:68B114A2EA4AF9DF54709A78EC5991A1F271097B29CB93757403FDB158746BC7
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\reset-assoc.ahktext
MD5:0299132478B49E3EB706C214BF32E62F
SHA256:D26CAEF44190E0B612C3E4309FF6689DC2953C72CB3DE1C94D002250B089F16B
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\ui-newscript.ahktext
MD5:1B88198B4BD36EB25E23DC412321A555
SHA256:31249EF15CCE83D150A9A5DE11168A5052FF2C55DBD574B8DF1C054510B61843
3788AutoHotkey_2.0.19_setup.exeC:\Program Files\AutoHotkey\.staging\AutoHotkey_2.0.19_setup.exe\UX\ui-launcherconfig.ahktext
MD5:57DCC5F7853CFD0BDD49F35D1F86897B
SHA256:179C96D787FAE5DD26CDF832E5226142AB3E4F1FF53E3B1F24CECDDCF3E79947
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
30
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.11:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CECoW9cIBGAf3CpJj3Tw5qfI%3D
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEQCrZoa1YnvoBZaCEzAShkn1
unknown
whitelisted
6656
AutoHotkeyUX.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
4664
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4664
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7164
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2468
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.11:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6656
AutoHotkeyUX.exe
140.82.121.5:443
api.github.com
GITHUB
US
whitelisted
6656
AutoHotkeyUX.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.11
  • 23.216.77.20
  • 23.216.77.17
  • 23.216.77.16
  • 23.216.77.25
  • 23.216.77.23
  • 23.216.77.10
  • 23.216.77.22
  • 23.216.77.12
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
api.github.com
  • 140.82.121.5
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
github.com
  • 140.82.121.4
whitelisted
release-assets.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
AutoHotkey_2.0.19_setup.exe