Wed, 03/29/2017 - 03:12

Gen.Variant.Strictor.111123_0af587a760

Gen:Variant.Strictor.111123 (B) (Emsisoft), Gen:Variant.Strictor.111123 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

Summary

MD5: 0af587a7601830069af309185f3ac01f

SHA1: 68095a1bc25d473d326546ff313fffb9b190c37e

SHA256: b2724830fe7da930a20c20dd53e37428147c8171f394719f577f5108c9d5d70f

SSDeep: 24576:2GNBMMD7j0SiJO0BadTHXtxtumBz5Q2ZHCm5ufuTfZinQt0oHTV8klv:2sBnktBGT9xAm229oQRiETV

Size: 1241168 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: /Soft company

Created at: 2017-03-12 21:53:41

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es): No processes have been created. The Trojan injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Pz.ini (20 bytes)
C:\midishow.dll (178 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Dropped PE files

MD5	File path
114054313070472cd1a6d7d28f7c5002	c:\midishow.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Pz.ini (20 bytes)
C:\midishow.dll (178 bytes)
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: CirnoIX
Product Name: ? Box
Product Version: 2.0.7.1313
Legal Copyright: CirnoIX ???? 1999 - 2017
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.7.1313
File Description: ????????,?????????????!!?????24???????!??????????????????????????!!
Comments: ????????,?????????????!!?????24???????!??????????????????????????!!
Language: English (United States)

Company Name: CirnoIX Product Name: ? Box Product Version: 2.0.7.1313 Legal Copyright: CirnoIX ???? 1999 - 2017 Legal Trademarks: Original Filename: Internal Name: File Version: 2.0.7.1313 File Description: ????????,?????????????!!?????24???????!??????????????????????????!! Comments: ????????,?????????????!!?????24???????!??????????????????????????!! Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1188514	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	1196032	471298	0	0	d41d8cd98f00b204e9800998ecf8427e
.data	1671168	1212930	0	0	d41d8cd98f00b204e9800998ecf8427e
.tvm0	2887680	17757	0	0	d41d8cd98f00b204e9800998ecf8427e
.tvm1	2908160	1111180	1114112	5.53685	c55d59053ba645811f6004b06cb77e3a
.rsrc	4022272	104102	106496	4.88198	592619c417df611c22f204ce82b8aa86

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2060:

.text

`.rdata

@.data

.tvm0

`.tvm1

.rsrc

t$(SSh

|$D.tm

u.hL6Z

~%UVW

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

Bv=kAv.SCv

kernel32.dll

ntdll.dll

comctl32.dll

psapi.dll

shell32.dll

VERSION.DLL

user32.dll

wininet.dll

Kernel32.dll

C:\midishow.dll

advapi32.dll

Advapi32.dll

shlwapi.dll

ole32.dll

OLEACC.DLL

gdiplus.dll

Ole32.dll

gdi32.dll

MsgWaitForMultipleObjects

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

RegCreateKeyA

RegCloseKey

ShellExecuteA

RegOpenKeyExA

RegCreateKeyExA

GdiplusShutdown

RegOpenKeyA

RegEnumKeyA

RegQueryInfoKeyA

RegFlushKey

RegDeleteKeyA

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

MySQL

EnGine\Pz.ini

speed.exe

EnGine\speed.exe

EnGine\WProxy.exe

WProxy.exe

.Gw3z

tcP*K

RW5HaW5lXHNzNWNhcGNtZC5leGUgMSA0C:\Windows\System32\taskkill.exe /f /im speed.exe

C:\Windows\System32\taskkill.exe /f /im networktunnelx64helper.exe

vpnclient.exe

EnGine\Adorable_cat.dll

UpdateTime.exe

C:\Pz.ini

networktunnelx64helper.exe

hXXp://VVV.2345.com/?kqlnix

MZKERNEL32.DLL

.Upack

qp_%s;9a:

$.mbP

.xRDp

EnGine\IP\gamecap.ini

EnGine\IP\ipmana.exe

TfrmLogin.UnicodeClass

passwd

@qq.com

@163.com

@gmail.com

&password2=

&password=

newsletter=1&showemail=1&formhash=cad85a60&referer=index.php?sid=BISj7h&username=

hXXp://VVV.ipdaili.net/register.php?regsubmit=yes

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

ipmana.exe

TfrmSettings.UnicodeClass

xunyou.exe

gamecap.exe

qqdaili.exe

chuanqi.exe

360NmGameAcc.exe

TightSocks5.exe

FreeProxy.exe

DBMon_ABC.exe

\360P2P.tempEnGine\

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXp://sf.symcb.com/sf.crl0f

hXXps://d.symcb.com/cps0%

hXXps://d.symcb.com/rpa0

hXXp://sf.symcd.com0&

hXXp://sf.symcb.com/sf.crt0

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/rpa0

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

hXXp://VVV.360.cn 0

hXXp://sv.symcb.com/sv.crl0f

hXXp://sv.symcd.com0&

hXXp://sv.symcb.com/sv.crt0

hXXp://s2.symcb.com0

hXXp://VVV.symauth.com/cps0(

hXXp://VVV.symauth.com/rpa00

hXXp://s1.symcb.com/pca3-g5.crl0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

AEnGine\IMProxy.cfg

EnGine\IMProxy.log

EnGine\pid2.log

.html

EnGine\360Tray.exe" action=allow

"Z%X%V%

Windows 95 Utopia Sound Scheme

mazrob@panix.com

set TempFile_Name=%SystemRoot%\System32\BatTestUACin_SysRt%Random%.batemp

Box.exe

EnGine\UpdateTime.exe

c3FfY2lybm9peA==2017.3.13

hXXp://VVV.10pan.com/space_CirnoIX.html

iexplore.exe

cmd /c del /f /s /q %userprofile%\AppData\Roaming\EnGine\*.log

cmd /c

\TenSRL.datOOTT

EnGine\lsp.exe

EnGine\networkdlllsp.dll

networkdlllsp.dll

cmd /c del /f /s /q %userprofile%\AppData\Roaming\EnGine\*.*

.ResmonCfg

EnGine\IP\license.lic

5.txt

~ WIN8RTMSoftware\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

\EnGine.temp

v@ini.temp

\SSH.temp

\IPProxy.tempEnGine\IP

passwd=

portid=28

EnGine\IP\gameppp.dll

D:\dnf.exegamepath1

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

DisconnectNamedPipe

ConnectNamedPipe

CreateNamedPipeW

KERNEL32.dll

USER32.dll

ADVAPI32.dll

SETUPAPI.dll

SHLWAPI.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

.?AVCOnKeyProc@@

.?AVCLgnNamedPipe@@

.?AVCOnKeyDevice@@

zcÁ

%Application & Support Department No.21

hXXp://sv.symcb.com/sv.crl0a

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

SkinH_EL.dll

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

window.location.reload()

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

text|password|file

comdlg32.dll

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

(*.DLL)|*.DLL|

%d&&'

123456789

00003333

1.2.18

>%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

iphlpapi.dll

MPR.dll

VERSION.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

;3 #>6.&

'2, / 0&7!4-)1#

Y%d

X%d

Height%d

Width%d

RECT(%d, %d)-(%d, %d)

Styles0xX

Control ID%d

Handle0xX

.comment {color:green}

burlywood

\winhlp32.exe

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

-1-1 0:0:0

2000-1-1

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

PIPE

ssl-cert

ssl-key

pipe

password

port

MYSQL

\\%s\pipe\%s

Unknown option to protocol: %s

d:t:o,/tmp/client.trace

MYSQL_PWD

Windows_NT

MYSQL_UNIX_PORT

MYSQL_TCP_PORT

mysql

Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)

Can't open shared memory. %s event don't create for client (%lu)

Using unsupported buffer type: %d (parameter: %d)

Can't send long data for non string or binary data types (parameter: %d)

Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)

Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)

%-.100s via named pipe

Lost connection to MySQL server during query

%-.100s via TCP/IP

MySQL client run out of memory

Protocol mismatch. Server Version = %d Client Version = %d

MySQL server has gone away

Unknown MySQL Server Host '%-.100s' (%d)

Can't create TCP/IP socket (%d)

Can't connect to MySQL server on '%-.100s' (%d)

Can't connect to local MySQL server through socket '%-.100s' (%d)

Can't create UNIX socket (%d)

Unknown MySQL error

TCP/IP (%d)

socket (%d)

named pipe

%s would have been started with the following arguments:

error: Found option without preceding group in config file: %s at line: %d

error: Wrong group definition in config file: %s at line %d

C:/mysql/

Index.xml

127.0.0.1

Software\MySQL

HAVE_TCPIP

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Can't initialize threads: error %d

Can't sync file '%s' to disk (Errcode: %d)

Error on realpath() on '%s' (Error %d)

Can't create symlink '%s' pointing at '%s' (Error %d)

Can't read value for symlink '%s' (Error %d)

Out of resources when opening file '%s' (Errcode: %d)

Character set '%s' is not a compiled character set and is not specified in the '%s' file

Can't create directory '%s' (Errcode: %d)

Disk is full writing '%s'. Waiting for someone to free space...

%d files and %d streams is left open

Warning: '%s' had %d links

Can't change dir to '%s' (Errcode: %d)

Can't get working dirctory (Errcode: %d)

Can't open stream from handle (Errcode: %d)

Can't change size of file (Errcode: %d)

Can't get stat of '%s' (Errcode: %d)

Can't read dir of '%s' (Errcode: %d)

Can't unlock file (Errcode: %d)

Can't lock file (Errcode: %d)

Unexpected eof found when reading file '%s' (Errcode: %d)

Error on rename of '%s' to '%s' (Errcode: %d)

Error on delete of '%s' (Errcode: %d)

Out of memory (Needed %u bytes)

Error on close of '%s' (Errcode: %d)

Error writing file '%s' (Errcode: %d)

Error reading file '%s' (Errcode: %d)

Can't create/write to file '%s' (Errcode: %d)

File '%s' not found (Errcode: %d)

charsets.charset.collation.map

charsets.charset.collation.flag

charsets.charset.collation.order

charsets.charset.collation.id

charsets.charset.collation.name

charsets.charset.collation

charsets.charset.unicode.map

charsets.charset.unicode

charsets.charset.lower.map

charsets.charset.lower

charsets.charset.upper.map

charsets.charset.upper

charsets.charset.ctype.map

charsets.charset.ctype

charsets.charset.alias

charsets.charset.description

charsets.charset.family

charsets.charset.name

charsets.charset.binary-id

charsets.charset.primary-id

charsets.charset

charsets.max-id

xml.encoding

xml.version

1.1.4

%,%$%4%

eZl%u

Q.YeY

R:\Sg|p5rL

e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe

s4s/s)s%s>sNsOs

!&"&$&%&&&'&(&)&*& &,&-&.&/&0&1&

2&3&4&5&6&7&8&

!(,("(-(

!,!5!6!

!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%

g9H5_DF>L!9yMGE~8

%Sv0$S

|T)>~T%C

8]7]:]=5

.Dh26a

Z6%d#d

ReXeQe

uewexe

6*6 8*8 5*5 :*: ;*; =*=

/"2"6"5"

21314151

'2(2)2*2 2

-6.6/6061626

.7/70717

[7\7]7^7

=8>8?8@8

19293949

%;&;';(;

%>&>'>(>

=>>>?>@>

[@\@]@^@

"U#U$U%U

8[9[:[;[[

&\'\

~\!]"]#]

/]0]1]2]

4]5]6]7]8]

|_}_~_!`

&`'`(`)`

2`3`4`5`

WeXe

vewexe

$f%f&f

@mAmBmCmDm

S%S'S(S)S S,S-S0S2S5S~~SBSLSKSYS[SaScSeSlSmSrSyS~S~~

d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d

.AK.)

.uGvG

/%S67

-<.gig>

I.pKqK

J.AeRtH49

U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;UU?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU

?q.SM!@

$R&ß

C.JMH

-)./...6. .

E~ExE|E{E

&t.KIx

"*0QIs%u1

)Q.GN

X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX

S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S

U!U%U&U

X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X

_!_"_#_$_

%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;dd@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d

"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e

2!2"2#2$2%2&2'2(2)2

"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%

1 1!1"1#1$1%1&1'1(1)1

!0"0#0$0%0&0'0(0)0

% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%%?%@%A%B%C%D%E%F%G%H%I%J%K%

W%f?i

e.lFO

}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}

urlsS

~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~

u%urrGS

]']&].]$]

s"s9s%s,s8s1sPsMsWs`slsos~s

{.{1{ {%{${3{>{

!!"!#!(!

4!5!6!7!8!9!:!;!>!?!

~!2!3!

.VZN'Uu:&7V@

%FxG=R

~e%fWM

rP.BPb

C^%X*?M[lRzF*E

(m|P%c

NN"L.PSD25X^uU7

.QqP8j9j:j5:

%CxF-kJD

(d.deB

3G,===%d

&8.pB1

mS.Xk@

tq.RG^JK

B]HC

yTDI.SS8`3

t6ZeXeYe@5

*M%u#u4=(u

"*")"'"("

%d&`&a&e&g&c&

%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%

[!\!]!^!

mQ.bx

{ | }9},

d6exe9j

]%sOu

m.t.zB}

w%xIyWy

%f?iCt

#$%&'()* ,

!"#$%&'()* ,-./0123456789:;?@

%q%r%s%

`!`'`)` `

e%f-f f'f/f

%x-x x

~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP

]8^6^3^7^

c{cichczc]eVeQeYeWe_UOeXeUeTe

r6s%s4s)s:t*t3t"t%t5t6t4t/t

t&t(t%u&ukuju

a.bidodyd

duewexe

]!^"^#^ ^$^

t.uGuHu

h&h(h.hMh:h%h h,k/k-k1k4kmk

k%lzmcmdmvm

{1{ {-{/{2{8{

WHX%X

`IaJa aEa6a2a.aFa/aOa)a@a bh

d@d%d'd

kCpDpJpHpIpEpFp

3: %s unexpected (ident or '/' wanted)

5: %s unexpected ('>' wanted)

6: %s unexpected ('?' wanted)

4: %s unexpected (ident or string wanted)

1: %s unexpected (ident wanted)

'%s>' unexpected ('%s>' wanted)

c:\%original file name%.exe

A^n.tS

z#.OE

SHELL32.dll

GetKeyState

WS2_32.dll

RASAPI32.dll

UnhookWindowsHookEx

m.JFE

GetWindowsDirectoryA

SetViewportOrgEx

?Ex@a%u

%CO.o

.RB-h

.;FP.Bo

4p%dW

|".ZP

5*.xV

.hZS*/n{

%9S?r:

;.yer

%xZ>

%x?>S

/1-7R}P

MkEy

?.oYi

.S%c X

Hs.sv

]Ck%D

?.yYd

.Yhj8

vL?1]^N%cu

.TM[

QI.DJk#

Cn.Ep

M'(.wZ

.Az~5

xtw.fa>

Z%Se'

* .pbE1

3%UHo

.hx@G

M.PD}

/.uh8Q

%4S_i

WSOCK32.dll

SetWindowsHookExA

WaitNamedPipeA

OLEAUT32.dll

OffsetViewportOrgEx

{%UO&

WININET.dll

InternetCrackUrlA

SetNamedPipeHandleState

WINSPOOL.DRV

WINMM.dll

AVIFIL32.dll

ScaleViewportExtEx

InternetCanonicalizeUrlA

WinExec

CreateDialogIndirectParamA

GetViewportOrgEx

SetViewportExtEx

fNR.EGy

.th&&i

B.kic

f.CQ1

BaAQRÍ

;:.eM

.ON(hL

'ITP$[ô

.fi%b

6%S}Y

U %cl

C.Nz>

0.qA|S9

o3%%F

-D8}Z

.mY}G

.eAl3

r!.WA

4.fVxy

w#O.eNbh

.TZn/

.FqH8y

WA\s%uB

)p.WR

7<.zo>

x.by[p

y.fj!K

}p%f;

%X:'cF

L%U$N

F%u?8

Û],x

.GHLn

GetViewportExtEx

>Y.nC

AÜ6

Qq.JfeU

..WDm~

.~f.SG

C.oe|

^SGZ%F|

.dO@Z

5.nHco

zi`%fnw6

^%s6T

d4sypnirkV%u

.8.SQW

.jcUD

>.MnA

%P%d%

.dM.ZK

\q.QR

%Sw5=

.vr[~

z%Di=x

v.Hf2f>

OnKeyMonClassDB_ABC

OnKeyMon001DB_ABC

\\.\pipe\OnKey193B_Pipe00_Device_%s

Global\OnKeyDB_Mut00_OnKeyMon

mscoree.dll

OnKeyMon

1, 1, 0, 9

OnKeyMon.exe

OnKey Monitor

1, 0, 6, 6

- Skin.dll

2.0.7.1313

1999 - 2017

%original file name%.exe_2060_rwx_001B2000_00001000:

(*.DLL)|*.DLL|

C:\midishow.dll

%original file name%.exe_2060_rwx_003C0000_0001A000:

MZKERNEL32.DLL

.Upack

.rsrc

%s %s s

KERNEL32.DLL

USER32.DLL

MSVCRT.DLL

MSVCP60.DLL

qp_%s;9a:

$.mbP

.xRDp

%original file name%.exe_2060_rwx_006C7000_00001000:

Bv=kAv.SCv

%original file name%.exe_2060_rwx_00741000_00001000:

ADVAPI32.dll

ScaleViewportExtEx

COMCTL32.dll

InternetCanonicalizeUrlA

HttpSendRequestA

RegDeleteKeyA

WinExec

%original file name%.exe_2060_rwx_10001000_00039000:

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc