Gen.Variant.Strictor.111123_0af587a760

by malwarelabrobot on March 29th, 2017 in Malware Descriptions.

Gen:Variant.Strictor.111123 (B) (Emsisoft), Gen:Variant.Strictor.111123 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0af587a7601830069af309185f3ac01f
SHA1: 68095a1bc25d473d326546ff313fffb9b190c37e
SHA256: b2724830fe7da930a20c20dd53e37428147c8171f394719f577f5108c9d5d70f
SSDeep: 24576:2GNBMMD7j0SiJO0BadTHXtxtumBz5Q2ZHCm5ufuTfZinQt0oHTV8klv:2sBnktBGT9xAm229oQRiETV
Size: 1241168 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: /Soft company
Created at: 2017-03-12 21:53:41
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour  Description
EmailWorm  Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Pz.ini (20 bytes)
C:\midishow.dll (178 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Dropped PE files

MD5                               File path
114054313070472cd1a6d7d28f7c5002  c:\midishow.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: CirnoIX
Product Name: ? Box
Product Version: 2.0.7.1313
Legal Copyright: CirnoIX ???? 1999 - 2017
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.7.1313
File Description: ????????,?????????????!!?????24???????!??????????????????????????!!
Comments: ????????,?????????????!!?????24???????!??????????????????????????!!
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1188514       0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  1196032          471298        0         0        d41d8cd98f00b204e9800998ecf8427e
.data   1671168          1212930       0         0        d41d8cd98f00b204e9800998ecf8427e
.tvm0   2887680          17757         0         0        d41d8cd98f00b204e9800998ecf8427e
.tvm1   2908160          1111180       1114112   5.53685  c55d59053ba645811f6004b06cb77e3a
.rsrc   4022272          104102        106496    4.88198  592619c417df611c22f204ce82b8aa86

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Pz.ini (20 bytes)
    C:\midishow.dll (178 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
