SHA256: a04336b9a1cc99275128430e419e473b25995953d48e193c30771d589d42079c
File name: AutoHotkey112301_Install.exe
Detection ratio: 7 / 54
Analysis date: 2016-02-10 12:48:41 UTC ( 3 years, 1 month ago )
Antivirus Result Update
AegisLab Troj.Downloader.W32.Small 20160210
Yandex Trojan.Deshacop! 20160209
Ikarus Trojan.Win32.Deshacop 20160210
Jiangmin Trojan.Deshacop.ix 20160210
McAfee Artemis!880795A824A4 20160210
McAfee-GW-Edition BehavesLike.Win32.AAEH.vc 20160210
Rising PE:Malware.Generic/QRS!1.9E2D [F] 20160210
Ad-Aware 20160210
AhnLab-V3 20160210
Alibaba 20160204
ALYac 20160209
Antiy-AVL 20160210
Arcabit 20160210
Avast 20160210
AVG 20160210
Avira (no cloud) 20160210
Baidu-International 20160210
BitDefender 20160210
Bkav 20160204
ByteHero 20160210
CAT-QuickHeal 20160210
ClamAV 20160210
CMC 20160205
Comodo 20160210
Cyren 20160210
DrWeb 20160210
Emsisoft 20160210
ESET-NOD32 20160210
F-Prot 20160210
F-Secure 20160210
Fortinet 20160210
GData 20160210
K7AntiVirus 20160210
K7GW 20160210
Kaspersky 20160210
Malwarebytes 20160210
Microsoft 20160210
eScan 20160210
NANO-Antivirus 20160210
nProtect 20160205
Panda 20160208
Qihoo-360 20160210
Sophos AV 20160210
SUPERAntiSpyware 20160210
Symantec 20160209
Tencent 20160210
TheHacker 20160210
TrendMicro 20160210
TrendMicro-HouseCall 20160210
VBA32 20160210
VIPRE 20160210
ViRobot 20160210
Zillya 20160209
Zoner 20160210
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright (c) 2015 Steve Gray

Product AutoHotkey
File version 1.1.23.01
Description AutoHotkey Setup
Packers identified
F-PROT appended, 7Z, Unicode, UTF-8
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Entry Point 0x00011E80
Number of sections 3
PE sections
Overlays
MD5 9c1f74e4b956c3ae268c09d28efa89ea
File type data
Offset 95232
Size 2996517
Entropy 8.00
PE imports
GetLastError
GetModuleFileNameW
WaitForSingleObject
GetTickCount
GetVersionExA
GetStartupInfoA
GetCurrentDirectoryW
GetFileSize
SetFileTime
GetCommandLineW
CreateDirectoryW
DeleteFileW
GetModuleHandleA
RemoveDirectoryW
SetFilePointer
ReadFile
GetTempPathW
FindNextFileW
GetCommandLineA
FindFirstFileW
SetCurrentDirectoryW
WriteFile
CreateFileW
CreateProcessW
FindClose
SetFileAttributesW
CreateFileA
GetCurrentThreadId
GetCurrentProcessId
CloseHandle
_except_handler3
_itoa
malloc
strcpy
strstr
memmove
_exit
wcsncpy
memset
free
wcscpy
wcslen
wcscmp
wcscat
exit
_XcptFilter
memcmp
_controlfp
strlen
memcpy
__set_app_type
MessageBoxA
Number of PE resources by type
RT_ICON 7
RT_GROUP_ICON 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
NEUTRAL 8
ENGLISH US 2
PE resources
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
6.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
1.1.23.1

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

FileDescription
AutoHotkey Setup

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit, No debug

CharacterSet
Unicode

InitializedDataSize
21504

EntryPoint
0x11e80

MIMEType
application/octet-stream

LegalCopyright
Copyright (c) 2015 Steve Gray

FileVersion
1.1.23.01

TimeStamp
0000:00:00 00:00:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
1.1.23.01

SubsystemVersion
4.0

OSVersion
4.0

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CodeSize
0

ProductName
AutoHotkey

ProductVersionNumber
1.1.23.1

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack
CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
Compressed bundles
File identification
MD5 880795a824a4189dc3d312b702880ced
SHA1 06d156b8d9b2e8e2e8b4d62c85234b86559a2b05
SHA256 a04336b9a1cc99275128430e419e473b25995953d48e193c30771d589d42079c
ssdeep
49152:rIamQjTdeOtl9F/xKlr6a8PQlJrU0nFb9QpQjg5Zi4DcC04nhjlCcLi4mRLJL+zC:ryQjReS0lr6JIlWyburZiUtl7wLJL6Nc

authentihash 948c3bceef85c6b8b72e6d178df861198ffb0f0a1bcc3008beff4f59c312a503
imphash 88e76079585191b78a8391dd026d71f2
File size 2.9 MB ( 3091749 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win64 Executable (generic) (45.0%)
Microsoft Visual C++ compiled executable (generic) (26.9%)
Win32 Dynamic Link Library (generic) (10.7%)
Win32 Executable (generic) (7.3%)
OS/2 Executable (generic) (3.3%)
Tags
peexe overlay

VirusTotal metadata
First submission 2016-01-24 02:44:25 UTC ( 3 years, 2 months ago )
Last submission 2018-05-24 02:20:17 UTC ( 10 months ago )
File names 793645
AutoHotkey112301_Install.exe
AutoHotkey112301_Install(1).exe
AutoHotkey112301_Install.exe
AutoHotkey112301_Install.exe
AutoHotkey112301_Install.exe
autohotkey.installInstall.exe
autohotkey.installInstall.exe
AutoHotkey.exe
AutoHotkey112301_Install (2).exe
AutoHotkey112301_Install (1).exe
autohotkey112301_install.exe
AutoHotkey112301_Install.exe
autohotkey-1-1-23-01.exe
AutoHotkey112301_Install.exe
unconfirmed 144136.crdownload
AutoHotkey112301_Install.exe
AutoHotkey_1_1_23_01_Install---03-02-2016---Antivirus-scan--7-Treffer.exe
AutoHotkey 112301 install.exe
AutoHotkey112301_Install.exe
AutoHotkey112301_Install.exe
3bd827d75ff530aa648f7a81b2c22dbe9ef90701cf9e7d398f37321c2f15a32cfcb02ea1ff5be9eaa9869371ae352de2330f312020ac5cf95009c0a5b0e72906
880795a824a4189dc3d312b702880ced_AutoHotkey112301_Install.exe
AutoHotkey_L 1.1.23.01.exe
0000008V.bin
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Created mutexes
Searched windows
Opened service managers
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done by making use of the SetWindowsHook Windows API function.
UDP communications