Gen:Variant.Strictor.111123 (B) (Emsisoft), Gen:Variant.Strictor.111123 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0af587a7601830069af309185f3ac01f
SHA1: 68095a1bc25d473d326546ff313fffb9b190c37e
SHA256: b2724830fe7da930a20c20dd53e37428147c8171f394719f577f5108c9d5d70f
SSDeep: 24576:2GNBMMD7j0SiJO0BadTHXtxtumBz5Q2ZHCm5ufuTfZinQt0oHTV8klv:2sBnktBGT9xAm229oQRiETV
Size: 1241168 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: /Soft company
Created at: 2017-03-12 21:53:41
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2060
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Pz.ini (20 bytes)
C:\midishow.dll (178 bytes)
Registry activity
The process %original file name%.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Dropped PE files
MD5 | File path |
---|---|
114054313070472cd1a6d7d28f7c5002 | c:\midishow.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Pz.ini (20 bytes)
C:\midishow.dll (178 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: CirnoIX
Product Name: ? Box
Product Version: 2.0.7.1313
Legal Copyright: CirnoIX ???? 1999 - 2017
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.7.1313
File Description: ????????,?????????????!!?????24???????!??????????????????????????!!
Comments: ????????,?????????????!!?????24???????!??????????????????????????!!
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1188514 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 1196032 | 471298 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 1671168 | 1212930 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.tvm0 | 2887680 | 17757 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.tvm1 | 2908160 | 1111180 | 1114112 | 5.53685 | c55d59053ba645811f6004b06cb77e3a |
.rsrc | 4022272 | 104102 | 106496 | 4.88198 | 592619c417df611c22f204ce82b8aa86 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps