Wed, 03/29/2017 - 03:12

Gen.Variant.Strictor.111123_0af587a760

Gen:Variant.Strictor.111123 (B) (Emsisoft), Gen:Variant.Strictor.111123 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR (Lavasoft MAS)

Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 0af587a7601830069af309185f3ac01f

SHA1: 68095a1bc25d473d326546ff313fffb9b190c37e

SHA256: b2724830fe7da930a20c20dd53e37428147c8171f394719f577f5108c9d5d70f

SSDeep: 24576:2GNBMMD7j0SiJO0BadTHXtxtumBz5Q2ZHCm5ufuTfZinQt0oHTV8klv:2sBnktBGT9xAm229oQRiETV

Size: 1241168 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: /Soft company

Created at: 2017-03-12 21:53:41

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Pz.ini (20 bytes)
C:\midishow.dll (178 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Dropped PE files

MD5                                 File path
114054313070472cd1a6d7d28f7c5002    c:\midishow.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Pz.ini (20 bytes)
    C:\midishow.dll (178 bytes)

  4. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: CirnoIX
Product Name: ? Box
Product Version: 2.0.7.1313
Legal Copyright: CirnoIX ???? 1999 - 2017
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.7.1313
File Description: ????????,?????????????!!?????24???????!??????????????????????????!!
Comments: ????????,?????????????!!?????24???????!??????????????????????????!!
Language: English (United States)


PE Sections

Name     Virtual Address    Virtual Size    Raw Size    Entropy    Section MD5
.text    4096               1188514         0           0          d41d8cd98f00b204e9800998ecf8427e
.rdata   1196032            471298          0           0          d41d8cd98f00b204e9800998ecf8427e
.data    1671168            1212930         0           0          d41d8cd98f00b204e9800998ecf8427e
.tvm0    2887680            17757           0           0          d41d8cd98f00b204e9800998ecf8427e
.tvm1    2908160            1111180         1114112     5.53685    c55d59053ba645811f6004b06cb77e3a
.rsrc    4022272            104102          106496      4.88198    592619c417df611c22f204ce82b8aa86

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps
