Gen.Variant.Strictor.121831_3d97790b1c – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:2928

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2928 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0GWTUJW6.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H2GS2F82.txt (301 bytes)
C:\UPDATA.dll (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C4UNTEDQ.txt (447 bytes)
C:\PCOMM.DLL (82 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0GWTUJW6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H2GS2F82.txt (0 bytes)

Registry activity

The process %original file name%.exe:2928 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
bedfff9a8296392992a458d03ba69e08	c:\PCOMM.DLL
4c853c2dd8c43005149f20c7797a57ce	c:\UPDATA.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0GWTUJW6.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H2GS2F82.txt (301 bytes)
C:\UPDATA.dll (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C4UNTEDQ.txt (447 bytes)
C:\PCOMM.DLL (82 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: JMD?????V2.9.6
Product Name: ???(JMD)?????
Product Version: 2.9.6.8
Legal Copyright: ??: ???????????????????,????????????????????,?????????????,?????????????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.9.6.8
File Description: ?????
Comments: JMD?????
Language: Language Neutral

Company Name: JMD?????V2.9.6Product Name: ???(JMD)?????Product Version: 2.9.6.8Legal Copyright: ??: ???????????????????,????????????????????,?????????????,?????????????????????Legal Trademarks: Original Filename: Internal Name: File Version: 2.9.6.8File Description: ?????Comments: JMD?????Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	4120576	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	4124672	1966080	1964544	5.50853	7babfebbe15004126f4bba2bd24b9a77
.rsrc	6090752	12288	9728	3.68427	1c335228c3040b8f25c61e1cb207824c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.a.shifen.com/
hxxp://www.baidu.com/

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

User-Agent: test

Host: VVV.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 20 Feb 2017 12:12:57 GMT

Content-Type: text/html

Content-Length: 14613

Last-Modified: Thu, 16 Feb 2017 03:07:00 GMT

Connection: Keep-Alive

Vary: Accept-Encoding

Set-Cookie: BAIDUID=CB5A39094238AC99E3247ADA8B953CD6:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BIDUPSID=CB5A39094238AC99E3247ADA8B953CD6; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: PSTM=1487592777; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

Pragma: no-cache

Cache-control: no-cache

Accept-Ranges: bytes

<!DOCTYPE html>..<html>..<head>...<meta http-equiv="content-type" content="text/html;charset=utf-8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">...<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-prefetch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="//t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.com"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...<link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........................</title>...<link href="hXXp://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />.........<script>var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if (hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};</script>...<script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}</script>...<noscript><meta http-equiv="refresh" conte

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2928:

`.rsrc

t%SVh

t$(SSh

|$D.tm

~%UVW

u$SShe

Bv=kAv.SCv

shlwapi.dll

kernel32.dll

advapi32.dll

user32.dll

gdi32.dll

User32.dll

msimg32.dll

comctl32.dll

COMCTL32.DLL

Kernel32.dll

PCOMM.dll

wininet.dll

UPDATA.dll

ole32.dll

gdiplus.dll

GdiPlus.dll

Gdiplus.dll

dbghelp.dll

oleaut32.dll

OLEACC.DLL

Ole32.dll

ShellExecuteA

RegOpenKeyA

RegCloseKey

CreatePipe

PeekNamedPipe

SetWindowsHookExA

UnhookWindowsHookEx

MsgWaitForMultipleObjects

EnumWindows

InternetOpenUrlA

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpGetFileA

FtpFindFirstFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpDeleteFileA

FtpRenameFileA

FtpPutFileA

FtpOpenFileA

FtpGetFileSize

GdiplusShutdown

RegCreateKeyA

RegEnumKeyA

RegFlushKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

{B6F7542F-B8FE-46a8-9605-98856A687097}

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

WebBrowser

C:\Windows\config_display.ini

C:\Windows\uppack.zip

\TempWmicBatchFile.bat

\JMD.ini

Speed.bat

tem.vbs

fso.DeleteFile("

Set fso = CreateObject("Scripting.FileSystemObject")

Wscript.Sleep(1000)

Serial port is occupied.

Didn't find Handybaby device, Maybe the following cause:Didn't connect to Handybaby to your PC/laptop or didn't install the driver Please search the serial port manual

wmic path Win32_SerialPort

command.com /c

cmd.exe /c

Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_SerialPort")

GetTrait = GetTrait Obj.Caption ","

hXXp://VVV.handy-baby.com/

*.jmd;*.jmd2

|*.jmd;*.jmd2

*.jmd,*.jmd2

|*.jmd*.jmd2

\UPDATA.dll

.text

.rdata

.data

.reloc

.aspack

.adata

__MSVCRT_HEAP_SELECT

GetCPInfo

KERNEL32.dll

serial.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

\PCOMM.DLL

`.rdata

@.data

.rsrc

@.reloc

\\.\COM%d

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

USER32.dll

PComm.dll

%hXXp://VVV.globalsign.net/repository/03

"hXXp://crl.globalsign.net/root.crl0

hXXp://crl.globalsign.net/Timestamping1.crl0

%hXXp://VVV.globalsign.net/repository/0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100.

3hXXp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0?

3hXXp://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0

.Class 3 Public Primary Certification Authority0

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif0

hXXp://ocsp.verisign.com01

hXXp://crl.verisign.com/pca3.crl0)

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

n.aAHu

c:\JMD.ini

2.9.6

KEY MAKER

website

JMD Client.lnk

JMD.lnk

bbs.125.la

Volkswagen={Beetle(HC912),Jetta(93C86),Gol(93C56),Passat,Santana(93C56),Bora(2002),FOX(93C56),pointer(93C56),anti-theft box(93C56),};

Jeep={Compass,Patriot,Wrangler,};

Maserati={Quattroporte,};

)Quattroporte,};

hXXp://i.youku.com/i/UMzAzMzg1NTIwNA==

Password input error ,please try again

Password length less than 6

C:\Windows\jmd_pic

C:\Windows\jmd_pic\1.jpg

C:\Windows\jmd_pic\2.jpg

C:\Windows\jmd_pic\3.jpg

120.76.132.181

/data.zip

Password can not be empty

B8.zCc

.oUc;

Port

*.jpg;*.jpeg;*.png;*.bmp

|*.jpg;*.jpeg;*.png;*.bmp

Password

1sLogin failed

audit of Result: does not pass

Website DownLoad

@.tmp

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Version below V6.2.0, please update the latest version

Passat={93C86,Megamos48,8200,2048,,0,,1};

Compass={24C16,ID46,10200,2048,,0,,1};

Quattroporte={9S12,Megamos48,10650,4096,,0,2004,1};

)Quattroporte={9S12,Megamos48,10650,4096,,0,2004,1};

VVV.meitu.com

F.RnRj)(

u%d$:

*.Bin

|*.Bin|

00000000

44444444

Click on the back of the key to generate the key to match the car

@@00102030

00000000000000

55555555

password

Honda password Calc(HDS)

first password

second password

password

@ping 127.0.0.1 -n

del Restart.bat

\Restart.bat

The key 1

The key 2

The key 3

The key 4

\CP210x_VCP_Windows\CP210xVCPInstaller.exe

Serial port is occupied

Please be patient and wait, to generate the key process, please do not take the chip

The current key can not start the car, you must then learn the key to the engine before they can start

Successful operation

0000000000

Operation is successful

Operation is successful, you need to write the data can be started

UM1 write failure, operation shall be terminated

UM2 write failure, operation shall be terminated

All chip information failure, operation terminated!

Chip to failure, operation shall be terminated

A serial port is not connected or not in the main interface!

Operation is successful, you need to write the data can be started!

Chip operation fails!

Read all chip error, termination of operations!

Write page2 failure, stop operation!

Write page1 failure, stop operation!

Chip information failure, stop operation!

Page4 write failure, operation terminated!

Operation is successful,Need to write the data can be started

Write failure, stop operation!

Read all chip information failure, stop operation

Page4 write failure, stop operation!

Page2 write failure, stop operation!

Page1 write failure, stop operation!

write failure, stop operation!

start the car for the KEY

17|6|73|6|113|6|

9|6|49|6|105|6|

1|6|57|6|97|6|

11|8|75|8|523|8|587|8|

21|8|85|8|533|8|597|8|

31|8|95|8|543|8|607|8|

9|2|73|2|521|2|585|2|

19|2|83|2|531|2|595|2|

29|2|93|2|541|2|605|2|

39|2|103|2|551|2|615|2|

881|8|889|8|897|8|

905|8|913|8|921|8|

929|8|937|8|945|8|

953|8|961|8|969|8|

57|8|65|8|73|8|

81|8|89|8|97|8|

105|8|113|8|121|8|

129|8|137|8|145|8|

449|4|457|2|

453|4|459|2|

465|4|473|2|

469|4|475|2|

449|4|459|2|

465|4|475|2|

00010001

00030003

00070007

49|8|177|8|

57|8|185|8|

65|8|193|8|

73|8|201|8|

1|8|17|8|33|8|

49|8|65|8|81|8|

97|8|113|8|129|8|

145|8|161|8|177|8|

161|8|169|8|177|8|

193|8|201|8|209|8|

225|8|233|8|241|8|

3|6|35|6|

11|6|43|6|

19|6|51|6|

27|6|59|6|

537|8|633|8|729|8|825|8|921|8|

581|8|677|8|773|8|869|8|965|8|

17|4|273|4|

9|4|265|4|

41|4|297|4|

1|8|129|8|385|8|

9|8|137|8|393|8|

17|8|145|8|401|8|

25|8|153|8|409|8|

hXXp://nspin.3110110.com/

handy baby identification key after online decoding

3|8|747|8|

13|8|757|8|

23|8|767|8|

33|8|777|8|

7|2|745|2|

11|2|755|2|

21|2|765|2|

31|2|775|2|

265|8|1033|8|

273|8|1041|8|

281|8|1049|8|

289|8|1057|8|

2219|8|3281|8|4333|8

2227|8|3289|8|4341|8|

2235|8|3297|8|4349|8|

2243|8|3305|8|4357|8|

753|8|2525|8|

773|8|2545|8|

743|2|2515|2|

749|2|2521|2|

763|2|2535|2|

769|2|2541|2|

165|2|169|4|175|2|

173|2|177|4|183|2|

181|2|185|4|191|2|

3|8|843|8|

11|8|851|8|

19|8|859|8|

27|8|867|8|

Serial port is not open!

hXXp://lanniao.e4os.com/frombd/

C:\Windows\data_up\Please make sure the connection JMD assistant,LOAD........

sm.bin

Scripting.FileSystemObject

C:\Windows\data_up

1.HandyBaby connect to computer

2.Only one HandyBaby connect to computer each time

3.Do not disconnect during updating

Support: Toyota 72G/Ford 4D83 80bit/Jetta ID42 (online)

Steps: (1)Read the key (2)Press OK to decode

(3)waiting, until finish (4)put the new key into the coil to copy

t move out the key!

Serial operation

Checking serial number passed...

C:\Windows\data_up\

C:\Windows\data_up\*.*

C:\Windows\data_up\4D\4d16.bin

C:\Windows\data_up\4D\4d32.bin

6.0.0

hXXp://VVV.handy-baby.com/download/

C:\Windows\System32

hXXp://VVV.handy-baby.com/aboutme.php

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

=@{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}

MSScriptControl.ScriptControl

if (typeof Date.prototype.toJSON !== 'function') {

Date.prototype.toJSON = function (key) {

return isFinite(this.valueOf()) ?

this.getUTCFullYear() '-'

f(this.getUTCMonth() 1) '-'

f(this.getUTCDate()) 'T'

f(this.getUTCHours()) ':'

f(this.getUTCMinutes()) ':'

f(this.getUTCSeconds()) 'Z' : null;

String.prototype.toJSON =

Number.prototype.toJSON =

Boolean.prototype.toJSON = function (key) {

return this.valueOf();

'"' : '\\"',

'\\': '\\\\'

escapable.lastIndex = 0;

return escapable.test(string) ? '"' string.replace(escapable, function (a) {

'\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);

function str(key, holder) {

// Produce a string from holder[key].

k, // The member key.

value = holder[key];

typeof value.toJSON === 'function') {

value = value.toJSON(key);

value = rep.call(holder, key, value);

if (Object.prototype.toString.apply(value) === '[object Array]') {

length = value.length;

// Join all of the elements together, separated with commas, and wrap them in

v = partial.length === 0 ? '[]' : gap ?

'[\n' gap partial.join(',\n' gap) '\n' mind ']' :

'[' partial.join(',') ']';

length = rep.length;

partial.push(quote(k) (gap ? ': ' : ':') v);

// Otherwise, iterate through all of the keys in the object.

if (Object.prototype.hasOwnProperty.call(value, k)) {

// Join all of the member texts together, separated with commas,

v = partial.length === 0 ? '{}' : gap ?

'{\n' gap partial.join(',\n' gap) '\n' mind '}' :

'{' partial.join(',') '}';

if (typeof JSON.stringify !== 'function') {

JSON.stringify = function (value, replacer, space) {

// that can replace values, or an array of strings that will select the keys.

typeof replacer.length !== 'number')) {

throw new Error('JSON.stringify');

// Make a fake root object containing our value under the key of ''.

if (typeof JSON.parse !== 'function') {

JSON.parse = function (text, reviver) {

function walk(holder, key) {

var k, v, value = holder[key];

if (Object.prototype.hasOwnProperty.call(value, k)) {

return reviver.call(holder, key, value);

// Parsing happens in four stages. In the first stage, we replace certain

cx.lastIndex = 0;

if (cx.test(text)) {

text = text.replace(cx, function (a) {

('0000' a.charCodeAt(0).toString(16)).slice(-4);

// We split the second stage into 4 regexp operations in order to work around

.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')

.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')

.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {

// JavaScript structure. The '{' operator is subject to a syntactic ambiguity

// In the optional fourth stage, we recursively walk the new structure, passing

throw new SyntaxError('JSON.parse');

// These forms are obsolete. It is recommended that JSON.stringify and

// JSON.parse be used instead.

if (!Object.prototype.toJSONString) {

Object.prototype.toJSONString = function (filter) {

return JSON.stringify(this, filter);

Object.prototype.parseJSON = function (filter) {

return JSON.parse(this, filter);

JSON.stringify(

.push(

.map)'){

.splice(

) {ary=ary key ','; }

var ary=''; for (var key in

\empty.exe

`.data

could not empty working set for process #%d [%s]

could not empty working set for process #%d

USAGE: empty.exe {pid | task-name}

AdjustTokenPrivileges failed with %d

LookupPrivilegeValue failed with %d

OpenProcessToken failed with %d

empty.pdb

msvcrt.dll

ADVAPI32.dll

CloseWindowStation

SetProcessWindowStation

OpenWindowStationA

EnumWindowStationsA

ntdll.dll

OLEAUT32.dll

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

\\.\COM

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

window.location.reload()

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

text|password|file

comdlg32.dll

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

2016:08:04 18:08:10

-6k}k

o.Sl@

.ou&j

r.umV

h.XhtR|

PfBCMd![p

.iKVy

.WcGV

LN->kEy

^u.wY'

)Y$}u.wR

mSgQ

]EÃžh`

1999-2003

%d&&'

123456789

00003333

1.2.18

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

CCmdTarget

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

WSOCK32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

hXXp://VVV.baidu.com

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

;3 #>6.&

'2, / 0&7!4-)1#

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

code %d bits %d->%d

gen_codes: max_code %d

bl code -

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

%d%d%d

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÃ

right-curly-bracket

left-curly-bracket

c:\%original file name%.exe

GetWindowsDirectoryA

WinExec

GetProcessHeap

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportOrgEx

CreateDialogIndirectParamA

UnregisterHotKey

RegisterHotKey

EnumChildWindows

GetKeyState

InternetCrackUrlA

InternetCanonicalizeUrlA

%fpoj

i-%c/-Q

KERNEL32.DLL

AVIFIL32.dll

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVFW32.dll

oledlg.dll

RASAPI32.dll

SHELL32.dll

WININET.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

mscoree.dll

*%$#"! '&):(91/638

2, 7, 0, 0

10080216

5.2.3790.0 built by: dnsrv_dev(v-smgum)

empty.exe

Windows

Operating System

5.2.3790.0

(*.*)

2.9.6.8

V2.9.6

%original file name%.exe_2928_rwx_00401000_005CD000:

t%SVh

t$(SSh

|$D.tm

~%UVW

u$SShe

Bv=kAv.SCv

shlwapi.dll

kernel32.dll

advapi32.dll

user32.dll

gdi32.dll

User32.dll

msimg32.dll

comctl32.dll

COMCTL32.DLL

Kernel32.dll

PCOMM.dll

wininet.dll

UPDATA.dll

ole32.dll

gdiplus.dll

GdiPlus.dll

Gdiplus.dll

dbghelp.dll

oleaut32.dll

OLEACC.DLL

Ole32.dll

ShellExecuteA

RegOpenKeyA

RegCloseKey

CreatePipe

PeekNamedPipe

SetWindowsHookExA

UnhookWindowsHookEx

MsgWaitForMultipleObjects

EnumWindows

InternetOpenUrlA

HttpQueryInfoA

HttpOpenRequestA

HttpSendRequestA

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpGetFileA

FtpFindFirstFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpDeleteFileA

FtpRenameFileA

FtpPutFileA

FtpOpenFileA

FtpGetFileSize

GdiplusShutdown

RegCreateKeyA

RegEnumKeyA

RegFlushKey

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

{B6F7542F-B8FE-46a8-9605-98856A687097}

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

WebBrowser

C:\Windows\config_display.ini

C:\Windows\uppack.zip

\TempWmicBatchFile.bat

\JMD.ini

Speed.bat

tem.vbs

fso.DeleteFile("

Set fso = CreateObject("Scripting.FileSystemObject")

Wscript.Sleep(1000)

Serial port is occupied.

Didn't find Handybaby device, Maybe the following cause:Didn't connect to Handybaby to your PC/laptop or didn't install the driver Please search the serial port manual

wmic path Win32_SerialPort

command.com /c

cmd.exe /c

Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_SerialPort")

GetTrait = GetTrait Obj.Caption ","

hXXp://VVV.handy-baby.com/

*.jmd;*.jmd2

|*.jmd;*.jmd2

*.jmd,*.jmd2

|*.jmd*.jmd2

\UPDATA.dll

.text

.rdata

.data

.reloc

.aspack

.adata

__MSVCRT_HEAP_SELECT

GetCPInfo

KERNEL32.dll

serial.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

\PCOMM.DLL

`.rdata

@.data

.rsrc

@.reloc

\\.\COM%d

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

USER32.dll

PComm.dll

%hXXp://VVV.globalsign.net/repository/03

"hXXp://crl.globalsign.net/root.crl0

hXXp://crl.globalsign.net/Timestamping1.crl0

%hXXp://VVV.globalsign.net/repository/0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100.

3hXXp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0?

3hXXp://csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0

.Class 3 Public Primary Certification Authority0

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif0

hXXp://ocsp.verisign.com01

hXXp://crl.verisign.com/pca3.crl0)

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

n.aAHu

c:\JMD.ini

2.9.6

KEY MAKER

website

JMD Client.lnk

JMD.lnk

bbs.125.la

Volkswagen={Beetle(HC912),Jetta(93C86),Gol(93C56),Passat,Santana(93C56),Bora(2002),FOX(93C56),pointer(93C56),anti-theft box(93C56),};

Jeep={Compass,Patriot,Wrangler,};

Maserati={Quattroporte,};

)Quattroporte,};

hXXp://i.youku.com/i/UMzAzMzg1NTIwNA==

Password input error ,please try again

Password length less than 6

C:\Windows\jmd_pic

C:\Windows\jmd_pic\1.jpg

C:\Windows\jmd_pic\2.jpg

C:\Windows\jmd_pic\3.jpg

120.76.132.181

/data.zip

Password can not be empty

B8.zCc

.oUc;

Port

*.jpg;*.jpeg;*.png;*.bmp

|*.jpg;*.jpeg;*.png;*.bmp

Password

1sLogin failed

audit of Result: does not pass

Website DownLoad

@.tmp

User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Version below V6.2.0, please update the latest version

Passat={93C86,Megamos48,8200,2048,,0,,1};

Compass={24C16,ID46,10200,2048,,0,,1};

Quattroporte={9S12,Megamos48,10650,4096,,0,2004,1};

)Quattroporte={9S12,Megamos48,10650,4096,,0,2004,1};

VVV.meitu.com

F.RnRj)(

u%d$:

*.Bin

|*.Bin|

00000000

44444444

Click on the back of the key to generate the key to match the car

@@00102030

00000000000000

55555555

password

Honda password Calc(HDS)

first password

second password

password

@ping 127.0.0.1 -n

del Restart.bat

\Restart.bat

The key 1

The key 2

The key 3

The key 4

\CP210x_VCP_Windows\CP210xVCPInstaller.exe

Serial port is occupied

Please be patient and wait, to generate the key process, please do not take the chip

The current key can not start the car, you must then learn the key to the engine before they can start

Successful operation

0000000000

Operation is successful

Operation is successful, you need to write the data can be started

UM1 write failure, operation shall be terminated

UM2 write failure, operation shall be terminated

All chip information failure, operation terminated!

Chip to failure, operation shall be terminated

A serial port is not connected or not in the main interface!

Operation is successful, you need to write the data can be started!

Chip operation fails!

Read all chip error, termination of operations!

Write page2 failure, stop operation!

Write page1 failure, stop operation!

Chip information failure, stop operation!

Page4 write failure, operation terminated!

Operation is successful,Need to write the data can be started

Write failure, stop operation!

Read all chip information failure, stop operation

Page4 write failure, stop operation!

Page2 write failure, stop operation!

Page1 write failure, stop operation!

write failure, stop operation!

start the car for the KEY

17|6|73|6|113|6|

9|6|49|6|105|6|

1|6|57|6|97|6|

11|8|75|8|523|8|587|8|

21|8|85|8|533|8|597|8|

31|8|95|8|543|8|607|8|

9|2|73|2|521|2|585|2|

19|2|83|2|531|2|595|2|

29|2|93|2|541|2|605|2|

39|2|103|2|551|2|615|2|

881|8|889|8|897|8|

905|8|913|8|921|8|

929|8|937|8|945|8|

953|8|961|8|969|8|

57|8|65|8|73|8|

81|8|89|8|97|8|

105|8|113|8|121|8|

129|8|137|8|145|8|

449|4|457|2|

453|4|459|2|

465|4|473|2|

469|4|475|2|

449|4|459|2|

465|4|475|2|

00010001

00030003

00070007

49|8|177|8|

57|8|185|8|

65|8|193|8|

73|8|201|8|

1|8|17|8|33|8|

49|8|65|8|81|8|

97|8|113|8|129|8|

145|8|161|8|177|8|

161|8|169|8|177|8|

193|8|201|8|209|8|

225|8|233|8|241|8|

3|6|35|6|

11|6|43|6|

19|6|51|6|

27|6|59|6|

537|8|633|8|729|8|825|8|921|8|

581|8|677|8|773|8|869|8|965|8|

17|4|273|4|

9|4|265|4|

41|4|297|4|

1|8|129|8|385|8|

9|8|137|8|393|8|

17|8|145|8|401|8|

25|8|153|8|409|8|

hXXp://nspin.3110110.com/

handy baby identification key after online decoding

3|8|747|8|

13|8|757|8|

23|8|767|8|

33|8|777|8|

7|2|745|2|

11|2|755|2|

21|2|765|2|

31|2|775|2|

265|8|1033|8|

273|8|1041|8|

281|8|1049|8|

289|8|1057|8|

2219|8|3281|8|4333|8

2227|8|3289|8|4341|8|

2235|8|3297|8|4349|8|

2243|8|3305|8|4357|8|

753|8|2525|8|

773|8|2545|8|

743|2|2515|2|

749|2|2521|2|

763|2|2535|2|

769|2|2541|2|

165|2|169|4|175|2|

173|2|177|4|183|2|

181|2|185|4|191|2|

3|8|843|8|

11|8|851|8|

19|8|859|8|

27|8|867|8|

Serial port is not open!

hXXp://lanniao.e4os.com/frombd/

C:\Windows\data_up\Please make sure the connection JMD assistant,LOAD........

sm.bin

Scripting.FileSystemObject

C:\Windows\data_up

1.HandyBaby connect to computer

2.Only one HandyBaby connect to computer each time

3.Do not disconnect during updating

Support: Toyota 72G/Ford 4D83 80bit/Jetta ID42 (online)

Steps: (1)Read the key (2)Press OK to decode

(3)waiting, until finish (4)put the new key into the coil to copy

t move out the key!

Serial operation

Checking serial number passed...

C:\Windows\data_up\

C:\Windows\data_up\*.*

C:\Windows\data_up\4D\4d16.bin

C:\Windows\data_up\4D\4d32.bin

6.0.0

hXXp://VVV.handy-baby.com/download/

C:\Windows\System32

hXXp://VVV.handy-baby.com/aboutme.php

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

=@{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}

MSScriptControl.ScriptControl

if (typeof Date.prototype.toJSON !== 'function') {

Date.prototype.toJSON = function (key) {

return isFinite(this.valueOf()) ?

this.getUTCFullYear() '-'

f(this.getUTCMonth() 1) '-'

f(this.getUTCDate()) 'T'

f(this.getUTCHours()) ':'

f(this.getUTCMinutes()) ':'

f(this.getUTCSeconds()) 'Z' : null;

String.prototype.toJSON =

Number.prototype.toJSON =

Boolean.prototype.toJSON = function (key) {

return this.valueOf();

'"' : '\\"',

'\\': '\\\\'

escapable.lastIndex = 0;

return escapable.test(string) ? '"' string.replace(escapable, function (a) {

'\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);

function str(key, holder) {

// Produce a string from holder[key].

k, // The member key.

value = holder[key];

typeof value.toJSON === 'function') {

value = value.toJSON(key);

value = rep.call(holder, key, value);

if (Object.prototype.toString.apply(value) === '[object Array]') {

length = value.length;

// Join all of the elements together, separated with commas, and wrap them in

v = partial.length === 0 ? '[]' : gap ?

'[\n' gap partial.join(',\n' gap) '\n' mind ']' :

'[' partial.join(',') ']';

length = rep.length;

partial.push(quote(k) (gap ? ': ' : ':') v);

// Otherwise, iterate through all of the keys in the object.

if (Object.prototype.hasOwnProperty.call(value, k)) {

// Join all of the member texts together, separated with commas,

v = partial.length === 0 ? '{}' : gap ?

'{\n' gap partial.join(',\n' gap) '\n' mind '}' :

'{' partial.join(',') '}';

if (typeof JSON.stringify !== 'function') {

JSON.stringify = function (value, replacer, space) {

// that can replace values, or an array of strings that will select the keys.

typeof replacer.length !== 'number')) {

throw new Error('JSON.stringify');

// Make a fake root object containing our value under the key of ''.

if (typeof JSON.parse !== 'function') {

JSON.parse = function (text, reviver) {

function walk(holder, key) {

var k, v, value = holder[key];

if (Object.prototype.hasOwnProperty.call(value, k)) {

return reviver.call(holder, key, value);

// Parsing happens in four stages. In the first stage, we replace certain

cx.lastIndex = 0;

if (cx.test(text)) {

text = text.replace(cx, function (a) {

('0000' a.charCodeAt(0).toString(16)).slice(-4);

// We split the second stage into 4 regexp operations in order to work around

.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')

.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')

.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {

// JavaScript structure. The '{' operator is subject to a syntactic ambiguity

// In the optional fourth stage, we recursively walk the new structure, passing

throw new SyntaxError('JSON.parse');

// These forms are obsolete. It is recommended that JSON.stringify and

// JSON.parse be used instead.

if (!Object.prototype.toJSONString) {

Object.prototype.toJSONString = function (filter) {

return JSON.stringify(this, filter);

Object.prototype.parseJSON = function (filter) {

return JSON.parse(this, filter);

JSON.stringify(

.push(

.map)'){

.splice(

) {ary=ary key ','; }

var ary=''; for (var key in

\empty.exe

`.data

could not empty working set for process #%d [%s]

could not empty working set for process #%d

USAGE: empty.exe {pid | task-name}

AdjustTokenPrivileges failed with %d

LookupPrivilegeValue failed with %d

OpenProcessToken failed with %d

empty.pdb

msvcrt.dll

ADVAPI32.dll

CloseWindowStation

SetProcessWindowStation

OpenWindowStationA

EnumWindowStationsA

ntdll.dll

OLEAUT32.dll

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

\\.\COM

javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}

javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};

window.location.reload()

var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');

text|password|file

comdlg32.dll

{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

WarnOnHTTPSToHTTPRedirect

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

2016:08:04 18:08:10

-6k}k

o.Sl@

.ou&j

r.umV

h.XhtR|

PfBCMd![p

.iKVy

.WcGV

LN->kEy

^u.wY'

)Y$}u.wR

mSgQ

]EÃžh`

1999-2003

%d&&'

123456789

00003333

1.2.18

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

CCmdTarget

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

WSOCK32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

hXXp://VVV.baidu.com

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

;3 #>6.&

'2, / 0&7!4-)1#

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

code %d bits %d->%d

gen_codes: max_code %d

bl code -

opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u

last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)

%d%d%d

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÃ

right-curly-bracket

left-curly-bracket

c:\%original file name%.exe

GetWindowsDirectoryA

WinExec

GetProcessHeap

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportOrgEx

CreateDialogIndirectParamA

UnregisterHotKey

RegisterHotKey

EnumChildWindows

GetKeyState

InternetCrackUrlA

InternetCanonicalizeUrlA

%fpoj

i-%c/-Q

KERNEL32.DLL

mscoree.dll

*%$#"! '&):(91/638

2, 7, 0, 0

10080216

5.2.3790.0 built by: dnsrv_dev(v-smgum)

empty.exe

Windows

Operating System

5.2.3790.0

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps