HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.MSILDrop.8 (B) (Emsisoft), Gen:Variant.MSILDrop.8 (AdAware), Monitor.Win32.PerfectKeylogger.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Trojan, Worm, EmailWorm, Monitor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2ec78d335d88dcbc6bd74873b242ed92
SHA1: 7f967dff65e07fb61d2a1fe358d682a24da76495
SHA256: e36f5a05c634282392bddbcb4062c50a7a983c7638409c34ccd64f2d9301d3ac
SSDeep: 49152:5xMVFM0MG C70HCgA 5H9bnBJ6ZroERHMGge1/jjFMfO34HX tq:/H0MG a0HCgzbBJ2rpbge1rz34HX t
Size: 4599808 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: DBMS are
Created at: 2014-06-06 10:26:21
Analyzed on: WindowsXP SP3 32-bit
Summary: Monitor. A surveillance tool used to observe activity on a computer system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Monitor creates the following process(es):
AutoHotkey111402_Install(2).exe:1168
mscorsvw.exe:1924
AutoHotkey111402_Install.exe:884
vshovs.exe:1768
rinst.exe:608
The Monitor injects its code into the following process(es):
%original file name%.exe:1600
setup.exe:1780
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process AutoHotkey111402_Install(2).exe:1168 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovswb.dll (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovs.exe (2813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovshk.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (1000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe (21374 bytes)
The Monitor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe (0 bytes)
The process %original file name%.exe:1600 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\AutoHotkey111402_Install(2).exe (17629 bytes)
The process AutoHotkey111402_Install.exe:884 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Template.ahk (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkey.chm (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU64.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\license.txt (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\ANSI 32-bit.bin (3761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\readme.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 64-bit.bin (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 32-bit.bin (3885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU32.exe (6347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AU3_Spy.exe (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyA32.exe (3853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\setup.exe (6293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Installer.ahk (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Ahk2Exe.exe (3911 bytes)
The process vshovs.exe:1768 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):
%System%\pk.bin (4 bytes)
%System%\bpk.dat (138 bytes)
The process setup.exe:1780 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process rinst.exe:608 makes changes in the file system.
The Monitor creates and/or writes to the following file(s):
%System%\rinst.exe (7 bytes)
%System%\vshovswb.dll (1552 bytes)
%System%\vshovs.exe (15168 bytes)
%System%\pk.bin (4 bytes)
%System%\inst.dat (996 bytes)
%System%\vshovshk.dll (784 bytes)
The Monitor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovswb.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovs.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovshk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (0 bytes)
Registry activity
The process AutoHotkey111402_Install(2).exe:1168 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D C5 F5 1D 94 E5 B5 24 24 77 F7 DC EE 54 2C 0A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"rinst.exe" = "rinst"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Monitor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1600 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 55 01 B3 0B D1 A3 36 EA E5 8C 46 99 4D 2E 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"AutoHotkey111402_Install(2).exe" = "AutoHotkey111402_Install(2)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Monitor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process mscorsvw.exe:1924 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
The process vshovs.exe:1768 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID]
"(Default)" = "PK.IE"
[HKCR\PK.IE\CurVer]
"(Default)" = "PK.IE.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IE Plugin Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0]
"(Default)" = "BPK IE Plugin Type Library"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "IViewSource"
[HKCR\PK.IE.1\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32]
"(Default)" = "%System%\vshovswb.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\PK.IE.1]
"(Default)" = "IE Plugin Class"
[HKCR\PK.IE]
"(Default)" = "IE Class"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32]
"(Default)" = "%System%\vshovswb.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID]
"(Default)" = "PK.IE.1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"
[HKCR\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib]
"(Default)" = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 9B 13 A1 15 C1 E3 05 1F CD F7 51 A1 B8 DD 4D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCR\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR]
"(Default)" = "%System%\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\PK.IE\CLSID]
"(Default)" = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}"
To automatically run itself each time Windows is booted, the Monitor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vshovs" = "%System%\vshovs.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}]
"(Default)" = "PK IE Plugin"
The Monitor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The Monitor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vshovs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vshovs"
The process setup.exe:1780 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 B4 F0 94 57 73 4A 99 B2 FE 1B 5D B5 42 F9 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Monitor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process rinst.exe:608 makes changes in the system registry.
The Monitor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB C6 96 C8 FD 6D E4 DC DD 11 B0 7A 6E 7C 6A 41"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"AutoHotkey111402_Install.exe" = "AutoHotkey Setup"
The Monitor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Monitor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Monitor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
ad20f40c144869d62fa5e03a96a98984 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AutoHotkey111402_Install(2).exe |
71e128e297a3817f8396a5b862c1ea01 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AU3_Spy.exe |
236d98ce24b3f534584d4eef13805598 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AutoHotkeyA32.exe |
e142d2b124f161115161d0e2424107f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AutoHotkeyU32.exe |
7e61170f7fd27c27641c1f49d38d6ce4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\AutoHotkeyU64.exe |
bac30e3a45b46cc23f22c46025053b3d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\ANSI 32-bit.bin |
46a5e79f4e83fb59fe846d150ec5e300 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\Ahk2Exe.exe |
86b03e204944f39e2b441cf3c211c915 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\Unicode 32-bit.bin |
3cce8b23fdd3e5d3ec42d094d204c6d2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\Compiler\Unicode 64-bit.bin |
e3afd9d01fb36f4aafb845720bdd8c6c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7z47B60374\setup.exe |
0eee60867caf74958c4ab8432f827280 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe |
a455ca431e66975d886f1a8cfee8cb9f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RarSFX0\rinst.exe |
a455ca431e66975d886f1a8cfee8cb9f | c:\WINDOWS\system32\rinst.exe |
bae0fb25bcf05a5da7fde8dce759ee0d | c:\WINDOWS\system32\vshovs.exe |
58129986fa29f6dacd99ab45f60bcb3c | c:\WINDOWS\system32\vshovshk.dll |
2e6016325548ab79e2d636640c6ec473 | c:\WINDOWS\system32\vshovswb.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
AutoHotkey111402_Install(2).exe:1168
mscorsvw.exe:1924
AutoHotkey111402_Install.exe:884
vshovs.exe:1768
rinst.exe:608
- Delete the original Monitor file.
- Delete or disinfect the following files created/modified by the Monitor:
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\rinst.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovswb.dll (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\pk.bin (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovs.exe (2813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\vshovshk.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\inst.dat (1000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\AutoHotkey111402_Install.exe (21374 bytes)
%Documents and Settings%\%current user%\Application Data\AutoHotkey111402_Install(2).exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Template.ahk (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkey.chm (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU64.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\license.txt (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\ANSI 32-bit.bin (3761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\readme.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 64-bit.bin (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Unicode 32-bit.bin (3885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyU32.exe (6347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AU3_Spy.exe (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\AutoHotkeyA32.exe (3853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\setup.exe (6293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Installer.ahk (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7z47B60374\Compiler\Ahk2Exe.exe (3911 bytes)
%System%\pk.bin (4 bytes)
%System%\bpk.dat (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\rinst.exe (7 bytes)
%System%\vshovswb.dll (1552 bytes)
%System%\vshovs.exe (15168 bytes)
%System%\inst.dat (996 bytes)
%System%\vshovshk.dll (784 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vshovs" = "%System%\vshovs.exe"
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: Autohotkey.exe
Internal Name: Autohotkey.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 4586308 | 4587520 | 4.47908 | cc3b5d7df9bc2a770c49f2d8cc8a05d8 |
.rsrc | 4595712 | 3872 | 4096 | 3.11224 | 8810e9202289c91294e3d40efd494710 |
.reloc | 4603904 | 12 | 4096 | 0.011373 | ffae2366a0adb901e6d11dfdc43116aa |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Monitor connects to the servers at the following location(s):
Strings from Dumps
vshovs.exe_1768:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
0WSSh
0WSSh
SSSSh
SSSSh
YSSSh
YSSSh
ujSSh
ujSSh
tn9.uc
tn9.uc
tq9.uf
tq9.uf
!"#$%&'()* ,-./012
!"#$%&'()* ,-./012
!"#$%&'()* ,-./012345678
!"#$%&'()* ,-./012345678
kw.dat
kw.dat
mc.dat
mc.dat
Software\Blazing Tools\Perfect Keylogger\1.2
Software\Blazing Tools\Perfect Keylogger\1.2
readme.txt
readme.txt
inst.dat
inst.dat
rinst.exe
rinst.exe
pk.bin
pk.bin
inst.bin
inst.bin
inst.tmp
inst.tmp
bpk.dat
bpk.dat
$#$#$#$#$#$#$#$#$#$#$#$#$#$
$#$#$#$#$#$#$#$#$#$#$#$#$#$
web.dat
web.dat
bpkch.dat
bpkch.dat
keystrokes.html
keystrokes.html
websites.html
websites.html
chats.html
chats.html
Logs.zip
Logs.zip
bpk.chm
bpk.chm
apps.dat
apps.dat
titles.dat
titles.dat
temporary.bmp
temporary.bmp
th_temp.bmp
th_temp.bmp
report.txt
report.txt
http://www.blazingtools.com/
http://www.blazingtools.com/
update.tmp
update.tmp
updates/bpk.dat
updates/bpk.dat
install.log
install.log
hhctrl.ocx
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
FtpPutFileA
FtpPutFileA
FtpCreateDirectoryA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
FtpSetCurrentDirectoryA
WININET.dll
WININET.dll
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
KERNEL32.dll
KERNEL32.dll
EnumChildWindows
EnumChildWindows
GetKeyNameTextA
GetKeyNameTextA
MapVirtualKeyA
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayoutList
RegisterHotKey
RegisterHotKey
UnregisterHotKey
UnregisterHotKey
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
comdlg32.dll
comdlg32.dll
RegCloseKey
RegCloseKey
RegCreateKeyA
RegCreateKeyA
RegOpenKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyA
RegOpenKeyA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
URLDownloadToFileA
URLDownloadToFileA
urlmon.dll
urlmon.dll
WSOCK32.dll
WSOCK32.dll
MSVCP60.dll
MSVCP60.dll
RPCRT4.dll
RPCRT4.dll
.PAVCFileException@@
.PAVCFileException@@
.PAVCException@@
.PAVCException@@
.PAVCObject@@
.PAVCObject@@
0xx %d
0xx %d
%u 0xx
%u 0xx
%d %d
%d %d
%d %d %d
%d %d %d
Ss=%d, Se=%d, Ah=%d, Al=%d
Ss=%d, Se=%d, Ah=%d, Al=%d
%d: dc=%d ac=%d
%d: dc=%d ac=%d
%d: %dhx%dv q=%d
%d: %dhx%dv q=%d
0xx: %u, %u, =%d
0xx: %u, %u, =%d
RST%d
RST%d
0xx, %d
0xx, %d
to %d
to %d
%d = %d*%d*%d
%d = %d*%d*%d
%4u %4u %4u %4u %4u %4u %4u %4u
%4u %4u %4u %4u %4u %4u %4u %4u
0xx, length %u
0xx, length %u
%d x %d
%d x %d
%d.d
%d.d
%dx%d %d
%dx%d %d
= = = = = = = =
= = = = = = = =
%d precision %d
%d precision %d
0xx: 0xx
0xx: 0xx
Ðxx 0xx, %d
Ðxx 0xx, %d
0xx 0xx
0xx 0xx
0xx
0xx
Ss=%d Se=%d Ah=%d Al=%d
Ss=%d Se=%d Ah=%d Al=%d
.PAVCOXJPEGException@@
.PAVCOXJPEGException@@
options_alerts.htm
options_alerts.htm
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d
%d-%d-%d %d:%d
options_ftp.htm
options_ftp.htm
OLEACC.DLL
OLEACC.DLL
oleacc.dll
oleacc.dll
TskMultiChatForm.UnicodeClass
TskMultiChatForm.UnicodeClass
TMsgForm
TMsgForm
__oxFrame.class__
__oxFrame.class__
icq.exe
icq.exe
options_notification.htm
options_notification.htm
The .EXE file is invalid
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
(non-Win32 .EXE or error in .EXE image).
%s action failed!
%s action failed!
Failed to execute unknown action!
Failed to execute unknown action!
The operating system is out
The operating system is out
The operating system denied
The operating system denied
There was not enough memory to complete the operation.
There was not enough memory to complete the operation.
d-d-%d d:d:d
d-d-%d d:d:d
WININET.DLL
WININET.DLL
%s <%s>
%s <%s>
Content-Location: %s
Content-Location: %s
Content-ID: %s
Content-ID: %s
Content-Base: %s
Content-Base: %s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s
Content-Type: %s; charset=%s; name=%s
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
Content-Type: %s; charset=%s; name=%s; Boundary="%s"
--%s--
Microsoft Outlook Express 6.00.2800.1437
Reply-To: %s
Content-Type: %s;
charset=%s
Content-Type: %s
Content-Type: %s; boundary="%s"
Subject: %s
Date: %s
X-Mailer: %s
Cc: %s
From: %s
To: %s
%a, %d %b %Y %H:%M:%S
=?%s?q?
EHLO %s
HELO %s
MAIL FROM:<%s>
RCPT TO:<%s>
Password:
AUTH LOGIN
AUTH LOGIN PLAIN
Opera
Mozilla
Firefox
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
Build 1.6.8.2
version.dll
options_common.htm
options_diary.htm
options_title.htm
options_email.htm
Perfect Keylogger Test
KERNEL32.DLL
Setup=rinst.exe
Program files (*.exe)
*.exe
All files (*.*)
explorer.exe
\shell32.dll
d-d-%d d:d
user32.dll
EnableSpecialKeysLogging
main.htm
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Perfect Keylogger
%d-%d-%d_%d-%d-%d
th_%d-%d-%d_%d-%d-%d
th_%d-d-d_d-d-d-%d
%d-d-d_d-d-d-%d
nopass
d-d-d-d-d-d
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
i.dll
un.exe
vw.exe
wb.dll
hk.dll
r.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
psapi.dll
<H2>%s, %s</H2><H3>%s</H3>
<H1> %s</H1>
%d/%d/%d %d:%d:%d
<H2>%s %s</H2><H3>%s</H3><P><A target="_blank" href="%s" title="%s">%s</A></P>
%s, %s
<H2>%s - %s, %s</H2><H3>%s</H3>
advapi32.dll
\StringFileInfo\XX\FileDescription
Application files (*.exe)
options_ex_programs.htm
options_screenshots.htm
%ld%c
00000409
LOGIN PLAIN
version="1.0.0.0"
name="Microsoft.Windows.Manifest"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Password
Password required
Enter the password:
Perfect Keylogger can carry out visual surveillance. It means the screen capturing every time when the specified interval is elapsed and storing the compressed images on a disk. You can review it later using Log Viewer.
&Web log (websites visited)
&Also hide keylogger's icon when it will start next time
Please notice, that "Run on Windows startup" option is checked. This means, that keylogger's startup screen will appear after PC reboot. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
&SMTP server:
Example: smtp.aol.com
&Port number:
&Password:
Text log (&keystrokes)
Password protection
&Try to upload logs by FTP every
HTML (can be viewed with a web browser)
Example: ftp.prohosting.com
Remote dir is the directory on the FTP server where you want to store log files. You can leave it blank to store logs at the initial directory.
Use passive &mode (this may be necessary for some firewalls)
T&est FTP
Capture mouse clicks &only in the following windows:
This software may be installed and evaluated for 5 days to ensure that it meets your needs. This screen will appear every time when keylogger starts until you buy the program.
Days remaining: %d.
Perfect Keylogger's Registration
Enter &old password:
Enter &new password:
&Repeat new password:
To remove the password, leave the fields blank.
To set or change the password for using keylogger, click Password button.
&Password...
&Monitor only online activity (disable keylogger when computer is offline)
&Use progressive method of keystroke interception
(flip this option if you have problems with keyboard logging)
&Include non-character keys in the log
Perfect Keylogger's Home Page
About Perfect Keylogger
www.blazingtools.com
support@blazingtools.com
Use the newest solution in the visual surveillance and keyboard monitoring!
&Run on Windows startup
Hotkeys
msctls_hotkey32
HotKey1
&Make the program invisible in the Windows startup list
Click here to uninstall keylogger
Welcome to the Remote Installation Wizard! This wizard will help you to create compact deployment package for Perfect Keylogger
The wizard will combine Perfect Keylogger and any other specified program. When somebody will run that program, keylogger will be immediately installed on the computer in the absolutely stealth mode.
Please configure keylogger before creating installation package. All current settings will be applied immediately after the stealth installation.
The wizard can also create package for removal of the installed keylogger.
&Automatically uninstall remote keylogger after
Now you can use this package to install keylogger on the another PC. You can copy it to the floppy disk or send by e-mail. When somebody will run this program, keylogger will be installed and activated in the stealth mode.
Keylogger will be installed into the following folder:
&Install new or update existing keylogger on the remote computer
Uninstall existing copy of the Perfect Keylogger on the remote computer
By FTP
Create a list of "on alert" words or phrases and Perfect Keylogger will continually monitor keyboard typing and web pages for these words.
When a keyword or phrase will be detected, Perfect Keylogger can immediately send you an instant alert via e-mail.
&Add keyword
Keyword detection action
BlazingTools Perfect Keylogger
PathYFile PSAPI.DLL not found in your system. Target applications feature will be unavailable.
Targets.Enter window title or its part (any substring)ASpecify an applications where you want Perfect Keylogger enabled:\Specify window titles or their parts (substrings), where you want Perfect Keylogger enabled:&Error writing program-exceptions file.#Error writing windows titles file.
This is a Perfect Keylogger report for computer "%s", IP address %s, user "%s".
support@blazingtools.comnYou haven't specified the hotkey to put keylogger into the visible mode. Do you really want to disable hotkey?/Please, specify the destination e-mail address.
Perfect Keylogger report:
Keylogger is ready to work! Type any text in any application, then double click on Perfect Keylogger's icon to view the log. To hide the icon, right click on it and select "Hide program icon" from the context menu. Thank you for installing Perfect Keylogger!
Invalid password!
5An error occured on saving file "%s". Error code = %u
An error has occurred while creating the package. The wizard will be closed. Please make sure that keylogger is running from the original location.CType folder path here or click "Next" to install to "System" folder;"System" folder (path will be detected during installation)
www.blazingtools.com/bpk.html
www.blazingtools.comVPlease, first specify the hotkey to show the icon next time. Do you want to do it now?TYou're about to hide the program icon.
Attention: use %s to show the icon next time.
FTP server
OError while connecting to site. Please make sure that FTP settings are correct.
Unable to set FTP directory.
Incorrect hook DLL version.ZCan't to set hotkey combination #%d (already in use). Please, specify another combination.
Enter re&gistration code...ETo remove this screen and other trial limitations, please buy it now.)http://www.blazingtools.com/orderbpk.html_This is a Perfect Keylogger test message. If you've received it, all mail settings are correct.6Test message was sent succesfully. Check your mailbox.$COPYING TO THE CLIPBOARD WAS LOGGED:$Test file was uploaded successfully!HCongratulations! If you are reading this file, FTP settings are correct.5&Specify the program to combine with the uninstaller:6&Specify the program to combine it with the keylogger:
YA new version of Perfect Keylogger is available. Do you want to download the new version?
When somebody will run this package, it will stop running keylogger and remove it.
Attention: Perfect Keylogger version 1.45 or higher is required..Perfect Keylogger was installed successfully: ZPerfect Keylogger was installed on the computer %s, with IP address %s, user %s at %s, %s.KLog upload date: %s
Time: %s
Computer: %s
IP address: %s
User: %s
Please notice, that keylogger's startup screen will appear when installation package will be launched. To remove that screen and use keylogger in the absolutely invisible mode, please buy it now.
Perfect Keylogger Alert: ePerfect Keylogger has detected that keyword "%s" was typed by user %s at the computer %s.
Context: %s
Error launching Log Viewer.zPefect Keylogger has detected that web page %s contains keyword "%s". This page was visited by user %s at the computer %s.
AttentionARegistration succeeded. Thank you for choosing Perfect Keylogger!
Hide program &icon "Set new Perfect Keylogger password!Change Perfect Keylogger password
Wrong old password.
Passwords do not match.*http://www.blazingtools.com/downloads.html
Perfect Keylogger Test Message
This option forces the keylogger to delete itself from the Windows Startup to make it more stealth.
If you choose it, the keylogger won't run at Startup after the power failure or incorrect PC shutdown.
Password captured: %Where do you want to store your logs?3Select the folder where you want to store the logs:
Change ZIP file password
Set ZIP file password
AutoHotkey111402_Install.exe_884:
.text
`.rdata
@.data
.rsrc
USER32.dll
ShellExecuteExW
SHELL32.dll
MSVCRT.dll
_acmdln
KERNEL32.dll
Decoder doesn't support this archive
There is no file to execute
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /> <!-- Vista -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /> <!-- 7 -->
AutoHotkey Setup
1.1.14.02
AutoHotkey
setup.exe_1780:
.text
`.rdata
@.data
.rsrc
GetProcessWindowStation
operator
InternetOpenUrlW
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
GdiplusShutdown
Error text not found (please report)
WSOCK32.dll
WINMM.dll
VERSION.dll
COMCTL32.dll
PSAPI.DLL
GetCPInfo
GetWindowsDirectoryW
KERNEL32.dll
GetKeyState
GetKeyboardLayout
SetWindowsHookExW
UnhookWindowsHookEx
RegisterHotKey
UnregisterHotKey
GetAsyncKeyState
GetKeyboardState
SetKeyboardState
keybd_event
VkKeyScanExW
MapVirtualKeyW
EnumChildWindows
EnumWindows
ExitWindowsEx
USER32.dll
GDI32.dll
COMDLG32.dll
RegCloseKey
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetProcessHeap
; <COMPILER: v1></COMPILER:>
if !A_IsAdmin && !úlse%
MsgBox 0x31, AutoHotkey Setup,
(LTrim Join`s
IfMsgBox Cancel
DetectHiddenWindows On
InstallFile(exefile, "AutoHotkey.exe")
MsgBox 64, AutoHotkey Setup, The settings have been updated.
RunAutoHotkey_()
ProductName := "AutoHotkey"
ProductWebsite := "http://ahkscript.org/"
DefaultPath := (ProgramW6432 ? ProgramW6432 : A_ProgramFiles) "\AutoHotkey"
DefaultStartMenu := "AutoHotkey"
AutoHotkeyKey := "SOFTWARE\AutoHotkey"
UninstallKey := "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoHotkey"
FileTypeKey := "AutoHotkeyScript"
Loop ÞfaultPath%, 2
ViewHelp("/docs/Scripts.htm#install")
if WinExist("AutoHotkey Setup ahk_class AutoHotkeyGUI") {
MsgBox 0x30, AutoHotkey Setup, AutoHotkey Setup is already running!
Gui Add, ActiveX, vwb w600 h400 hwndhwb, Shell.Explorer
OnMessage(0x100, "gui_KeyDown", 2)
excpt := excpt.Message
MsgBox 0x10, AutoHotkey Setup, Setup failed to initialize its user interface and will now exit.
MsgBox 0x13, AutoHotkey Setup,
ÞfaultPath%
IfMsgBox Yes
else IfMsgBox No
Gui Show,, AutoHotkey Setup
MsgBox 0x34, AutoHotkey Setup, Are you sure you want to exit setup?
IfMsgBox No
local url, v
RegRead CurrentPath, HKLM, %AutoHotkeyKey%, InstallDir
RegRead CurrentVersion, HKLM, %AutoHotkeyKey%, Version
RegRead CurrentStartMenu, HKLM, %AutoHotkeyKey%, StartMenuFolder
RegRead url, HKLM, %UninstallKey%, URLInfoAbout
if (url = "http://www.autohotkey.net/~Lexikos/AutoHotkey_L/"
|| url = "http://l.autohotkey.net/")
CurrentName := "AutoHotkey_L"
CurrentName := "AutoHotkey"
FileAppend ExitApp `% (A_IsUnicode=1) << 8 | (A_PtrSize=8) << 9, %A_Temp%\VersionTest.ahk
RunWait %CurrentPath%\AutoHotkey.exe "%A_Temp%\VersionTest.ahk",, UseErrorLevel
FileDelete %A_Temp%\VersionTest.ahk
DefaultCompiler := FileExist(CurrentPath "\Compiler\Ahk2Exe.exe") != ""
RegRead v, HKCR, %FileTypeKey%\ShellEx\DropHandler
RegRead v, HKCR, Applications\AutoHotkey.exe, IsHostApp
RegRead v, HKCR, %FileTypeKey%\Shell\Open\Command
wb.Silent := true
wb.Navigate("about:blank")
while wb.ReadyState != 4
wb.Document.open()
wb.Document.write(html)
wb.Document.Close()
w := wb.Document.parentWindow
w.initOptions(CurrentName, CurrentVersion, CurrentType
w.installdir.disabled := true
w.installdir_browse.disabled := true
w.installcompiler.disabled := !DefaultCompiler
w.installcompilernote.style.display := "block"
w.ci_nav_install.innerText := "apply"
w.install_button.innerText := "Apply"
w.extract.style.display := "None"
w.opt1.disabled := true
w.opt1.firstChild.innerText := "Checking for updates..."
w.installcompiler.checked := DefaultCompiler
w.enabledragdrop.checked := DefaultDragDrop
w.separatebuttons.checked := DefaultIsHostApp
w.it_x64.style.display := "None"
w.separatebuttons.parentNode.style.display := "none"
w.switchPage("start")
w.document.body.focus()
logicalDPI := w.screen.logicalXDPI, deviceDPI := w.screen.deviceXDPI
w.document.body.style.zoom := A_ScreenDPI/96 * (logicalDPI/deviceDPI)
URLDownloadToFile http://ahkscript.org/download/1.1/version.txt, %A_Temp%\ahk_version.txt
FileRead latestVersion, %A_Temp%\ahk_version.txt
FileDelete %A_Temp%\ahk_version.txt
w.opt1.firstChild.innerText := "Reinstall (download required)"
w.opt1.firstChild.innerText := "Download v" latestVersion
w.opt1.href := "ahk://Download/"
w.opt1.disabled := false
w.opt1.innerText := "An error occurred while checking for updates."
gui_KeyDown(wParam, lParam, nMsg, hWnd) {
pipa := ComObjQuery(wb, "{00000117-0000-0000-C000-000000000046}")
VarSetCapacity(kMsg, 48), NumPut(A_GuiY, NumPut(A_GuiX
, NumPut(nMsg, NumPut(hWnd, kMsg)))), "uint"), "int"), "int")
r := DllCall(NumGet(NumGet(1*pipa) 5*A_PtrSize), "ptr", pipa, "ptr", &kMsg)
until wParam != 9 || wb.Document.activeElement != ""
wb_BeforeNavigate2(wb, url, flags, frame, postdata, headers, cancel) {
if !RegExMatch(url, "^ahk://(.*?)/(.*)", m)
prms.Insert(A_LoopField)
%func%(prms*)
wb_NavigateError(wb, url, frame, status, cancel) {
wb_BeforeNavigate2(wb, url, 0, frame, "", "", cancel)
(Join,
bufs.SetCapacity(bufn, (4 prms.MaxIndex()) * A_PtrSize)
buf := bufs.GetAddress(bufn)
if pOleObject := ComObjQuery(wb, "{00000112-0000-0000-C000-000000000046}")
, pOleObject, "ptr", WBClientSite.IOleClientSite, "uint")
static IID_IUnknown := "{00000000-0000-0000-C000-000000000046}"
static IID_IOleClientSite := "{00000118-0000-0000-C000-000000000046}"
static IID_IServiceProvider := "{6d5140c1-7436-11ce-8034-00aa006009fa}"
NumPut(WBClientSite.IOleClientSite, ppvObject 0)
NumPut(WBClientSite.IServiceProvider, ppvObject 0)
static IID_IInternetSecurityManager := "{79eac9ee-baf9-11ce-8c82-00aa004ba90b}"
NumPut(WBClientSite.IInternetSecurityManager, ppvObject 0)
return wb.document.parentWindow
ErrorExit(errMsg) {
MsgBox 16, AutoHotkey Setup, %errMsg%
WinGet w, List, ahk_class AutoHotkey
WinGet exe, ProcessPath, % "ahk_id " w%A_Index%
if (exe != "") {
if InStr(exe, installdir "\") != 1
exe := SubStr(exe, StrLen(installdir) 2)
if !RegExMatch(exe, "i)^(AutoHotkey(A32|U32|U64)?\.exe|Compiler\\Ahk2Exe.exe)$")
title := RegExReplace(title, " - AutoHotkey v.*")
close.Insert(w%A_Index%)
MsgBox 49, AutoHotkey Setup,
Loop % close.MaxIndex()
GroupAdd autoclosegroup, AutoHotkey_L Help ahk_class HH Parent
GroupAdd autoclosegroup, AutoHotkey Help ahk_class HH Parent
GroupAdd autoclosegroup, Active Window Info ahk_exe %installdir%\AU3_Spy.exe
GroupAdd autoclosegroup, Ahk2Exe v ahk_exe %installdir%\Compiler\Ahk2Exe.exe
getWindow().switchPage(page)
shellWindows := ComObjCreate("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
desktop := shellWindows.Item(ComObj(19, 8))
, "{4C96BE40-915C-11CF-99D3-00AA004AE837}"
, "{000214E2-0000-0000-C000-000000000046}")
shell := ComObj(9,pdisp,1).Application
shell.ShellExecute(prms*)
getWindow().switchPage("custom-install")
SelectFolder(id, prompt="", root="::{20d04fe0-3aea-1069-a2d8-08002b30309d}") {
if !(field := wb.document.getElementById(id))
, % root " *" field.value
field.value := path
Run_(A_ScriptDir "\license.txt")
if FileExist("AutoHotkey.chm")
path := A_WorkingDir "\AutoHotkey.chm"
path := CurrentPath "\AutoHotkey.chm"
Run_("hh.exe", "mk:@MSITStore:" path "::" topic)
Run_("http://ahkscript.org" topic)
RunAutoHotkey() {
Run_("AutoHotkey.exe", """" A_WorkingDir "\Installer.ahk"" /runahk")
RunAutoHotkey_() {
script_path := A_MyDocuments "\AutoHotkey.ahk"
Run AutoHotkey.exe,,, pid
(LTrim Join`s
AutoHotkey has exited. You may need to edit your startup
AutoHotkey has exited. You may need to edit your startup
to do, you can add a hotkey.
to do, you can add a hotkey.
if WinExist("ahk_class AutoHotkey ahk_pid " pid) {
if WinExist("ahk_class AutoHotkey ahk_pid " pid) {
DetectHiddenWindows Off
DetectHiddenWindows Off
MsgBox 0x40, AutoHotkey Setup, Your script is running in the background.
MsgBox 0x40, AutoHotkey Setup, Your script is running in the background.
MsgBox % message_flags, AutoHotkey Setup, %message%`n`nYour script is located here:`n %script_path%`n`nDo you want to edit this file?
MsgBox % message_flags, AutoHotkey Setup, %message%`n`nYour script is located here:`n %script_path%`n`nDo you want to edit this file?
Run edit "%script_path%"
Run edit "%script_path%"
ViewWebsite() {
ViewWebsite() {
Run_(ProductWebsite)
Run_(ProductWebsite)
shell := ComObjCreate("Shell.Application")
shell := ComObjCreate("Shell.Application")
try FileCreateDir %dstDir%
try FileCreateDir %dstDir%
dst := shell.NameSpace(dstDir)
dst := shell.NameSpace(dstDir)
src := shell.NameSpace(SourceDir)
src := shell.NameSpace(SourceDir)
try dst.CopyHere(src.Items, 256)
try dst.CopyHere(src.Items, 256)
FileCopyDir %SourceDir%, %dstDir%, 1
FileCopyDir %SourceDir%, %dstDir%, 1
MsgBox 48, AutoHotkey Setup, An unspecified error occurred.
MsgBox 48, AutoHotkey Setup, An unspecified error occurred.
Run %dstDir%
Run %dstDir%
Run http://ahkscript.org/download/ahk-install.exe
Run http://ahkscript.org/download/ahk-install.exe
(Join C
(Join C
ahk2exe: DefaultCompiler,
ahk2exe: DefaultCompiler,
(Join
(Join
(C Join
(C Join
type: w.installtype.value,
type: w.installtype.value,
path: w.installdir.value,
path: w.installdir.value,
menu: w.startmenu.value,
menu: w.startmenu.value,
ahk2exe: w.installcompiler.checked,
ahk2exe: w.installcompiler.checked,
dragdrop: w.enabledragdrop.checked,
dragdrop: w.enabledragdrop.checked,
utf8: DefaultToUTF8, ;w.defaulttoutf8.checked
utf8: DefaultToUTF8, ;w.defaulttoutf8.checked
isHostApp: w.separatebuttons.checked
isHostApp: w.separatebuttons.checked
RegDelete HKLM, %UninstallKey%
RegDelete HKLM, %UninstallKey%
RegDelete HKLM, %AutoHotkeyKey%
RegDelete HKLM, %AutoHotkeyKey%
RegDelete HKCU, %AutoHotkeyKey%
RegDelete HKCU, %AutoHotkeyKey%
RegDelete HKCR, .ahk
RegDelete HKCR, .ahk
RegDelete HKCR, %FileTypeKey%
RegDelete HKCR, %FileTypeKey%
RegDelete HKCR, Applications\AutoHotkey.exe
RegDelete HKCR, Applications\AutoHotkey.exe
RegDelete HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AutoHotkey.exe
RegDelete HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AutoHotkey.exe
FileDelete AutoHotkeyU32.exe
FileDelete AutoHotkeyU32.exe
FileDelete AutoHotkeyA32.exe
FileDelete AutoHotkeyA32.exe
FileDelete AutoHotkeyU64.exe
FileDelete AutoHotkeyU64.exe
FileDelete AU3_Spy.exe
FileDelete AU3_Spy.exe
FileDelete AutoHotkey.chm
FileDelete AutoHotkey.chm
FileDelete license.txt
FileDelete license.txt
FileDelete Update.ahk
FileDelete Update.ahk
FileDelete %A_WinDir%\ShellNew\Template.ahk
FileDelete %A_WinDir%\ShellNew\Template.ahk
FileDelete %ProductName% Website.url
FileDelete %ProductName% Website.url
FileRemoveDir %A_ProgramsCommon%\%CurrentStartMenu%, 1
FileRemoveDir %A_ProgramsCommon%\%CurrentStartMenu%, 1
MsgBox 64, AutoHotkey Setup
MsgBox 64, AutoHotkey Setup
FileDelete AutoHotkey.exe
FileDelete AutoHotkey.exe
FileDelete Installer.ahk
FileDelete Installer.ahk
FileRemoveDir %CurrentPath%
FileRemoveDir %CurrentPath%
Run %ComSpec% /c "
Run %ComSpec% /c "
(Join`s&`s
(Join`s&`s
AutoHotkey.exe "%A_ScriptFullPath%" /kill %A_ScriptHwnd%
AutoHotkey.exe "%A_ScriptFullPath%" /kill %A_ScriptHwnd%
del Installer.ahk
del Installer.ahk
del AutoHotkey.exe
del AutoHotkey.exe
rmdir "%CurrentPath%"
rmdir "%CurrentPath%"
local exefile, binfile
local exefile, binfile
if opt.type = "Unicode" {
if opt.type = "Unicode" {
exefile := "AutoHotkeyU32.exe"
exefile := "AutoHotkeyU32.exe"
binfile := "Unicode 32-bit.bin"
binfile := "Unicode 32-bit.bin"
} else if opt.type = "x64" && A_Is64bitOS {
} else if opt.type = "x64" && A_Is64bitOS {
exefile := "AutoHotkeyU64.exe"
exefile := "AutoHotkeyU64.exe"
binfile := "Unicode 64-bit.bin"
binfile := "Unicode 64-bit.bin"
} else if opt.type = "ANSI" {
} else if opt.type = "ANSI" {
exefile := "AutoHotkeyA32.exe"
exefile := "AutoHotkeyA32.exe"
binfile := "ANSI 32-bit.bin"
binfile := "ANSI 32-bit.bin"
ErrorExit("Invalid installation type '" opt.type "'")
ErrorExit("Invalid installation type '" opt.type "'")
if !InStr(FileExist(opt.path), "D")
if !InStr(FileExist(opt.path), "D")
FileCreateDir % opt.path
FileCreateDir % opt.path
ErrorExit("Unable to create installation directory ('" opt.path "')")
ErrorExit("Unable to create installation directory ('" opt.path "')")
SetWorkingDir % opt.path
SetWorkingDir % opt.path
if (CurrentVersion <= "1.0.48.05") {
if (CurrentVersion <= "1.0.48.05") {
FileDelete Compiler\README.txt
FileDelete Compiler\README.txt
FileDelete Compiler\upx.exe
FileDelete Compiler\upx.exe
FileDelete uninst.exe
FileDelete uninst.exe
local regView := (opt.type = "x64") ? 64 : 32
local regView := (opt.type = "x64") ? 64 : 32
RegDelete HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ahk2Exe.exe
RegDelete HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ahk2Exe.exe
if opt.ahk2exe
if opt.ahk2exe
if !opt.ahk2exe
if !opt.ahk2exe
InstallFile("Compiler\" binfile, "Compiler\AutoHotkeySC.bin")
InstallFile("Compiler\" binfile, "Compiler\AutoHotkeySC.bin")
if opt.menu {
if opt.menu {
local smpath := A_ProgramsCommon "\" opt.menu
local smpath := A_ProgramsCommon "\" opt.menu
FileCreateDir %smpath%
FileCreateDir %smpath%
FileCreateShortcut %A_WorkingDir%\AutoHotkey.exe, %smpath%\AutoHotkey.lnk
FileCreateShortcut %A_WorkingDir%\AutoHotkey.exe, %smpath%\AutoHotkey.lnk
FileCreateShortcut %A_WorkingDir%\AU3_Spy.exe, %smpath%\AutoIt3 Window Spy.lnk
FileCreateShortcut %A_WorkingDir%\AU3_Spy.exe, %smpath%\AutoIt3 Window Spy.lnk
FileCreateShortcut %A_WorkingDir%\AutoHotkey.chm, %smpath%\AutoHotkey Help File.lnk
FileCreateShortcut %A_WorkingDir%\AutoHotkey.chm, %smpath%\AutoHotkey Help File.lnk
IniWrite %ProductWebsite%, %ProductName% Website.url, InternetShortcut, URL
IniWrite %ProductWebsite%, %ProductName% Website.url, InternetShortcut, URL
FileCreateShortcut %A_WorkingDir%\%ProductName% Website.url, %smpath%\Website.lnk
FileCreateShortcut %A_WorkingDir%\%ProductName% Website.url, %smpath%\Website.lnk
FileCreateShortcut %A_WorkingDir%\Installer.ahk, %smpath%\AutoHotkey Setup.lnk
FileCreateShortcut %A_WorkingDir%\Installer.ahk, %smpath%\AutoHotkey Setup.lnk
,,,, %A_WinDir%\System32\appwiz.cpl,, -1499
,,,, %A_WinDir%\System32\appwiz.cpl,, -1499
FileCreateShortcut %A_WorkingDir%\Compiler\Ahk2Exe.exe
FileCreateShortcut %A_WorkingDir%\Compiler\Ahk2Exe.exe
, %smpath%\Convert .ahk to .exe.lnk
, %smpath%\Convert .ahk to .exe.lnk
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, InstallDir, %A_WorkingDir%
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, InstallDir, %A_WorkingDir%
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, Version, %ProductVersion%
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, Version, %ProductVersion%
if opt.menu
if opt.menu
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, StartMenuFolder, % opt.menu
RegWrite REG_SZ, HKLM, %AutoHotkeyKey%, StartMenuFolder, % opt.menu
RegDelete HKLM, %AutoHotkeyKey%, StartMenuFolder
RegDelete HKLM, %AutoHotkeyKey%, StartMenuFolder
RegWrite REG_SZ, HKCR, .ahk,, %FileTypeKey%
RegWrite REG_SZ, HKCR, .ahk,, %FileTypeKey%
RegWrite REG_SZ, HKCR, .ahk\ShellNew, FileName, Template.ahk
RegWrite REG_SZ, HKCR, .ahk\ShellNew, FileName, Template.ahk
RegWrite REG_SZ, HKCR, %FileTypeKey%,, AutoHotkey Script
RegWrite REG_SZ, HKCR, %FileTypeKey%,, AutoHotkey Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\DefaultIcon,, %A_WorkingDir%\AutoHotkey.exe`,1
RegWrite REG_SZ, HKCR, %FileTypeKey%\DefaultIcon,, %A_WorkingDir%\AutoHotkey.exe`,1
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Open,, Run Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Open,, Run Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Edit,, Edit Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Edit,, Edit Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Compile,, Compile Script
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Compile,, Compile Script
RegRead value, HKCR, %FileTypeKey%\Shell,
RegRead value, HKCR, %FileTypeKey%\Shell,
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell,, Open
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell,, Open
RegRead value, HKCR, %FileTypeKey%\Shell\Edit\Command,
RegRead value, HKCR, %FileTypeKey%\Shell\Edit\Command,
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Edit\Command,, notepad.exe `%1
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Edit\Command,, notepad.exe `%1
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Compile\Command,, "%A_WorkingDir%\Compiler\Ahk2Exe.exe" /in "`%l"
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Compile\Command,, "%A_WorkingDir%\Compiler\Ahk2Exe.exe" /in "`%l"
local cmd
local cmd
cmd = "%A_WorkingDir%\AutoHotkey.exe"
cmd = "%A_WorkingDir%\AutoHotkey.exe"
if opt.utf8
if opt.utf8
cmd = %cmd% /CP65001
cmd = %cmd% /CP65001
cmd = %cmd% "`%1" `%*
cmd = %cmd% "`%1" `%*
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Open\Command,, %cmd%
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\Open\Command,, %cmd%
RegRead value, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
RegRead value, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\RunAs\Command,, "%A_WorkingDir%\AutoHotkey.exe" "`%1" `%*
RegWrite REG_SZ, HKCR, %FileTypeKey%\Shell\RunAs\Command,, "%A_WorkingDir%\AutoHotkey.exe" "`%1" `%*
if opt.dragdrop
if opt.dragdrop
RegWrite REG_SZ, HKCR, %FileTypeKey%\ShellEx\DropHandler,, {86C86720-42A0-1069-A2E8-08002B30309D}
RegWrite REG_SZ, HKCR, %FileTypeKey%\ShellEx\DropHandler,, {86C86720-42A0-1069-A2E8-08002B30309D}
RegDelete HKCR, %FileTypeKey%\ShellEx
RegDelete HKCR, %FileTypeKey%\ShellEx
RegWrite REG_SZ, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AutoHotkey.exe,, %A_WorkingDir%\AutoHotkey.exe
RegWrite REG_SZ, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AutoHotkey.exe,, %A_WorkingDir%\AutoHotkey.exe
RegWrite REG_SZ, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ahk2Exe.exe,, %A_WorkingDir%\Compiler\Ahk2Exe.exe
RegWrite REG_SZ, HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ahk2Exe.exe,, %A_WorkingDir%\Compiler\Ahk2Exe.exe
if opt.isHostApp
if opt.isHostApp
RegWrite REG_SZ, HKCR, Applications\AutoHotkey.exe, IsHostApp
RegWrite REG_SZ, HKCR, Applications\AutoHotkey.exe, IsHostApp
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayName, %ProductName% %ProductVersion%
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayName, %ProductName% %ProductVersion%
RegWrite REG_SZ, HKLM, %UninstallKey%, UninstallString, "%A_WorkingDir%\AutoHotkey.exe" "%A_WorkingDir%\Installer.ahk"
RegWrite REG_SZ, HKLM, %UninstallKey%, UninstallString, "%A_WorkingDir%\AutoHotkey.exe" "%A_WorkingDir%\Installer.ahk"
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayIcon, %A_WorkingDir%\AutoHotkey.exe
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayIcon, %A_WorkingDir%\AutoHotkey.exe
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayVersion, %ProductVersion%
RegWrite REG_SZ, HKLM, %UninstallKey%, DisplayVersion, %ProductVersion%
RegWrite REG_SZ, HKLM, %UninstallKey%, URLInfoAbout, %ProductWebsite%
RegWrite REG_SZ, HKLM, %UninstallKey%, URLInfoAbout, %ProductWebsite%
RegWrite REG_SZ, HKLM, %UninstallKey%, Publisher, %ProductPublisher%
RegWrite REG_SZ, HKLM, %UninstallKey%, Publisher, %ProductPublisher%
RegWrite REG_SZ, HKLM, %UninstallKey%, NoModify, 1
RegWrite REG_SZ, HKLM, %UninstallKey%, NoModify, 1
Run AutoHotkeyU32.exe "%A_ScriptFullPath%" /fin %exefile% %A_ScriptHwnd% %SilentMode%
Run AutoHotkeyU32.exe "%A_ScriptFullPath%" /fin %exefile% %A_ScriptHwnd% %SilentMode%
FileCopy %SourceDir%\%file%, %target%, 1
FileCopy %SourceDir%\%file%, %target%, 1
MsgBox 0x12, AutoHotkey Setup,
MsgBox 0x12, AutoHotkey Setup,
IfMsgBox Abort
IfMsgBox Abort
IfMsgBox Ignore
IfMsgBox Ignore
InstallFile("AutoHotkeyU32.exe")
InstallFile("AutoHotkeyU32.exe")
InstallFile("AutoHotkeyA32.exe")
InstallFile("AutoHotkeyA32.exe")
InstallFile("AutoHotkeyU64.exe")
InstallFile("AutoHotkeyU64.exe")
InstallFile("AU3_Spy.exe")
InstallFile("AU3_Spy.exe")
InstallFile("AutoHotkey.chm")
InstallFile("AutoHotkey.chm")
InstallFile("license.txt")
InstallFile("license.txt")
InstallFile("Installer.ahk")
InstallFile("Installer.ahk")
if !FileExist(A_WinDir "\ShellNew\Template.ahk") {
if !FileExist(A_WinDir "\ShellNew\Template.ahk") {
InstallFile("Template.ahk", A_WinDir "\ShellNew\Template.ahk")
InstallFile("Template.ahk", A_WinDir "\ShellNew\Template.ahk")
InstallFile("Compiler\Ahk2Exe.exe")
InstallFile("Compiler\Ahk2Exe.exe")
InstallFile("Compiler\ANSI 32-bit.bin")
InstallFile("Compiler\ANSI 32-bit.bin")
InstallFile("Compiler\Unicode 32-bit.bin")
InstallFile("Compiler\Unicode 32-bit.bin")
InstallFile("Compiler\Unicode 64-bit.bin")
InstallFile("Compiler\Unicode 64-bit.bin")
FileDelete Compiler\Ahk2Exe.exe
FileDelete Compiler\Ahk2Exe.exe
FileDelete Compiler\ANSI 32-bit.bin
FileDelete Compiler\ANSI 32-bit.bin
FileDelete Compiler\Unicode 32-bit.bin
FileDelete Compiler\Unicode 32-bit.bin
FileDelete Compiler\Unicode 64-bit.bin
FileDelete Compiler\Unicode 64-bit.bin
FileDelete Compiler\AutoHotkeySC.bin
FileDelete Compiler\AutoHotkeySC.bin
.options {
.options {
.options a {
.options a {
.marker {
.marker {
a.button,
a.button,
a.button {
a.button {
a.button:visited,
a.button:visited,
.options a,
.options a,
.options a:visited {
.options a:visited {
a.button:hover,
a.button:hover,
a.button:active,
a.button:active,
.options a:hover,
.options a:hover,
.options a:active {
.options a:active {
.options p {
.options p {
.page {
.page {
.pager .page {
.pager .page {
.nav {
.nav {
.nav a, .nav a:visited {
.nav a, .nav a:visited {
.nav a:hover {
.nav a:hover {
.nav .current {
.nav .current {
.warning {
.warning {
.textbox {
.textbox {
label.indent {
label.indent {
for (i = 0; i < arr.length; i)
for (i = 0; i < arr.length; i)
fn.apply(arr[i]);
fn.apply(arr[i]);
ci_nav_list.length = 0;
ci_nav_list.length = 0;
forEach (ci_nav.getElementsByTagName("a"), function() {
forEach (ci_nav.getElementsByTagName("a"), function() {
this.tabIndex = 1000;
this.tabIndex = 1000;
if (this.hash != "") {
if (this.hash != "") {
var list = this.parentNode == ci_nav_list ? ci_nav_list : null;
var list = this.parentNode == ci_nav_list ? ci_nav_list : null;
list[list.length ] = this;
list[list.length ] = this;
this.onclick = function() {
this.onclick = function() {
forEach (list.getElementsByTagName("a"), function() {
forEach (list.getElementsByTagName("a"), function() {
this.className = "";
this.className = "";
this.className = "current";
this.className = "current";
event.returnValue = switchPage(this.hash.substr(1));
event.returnValue = switchPage(this.hash.substr(1));
if (curName == "AutoHotkey" && curVer <= "1.0.48.05") {
if (curName == "AutoHotkey" && curVer <= "1.0.48.05") {
start_intro.innerText = curName " v" curVer " is installed. What do you want to do?";
start_intro.innerText = curName " v" curVer " is installed. What do you want to do?";
"ahk://Upgrade/ANSI", "Upgrade to v" newVer " (" types.ANSI ")", "Recommended for compatibility.",
"ahk://Upgrade/ANSI", "Upgrade to v" newVer " (" types.ANSI ")", "Recommended for compatibility.",
warn = '<strong>Note:</strong> Some AutoHotkey 1.0 scripts are <a href="ahk://ViewHelp//docs/Compat.htm">not compatible</a> with AutoHotkey 1.1.';
warn = '<strong>Note:</strong> Some AutoHotkey 1.0 scripts are <a href="ahk://ViewHelp//docs/Compat.htm">not compatible</a> with AutoHotkey 1.1.';
start_intro.innerText = "Please select the type of installation you wish to perform.";
start_intro.innerText = "Please select the type of installation you wish to perform.";
start_intro.innerText = curName " v" curVer curTypeName " is installed. What do you want to do?";
start_intro.innerText = curName " v" curVer curTypeName " is installed. What do you want to do?";
for (i = 0; i < opt.length; i = 3) {
for (i = 0; i < opt.length; i = 3) {
html.push('<a href="', opt[i], '" id="opt', Math.floor(i/3) 1, '"><span>', opt[i 1], '</span>');</a>
html.push('<a href="', opt[i], '" id="opt', Math.floor(i/3) 1, '"><span>', opt[i 1], '</span>');</a>
html.push('<p>', opt[i 2], '</p>');
html.push('<p>', opt[i 2], '</p>');
html.push('<div class="marker">\u00BB</div>');
html.push('<div class="marker">\u00BB</div>');
html.push('');
html.push('');
start_options.innerHTML = html.join("");
start_options.innerHTML = html.join("");
start_warning.innerHTML = warn;
start_warning.innerHTML = warn;
start_warning.style.display = warn ? "block" : "none";
start_warning.style.display = warn ? "block" : "none";
start_nav.innerHTML = '<em style="text-align:right;width:100%">version ' newVer '</em>';
start_nav.innerHTML = '<em style="text-align:right;width:100%">version ' newVer '</em>';
installtype.value = defType;
installtype.value = defType;
installdir.value = instDir;
installdir.value = instDir;
startmenu.value = smFolder;
startmenu.value = smFolder;
startmenu.onblur();
startmenu.onblur();
forEach (document.getElementsByTagName("a"), function() {
forEach (document.getElementsByTagName("a"), function() {
if (/*this.className == "button" ||*/ this.parentNode.className == "options")
if (/*this.className == "button" ||*/ this.parentNode.className == "options")
this.hideFocus = true;
this.hideFocus = true;
document.onselectstart =
document.onselectstart =
document.oncontextmenu =
document.oncontextmenu =
document.ondragstart =
document.ondragstart =
return window.event && event.srcElement.tagName == "INPUT" || false;
return window.event && event.srcElement.tagName == "INPUT" || false;
installtype.value = type;
installtype.value = type;
ci_nav_list[1].click();
ci_nav_list[1].click();
event.returnValue = false;
event.returnValue = false;
page = document.getElementById(page);
page = document.getElementById(page);
if (page.id == "start")
if (page.id == "start")
ci_nav_list[0].click();
ci_nav_list[0].click();
for (var n = page.parentNode.firstChild; n; n = n.nextSibling) if (n.className == "page") {
for (var n = page.parentNode.firstChild; n; n = n.nextSibling) if (n.className == "page") {
n.style.display = "none";
n.style.display = "none";
n.style.display = "block";
n.style.display = "block";
switch (page.id) {
switch (page.id) {
case "ci_version": f = "it_" installtype.value; break;
case "ci_version": f = "it_" installtype.value; break;
try { document.getElementById(f).focus() } catch (ex) { }
try { document.getElementById(f).focus() } catch (ex) { }
if (startmenu.style.color == '#888')
if (startmenu.style.color == '#888')
startmenu.value = '';
startmenu.value = '';
<h1>AutoHotkey Setup</h1>
<h1>AutoHotkey Setup</h1>
<div id="license">AutoHotkey is open source software: <a href="ahk://ReadLicense/">read license</a></div>
<div id="license">AutoHotkey is open source software: <a href="ahk://ReadLicense/">read license</a></div>
<p>Which version of AutoHotkey.exe should run by default?</p>
<p>Which version of AutoHotkey.exe should run by default?</p>
<input type="text" class="textbox" id="installdir" value="%Program Files%\AutoHotkey" tabindex="11" /> <a href="ahk://SelectFolder/installdir,Select the folder to install AutoHotkey in." id="installdir_browse" class="button" tabindex="12">Browse</a><br />
<input type="text" class="textbox" id="installdir" value="%Program Files%\AutoHotkey" tabindex="11" /> <a href="ahk://SelectFolder/installdir,Select the folder to install AutoHotkey in." id="installdir_browse" class="button" tabindex="12">Browse</a><br />
<b>setup.exe_1780_rwx_00089000_00001000:</b>