Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
791
Views
2
Helpful
6
Replies

AutoHotkeyU.exe disposition is now malicious

Go to solution
mski7861
Level 1
Level 1

‎02-29-2024 01:16 PM

Anyone else using AutoHotkeyU.exe in their environment and experiencing multiple retrospective quarantine events because the file disposition is now malicious? 

I understand what it does, but I'm curious why the disposition recently changed

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP
In response to mski7861

‎03-01-2024 06:59 AM

If you know it's a ln FP, I would add it to the whitelist temporarily and then submit file reputation disputes on talosintelligence.com.

Once Talos clears it, I pull it from the whitelist.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Matthew Franks
Cisco Employee
Cisco Employee

‎03-01-2024 05:08 AM

Could you post the SHA256 hash of the file please? Then we can look into why it was marked malicious.

Thanks,

-Matt

0 Helpful

Go to solution
mski7861
Level 1
Level 1
In response to Matthew Franks

‎03-01-2024 06:41 AM

@Matthew Franks  here are the details:

There appears to be at least 3 versions of AutoHotkey.exe in our environment that are triggering threat detection and retrospective quarantine failure events:

C:\Program Files\AutoHotkey\AutoHotkeyU32.exe / disposition = malicious
SHA256: 9ab9738634810cf54edca5a9937f2eb1ff64f8a221558ca57ef23832b413f5a2
993fcb15d8eb9197f71826d7b60ba86ad407c2c3d31801be2a7e4bac8e1abac3

AutoHotkey.exe / disposition = malicious
945adada6cf6698b949359d9b395a5f905989d0d1eb84f537de492ecc1263148

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to mski7861

‎03-01-2024 06:59 AM

If you know it's a ln FP, I would add it to the whitelist temporarily and then submit file reputation disputes on talosintelligence.com.

Once Talos clears it, I pull it from the whitelist.

0 Helpful

Go to solution
Pulkit Mittal
Spotlight
Spotlight

‎03-01-2024 05:17 AM

If you trust the sha and its affecting your business critical applications then I suggest whitelisting the SHA until Cisco comes back with an explanation.

Go to solution
mski7861
Level 1
Level 1

‎03-01-2024 06:47 AM

A little more background:
 
There are a number of users in our organization that have been using AutoHotKey for quite some time, primarily to automate repetitive tasks.  Working with a few end users yesterday, I noticed most were running the older version 1.1.37.01.  We uninstalled and installed 2.0.11.  There were also a couple users that generated events and were already running version 2.0.11.
 
So this morning I downloaded and installed both versions in my sandbox and the hash files are different as seen below:
 
- I downloaded AutoHotKey_1.1.37.01_setup.exe (SHA256: dbf3490648efe876bd9a98d53e4d9110bf5e02a3914c0dd4b2a48db4a09799b5)
- Installed and verified the following files:
     - AutoHotkey.exe SHA256: 7d47220e8a09c113b82ba9f366ce2cbe5924b0cc661dc9df93c13e8dbfa1f254 - Talos currently evaluating disposition
     - AutoHotkeyU32.exe SHA256: 897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb - Talos currently evaluating disposition
 
- I also downloaded AutoHotkey_2.0.11_setup.exe (SHA256: 2a3e882103232c1355e2a6a8f1d9bc7cc23134cd)
- Installed and verified the following files:
     - AutoHotkey.exe SHA256: f325aa17f9d8b3580b6a89ef8ee18dcf95961a3d28e0d79b7478f9800eba237c - Talos currently evaluating disposition 
     - AutoHotkey32.exe SHA256: bfde2b58f0a083d9d10e31cd95164d2812575b897e2eb04c6528f30fb2eabdf0 - Talos currently evaluating disposition
0 Helpful

Go to solution
Matthew Franks
Cisco Employee
Cisco Employee

‎03-01-2024 07:01 AM

Good advice from Ken as always. I submitted the first 3 hashes as FPs because I don't see anything in the report that jumps out to me as overtly malicious. Could you please submit that latest batch if you haven't already and they're showing as malicious?

Thanks,

-Matt

Customers Also Viewed These Support Documents