Gen.Variant.Graftor.264320 (B)_ccab389166 – Adaware

Gen:Variant.Graftor.264320 (B) (Emsisoft), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ccab389166c2a7b7e6f7b784a8edf3b7

SHA1: 280c07ed68f0fdf2ac1ae0a2f2d1bdacbf64daac

SHA256: 2fb616a2d5c59851a861a889d4349c4b42606e076030a32adb05b5cd02d616ed

SSDeep: 24576: O8OH8F37JqsB9n7KkVj9XCwGA6SWaQaT:QPJh kV5CQ

Size: 823808 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-01-03 14:34:15

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

dwwin.exe:1744
uninstallmodule.exe:1392
%original file name%.exe:468

The Malware injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process dwwin.exe:1744 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7FEC0.dmp (74488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process uninstallmodule.exe:1392 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fb75_appcompat.txt (1979 bytes)

The Malware deletes the following file(s):

The process %original file name%.exe:468 makes changes in the file system.

The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uninstallmodule.exe.tmp (110740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_uninsep.bat (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uninstallmodule.exe (6841 bytes)

Registry activity

The process dwwin.exe:1744 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 84 73 39 A1 66 9F E3 FD 6E 76 F7 86 7D 6A 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process uninstallmodule.exe:1392 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 18 9F EB 0B F1 99 09 FF 8D CE 00 38 B0 07 93"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process %original file name%.exe:468 makes changes in the system registry.

The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 AE 6D 30 7E 98 D7 D2 0E B5 7A CF 1A D6 B5 24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"_uninsep.bat" = "_uninsep"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"uninstallmodule.exe" = "uninstallmodule"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Malware deletes the following value(s) in system registry:

The Malware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IDSCPRODUCT"

Dropped PE files

MD5	File path
ea8c1b5d9f7b766e04ff296758ae02db	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uninstallmodule.exe
ea8c1b5d9f7b766e04ff296758ae02db	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uninstallmodule.exe.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1744
uninstallmodule.exe:1392
%original file name%.exe:468
Delete the original Malware file.
Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\7FEC0.dmp (74488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fb75_appcompat.txt (1979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uninstallmodule.exe.tmp (110740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_uninsep.bat (180 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Top Game Installer
Product Name: Top Game Installer
Product Version: 1.0
Legal Copyright: Top Game Installer
Legal Trademarks:
Original Filename: Top Game Installer.exe
Internal Name: Top Game Installer
File Version: 1.0
File Description: Top Game Installer
Comments:
Language: English (United States)

Company Name: Top Game InstallerProduct Name: Top Game InstallerProduct Version: 1.0 Legal Copyright: Top Game InstallerLegal Trademarks: Original Filename: Top Game Installer.exeInternal Name: Top Game InstallerFile Version: 1.0 File Description: Top Game InstallerComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	702060	702464	4.26703	d78403c0efc3bc56a66b7c1d4f9f579c
.data	708608	23332	23552	0.100838	b07224b3acd84b8b6e0fc450410d300f
.rdata	733184	62252	62464	3.87274	dfc49cee6ba28be31b89b2d10c8b3758
.bss	798720	4096	0	0	d41d8cd98f00b204e9800998ecf8427e
.edata	802816	1598	2048	3.09204	276a0a5ad20775d1ae9e53aff007ba81
.idata	806912	6224	6656	3.55701	8d96631479e9195377a207719f07d8fc
.CRT	815104	56	512	0.221488	94975933fb719c11f3a8757e452a06ce
.tls	819200	32	512	0.14174	b94bb441a067f954ca855273080a7f2c
.rsrc	823296	856	1024	1.8821	1a990b6f248f4cf9ed3f54d7b877969d
.reloc	827392	23424	23552	4.62336	d9537cb6f518736060ac13cb67b084c3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 79
523c889c97eebcb4632a2c2a2fba0f0e
f4f83840a6d1859382001ffd15cb5f75
4b630f434f37d0dd82d9c702189a54ba
aace3d082e2d3abb2dd8ff674824e3a4
d51159ce3d5965d072808c5974c0e8f9
baa37f901981657ecf6353301f607539
a700f43c176c12d9eb27f6bd6f39df67
3bf59d95006b39e0a61f543cdf5b4d3d
fb1f142c97c84a46c7952867a183fa38
34debcd9f644530815b3b93e61e2337b
8004abd5d7d21dac173445a4409c8f83
8b2bb97fc20c90c613656e5367f630f9
b23769d8486c63d3c17bfd0d4b857bd6
763ef9babac4398a6987a006692ea8bf
d2b15df94bc965205bb0e753f9a97525
83ecadad63580b78bfd8b089766a344e
4ec44303f46fe3666d7d06510dfc5a13
69712554794f4fd160738c0c68966eb4
20b1179c1096e099edfd88ae02572b2c
27ca114a6b68dc4232d04500953e19d0
42d05e9e07dc3fcb1e680ae21bf99445
858021f8683ee6c7e7437979ee25e4ef
2f9c8b2ef7a888f6251f84c7cb0f72cb
97a7b8809e1642ebcf06f620deba3cc4
6f35f508794846a2695fec3d707092af
97628574fd15364a8e2b8b1e0837a49d

Network Activity

URLs

URL	IP
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{	149.202.68.172
hxxp://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe	149.202.204.67
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..\|...\|.."_{..\|...\|.."_{..\|...\|.."_wizzuninstallmodule_download_succeed	149.202.68.172
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..\|...\|.."_{..\|...\|.."_{..\|...\|.."_wizzuninstallmodule_execute_succeed	149.202.68.172
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..\|...\|.."_{..\|...\|.."_{..\|...\|.."_wizzuninstallmodule_download_start	149.202.68.172
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..\|...\|.."_{..\|...\|.."_{..\|...\|.."_start	149.202.68.172
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..\|...\|.."_{..\|...\|.."_{..\|...\|.."_end	149.202.68.172
www.wizzmonetize.com	149.202.85.170

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_end HTTP/1.1

Host: agent.wizztrakys.com

Accept: */*

Content-Length: 59

Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Wed, 17 Feb 2016 01:30:17 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=jsqgg5tln030f7bo1io80u06a4; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 29

Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}..

POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_execute_succeed HTTP/1.1

Host: agent.wizztrakys.com

Accept: */*

Content-Length: 59

Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Wed, 17 Feb 2016 01:30:17 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=7tnaotcd8nv758ikfg0hkroib3; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 29

Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}..

POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_download_succeed HTTP/1.1

Host: agent.wizztrakys.com

Accept: */*

Content-Length: 59

Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Wed, 17 Feb 2016 01:30:16 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=7go2qor580ga8bs5e6a8juks16; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 29

Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}..

GET /download/1/wizzuninstallmodule.exe HTTP/1.1

Host: dl.wizzuniquify.com

Accept: */*

HTTP/1.1 200 OK

Date: Wed, 17 Feb 2016 01:30:13 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

Set-Cookie: laravel_session=eyJpdiI6InRQaVYyUHdRUHZlY29cL0JJbnpQbURnPT0iLCJ2YWx1ZSI6ImtsOXF2RGdjMVBtS3ZKbnpBejVtb0h5ZVo3Q0JaQ3hya2ZkVGtBTnBTSURyWXA1N3dXdXFDVHdSZ1lBYUtKWW1lTTNVTWxwZkFLYmIxajNxVlpJcXF3PT0iLCJtYWMiOiI3ZjQ0NmRmM2IzYmE1NzhiZmI1Y2QyZThiYTc3YjdhMzEyMjg4MjFjNzJlMjliMWJmNjBlMjQwY2Q0NTJjMGFiIn0=; expires=Wed, 17-Feb-2016 03:30:13 GMT; Max-Age=7200; path=/; httponly

Transfer-Encoding: chunked

Content-Type: application/x-msdownload

df600..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................ ....@..........................P................ .........................<.......................................0f......................................................D............................text...............................`.P`.data...d[... ...\..................@.p..rdata...............l..............@.p@.bss..................................p..edata..<............l..............@.0@.idata...............t..............@.0..CRT....8...........................@.0..tls.... ...........................@.0..reloc..0f.......h..................@.0B....................................................................................................................................................................................................................................................................................................&......'.......1.f.=..@.MZ..l.M.......h.M.......d.M.......t.M.....th...M..x.M...tJ..$.....n'....$.....2'....|.M....M....M..@.M.....)...=. L..tm1.......&......$.....$'....f...<.@.....@.PE......@.u...Q.f....t?f......j............].........1.......K....v...$.:D...)..1......yt...,.........1...........f...,...M..D$...M..D$...M..D$...M...$..M....M....M..D$..n&.....M...,.........'....U1........WV.U.S....|...0.25..)..D$...........@......@......@......@......@......@......@.........5x.M.........d

<<< skipped >>>

POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_start HTTP/1.1

Host: agent.wizztrakys.com

Accept: */*

Content-Length: 59

Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Wed, 17 Feb 2016 01:30:14 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=hfidjnmjpek1nk79p0rs8p6k16; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 29

Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}..

POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_download_start HTTP/1.1

Host: agent.wizztrakys.com

Accept: */*

Content-Length: 59

Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Wed, 17 Feb 2016 01:30:14 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=vpk092hgu3dj7jgsu46ge098o6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 29

Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}..

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

uninstallmodule.exe_1392:

.text

P`.data

.rdata

p@.bss

.edata

0@.idata

.reloc

-0123456789

XMLDocument error id=%d '%s' str1=%s str2=%s

%s>

%s?>

config.cfg

%s: __pos (which is %zu) > this->size() (which is %zu)

&api_key=

CFG: Can only have unique key names!

workXML.xml

hXXp://VVV.wizzmonetize.com/remotes_xml_sections.php

getpeername() failed with errno %d: %s

getsockname() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

ssloc inet_ntop() failed with errno %d: %s

sa_addr inet_ntop() failed with errno %d: %s

Trying %s...

Could not set TCP_NODELAY: %s

TCP_NODELAY set

Failed to set SO_KEEPALIVE on fd %d

Failed to set SIO_KEEPALIVE_VALS on fd %d: %d

Local Interface %s is ip %s using address family %i

Name '%s' family %i resolved to '%s' family %i

Local port: %hu

Bind to local port %hu failed, trying next

bind failed with errno %d: %s

Immediate connect fail for %s: %s

Couldn't bind to '%s'

Couldn't bind to interface '%s'

connect to %s port %ld failed: %s

Failed to connect to %s port %ld: %s

[%s %s %s]

Send failure: %s

Recv failure: %s

Write callback asked for PAUSE when not supported!

Could not resolve %s: %s

%s:%d

Hostname %s was found in DNS cache

%5[^:]:%d

Couldn't parse CURLOPT_RESOLVE removal entry '%s'!

%5[^:]:%d:%5s

Couldn't parse CURLOPT_RESOLVE entry '%s'!

Address in '%s' found illegal!

Added %s:%d:%s to DNS cache

IDN support not present, can't parse Unicode domains

CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!

Connected to %s (%s) port %ld (#%ld)

User-Agent: %s

smtp

Illegal characters found in URL

[^:]:%[^

:]://%[^

malformed

SMTP.

Rebuilt URL to: %s

Please URL encode %% as %%, see RFC 6874.

Protocol "%s" not supported or disabled in libcurl

%s://%s

http_proxy

[%*45[0123456789abcdefABCDEF:.]%c

;type=%c

%s://%s%s%s:%hu%s%s%s

Port number out of range

Couldn't find host %s in the _netrc file; using defaults

PTF@example.com

Found bundle for host %s: %p

Server doesn't support multi-use yet, wait

Server doesn't support multi-use (yet)

Pipe is full, skip (%zu)

Multiplexed connection found!

Found connection %ld, with requests in the pipe (%zu)

Re-using existing connection! (#%ld) with %s %s

No more connections allowed to host: %d

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

Connection #%ld to host %s left intact

Curl_poll(%d ds, %d ms)

Internal error clearing splay node = %d

Internal error removing splay node = %d

Pipe broke: handle %p, url = %s

In state %d with no easy_conn, bail out!

Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received

Operation timed out after %ld milliseconds with %I64d bytes received

#HttpOnly_

%s%s%s

23[^;

=] =I99[^;

httponly

skipped cookie with bad tailmatch domain: %s

%s cookie %s="%s" for domain %s, path %s, expire %I64d

ignoring failed cookie_init for %s

# Netscape HTTP Cookie File

# hXXp://curl.haxx.se/docs/http-cookies.html

# This file was generated by libcurl! Edit at your own risk.

# Fatal libcurl error

WARNING: failed to save cookies in %s

%d.%d.%d.%d

CURLSHcode unknown

Protocol option is unsupported

Protocol is unsupported

Socket is unsupported

Operation not supported

Address family not supported

Protocol family not supported

Winsock version not supported

Unknown error %d (%#x)

Please call curl_multi_perform() soon

Unsupported protocol

URL using bad/illegal format or missing URL

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

FTP: weird server reply

FTP: The server failed to connect to data port

FTP: unknown PASS reply

FTP: Accepting server connect has timed out

FTP: unknown PASV reply

FTP: unknown 227 response format

FTP: can't figure out the host in the PASV response

Error in the HTTP2 framing layer

FTP: couldn't set file type

FTP: couldn't retrieve (RETR failed) the specified file

HTTP response code said error

FTP: command PORT failed

FTP: command REST failed

Operation was aborted by an application callback

A libcurl function was given a bad argument

An unknown option was passed in to libcurl

SSL peer certificate or SSH remote key was not OK

Problem with the local SSL certificate

Peer certificate cannot be authenticated with given CA certificates

Unrecognized or bad HTTP Content or Transfer-Encoding

Invalid LDAP URL

TFTP: File Not Found

TFTP: Access Violation

TFTP: Illegal operation

TFTP: Unknown transfer ID

TFTP: No such user

Caller must register CURLOPT_CONV_ callback options

Problem with the SSL CA cert (path? access rights?)

Error in the SSH layer

Issuer check against peer certificate failed

FTP: The server did not accept the PRET command.

Unable to parse FTP file list

SSL public key does not match pinned public key

SSL server certificate status verification FAILED

0123456789

%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s

HTTP/

Avoided giant realloc for header (max is %d)!

%s:%s

%sAuthorization: Basic %s

%s auth using %s with user '%s'

The requested URL returned error: %d

%s, d %s M d:d:d GMT

If-Modified-Since: %s

If-Unmodified-Since: %s

Last-Modified: %s

Referer: %s

Accept-Encoding: %s

Host: %s%s%s

Host: %s%s%s:%hu

PTF://

Range: bytes=%s

Content-Range: bytes %s%I64d/%I64d

Content-Range: bytes %s/%I64d

PTF://%s:%s@%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s=%s

Internal HTTP POST error!

Content-Type: application/x-www-form-urlencoded

Failed sending HTTP POST request

Failed sending HTTP request

Chunky upload is not supported by HTTP 1.0

Connection closure while negotiating auth (HTTP 1.0?)

HTTP error before end of send, stop sending

HTTP/%d.%d %d

Lying server, not serving HTTP/2

HTTP =

RTSP/%d.%d =

The requested URL returned error: %s

HTTP 1.0, assume close after body

HTTP/1.0 proxy connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 connection set to keep alive!

%%X

%sAuthorization: Digest %s

%sAuthorization: NTLM %s

Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s

Site %s:%d is pipeline blacklisted

Server %s is blacklisted

SOCKS4 communication to %s:%d

SOCKS4 connect to %s (locally resolved)

Failed to resolve "%s" for SOCKS4 connect.

SOCKS4%s request granted.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

User was rejected by the SOCKS5 server (%d %d).

SOCKS5 GSSAPI per-message authentication is not supported.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

Failed to resolve "%s" for SOCKS5 connect.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Can't complete SOCKS5 connection to %s:%d. (%d)

Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)

Establish HTTP proxy tunnel to %s:%hu

%s:%hu

%s%s%s:%hu

Host: %s

CONNECT %s HTTP/%s

%s%s%s%s

HTTP/1.%d %d

TUNNEL_STATE switched to: %d

Received HTTP code %d from proxy after CONNECT

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

password

operation aborted by callback

Read callback asked for PAUSE when not supported!

seek callback returned error %d

the ioctl callback returned %d

ioctl callback returned error %d

Rewinding stream by : %zd bytes on url %s (zero-length body)

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

HTTP server doesn't seem to support byte ranges. Cannot resume.

Simulate a HTTP 304 response!

%s in chunked-encoding

Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)

Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d

No URL set!

[^?&/:]://%c

Issue another request to this URL: '%s'

Disables POST, goes with %s

d:d:d

d:d

------------------------xx

; filename="%s"

%s; boundary=%s

Content-Type: multipart/mixed; boundary=%s

Content-Type: %s

couldn't open file "%s"

--%s--

.jpeg

.html

%c%c==

%c%c%c=

%c%c%c%c

user=%s

auth=Bearer %s

%s/%s

xxxx

username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s,qop=%s

%s:%s:%s

%s:%s:x:%s:%s:%s

username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"

username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%s, opaque="%s"

%s, algorithm="%s"

%s xxxxxxxxxxxxxxxx

Unsupported SASL authentication mechanism

NTLMSSP%c

%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s

%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

not enough space for format expansion (Please submit full bug report at hXXp://gcc.gnu.org/bugs.html):

%m/%d/%y

%H:%M:%S

operator

global constructors keyed to

global destructors keyed to

operator""

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

use_fc_key

fc_key

Assertion failed: (%s), file %s, line %d

M%p %d %s

M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s

once %p is %d

_pthread_key_dest_shmem

_pthread_key_lock_shmem

_pthread_key_max_shmem

_pthread_key_sch_shmem

T%p %d %s

T%p %d V=%0X H=%p %s

C%p %d %s

C%p %d V=%0X w=%ld %s

RWL%p %d %s

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s

GCC: (GNU) 4.9.2

GCC: (tdm64-1) 4.9.2

wizzuninstallmodule.exe

curl_easy_cleanup

curl_easy_duphandle

curl_easy_escape

curl_easy_getinfo

curl_easy_init

curl_easy_pause

curl_easy_perform

curl_easy_recv

curl_easy_reset

curl_easy_send

curl_easy_setopt

curl_easy_strerror

curl_easy_unescape

curl_escape

curl_formadd

curl_formfree

curl_formget

curl_free

curl_getdate

curl_getenv

curl_global_cleanup

curl_global_init

curl_global_init_mem

curl_maprintf

curl_mfprintf

curl_mprintf

curl_msnprintf

curl_msprintf

curl_multi_add_handle

curl_multi_assign

curl_multi_cleanup

curl_multi_fdset

curl_multi_info_read

curl_multi_init

curl_multi_perform

curl_multi_remove_handle

curl_multi_setopt

curl_multi_socket

curl_multi_socket_action

curl_multi_socket_all

curl_multi_strerror

curl_multi_timeout

curl_multi_wait

curl_mvaprintf

curl_mvfprintf

curl_mvprintf

curl_mvsnprintf

curl_mvsprintf

curl_share_cleanup

curl_share_init

curl_share_setopt

curl_share_strerror

curl_slist_append

curl_slist_free_all

curl_strequal

curl_strnequal

curl_unescape

CryptDestroyKey

CryptImportKey

RegCloseKey

RegCreateKeyExA

RegOpenKeyA

RegOpenKeyExA

_acmdln

_amsg_exit

ShellExecuteExA

ADVAPI32.dll

KERNEL32.dll

msvcrt.dll

SHELL32.DLL

WS2_32.dll

WSOCK32.DLL

2%2C2L2b2

2.282>2^2

3/464=4}4

7 80878 90979

8 9(909\9

=0>8>@>^>

> >$>0>4>8>

: :$:(:,:0:4:8:

;$;(;,;0;4;8;

c%m/%d/%y

emsvcrt.dll

!"#$%&'()* ,-./012345678