Gen:Variant.Adware.Kazy.559039 (B) (Emsisoft), Gen:Variant.Adware.Kazy.559039 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6050bd32b4762f279017abddf83429d5
SHA1: e87de08e09f48ca793881b6eaaf3e01edc5c6686
SHA256: 8bfcaf0a452e20dfd3303a6b9f925067d32d68fb49f49de31191fbedea56cd23
SSDeep: 49152:JbzJQNMlmyHOXIIDpoA58 WNazhnwHAeVywv/6 Mo9Ere/V0:JRQNGmyHopYIZJHwv/6Ji/q
Size: 4868040 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: TODO:
Created at: 2013-07-23 00:41:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
tmp5.exe:464
tmp2.exe:1252
The Trojan injects its code into the following process(es):
%original file name%.exe:320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.exe (157 bytes)
%Documents and Settings%\%current user%\Application Data\iPumper\config.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6050bd32b4762f279017abddf83429d5_000320.log (29270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (0 bytes)
The process tmp2.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\amipb[1].js (22235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1BXCJDKW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CA4RR9LF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\index[1].htm (4052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (0 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 11 A0 96 B6 37 E3 B1 30 56 7D 78 C8 FC 71 A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp5.exe" = "Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Escolade]
"Guid" = "3ef7641038b311e581cc000c298a8b37"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp2.exe" = "Installer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process tmp5.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
"(Default)" = "AmiBs.Installer"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
"(Default)" = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
"(Default)" = "Installer Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCR\AmiBs.Installer.1\CLSID]
"(Default)" = "{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp5.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\AmiBs.Installer]
"(Default)" = "Installer Class"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp5\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
"(Default)" = "IBoot"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\AmiBs.Installer.1]
"(Default)" = "Installer Class"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
"(Default)" = "{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
"(Default)" = "AmiBs.Installer.1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 30 62 F1 0D 03 22 C6 8E 07 E4 0E AF 89 85 00"
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
"(Default)" = "InstallerLib"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCR\AmiBs.Installer\CurVer]
"(Default)" = "AmiBs.Installer.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\TypeLib]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Version]
[HKCR\AmiBs.Installer.1\CLSID]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\ProgID]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0\win32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\FLAGS]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}]
[HKCR\AmiBs.Installer.1]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\TypeLib]
[HKCR\Interface\{D54C859C-6066-4F31-8FE0-2AAEDCAE67D7}\ProxyStubClsid32]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\0]
[HKCR\AmiBs.Installer]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\Programmable]
[HKCR\AmiBs.Installer\CurVer]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\VersionIndependentProgID]
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}]
[HKCR\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}\1.0\HELPDIR]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCR\CLSID\{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}\LocalServer32]
"ServerExecutable"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp5\DEBUG]
"Trace Level"
The process tmp2.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\AmiBs.Boot.1]
"(Default)" = "Boot Class"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID]
"(Default)" = "AmiBs.Boot.1"
[HKCR\AmiBs.Boot\CurVer]
"(Default)" = "AmiBs.Boot.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AmiBs.Boot.1\CLSID]
"(Default)" = "{F04A2CA1-9140-4553-B6C4-03E4139ECA93}"
[HKCR\AmiBs.Boot]
"(Default)" = "Boot Class"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID]
"(Default)" = "AmiBs.Boot"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
"(Default)" = "{4ECB13A5-757F-472B-8E54-EE529A450220}"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}]
"(Default)" = "IBoot"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0]
"(Default)" = "BootStrapperLib"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib]
"(Default)" = "{4ECB13A5-757F-472B-8E54-EE529A450220}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp2.exe"
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "tmp2.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB B9 77 69 D0 A4 10 78 5E 50 08 DC 18 FF C7 88"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1354017460"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp2\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}]
"(Default)" = "Boot Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\HELPDIR]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}]
[HKCR\AmiBs.Boot.1]
[HKCR\AmiBs.Boot\CurVer]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}]
[HKCR\AmiBs.Boot]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32]
[HKCR\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib]
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Programmable]
[HKCR\AmiBs.Boot.1\CLSID]
[HKCR\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\0\win32]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmp2\DEBUG]
"Trace Level"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"
[HKCR\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32]
"ServerExecutable"
Dropped PE files
MD5 | File path |
---|---|
7222f8144a764f45b21fbc89e007c4c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\htmlayout.dll |
b7bd4dba39f45e1cf57683cab3a6f120 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.exe |
0bd49da3957331a9a932e8be35448de1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp5.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tmp5.exe:464
tmp2.exe:1252
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.exe (157 bytes)
%Documents and Settings%\%current user%\Application Data\iPumper\config.xml (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6050bd32b4762f279017abddf83429d5_000320.log (29270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D84QQBV6\amipb[1].js (22235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1BXCJDKW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CA4RR9LF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ami3.tmp.ico (766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\index[1].htm (4052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y6R5H6KK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (14 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.
Legal Copyright:
Legal Trademarks:
Original Filename: xyzeAhK3X.lnk_
Internal Name: xyzeAhK3X.lnk_
File Version: 0.0.0.
File Description: iPumpe
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 403571 | 403968 | 4.56747 | ab9143413605400bbb2f6fd9535b900d |
.rdata | 409600 | 90682 | 91136 | 3.51744 | 519033a4b55b82f2dd933ec9cea0f213 |
.data | 503808 | 36608 | 9216 | 2.81532 | 40fdd4ae460b41f3fdb50fdf539d7509 |
.rsrc | 540672 | 4333568 | 4329984 | 3.03413 | d39338c96bc2bc1410e1cd8471b43fcd |
.reloc | 4874240 | 26820 | 27136 | 3.31665 | 127ac5e6d488e397c238b06e29a1b995 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
6cb468d8e106fd18f7d79c89cde5649f
619176599c8f8188c6a04179a75b0766
633aa8736aaf2d53a59af8b2b6333c04
9e94722d253d6f8f21ad96a78f7c4320
Network Activity
URLs
URL | IP |
---|---|
hxxp://urlforward.topdns.com/api/cc | |
hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc | 78.140.166.249 |
hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc | 188.164.255.157 |
hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc= | 206.190.150.104 |
hxxp://urlforward.topdns.com/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | |
hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | 78.140.166.249 |
hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | 188.164.255.157 |
hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0= | 206.190.150.104 |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing | |
hxxp://dyno3mlj15jgv.cloudfront.net/V26/amipb.js | |
hxxp://urlforward.topdns.com/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | |
hxxp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | 78.140.166.249 |
hxxp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | 188.164.255.157 |
hxxp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw== | 206.190.150.104 |
hxxp://cdn1.downloadsoup.com/V26/amipb.js | 54.239.168.104 |
hxxp://www.freefilesdownloader.com/api/cc | 199.59.160.184 |
hxxp://www.freefilesdownloader.com/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 | 199.59.160.184 |
hxxp://www.amonetizeinstaller.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing | 107.21.125.212 |
hxxp://www.freefilesdownloader.com/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 | 199.59.160.184 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.amonetizeinstaller.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: hXXp://VVV.somauto.com
Content-Type: text/html; charset=UTF-8
Date: Sun, 02 Aug 2015 01:10:15 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
159c.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>.. <head>.. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> .. <title>Installer</title>.. <base href="hXXp://VVV.amonetizeinstaller.com:80/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing" />.. <script type="text/javascript" src="http://cdn1.downloadsoup.com/V26/amipb.js"></script>.. <script type="text/javascript">.. var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';.. var g_finish_install_button = '0';.. var g_popup_install_all = '0';.. var g_eula = '';.. var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=0&_psb=0&_cnt=17a44a22fad08cc0b155094444c454a2&_instid=&_brw=ie&_fc=0&_appname=&_appimageurl=&_netfs=0&_vert=0';.. var g_icon = '';.. var g_comps = [], g_pages = [], c, g_curPage = -1;.. var g_cid = '0';.. var g_tid = '';.. var g_cc = 'UA';.. var g_lang = 'en';.. var g_ip = '193.138.244.231';.. var g_browser = 'ie';.. var g_cnt = '6e3a7fadab157730fdf029b3bdb897c8';.. var g_ver = '1.1.2.41';..
<<< skipped >>>
GET /api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close
HTTP/1.1 302 Found
Date: Sun, 02 Aug 2015 00:45:40 GMT
Server: Apache
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: y.the-ad.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 02 Aug 2015 01:10:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u4
Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaN5mFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPkMQ==; expires=Mon, 01-Aug-2016 01:10:13 GMT; path=/; domain=the-ad.net
Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:13 GMT; path=/; domain=the-ad.net
121..<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc=" chk;document.getElementsByTagName("head")[0].appendChild(s);}check(19960);</script></head><body></body></html>..0..
GET /api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close
HTTP/1.1 302 Found
Date: Sun, 02 Aug 2015 00:45:49 GMT
Server: Apache
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: rc-aflrm.com
Connection: Close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 02 Aug 2015 01:10:18 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: Express
Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:18 GMT; HttpOnly
Set-Cookie: affhstr=MMJht12R8mf5XS5H9qrguZjpYYD4lCRnnyi8GNMUlyE.; Path=/; Expires=Mon, 01 Aug 2016 01:10:18 GMT; HttpOnly
Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRWssHMR7Vg_WwF0AkPt6181inzrpzZEGPL_nlC8StgvcU.; Path=/; Expires=Mon, 03 Aug 2015 01:10:18 GMT; HttpOnly
Vary: Accept
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw==
Content-Length: 250
Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U%2BT3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw%3D%3D..
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: rc-aflrm.com
Connection: Close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 02 Aug 2015 01:10:09 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: Express
Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:09 GMT; HttpOnly
Set-Cookie: affhstr=SxJUEk_TrqMsAi_i3WZIhxQxIMq3E0MVOtKtU9Smmos.; Path=/; Expires=Mon, 01 Aug 2016 01:10:09 GMT; HttpOnly
Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRWVTeiHGNz3gVK4cwKuZbGnjsf8CF6j956bb8f7mbeIDY.; Path=/; Expires=Mon, 03 Aug 2015 01:10:09 GMT; HttpOnly
Vary: Accept
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu/NdgFenPL1+kiGIS/oBRE/qBFA/RzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc=
Content-Length: 186
Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777ooMLeoLXOs3GIu%2FNdgFenPL1%2BkiGIS%2FoBRE%2FqBFA%2FRzVgO0MpYAtg4VU2YbBonzThIc8Y1SHPIJLc%3D..
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: unlimitedloads.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.10
Date: Sun, 02 Aug 2015 01:10:13 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.10</center>..</body>..</html>....
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: unlimitedloads.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.10
Date: Sun, 02 Aug 2015 01:10:23 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/firstscreenshown/3ef7641038b311e581cc000c298a8b37/11300001
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.10</center>..</body>..</html>....
GET /nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: rc-aflrm.com
Connection: Close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 02 Aug 2015 01:10:10 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: Express
Set-Cookie: affgrprt=ac8251773404be77214325787c0829dcf72fd158; Path=/; Expires=Mon, 01 Aug 2016 01:10:10 GMT; HttpOnly
Set-Cookie: affhstr=cbUq31HdMjvKxUKaxyzjeLUlwSpdyT1Zx9780v1N9Y0.; Path=/; Expires=Mon, 01 Aug 2016 01:10:10 GMT; HttpOnly
Set-Cookie: affrdrct=32dP4337c47CJ-BbY7bMp37gNSivA0NJsUbwt0O4mK3qKHK0X07glVy_nrv0HoRW9leZcTZQbTjgMpmg0V2FEMXmYV5ORfiNeA4wKBeqGhs.; Path=/; Expires=Mon, 03 Aug 2015 01:10:10 GMT; HttpOnly
Vary: Accept
Location: hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0=
Content-Length: 294
Moved Temporarily. Redirecting to hXXp://y.the-ad.net/j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1%2FUZ0R13zhKdcQ9T3rJPrV%2BySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti%2F6Nwf7jiLTCqp3lS5qx0Uu6SZV0%3D..
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd7778iZLepPHm6hDZwv404Vb7GaEOy2mke6cFQFr7GVgOFzFMHh55fCthiQQfUZE8gwz5Ud8U+T3rIIbJoj2DlO2QkumY0L7htMQfnJ3xAqlo2WKlbMlnsVykFkFYoApBKEQCNBVBUwh8VcIBLHn2AuwB8jw== HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: y.the-ad.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 02 Aug 2015 01:10:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u4
Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaO5mFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPhO3Jq/yVnb+o/ZlL7MXtLslBWGv4AIxurWygCmwwvBJYXFQGaFUcNn0pLc4pGTX3VsQdsicAFfIy6CGHzvw==; expires=Mon, 01-Aug-2016 01:10:23 GMT; path=/; domain=the-ad.net
Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:23 GMT; path=/; domain=the-ad.net
121..<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc=" chk;document.getElementsByTagName("head")[0].appendChild(s);}check(12990);</..
GET /V26/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.amonetizeinstaller.com/index.php?ts=1438477824&Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp2&lang_DfltSys=0409&lang_DfltUser=0409&s=Y&screen=1276x818&ver=1.1.2.41&i=WSbing
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 67392
Connection: keep-alive
Date: Wed, 29 Jul 2015 11:41:12 GMT
x-amz-meta-cb-modifiedtime: Wed, 29 Jul 2015 05:06:06 GMT
Last-Modified: Wed, 29 Jul 2015 11:32:50 GMT
ETag: "8f5a83ae50a0bbb833ac39d48197be0f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 48527
X-Cache: Hit from cloudfront
Via: 1.1 f96185b1d69d6f85635bc2b5554da639.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6xCzLhQycfjR-YoxJ4KTf2sLB5-FXFpguplV0KwJhbZx9SXtWhKdPQ==
..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];..function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) {.. }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i ) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. g_reportedComps.push(sn);.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c ) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j ) {.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. if (g_possibleComps[j].sel !== 2 && !IsDeclined(g_possibleComps[j].sn) && !IsDeclined(g_possibleComps[j].name)) {.. var k = 0;.. try {..
<<< skipped >>>
GET /api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close
HTTP/1.1 302 Found
Date: Sun, 02 Aug 2015 00:45:39 GMT
Server: Apache
location: hXXp://unlimitedloads.com/dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/cc
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /dt?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: unlimitedloads.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.10
Date: Sun, 02 Aug 2015 01:10:15 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: hXXp://rc-aflrm.com/nav?k=cff6b189c27d17c7831a0bc63f5182ed&q=File Downloader/api/keywordexecute/3ef7641038b311e581cc000c298a8b37/11300001/6050bd32b4762f279017abddf83429d5
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.0.10</center>..</body>..</html>....
GET /j5GDXm7V6X9pw6NTZdm1JnyTtDd777Iub7OyPX6tmTZ9uZEyDeOMPRHi2W4a68kBHe3EAgfYyAhV1M1fWdo4S1/UZ0R13zhKdcQ9T3rJPrV+ySXlNjMr6WIzK708Ohaqbj0S9gB0Tf1eJxmtU3wEhR1pV84WHQibRhYKmEMONcoOSXiPpEF7hqBAPoK7DGL7ugti/6Nwf7jiLTCqp3lS5qx0Uu6SZV0= HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: y.the-ad.net
Connection: Close
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sun, 02 Aug 2015 01:10:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.4.4-14 deb7u4
Set-Cookie: __d89=jcmxaHbZpF47hfkMMozmdDaN4WFxrLAofZuzICf4xzV3vpYjfaOcOU+w0G4a6MNUGeXTAVuSih9plcApU4RkWHqDchkun2gfI4YoTQyZYeprzlPsN3lu5CRgePc/a1TnOykX0VF1T6xQIByvWSBTkF8tUJJKEVrIRhQNzEgRedJGTnaApwIPircHfY+6CGDmvHpj96dwO6+ldj/7rX5Ttax7XOeTZwi5wjAL55lsQ9rKaQ==; expires=Mon, 01-Aug-2016 01:10:14 GMT; path=/; domain=the-ad.net
Set-Cookie: PHPSESSID=58451017baeadb97183c5cc32cfd96b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s=58451017baeadb97183c5cc32cfd96b5; expires=Tue, 04-Aug-2015 01:10:14 GMT; path=/; domain=the-ad.net
120..<html><head><title> </title><script type="text/javascript">function check(id){d=new Date();chk=(20-(d.getTimezoneOffset()/60))*id;s=document.createElement("script");s.src="/?nc=" chk;document.getElementsByTagName("head")[0].appendChild(s);}check(2350);</script></head><body></body></html>..0..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_320:
.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
xSSSh
FTPjKS
FtPj;S
C.PjRV
PASSWORD
REPORT
RegOpenKeyTransactedW
Cannot put setting information: %x
CreateProcess failed (%d).
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
Product version: 1.0.1.1
1,0,1,1099
HTMLayout.dll
operator
portuguese-brazilian
GetProcessWindowStation
C:\iPumper\iPumper\Installer\Build\Release\TinyInstaller.pdb
HTMLayoutCombineURL
NETAPI32.dll
dbghelp.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW
ADVAPI32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WinHttpOpen
WinHttpCloseHandle
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
Secur32.dll
RPCRT4.dll
PSAPI.DLL
GetCPInfo
.?AUIHttpRequestEvents@Http@CommonLib@@
.?AVCThreadCRT@System@CommonLib@@
Checking is %s installed
Stopped dumping amitest.txt
Started deleting amitest.txt
amitest.txt
Started dumping amitest.txt
mism.exe started
Starting mism.exe
AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
TypeLib\{44444444-4444-4444-4444-440344264420}\1.0\0\win32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_New Toolbar
TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}\1.0\0\win32
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Run
VVV.products-placement.com
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
chromex
[d/d/d
d:d:d:d]
https:
http:
29-03-2013
Advapi32.dll
[ASCTaskScheduler] Error: TaskUrl value is invalid
QueryServiceStatusEx failed (%d)
[ASCTaskScheduler] Error: pExecAction->put_Path is failed
TaskUrl
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Can't delete file: %s
finish_screen.html
Key doesn't exist
Key exists
Checking does %s\%s exists
simapp_id: '%s'
"%s" --uninstall
"%s",1
Installing from: '%s' to '%s'
Mozilla\FireFox\Extensions
ntfdsaftsfdfdxx@mozilla.org
extension_firefox.xpi
Installing firefox extension
Installed: '%s'
Google\Chrome\Extensions\%s
extension_chrome.crx
Installing chrome extension
\iPumper.lnk
Starting distrib uninstaller: '%s'
Usenet.nl.exe
mediaget.exe
iPumper.exe
Uninstalling: '%s'
%s\%s
User global groups: %s
User local groups: %s
Default browser path: '%s'
http\shell\open\command
Windows version: %s
Parent process path: '%s'
Special param --config: '%s'
hXXp://%s/up/?key=%s&where=%s
%domain%
hXXp://%s/log/%s_crashlog
%s%i: %s - 0x%0X
\Updater.exe
Updater.exe was extracted
Extracting Updater.exe
Updater.exe
\extension_firefox.xpi
\extension_chrome.crx
\config.xml
Checking --auto switch: %d
Checking --silent switch: %d
Checking --uninstall switch: %d
Command line: '%s'
hXXp://%s/log/%s
Flushing log to domain: '%s'
CT3272810.startpageurl = %s
CT3272810.startpageurl
HKEY_CURRENT_USER\Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository exists
Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository
wstest.exe started
Starting wstest.exe
Qtrax folder was found: '%s'
\Microsoft\Silverlight\OutOfBrowser\*.portal.qtrax.com
Ping sent. Url: '%s'. Status: %d
secret_key
%s/%s
keywordinstalled
keywordexecute
hXXp://%s/api/%s/%s/%s
hXXp://%s/%s/suddendeath/
%s screen: cancel is pressed
%s screen: continue is pressed
%s screen is shown
.html
Start %s screen
Uninstalled started. Self path: '%s'
started: %d
?id_1=%s&id_2=%s&id_3=%s
zid: %s
bid: %s
visitor_id: %s
/s /i SweetImBing /u hXXp://VVV.amoninst.com/index.php /ta /x_t_b_toolbar
/u hXXp://VVV.amoninst.com/index.php /ta
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\avast
Oxy path: %s
\Oxy\Application\Oxy.exe
transmission-daemon.exe
hXXp://download.microsoft.com/download/c/6/e/c6e88215-0178-4c6c-b5f3-158ff77b1f38/NetFx20SP2_x86.exe
dotnetfx35.exe
v2.0.50727
\iPumper\iPumper.exe
Distrib downloaded: '%s'. Size: '%d'
hXXps://
hXXp://
Generated GUID: '%s'. Last error: %d
Keyword: '%s'
Programs path: '%s'
Install path: '%s'
Configured affid: '%s'
config.xml
download_screen.html
splash_screen.html
Installer started. Self path: '%s'. Self name: '%s'
KERNEL32.DLL
Windows NT 4
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows CE
Windows NT 3.51
Windows 95
Windows 95 SP1
Windows 95 OSR2
Windows 98
Windows 98 SP1
Windows 98 SE
Windows ME
unknown Windows version
Web Server Edition
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
c:\%original file name%.exe
0.0.0.0
xyzeAhK3X.lnk_p
%original file name%.exe_320_rwx_10001000_0025B000:
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
Bogus message code %d
%ld%c
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng warning: %s
Buffer error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
?#%X.y
GetProcessWindowStation
USER32.DLL
operator
accesskey
user32.dll
CSS ERROR, bad selector in select_elements_by_css: %S
uxtheme.dll
uxtheme.dll
orientation-portrait
orientation-portrait
composition-supported
composition-supported
1.4.3
1.4.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
1.2.3
file://%s
file://%s
Error: cannot open %sError: cannot open %sCSSS! RUNTIME ERROR evaluating:%s
CSSS! RUNTIME ERROR evaluating:%s
SourceUrl
SourceUrl
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Type: application/x-www-form-urlencoded;charset=utf-8
https
https
htmlayout 3.3; %s; VVV.terrainformatica.com )
htmlayout 3.3; %s; VVV.terrainformatica.com )
HTTP/1.0
HTTP/1.0
Content-Length: %d
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
Content-Type: multipart/form-data; boundary=%s
key-on!
key-on!
key-off!
key-off!
CSS ERROR in %s at line %d: bad attribute declaration syntax:
CSS ERROR in %s at line %d: bad attribute declaration syntax:
CSS ERROR in %s at line %d: bad attribute syntax, ignored:
CSS ERROR in %s at line %d: bad attribute syntax, ignored:
CSS ERROR in %s at line %d: bad combination of 'display-model' and 'display'
CSS ERROR in %s at line %d: bad combination of 'display-model' and 'display'
CSS ERROR in %s at line %d: tag %s was already defined
CSS ERROR in %s at line %d: tag %s was already defined
CSS ERROR in %s at line %d: 'display-model' without 'display' definition
CSS ERROR in %s at line %d: 'display-model' without 'display' definition
CSS ERROR in %s at line %d: bad css selector, following declaration skipped:
CSS ERROR in %s at line %d: bad css selector, following declaration skipped:
CSS ERROR in @import statement at line %d:
CSS ERROR in @import statement at line %d:
CSS ERROR in @include statement at line %d:
CSS ERROR in @include statement at line %d:
CSS ERROR in @font-face statement at line %d, font resource %s is not available
CSS ERROR in @font-face statement at line %d, font resource %s is not available
CSS ERROR in @font-face statement at line %d, failed to install font
CSS ERROR in @font-face statement at line %d, failed to install font
CSS ERROR in @font-face statement at line %d, declaration is not complete
CSS ERROR in @font-face statement at line %d, declaration is not complete
CSS ERROR in @font-face statement at line %d:
CSS ERROR in @font-face statement at line %d:
CSS ERROR in @set statement at line %d:
CSS ERROR in @set statement at line %d:
CSS ERROR in @set statement at line %d, parent set %s is not found
CSS ERROR in @set statement at line %d, parent set %s is not found
CSS ERROR in %s at line %d: AT-rule is not acceptable here, following declaration skipped:
CSS ERROR in %s at line %d: AT-rule is not acceptable here, following declaration skipped:
CSS ERROR in %s at line %d: wrong @const declaration, following statement skipped:
CSS ERROR in %s at line %d: wrong @const declaration, following statement skipped:
CSS ERROR in %s at line %d: invalid @media declaration
CSS ERROR in %s at line %d: invalid @media declaration
crosshair
crosshair
url()
url()
CSS ERROR in colorize() function: bad color value: %S
CSS ERROR in colorize() function: bad color value: %S
CSS ERROR, function '%s' is not supported
CSS ERROR, function '%s' is not supported
CSSS! ERROR in %s at line %d: %s
CSSS! ERROR in %s at line %d: %s
res:master.css
res:master.css
CSSS! RUNTIME ERROR:%s
CSSS! RUNTIME ERROR:%s
ERROR: cyclic INCLUDE of url %s
ERROR: cyclic INCLUDE of url %s
http-equiv
http-equiv
button.plus
button.plus
password
password
-password-char
-password-char
%u-%u-%u
%u-%u-%u
%u:%u:%u
%u:%u:%u
comctl32.dll
comctl32.dll
:
:
.today
.today
.other-month
.other-month
u-u-u
u-u-u
.other-year
.other-year
.other-decade
.other-decade
%d-
%d
%d-
%d
image%d%s
image%d%s
http:*
http:*
https:*
https:*
%d(%d)
%d(%d)
cid:%s
cid:%s
Windows-3.11
Windows-3.11
Windows-95
Windows-95
Windows-95-OSR2
Windows-95-OSR2
Windows-98
Windows-98
Windows-98-SE
Windows-98-SE
Windows-ME
Windows-ME
Windows-CE
Windows-CE
Windows-NT4
Windows-NT4
Windows-2000
Windows-2000
Windows-2003
Windows-2003
Windows-XP
Windows-XP
Windows-Vista
Windows-Vista
Windows-7
Windows-7
above-Windows-7
above-Windows-7
%Y-%m-%dZ
%Y-%m-%dZ
%Y-%m-%d
%Y-%m-%d
%Y-%m-%dT%H:%MZ
%Y-%m-%dT%H:%MZ
%Y-%m-%dT%H:%M
%Y-%m-%dT%H:%M
%Y-%m-%dT%H:%M:%SZ
%Y-%m-%dT%H:%M:%SZ
%Y-%m-%dT%H:%M:%S
%Y-%m-%dT%H:%M:%S
%H:%M:%SZ
%H:%M:%SZ
%H:%M:%S
%H:%M:%S
/:$-_.!*'(),?&=@#%
/:$-_.!*'(),?&=@#%
windows-1250
windows-1250
windows-1253
windows-1253
windows-1256
windows-1256
windows-1255
windows-1255
windows-1251
windows-1251
windows-1252
windows-1252
windows-1257
windows-1257
windows-1258
windows-1258
windows-1254
windows-1254
windows-874
windows-874
unknown bytecode=%d
unknown bytecode=%d
attribute '%S' not found or is read only
attribute '%S' not found or is read only
attribute '%S' not found
attribute '%S' not found
function '%S' not found
function '%S' not found
state flag '%S' not found
state flag '%S' not found
state flag '%S' not found or is read only
state flag '%S' not found or is read only
event '%S' not found
event '%S' not found
constant '%S' not found
constant '%S' not found
unknown character with code 0x%x
unknown character with code 0x%x
unexpected token '%S'
unexpected token '%S'
got '%S' but required %S
got '%S' but required %S
bad name token '%S'
bad name token '%S'
unknown variable '%S'
unknown variable '%S'
Msimg32.dll
Msimg32.dll
image/vnd.microsoft.icon
image/vnd.microsoft.icon
UXTHEME.DLL
UXTHEME.DLL
burlywood
burlywood
%1x%1x%1x
%1x%1x%1x
%1x%1x%1x%1x
%1x%1x%1x%1x
%2x%2x%2x
%2x%2x%2x
%2x%2x%2x%2x
%2x%2x%2x%2x
%s,%u,%d,%d:%dx%d,%d,%d,%d,%d,%d,X
%s,%u,%d,%d:%dx%d,%d,%d,%d,%d,%d,X
,XXXXXX
,XXXXXX
url(*)
url(*)
0123456789
0123456789
stroke-linejoin
stroke-linejoin
zcÃ
zcÃ
) *,*,* *-*.*.*-*4*5*5*4*
) *,*,* *-*.*.*-*4*5*5*4*
.?AUevent_key@html@@
.?AUevent_key@html@@
.?AUimage_functor@?1??get_image_urls@document@html@@QAEXAAV?$array@Vstring@tool@@@tool@@@Z@
.?AUimage_functor@?1??get_image_urls@document@html@@QAEXAAV?$array@Vstring@tool@@@tool@@@Z@
.?AUexec_env@csss@html@@
.?AUexec_env@csss@html@@
.?AUurl_edit_ctl@html@@
.?AUurl_edit_ctl@html@@
.?AUurl_ctl_factory@html@@
.?AUurl_ctl_factory@html@@
.?AUpassword_edit_ctl@html@@
.?AUpassword_edit_ctl@html@@
.?AUpassword_ctl_factory@html@@
.?AUpassword_ctl_factory@html@@
!"#$%&'()
!"#$%&'()
c:\%original file name%.exe
c:\%original file name%.exe
.www=9Z
.www=9Z
style="foreground-image:url(res:edit-undo.png)"
style="foreground-image:url(res:edit-undo.png)"
>UndoCtrl Z
>UndoCtrl Z
style="foreground-image:url(res:edit-cut.png)"
style="foreground-image:url(res:edit-cut.png)"
>CutCtrl X
>CutCtrl X
style="foreground-image:url(res:edit-copy.png)"
style="foreground-image:url(res:edit-copy.png)"
>CopyCtrl C
>CopyCtrl C
style="foreground-image:url(res:edit-paste.png)"
style="foreground-image:url(res:edit-paste.png)"
>PasteCtrl V
>PasteCtrl V
>Select AllCtrl A
>Select AllCtrl A
PA
PA
style="foreground-image:url(res:edit-undo.png)"
style="foreground-image:url(res:edit-undo.png)"
>UndoCtrl Z
>UndoCtrl Z
style="foreground-image:url(res:edit-cut.png)"
style="foreground-image:url(res:edit-cut.png)"
>CutCtrl X
>CutCtrl X
style="foreground-image:url(res:edit-copy.png)"
style="foreground-image:url(res:edit-copy.png)"
>CopyCtrl C
>CopyCtrl C
style="foreground-image:url(res:edit-paste.png)"
style="foreground-image:url(res:edit-paste.png)"
>PasteCtrl V
>PasteCtrl V
>Select AllCtrl A
>Select AllCtrl A
>MergeBackspace
>MergeBackspace
>Split by rowsCtrl 1
>Split by rowsCtrl 1
>Split by columnsCtrl 2
>Split by columnsCtrl 2
P
P
PADhtml { behavior: accesskeys; }
PADhtml { behavior: accesskeys; }
background-image:url(theme:groupbox-normal);
background-image:url(theme:groupbox-normal);
fieldset > legend:rtl /* see hXXp://terrainformatica.com/forums/topic.php?id=1772 */
fieldset > legend:rtl /* see hXXp://terrainformatica.com/forums/topic.php?id=1772 */
widget[type="password"],
widget[type="password"],
input[type="password"],
input[type="password"],
widget[type="url"],
widget[type="url"],
input[type="url"],
input[type="url"],
background-image:url(theme:edit-normal);
background-image:url(theme:edit-normal);
context-menu:url(res:behavior-edit-menu.htm);
context-menu:url(res:behavior-edit-menu.htm);
background-image:url(theme:edit-disabled);
background-image:url(theme:edit-disabled);
:root[type="password"]
:root[type="password"]
behavior:password;
behavior:password;
:root[type="url"]
:root[type="url"]
behavior:url;
behavior:url;
context-menu:url(res:behavior-edit-menu.htm);
context-menu:url(res:behavior-edit-menu.htm);
:root > button.minus
:root > button.minus
background-image:url(theme:v-spin-minus-normal);
background-image:url(theme:v-spin-minus-normal);
:root:rtl > button.minus
:root:rtl > button.minus
:root > button.minus:hover
:root > button.minus:hover
background-image:url(theme:v-spin-minus-hover);
background-image:url(theme:v-spin-minus-hover);
:root > button.minus:active
:root > button.minus:active
background-image:url(theme:v-spin-minus-pressed);
background-image:url(theme:v-spin-minus-pressed);
:root > button.minus:disabled
:root > button.minus:disabled
background-image:url(theme:v-spin-minus-disabled);
background-image:url(theme:v-spin-minus-disabled);
:root > button.plus
:root > button.plus
background-image:url(theme:v-spin-plus-normal);
background-image:url(theme:v-spin-plus-normal);
:root:rtl > button.plus
:root:rtl > button.plus
:root > button.plus:hover
:root > button.plus:hover
background-image:url(theme:v-spin-plus-hover);
background-image:url(theme:v-spin-plus-hover);
:root > button.plus:active
:root > button.plus:active
background-image:url(theme:v-spin-plus-pressed);
background-image:url(theme:v-spin-plus-pressed);
:root > button.plus:disabled
:root > button.plus:disabled
background-image:url(theme:v-spin-plus-disabled);
background-image:url(theme:v-spin-plus-disabled);
background-image:url(theme:button-normal);
background-image:url(theme:button-normal);
background-image:url(theme:button-defaulted);
background-image:url(theme:button-defaulted);
background-image:url(theme:button-hover);
background-image:url(theme:button-hover);
background-image:url(theme:button-pressed);
background-image:url(theme:button-pressed);
background-image:url(theme:button-disabled);
background-image:url(theme:button-disabled);
background-image:url(theme:button-pressed); /* ?? */
background-image:url(theme:button-pressed); /* ?? */
background-image:url(theme:radio-normal);
background-image:url(theme:radio-normal);
background-image:url(theme:radio-hover);
background-image:url(theme:radio-hover);
background-image:url(theme:radio-pressed);
background-image:url(theme:radio-pressed);
background-image:url(theme:radio-disabled);
background-image:url(theme:radio-disabled);
background-image:url(theme:radio-checked-normal);
background-image:url(theme:radio-checked-normal);
background-image:url(theme:radio-checked-hover);
background-image:url(theme:radio-checked-hover);
background-image:url(theme:radio-checked-pressed);
background-image:url(theme:radio-checked-pressed);
background-image:url(theme:radio-checked-disabled);
background-image:url(theme:radio-checked-disabled);
background-image:url(theme:check-normal);
background-image:url(theme:check-normal);
background-image:url(theme:check-hover);
background-image:url(theme:check-hover);
background-image:url(theme:check-pressed);
background-image:url(theme:check-pressed);
background-image:url(theme:check-disabled);
background-image:url(theme:check-disabled);
background-image:url(theme:check-checked-normal);
background-image:url(theme:check-checked-normal);
background-image:url(theme:check-checked-hover);
background-image:url(theme:check-checked-hover);
background-image:url(theme:check-checked-pressed);
background-image:url(theme:check-checked-pressed);
background-image:url(theme:check-checked-disabled);
background-image:url(theme:check-checked-disabled);
background-image:url(theme:check-mixed-normal);
background-image:url(theme:check-mixed-normal);
background-image:url(theme:check-mixed-hover);
background-image:url(theme:check-mixed-hover);
background-image:url(theme:check-mixed-pressed);
background-image:url(theme:check-mixed-pressed);
background-image:url(theme:check-mixed-disabled);
background-image:url(theme:check-mixed-disabled);
foreground-image:url(stock:arrow-down); /* that arrow */
foreground-image:url(stock:arrow-down); /* that arrow */
background-image:url(theme:h-progress-back);
background-image:url(theme:h-progress-back);
foreground-image:url(theme:h-progress-chunk);
foreground-image:url(theme:h-progress-chunk);
background-image:url(theme:edit-normal);
background-image:url(theme:edit-normal);
background-image:url(theme:edit-disabled);
background-image:url(theme:edit-disabled);
foreground-image:url(theme:tree-view-glyph-closed); }
foreground-image:url(theme:tree-view-glyph-closed); }
foreground-image:url(theme:tree-view-glyph-open); }
foreground-image:url(theme:tree-view-glyph-open); }
/* tree line support: */
/* tree line support: */
foreground-image:url(theme:check-normal);
foreground-image:url(theme:check-normal);
option:incomplete > :first-child { foreground-image:url(theme:check-mixed-normal); }
option:incomplete > :first-child { foreground-image:url(theme:check-mixed-normal); }
option:checked > :first-child { foreground-image:url(theme:check-checked-normal); }
option:checked > :first-child { foreground-image:url(theme:check-checked-normal); }
background-image:url(theme:edit-normal);
background-image:url(theme:edit-normal);
background-image:url(theme:edit-disabled);
background-image:url(theme:edit-disabled);
foreground-image:url(theme:check-normal);
foreground-image:url(theme:check-normal);
foreground-image:url(theme:check-checked-normal);
foreground-image:url(theme:check-checked-normal);
/* caption portion of combobox */
/* caption portion of combobox */
/* caption portion of combobox when select is in focus */
/* caption portion of combobox when select is in focus */
:url(theme:combobox-button-normal);
:url(theme:combobox-button-normal);
background-image:url(theme:combobox-button-hover);
background-image:url(theme:combobox-button-hover);
background-image:url(theme:combobox-button-pressed);
background-image:url(theme:combobox-button-pressed);
background-image:url(theme:combobox-button-disabled);
background-image:url(theme:combobox-button-disabled);
:root { background-image:url(theme:button-normal); }
:root { background-image:url(theme:button-normal); }
:root:hover { background-image:url(theme:button-hover); }
:root:hover { background-image:url(theme:button-hover); }
:root:disabled { background-image:url(theme:button-disabled); }
:root:disabled { background-image:url(theme:button-disabled); }
:root:active { background-image:url(theme:button-pressed); }
:root:active { background-image:url(theme:button-pressed); }
:root > button { background: url(stock:arrow-down) center center no-repeat;}
:root > button { background: url(stock:arrow-down) center center no-repeat;}
:root > button:hover { background-image:url(stock:arrow-down); background-position: center center; background-repeat: no-repeat;}
:root > button:hover { background-image:url(stock:arrow-down); background-position: center center; background-repeat: no-repeat;}
:root > button:active { background-image:url(stock:arrow-down); background-position: center center; }
:root > button:active { background-image:url(stock:arrow-down); background-position: center center; }
:root:disabled > button { background-image:url(stock:arrow-down); background-position: center center; }
:root:disabled > button { background-image:url(stock:arrow-down); background-position: center center; }
context-menu:url(res:behavior-richtext-menu.htm);
context-menu:url(res:behavior-richtext-menu.htm);
background-image:url(theme:edit-normal);
background-image:url(theme:edit-normal);
context-menu:url(res:behavior-text-menu.htm);
context-menu:url(res:behavior-text-menu.htm);
background-image:url(theme:h-trackbar-back);
background-image:url(theme:h-trackbar-back);
:root > .slider
:root > .slider
foreground-image:url(theme:h-trackbar-thumb-normal);
foreground-image:url(theme:h-trackbar-thumb-normal);
:root:focus > .slider
:root:focus > .slider
foreground-image:url(theme:h-trackbar-thumb-focus);
foreground-image:url(theme:h-trackbar-thumb-focus);
:root > .slider:hover
:root > .slider:hover
foreground-image:url(theme:h-trackbar-thumb-hover);
foreground-image:url(theme:h-trackbar-thumb-hover);
:root > .slider:active
:root > .slider:active
foreground-image:url(theme:h-trackbar-thumb-pressed);
foreground-image:url(theme:h-trackbar-thumb-pressed);
:root:disabled > .slider
:root:disabled > .slider
foreground-image:url(theme:h-trackbar-thumb-disabled);
foreground-image:url(theme:h-trackbar-thumb-disabled);
background-image:url(theme:v-trackbar-back);
background-image:url(theme:v-trackbar-back);
foreground-image:url(theme:v-trackbar-thumb-normal);
foreground-image:url(theme:v-trackbar-thumb-normal);
foreground-image:url(theme:v-trackbar-thumb-focus);
foreground-image:url(theme:v-trackbar-thumb-focus);
foreground-image:url(theme:v-trackbar-thumb-hover);
foreground-image:url(theme:v-trackbar-thumb-hover);
:root > .slider:active
:root > .slider:active
foreground-image:url(theme:v-trackbar-thumb-pressed);
foreground-image:url(theme:v-trackbar-thumb-pressed);
foreground-image:url(theme:v-trackbar-thumb-disabled);
foreground-image:url(theme:v-trackbar-thumb-disabled);
:root > div.page
:root > div.page
/*:root > splitter:active { background:transparent url(theme:toolbar-button-checked) stretch; }*/
/*:root > splitter:active { background:transparent url(theme:toolbar-button-checked) stretch; }*/
background-image:url(stock:arrow-right); /* that arrow */
background-image:url(stock:arrow-right); /* that arrow */
/* accesskey label (span) */
/* accesskey label (span) */
span.accesskey
span.accesskey
menu > option:current span.accesskey,
menu > option:current span.accesskey,
li:current span.accesskey
li:current span.accesskey
img.hr
img.hr
menu.popup,
menu.popup,
menu.context,
menu.context,
div.prev-date
div.prev-date
background-image:url(theme:h-scrollbar-minus-normal);
background-image:url(theme:h-scrollbar-minus-normal);
div.prev-date:rtl
div.prev-date:rtl
div.prev-date:active
div.prev-date:active
background-image:url(theme:h-scrollbar-minus-pressed);
background-image:url(theme:h-scrollbar-minus-pressed);
div.prev-date:hover {
div.prev-date:hover {
background-image:url(theme:h-scrollbar-minus-hover);
background-image:url(theme:h-scrollbar-minus-hover);
div.next-date
div.next-date
background-image:url(theme:h-scrollbar-plus-normal);
background-image:url(theme:h-scrollbar-plus-normal);
div.next-date:rtl
div.next-date:rtl
div.next-date:active
div.next-date:active
background-image:url(theme:h-scrollbar-plus-pressed);
background-image:url(theme:h-scrollbar-plus-pressed);
div.next-date:hover {
div.next-date:hover {
background-image:url(theme:h-scrollbar-plus-hover);
background-image:url(theme:h-scrollbar-plus-hover);
td.month.off,
td.month.off,
td.day.off
td.day.off
td.day.other-month,
td.day.other-month,
td.year.other-year,
td.year.other-year,
td.decade.other-decade
td.decade.other-decade
:root:current td.month:current,
:root:current td.month:current,
:root:focus td.month:current,
:root:focus td.month:current,
:root:current td.day:current,
:root:current td.day:current,
:root:focus td.day:current,
:root:focus td.day:current,
:root:current td.year:current,
:root:current td.year:current,
:root:focus td.year:current,
:root:focus td.year:current,
:root:current td.decade:current,
:root:current td.decade:current,
:root:focus td.decade:current
:root:focus td.decade:current
td.today
td.today
div.button
div.button
div.button:hover
div.button:hover
background-image:url(theme:toolbar-button-hover);
background-image:url(theme:toolbar-button-hover);
div.button:active
div.button:active
background-image:url(theme:toolbar-button-pressed);
background-image:url(theme:toolbar-button-pressed);
text.statusbar
text.statusbar
span.today
span.today
span.today:hover {
span.today:hover {
background-image:url(theme:toolbar-button-hover);
background-image:url(theme:toolbar-button-hover);
span.today:active {
span.today:active {
background-image:url(theme:toolbar-button-pressed);
background-image:url(theme:toolbar-button-pressed);
span.today-legend
span.today-legend
background-image:url(theme:combobox-button-normal);
background-image:url(theme:combobox-button-normal);
:root > button.minus:rtl
:root > button.minus:rtl
:root > button.plus:rtl
:root > button.plus:rtl
GetProcessHeap
GetProcessHeap
GetConsoleOutputCP
GetConsoleOutputCP
GetCPInfo
GetCPInfo
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
GetViewportExtEx
GetViewportExtEx
GetAsyncKeyState
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
InternetCombineUrlA
InternetCombineUrlA
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
5.''.''.' '' $ ';~
5.''.''.' '' $ ';~
&)-),)-))--)--
&)-),)-))--)--
`
`
"""4.&."
"""4.&."
$,((0(($
$,((0(($
$$ ($(0,,$( 0($,, $$,\ $
$$ ($(0,,$( 0($,, $$,\ $
,40000$(((($0($((
,40000$(((($0($((
40$$$(,,,$
40$$$(,,,$
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
`
`
%d%%%%
%d%%%%
s*.url
s*.url
[id='%S'],[name='%S']
[id='%S'],[name='%S']
frame[id='%s'],frame[name='%s']
frame[id='%s'],frame[name='%s']
#xxx
#xxx
width(%d%%)
width(%d%%)
height(%d%%)
height(%d%%)
url(%S)
url(%S)
import
import
%S %S %S %S
%S %S %S %S
selector(%S)
selector(%S)
%S %S
%S %S
key-code
key-code
key-on
key-on
key-off
key-off
%s %S
%s %S
frame[id='%S'],frame[name='%S']
frame[id='%S'],frame[name='%S']
frame[name='%s'],frame#%s
frame[name='%s'],frame#%s
[name='%s']
[name='%s']
important
important
td[value='u-u-u']
td[value='u-u-u']
div.button.month
div.button.month
div.button.year
div.button.year
tr:nth-child(%d)
tr:nth-child(%d)
All files (*.*)
All files (*.*)
%S.%s
%S.%s
[command='%s']
[command='%s']
ncid:%S
ncid:%S
7%d;
7%d;
^(ftp|https?)://((\d \.\d \.\d \.\d |[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*))(:[0-9] )?((/[_a-zA-Z0-9\.\-]*) )*(\?[_a-zA-Z0-9\&\=\%\,\-\!\(\)\{\}] )?(\#[_a-zA-Z0-9\%] )?$
^(ftp|https?)://((\d \.\d \.\d \.\d |[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*))(:[0-9] )?((/[_a-zA-Z0-9\.\-]*) )*(\?[_a-zA-Z0-9\&\=\%\,\-\!\(\)\{\}] )?(\#[_a-zA-Z0-9\%] )?$
^ftp\.[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*((/[_a-zA-Z0-9\.\-]*) )*
^ftp\.[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*((/[_a-zA-Z0-9\.\-]*) )*
hXXp://
hXXp://
PTF://
PTF://
operand stack overflow
operand stack overflow
operator stack overflow
operator stack overflow
missing operand for
missing operand for
operator stack underflow
operator stack underflow
unknown _operator in evaluntil
unknown _operator in evaluntil
())(>
())(>
&'()* ,-
&'()* ,-