Gen.Variant.Barys.875_85d061c25d

by malwarelabrobot on October 28th, 2017 in Malware Descriptions.

HEUR:Backdoor.Win32.Generic (Kaspersky), Gen:Variant.Barys.875 (B) (Emsisoft), Gen:Variant.Barys.875 (AdAware), Trojan.Win32.BHO.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 85d061c25ded727572a08deac0825d7d
SHA1: fbc864e9a0d2c419bc71f3f850bf72c2a7cf7342
SHA256: 341864682f4daf6c2fddbe9ee1e2366405eadddf608f4b93950ab22451738fa3
SSDeep: 49152: cEr31ZPj7z5S3XdF7y8iIDNF3u0sG HvKrW8z5V4dHgbZVVLLL4LLnD:EXPw33biIDNFeBHvKr1tV4dHUVLLL4LH
Size: 2779136 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Xacti, LLC
Created at: 2017-10-09 22:00:58
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3448
WmiApSrv.exe:3332

The Trojan injects its code into the following process(es):

0wjTXUPi47DMRpvB.exe:3504
%original file name%.exe:3808
M6Ur4kwQrMFjAIAB.exe:2692
conhost.exe:2076

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 0wjTXUPi47DMRpvB.exe:3504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{8265AE97-932F-4A12-BCDA-C8B4F7C1E139}\_extra\Carbonsx2f.swf (34292 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (548 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Game_20160606[1].swf (122293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\gameversion[1].htm (118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EE2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EE1.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EE1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EE2.tmp (0 bytes)

The process %original file name%.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\85d061c25ded727572a08deac0825d7d\%original file name%.exe (19832 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0wjTXUPi47DMRpvB.exe (51 bytes)

The process %original file name%.exe:3808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB7F0.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB7F1.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Monitoring\system.dat (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\M6Ur4kwQrMFjAIAB.exe (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA162.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp81BE.tmp (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA163.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\27-10-2017 (366 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA160.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Monitoring\network.dat (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Geo.dat (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA161.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB7F0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA163.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA162.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB7F1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA160.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA161.tmp (0 bytes)

The process M6Ur4kwQrMFjAIAB.exe:2692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{18167723-099C-444D-BE45-539A75D1840C}\_extra\Carbonsx2f.swf (34292 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gameversion[1].htm (118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8058.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8057.tmp (53 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\gameversion[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8058.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8057.tmp (0 bytes)

Registry activity

The process 0wjTXUPi47DMRpvB.exe:3504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\D.V\Carbon 1.8\V1.8\Settings]
"crc" = "48 E5 1F C9 9F 4F C5 54 DA CD DA 78 E4 BB A0 4F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\D.V\Carbon 1.8\V1.8\Settings]
"Options" = "0B 00 00 00 43 00 61 00 72 00 62 00 6F 00 6E 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\0wjTXUPi47DMRpvB_RASMANCS]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Clients]
"PID" = "3808"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\85d061c25ded727572a08deac0825d7d_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

The Trojan deletes the following value(s) in system registry:

The process M6Ur4kwQrMFjAIAB.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\M6Ur4kwQrMFjAIAB_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\M6Ur4kwQrMFjAIAB_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\M6Ur4kwQrMFjAIAB_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\M6Ur4kwQrMFjAIAB_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\M6Ur4kwQrMFjAIAB_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\M6Ur4kwQrMFjAIAB_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process WmiApSrv.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Refreshed" = "0"

Dropped PE files

MD5	File path
676d5b67eb609113f3647318fce3258a	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0wjTXUPi47DMRpvB.exe
676d5b67eb609113f3647318fce3258a	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\M6Ur4kwQrMFjAIAB.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: D.V
Product Name: Carbon 1.8
Product Version: 1.8
Legal Copyright: N/A
Legal Trademarks:
Original Filename: Carbon 1.8.exe
Internal Name: Carbon 1.8
File Version: 1.8
File Description:
Comments:
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	2600196	2600448	5.54455	abc34a4b70405f7e45b59ac9df2014a7
.rsrc	2613248	177232	177664	4.39439	03d5be05c0b70814cf686bee2c0f055c
.reloc	2793472	12	512	0.056519	be8a2b459b05c9b5c0ddc650e73a65c4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://game.aqworlds.com/game/gameversion.asp	75.126.77.27
hxxp://aqworldscdn-qqt01jtj2jkpiim.stackpathdns.com/game/gamefiles/Game_20160606.swf
hxxp://aqworldscdn-qqt01jtj2jkpiim.stackpathdns.com/game/gamefiles/title/null
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=
hxxp://apps.digsigtrust.com/roots/dstrootcax3.p7c
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://aqworldscdn.aq.com/game/gamefiles/Game_20160606.swf	151.139.241.12
hxxp://aqworldscdn.aq.com/game/gamefiles/title/null	151.139.241.12
hxxp://apps.identrust.com/roots/dstrootcax3.p7c	192.35.177.64
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	62.140.236.170
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=	23.46.123.27
fbcdn-profile-a.akamaihd.net	88.221.133.78
k3kk.nsupdate.info	35.185.253.72

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com


HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=338427, public, no-transform, must-revalidate

Last-Modified: Tue, 24 Oct 2017 01:22:12 GMT

Expires: Tue, 31 Oct 2017 01:22:12 GMT

Date: Fri, 27 Oct 2017 03:23:04 GMT

Connection: keep-alive
0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..2017102
4012212Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..Q?.t8p.4@A.0........20171024012212Z....20171031012212Z0...*.H.....
.........s_.....}...Z(y .2..Y....'.c.]..u...Zp..............8........n
.....<9...<r;.b#..d..^.$......^..w..>.>.&.n...e........D..
Ck....^.|...2.)...d...a..LJ7Jt..P<.u..f8."fg.8E...y}If.A.....c...tf
..O]...q ..........?o../..i..X..`.L..d...\9_-.9.........[.>..2C....
......0...0...0..........^..)......<...T.0...*.H........0..1.0...U.
...US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U
...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<Ver
iSign Class 3 Public Primary Certification Authority - G50...161122000
000Z..171214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0.
..U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP
 Responder Certificate 50.."0...*.H.............0.....................
........m..|........1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...
Rp.7...0C.j.)Z........ ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...
6...(...1...#..H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.
[.[...5.e.4.....D..t.;....).J....\fV..G.........0...0...U.......0.0l..
U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .
......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........
...0... .....0......0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI
.....L.c=...r..7Z0...U.#..0.....e......0..C9...3130...*.H.........<<< skipped >>>

GET /game/gameversion.asp HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: game.aqworlds.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 118

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Fri, 27 Oct 2017 03:22:53 GMT

status=success&sFile=Game_20160606.swf&sTitle=Mogloween Returns&sBG=Ge
neric2.swf&sCharCreate=AQW-Landing-20June16B.swfHTTP/1.1 200 OK..Cache
-Control: private..Content-Length: 118..Content-Type: text/html..Serve
r: Microsoft-IIS/8.0..X-Powered-By: ASP.NET..Date: Fri, 27 Oct 2017 03
:22:53 GMT..status=success&sFile=Game_20160606.swf&sTitle=Mogloween Re
turns&sBG=Generic2.swf&sCharCreate=AQW-Landing-20June16B.swf..

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86408

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 22 Sep 2017 22:03:52 GMT

If-None-Match: "014e8acee33d31:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com


HTTP/1.1 304 Not Modified

Content-Type: application/vnd.ms-cab-compressed

Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT

ETag: "014e8acee33d31:0"

Cache-Control: max-age=604800

Date: Fri, 27 Oct 2017 03:23:18 GMT

Connection: keep-alive

X-CCC: UA

X-CID: 2

HTTP/1.1 304 Not Modified..Content-Type: application/vnd.ms-cab-compre
ssed..Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT..ETag: "014e8acee33
d31:0"..Cache-Control: max-age=604800..Date: Fri, 27 Oct 2017 03:23:18
 GMT..Connection: keep-alive..X-CCC: UA..X-CID: 2..

GET /game/gamefiles/title/null HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: aqworldscdn.aq.com

Connection: Keep-Alive


HTTP/1.1 404 Not Found

Date: Fri, 27 Oct 2017 03:23:04 GMT

Content-Type: text/html

Content-Length: 1245

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS

Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>..HTTP/1.1 404 Not Found..Date: Fri, 27 Oct 2017 03:23:04 GMT..Co
ntent-Type: text/html..Content-Length: 1245..X-Powered-By: ASP.NET<<< skipped >>>

GET /game/gamefiles/title/null HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: aqworldscdn.aq.com

Connection: Keep-Alive


HTTP/1.1 404 Not Found

Date: Fri, 27 Oct 2017 03:22:54 GMT

Content-Type: text/html

Content-Length: 1245

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

X-Cache: MISS

Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>..HTTP/1.1 404 Not Found..Date: Fri, 27 Oct 2017 03:22:54 GMT..Co
ntent-Type: text/html..Content-Length: 1245..X-Powered-By: ASP.NET<<< skipped >>>

GET /game/gameversion.asp HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: game.aqworlds.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 118

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: ASP.NET

Date: Fri, 27 Oct 2017 03:23:02 GMT

status=success&sFile=Game_20160606.swf&sTitle=Mogloween Returns&sBG=Ge
neric2.swf&sCharCreate=AQW-Landing-20June16B.swfHTTP/1.1 200 OK..Cache
-Control: private..Content-Length: 118..Content-Type: text/html..Serve
r: Microsoft-IIS/8.0..X-Powered-By: ASP.NET..Date: Fri, 27 Oct 2017 03
:23:02 GMT..status=success&sFile=Game_20160606.swf&sTitle=Mogloween Re
turns&sBG=Generic2.swf&sCharCreate=AQW-Landing-20June16B.swf..

GET /game/gamefiles/Game_20160606.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: aqworldscdn.aq.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Fri, 27 Oct 2017 03:22:54 GMT

Content-Type: application/x-shockwave-flash

Content-Length: 1808183

Cache-Control: max-age=2592000

Last-Modified: Mon, 06 Jun 2016 22:18:04 GMT

ETag: "b931ad4b41c0d11:0"

X-Powered-By: ASP.NET

Server: NetDNA-cache/2.2

Expires: Sun, 26 Nov 2017 03:22:54 GMT

X-Cache: HIT

Accept-Ranges: bytes

Connection: keep-alive
CWS...5.x...y<.].8..{..XB.J...o..kl."....R.([...%$.....A(%Q........
(.I.Z.........}|....~|>.......r...=...9.s...../....Em.....;.....9m.
......p.......q .bS..h.q\.1.....n.........x...{..\.u ..p..._...,.w...?
.....;.t....,a...H.._K.].v......H...BB...4..2...@.r.!...WGA......4K...
.D...J..<i....2..(@..(.......N....E3...@.P.<.4.]..Y....R.0A^(.I.
..........M...z..............Ch.....`.T.."o5..:@0....C....#.M....y.X..
.D.Z.b.J.h....}Fgu..T,3JA.t....p..>...`...B....l......... ....,G`..
.".>...@.....Z..(m!.1t......6z.>#.k.kt..!....%.j(.u.~.....z..2.M
h.v.Y.... Za.?....G...@..j.m.. S..$T.x.-.....Y8...=N..g.#.,'Rv...M ...
:7.......e...y.}..%t....$.c..}.. .....@.r...D..Xo...D..8V... .`.'.Z...
....].p....k.R(.~......./...k.j"....H]............x".F.#.x.Z.......lc.
:4{3..l.`..L.......AA......I84.b.q\_E%).[..3.c....l3..dwb.C...I..9..-I
..Q4.............=B.t..Z...34?....Q...............'...e.....9..h..,c..
t.@........#....}X'.Y.......U.mR.mw......A.............K1o.Q.V..[.....
.\.\*.^.s..w.0..06......(D..[-@..8.uD..52ac...4....<9.?....=...g...
.g...`.9.....4..@...~H...".<....<...L.;Z....*..i..t.-:.0....].b.
..t...v...":p.#.N.J.;b.....\.>..x.6..9^..@w....7....Bk/..!.n.'....}
.......*..k.~..O .....#Z}...M.?...1B=.u..r....z.Z.c..g.{...=.&.....|.0
....8v.`..1.#....Y<..y.9..>...6>...;>c...3.3...|.V=..6.}.U
..X~.}.........q....... ..k.Ko0...o.......r.U.1n(h..9.....^..*.....q..
.~..../....%....5.....7........b.E.?.6....'.=..w.N..o!....(A..aT&H@...
9..A..qT B..(.Ch......#..r.'.&.. .-.#I..,.>..R..C....!K.|>..<<< skipped >>>

GET /roots/dstrootcax3.p7c HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: apps.identrust.com


HTTP/1.1 200 OK

Date: Thu, 26 Oct 2017 23:19:24 GMT

Server: Apache

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT

Accept-Ranges: bytes

Content-Length: 893

Cache-control: max-age=86400

Content-Type: application/x-pkcs7-mime
0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D.....'..0
9...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U..
..DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital S
ignature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..
..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.
2....w..{........s.z..2..~..0....*8.y.1.P..e..Qc....a.Ka..Rk...K.(.H..
....>.... .[.*....p....%.tr.{j.4.0...h.{T.....Z...=d......Ap..r.&.8
U9C....\@..........%.......:..n.>..\..<..i....*.)W..=....]......
B0@0...U.......0....0...U...........0...U..........{,q...K.u...`...0..
.*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~
.....K. D.....}..j.....N...:.pI............:^H...X._..Z.......Y..n....
...f3.Y[....sG. ...7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G
..P.......dc`........}...=2.e..|.Wv...(9..e...w.j..w........).....55.1
.HTTP/1.1 200 OK..Date: Thu, 26 Oct 2017 23:19:24 GMT..Server: Apache.
.X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Last-Mo
dified: Fri, 19 Oct 2012 20:08:11 GMT..Accept-Ranges: bytes..Content-L
ength: 893..Cache-control: max-age=86400..Content-Type: application/x-
pkcs7-mime..0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.....
..D.....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust 
Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U.
...Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H....
.........0............P..W..be......,k0.[...}.@......3vI*.?!I..N..<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

0wjTXUPi47DMRpvB.exe_3504:

.text

`.rdata

@.data

.rsrc

SSShY

8SSSSSh

QSSSSh

PSSSSh

uDPW

SSSSSh

.PWuF

YYu.VW

%uWVW

.FG;}

Ht.Ht!

]`uk9UDt%9U(ua9UDt

.QPWR

.tgPV

FTPjK

FtPj;

C.PjRVj

u.VV3

L$XSSh

uùr

.SSSSSSh

HHCTRL.OCX

\\.\REGMON

\\.\REGVXD

1.1.3

SWFKit.BK

kernel32.dll

shlwapi.dll

comctl32.dll

------%s will be expired on d-d-d------

------%s will be expired after %d days after installed!------

f%d_%s

function f%d_%s() { return _call('%s', arguments);}

comdlg32.dll

urlmon.dll

user32.dll

%sX%d.cab

"%s" /Q /S

%sX%d.tmp

Failed to initialize the WIndows Socket!

%d%% Free

Physical memory available to Windows:

%d KB

0xX

SCRNSAVE.EXE

SYSTEM.INI

hXXp://VVV.swfbuddy.com

TOPURL

TWAIN_32.DLL

.main

oleaut32.dll

Src: %s

Line:%d Error:%d Scode:%x

%s\DefaultIcon

%s\shell\open\%s

windowShape

$EKHOTKEY

$KPDISABLEWINDOWKEYS

hotKey

exitKeys

keyPress

\t=~paste01.bmp

windowSize

expiryMsg

cmdItems

cmdLine

join

%s.%s

%s.%d

msgBox

winio.sys

\\.\PhysicalDrive%d

\\.\Scsi%d:

FtpGetFileSize

FtpRenameFileA

FtpDeleteFileA

FtpRemoveDirectoryA

FtpCreateDirectoryA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpFindFirstFileA

wininet.dll

Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

_InetFtp_

@F_%u

.tiff

.jpeg

VVV.swfkit.com

onGetUrl

openFtp

getHttpFileHeader

getHttpFileStatus

getHttpFileLastModifiedTime

getHttpFileSize

getUrl

{X-X-X-XX-XXXXXX}

_FFish_MCI_%d

errorMsg

sendCmdString

 OK %d %s

%d %s

UIDL %d

TOP %d %d

RETR %d

 OK %d %d

%d %d

LIST %d

DELE %d

password

port

RegKey

key not found

deleteKey

getSubkeyNames

\StringFileInfo\X\SpecialBuild

\StringFileInfo\X\productVersion

\StringFileInfo\X\ProductName

\StringFileInfo\X\PrivateBuild

\StringFileInfo\X\OriginalFilename

\StringFileInfo\X\LegalTrademarks

\StringFileInfo\X\LegalCopyright

\StringFileInfo\X\InternalName

\StringFileInfo\X\FileVersion

\StringFileInfo\X\FileDescription

\StringFileInfo\X\CompanyName

\StringFileInfo\X\Comments

Shell32.dll

software\microsoft\windows\currentversion

windows

findExecutable

windowStyle

URLShortcut

Microsoft Windows Millennium Edition

Microsoft Windows 98

Microsoft Windows 95

%s (Build %d)

Service Pack 6a (Build %d)

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009

%d.%d

Web Edition

Microsoft Windows NT

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003,

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 "R2"

Windows Server "Longhorn"

Windows Vista

getWindowsByName

windowState

getExeName

processMsg

- deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetOpenUrlA

InternetCanonicalizeUrlA

illegal character '%s%c%c'

illegal unicode character '%s%c%c%c%c'

unterminated %s constant

unknown escape sequence '%c%c'

ECMAScript don't allow line terminators in %s constants

syntax error: %s

invalid alias name of the imported function

inflate 1.1.3 Copyright 1995-1998 Mark Adler

Corrupt JPEG data: found marker 0xx instead of RST%d

Warning: unknown JFIF revision number %d.d

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Inconsistent progression sequence for component %d coefficient %d

Unknown Adobe color transform code %d

Obtained XMS handle %u

Freed XMS handle %u

Unrecognized component IDs %d %d %d, assuming YCbCr

JFIF extension marker: RGB thumbnail image, length %u

JFIF extension marker: palette thumbnail image, length %u

JFIF extension marker: JPEG-compressed thumbnail image, length %u

Opened temporary file %s

Closed temporary file %s

Ss=%d, Se=%d, Ah=%d, Al=%d

Component %d: dc=%d ac=%d

Start Of Scan: %d components

Component %d: %dhx%dv q=%d

Start Of Frame 0xx: width=%u, height=%u, components=%d

Smoothing not supported with nonstandard sampling ratios

RST%d

At marker 0xx, recovery action %d

Selected %d colors for quantization

Quantizing to %d colors

Quantizing to %d = %d*%d*%d colors

%4u %4u %4u %4u %4u %4u %4u %4u

Unexpected marker 0xx

Miscellaneous marker 0xx, length %u

with %d x %d thumbnail image

JFIF extension marker: type 0xx, length %u

Warning: thumbnail image size does not match data length %u

JFIF APP0 marker: version %d.d, density %dx%d %d

= = = = = = = =

Obtained EMS handle %u

Freed EMS handle %u

Define Restart Interval %u

Define Quantization Table %d precision %d

Define Huffman Table 0xx

Define Arithmetic Table 0xx: 0xx

Unknown APP14 marker (not Adobe), length %u

Unknown APP0 marker (not JFIF), length %u

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Unsupported marker type 0xx

Failed to create temporary file %s

Unsupported JPEG process: SOF type 0xx

Cannot quantize to more than %d colors

Cannot quantize to fewer than %d colors

Cannot quantize more than %d color components

Insufficient memory (case %d)

Not a JPEG file: starts with 0xx 0xx

Quantization table 0xx was not defined

Huffman table 0xx was not defined

Backing store not supported

Cannot transcode due to multiple use of quantization table %d

Maximum supported image dimension is %u pixels

Empty JPEG image (DNL not supported)

Bogus DQT index %d

Bogus DHT index %d

Bogus DAC value 0x%x

Bogus DAC index %d

Unsupported color conversion request

Too many color components: %d, max %d

Buffer passed to JPEG library is too small

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

Improper call to JPEG library in state %d

Invalid scan script at entry %d

Invalid progressive parameters at scan script entry %d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Unsupported JPEG data precision %d

Invalid memory pool code %d

Wrong JPEG library version: library is %d, caller expects %d

IDCT output block size %d not supported

Invalid component ID %d in SOS

Bogus message code %d

%ld%c

dllimport

import

export

?456789:;<=

!"#$%&'()* ,-./0123

attachment %d

====_SWFKIT_MAIL_PART_%X.%X.%X_====

Content-Transfer-Encoding: %s

Content-Type: %s; charset="%s"

Content-Type: %s; name="%s"

Content-Disposition: attachment; filename="%s"

Content-ID: <%s>

--%s--

boundary="%s"

X-Priority: %d

X-Mailer: SWFKit.FFish

Date: %s

Subject: =?%s?B?

Bcc: %s

Cc: %s

Reply-To: %s

To: %s

From: %s

boundary="%s";

login

AUTH PLAIN %s

AUTH LOGIN

%s %s

MAIL FROM:<%s>

HELO %s

EHLO %s

can't connect to the smtp server

PASS %s

USER %s

@F_%d

Reply from %d.%d.%d.%d: bytes=%d time=%dms TTL=%d

Unkown host %s

ICMP.DLL

Reply from %s: bytes=%d time=%dms TTL=%d icmp_seq=%u

Pinging %s [%s]: with %d bytes of data:

1.2.5

0123456789ABCDEFlibpng error: %s

libpng error: %s, offset=%d

libpng error no. %s: %s

libpng warning: %s

libpng warning no. %s: %s

NULL row buffer for row %ld, pass %d

Unknown zTXt compression type %d

Incomplete compressed datastream in %s chunk

Data error in compressed datastream in %s chunk

Buffer error in compressed datastream in %s chunk

'7gamma = (%d/100000)

gx=%f, gy=%f, bx=%f, by=%f

wx=%f, wy=%f, rx=%f, ry=%f

incorrect gamma=(%d/100000)

?iTXt chunk not supported.

Unknown compression type %d

zero length keyword

keyword length must be 1 - 79 characters

Zero length keyword

extra interior spaces removed from keyword

leading spaces removed from keyword

trailing spaces removed from keyword

invalid keyword character 0xX

Empty keyword in tEXt chunk

Empty keyword in zTXt chunk

Empty keyword in iCCP chunk

Empty keyword in sPLT chunk

white_x=%f, white_y=%f

.yMax

.xMax

.yMin

.xMin

inetmib1.dll

SYSTEM\CurrentControlSet\Services\VxD\MSTCP

SYSTEM\CurrentControlSet\Services\Tcpip\parameters

SYSTEM\CurrentControlSet\Services\Tcpip\parameters\Transient

%s compression support is not configured

Compression algorithm does not support random access

Compression scheme %u %s encoding is not implemented

%s %s encoding is not implemented

%s %s encoding is no longer implemented due to Unisys patent enforcement

Compression scheme %u %s decoding is not implemented

%s %s decoding is not implemented

%s: Invalid InkNames value; expecting %d names, found %d

%f: Bad value for "%s"

%s: Invalid %stag "%s" (not supported by codec)

%ld: Bad value for "%s"

Nonstandard tile length %d, convert file

Nonstandard tile width %d, convert file

%d: Bad value for "%s"

Bad value %ld for "%s" tag ignored

%s: Cannot modify tag "%s" while writing

%s: Unknown %stag %u

%s: Error fetching directory count

%s: Error fetching directory link

Internal error, unknown tag 0x%x

No space %s

TIFF directory is missing required "%s" field

incorrect count for field "%s" (%lu, expecting %lu); tag ignored

Error fetching data for field "%s"

%s: Rational with zero denominator (num = %lu)

Cannot read TIFF_ANY type %d for field "%s"

Cannot handle different per-sample values for field "%s"

Bogus "%s" field, ignoring and calculating from imagelength

TIFF directory is missing required "%s" field, calculating from imagelength

unknown field with tag %d (0x%x) ignored

wrong data type %d for "%s"; tag ignored

Error writing data for field "%s"

%s: Error writing SubIFD directory link

A"%s": Information lost writing value (%g) as (unsigned) RATIONAL

DumpModeDecode: Not enough data for scanline %d

%s: Bad code word at scanline %d (x %lu)

%s: Uncompressed data (not supported) at scanline %d (x %lu)

%s: %s at scanline %d (got %lu, expected %lu)

%s: Premature EOF at scanline %d (x %lu)

%s: No space for Group 3/4 reference line

%s: No space for Group 3/4 run arrays

Fax SubAddress: %s

(%u = 0x%x)

%suncompressed data

%sEOL padding

%s2-d encoding

%s: No space for state block

Sorry, can not handle YCbCr images with %s=%d

Sorry, LogL data must have %s=%d

Sorry, can not handle LogLuv images with %s=%d

Sorry, LogLuv data must have %s=%d or %d

Sorry, can not handle image with %s=%d

Sorry, can not handle separated image with %s=%d

Sorry, can not handle RGB image with %s=%d

Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d

Missing needed %s tag

Sorry, can not image with %d-bit samples

LogL16Decode: Not enough data at row %d (short %d pixels)

LogLuvDecode24: Not enough data at row %d (short %d pixels)

LogLuvDecode32: Not enough data at row %d (short %d pixels)

?%s: No space for SGILog translation buffer

No support for converting user data format to LogL

No support for converting user data format to LogLuv

Inappropriate photometric interpretation %d for SGILog compression; %s

SGILog compression supported only for %s, or raw data

Unknown data format %d for LogLuv compression

Unknown encoding %d for LogLuv compression

%s: No space for LogLuv state block

LZWDecode: Bogus encoding, loop in the code table; scanline %d

LZWDecode: Not enough data at scanline %d (short %d bytes)

LZWDecode: Strip %d not terminated with EOI code

LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)

"%s": Bad mode

Not a TIFF file, bad version number %d (0x%x)

Not a TIFF file, bad magic number %d (0x%x)

%s: Out of memory (TIFF structure)

PackBitsDecode: discarding %d bytes to avoid buffer overrun

Horizontal differencing "Predictor" not supported with %d-bit samples

"Predictor" value %d not supported

%u (0x%x)

%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu

%s: Read error at scanline %lu; got %lu bytes, expected %lu

%s: Seek error at scanline %lu, strip %lu

%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu

%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu

%s: Seek error at row %ld, col %ld, tile %ld

%s: No space for data buffer at scanline %ld

%s: Data buffer too small to hold strip %lu

%s: Read error on strip %lu; got %lu bytes, expected %lu

%s: Data buffer too small to hold tile %ld

%u: Sample out of range, max %u

ThunderDecode: %s data at scanline %ld (%lu != %lu)

Sample %d out of range, max %u

LIBTIFF, Version 3.5.7

%s: Cannot open

%s Warning

%s Error

%s: Write error at scanline %lu

%s: Seek error at scanline %lu

%s: %s

%s: zlib error: %s

%s: Not enough data at scanline %d (short %d bytes)

%s: Decoding error at scanline %d, %s

%s: Encoder error: %s

Warning: unknown method "%s"

Runtime error: %s

Warning: invalid index for operator []

hook break %d

Warning: can't set property "%s" with a wrong type

Warning: using undefined property "%s"

Warning: using undefined variable "%s"

CNotSupportedException

COMCTL32.DLL

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

hhctrl.ocx

commctrl_DragListMsg

CCmdTarget

CHotKeyCtrl

msctls_hotkey32

GDI32.DLL

MSWHEEL_ROLLMSG

File%d

ntdll.dll

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

%s.dll

CMDIChildWnd

CMDIFrameWnd

ddeexec

%s\ShellNew

%s\shell\printto\%s

%s\shell\print\%s

MSH_SCROLL_LINES_MSG

MSH_WHEELSUPPORT_MSG

olepro32.dll

ole32.dll

mscoree.dll

?#%X.y

Please contact the application's support team for more information.

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

portuguese-brazilian

GetProcessWindowStation

0123456789

right-curly-bracket

left-curly-bracket

OLEAUT32.dll

OLEACC.dll

WINMM.dll

WSOCK32.dll

VERSION.dll

GetWindowsDirectoryA

CreatePipe

GetProcessHeaps

WinExec

GetCPInfo

KERNEL32.dll

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyNameTextA

MapVirtualKeyA

EnumThreadWindows

ExitWindowsEx

EnumWindows

EnumChildWindows

CreateDialogIndirectParamA

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegQueryInfoKeyA

RegDeleteKeyA

RegEnumKeyA

RegCreateKeyA

ADVAPI32.dll

ShellExecuteA

FindExecutableA

SHELL32.dll

COMCTL32.dll

SHLWAPI.dll

oledlg.dll

.PAVCFileException@@

.PAVCObject@@

.PAVCException@@

.PAVCTopBaseException@@

.PAVCZipException@@

This executable file was created by an UNREGISTERED copy of SWFKit!

.PAVCOleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCNotSupportedException@@

.?AVCNotSupportedException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.?AVCHotKeyCtrl@@

.PAVCResourceException@@

.PAVCArchiveException@@

.?AVCStatusCmdUI@@

.?AVCMDIFrameWnd@@

.?AVCMDIChildWnd@@

.PAVCOleDispatchException@@

zcÁ

c:\users\"%CurrentUserName%"\appdata\local\microsoft\windows\temporary internet files

Carbonsx2f.swf

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0wjTXUPi47DMRpvB.exe

%S<^(

stdole2.tlbWWW

bstrMsgW

Created by MIDL version 6.00.0347 at Sun Jun 21 20:24:03 2009

<property id="%d">

<property id="%s">

<number>%d</number>

<string>%s</string>

<invoke name="%s" returntype="xml"><arguments>

%s:%s. See also: %s.

%s %s d d:d:d GMT% 04d %s%sd B.C.

%s %s d d:d:d GMT% 04d %s%sd

%s, d %s d d:d:d GMT B.C.

%s, d %s d d:d:d GMT

x%s.%s

%s.length

[object Inet.Ftp]

[object RegKey]

d[object URLShortcut]

[object Sound.playback]

[object Sound.recording]

<SUP>%s</SUP>

<SUB>%s</SUB>

<STRIKE>%s</STRIKE>

<SMALL>%s</SMALL>

<A HREF="%s">%s</A>

<I>%s</I>

<FONT SIZE="%s">%s</FONT>

<FONT COLOR="%s">%s</FONT>

<TT>%s</TT>

<B>%s</B>

<BLINK>%s</BLINK>

<BIG>%s</BIG>

<A NAME="%s">%s</A>

;/?:@&= $,#

accKeyboardShortcut

SUPPORT

Key Press

Disable Windows keys

Exit Keys

HotKey1

Custom Hot Key

%s Registration

Please enter your name, a serial number and a registration code to register %s.

Enter the World Wide Web location (URL) or specify the local file you would like to open.

WEBSITE

Port :

Prj.Document

Invalid projector window size!Invalid projector window position5Flash (*.swf,*.spl)|*.swf;*.spl|All Files (*.*)|*.*||

%s has expired!D%s

Press Register button to register %s, press OK button to exit.

'This copy of program is licensed to: %s

Serial Number: %s

Replace%Select the entire document

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Page %u

Pages %u-%u

Output.prn1Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

#Unable to load mail system support.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

Carbon 1.8.exe

M6Ur4kwQrMFjAIAB.exe_2692:

.text

`.rdata

@.data

.rsrc

SSShY

8SSSSSh

QSSSSh

PSSSSh

uDPW

SSSSSh

.PWuF

YYu.VW

%uWVW

.FG;}

Ht.Ht!

]`uk9UDt%9U(ua9UDt

.QPWR

.tgPV

FTPjK

FtPj;

C.PjRVj

u.VV3

L$XSSh

uùr

.SSSSSSh

HHCTRL.OCX

\\.\REGMON

\\.\REGVXD

1.1.3

SWFKit.BK

kernel32.dll

shlwapi.dll

comctl32.dll

------%s will be expired on d-d-d------

------%s will be expired after %d days after installed!------

f%d_%s

function f%d_%s() { return _call('%s', arguments);}

comdlg32.dll

urlmon.dll

user32.dll

%sX%d.cab

"%s" /Q /S

%sX%d.tmp

Failed to initialize the WIndows Socket!

%d%% Free

Physical memory available to Windows:

%d KB

0xX

SCRNSAVE.EXE

SYSTEM.INI

hXXp://VVV.swfbuddy.com

TOPURL

TWAIN_32.DLL

.main

oleaut32.dll

Src: %s

Line:%d Error:%d Scode:%x

%s\DefaultIcon

%s\shell\open\%s

windowShape

$EKHOTKEY

$KPDISABLEWINDOWKEYS

hotKey

exitKeys

keyPress

\t=~paste01.bmp

windowSize

expiryMsg

cmdItems

cmdLine

join

%s.%s

%s.%d

msgBox

winio.sys

\\.\PhysicalDrive%d

\\.\Scsi%d:

FtpGetFileSize

FtpRenameFileA

FtpDeleteFileA

FtpRemoveDirectoryA

FtpCreateDirectoryA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpFindFirstFileA

wininet.dll

Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

_InetFtp_

@F_%u

.tiff

.jpeg

VVV.swfkit.com

onGetUrl

openFtp

getHttpFileHeader

getHttpFileStatus

getHttpFileLastModifiedTime

getHttpFileSize

getUrl

{X-X-X-XX-XXXXXX}

_FFish_MCI_%d

errorMsg

sendCmdString

 OK %d %s

%d %s

UIDL %d

TOP %d %d

RETR %d

 OK %d %d

%d %d

LIST %d

DELE %d

password

port

RegKey

key not found

deleteKey

getSubkeyNames

\StringFileInfo\X\SpecialBuild

\StringFileInfo\X\productVersion

\StringFileInfo\X\ProductName

\StringFileInfo\X\PrivateBuild

\StringFileInfo\X\OriginalFilename

\StringFileInfo\X\LegalTrademarks

\StringFileInfo\X\LegalCopyright

\StringFileInfo\X\InternalName

\StringFileInfo\X\FileVersion

\StringFileInfo\X\FileDescription

\StringFileInfo\X\CompanyName

\StringFileInfo\X\Comments

Shell32.dll

software\microsoft\windows\currentversion

windows

findExecutable

windowStyle

URLShortcut

Microsoft Windows Millennium Edition

Microsoft Windows 98

Microsoft Windows 95

%s (Build %d)

Service Pack 6a (Build %d)

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009

%d.%d

Web Edition

Microsoft Windows NT

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003,

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 "R2"

Windows Server "Longhorn"

Windows Vista

getWindowsByName

windowState

getExeName

processMsg

- deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetOpenUrlA

InternetCanonicalizeUrlA

illegal character '%s%c%c'

illegal unicode character '%s%c%c%c%c'

unterminated %s constant

unknown escape sequence '%c%c'

ECMAScript don't allow line terminators in %s constants

syntax error: %s

invalid alias name of the imported function

inflate 1.1.3 Copyright 1995-1998 Mark Adler

Corrupt JPEG data: found marker 0xx instead of RST%d

Warning: unknown JFIF revision number %d.d

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Inconsistent progression sequence for component %d coefficient %d

Unknown Adobe color transform code %d

Obtained XMS handle %u

Freed XMS handle %u

Unrecognized component IDs %d %d %d, assuming YCbCr

JFIF extension marker: RGB thumbnail image, length %u

JFIF extension marker: palette thumbnail image, length %u

JFIF extension marker: JPEG-compressed thumbnail image, length %u

Opened temporary file %s

Closed temporary file %s

Ss=%d, Se=%d, Ah=%d, Al=%d

Component %d: dc=%d ac=%d

Start Of Scan: %d components

Component %d: %dhx%dv q=%d

Start Of Frame 0xx: width=%u, height=%u, components=%d

Smoothing not supported with nonstandard sampling ratios

RST%d

At marker 0xx, recovery action %d

Selected %d colors for quantization

Quantizing to %d colors

Quantizing to %d = %d*%d*%d colors

%4u %4u %4u %4u %4u %4u %4u %4u

Unexpected marker 0xx

Miscellaneous marker 0xx, length %u

with %d x %d thumbnail image

JFIF extension marker: type 0xx, length %u

Warning: thumbnail image size does not match data length %u

JFIF APP0 marker: version %d.d, density %dx%d %d

= = = = = = = =

Obtained EMS handle %u

Freed EMS handle %u

Define Restart Interval %u

Define Quantization Table %d precision %d

Define Huffman Table 0xx

Define Arithmetic Table 0xx: 0xx

Unknown APP14 marker (not Adobe), length %u

Unknown APP0 marker (not JFIF), length %u

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Unsupported marker type 0xx

Failed to create temporary file %s

Unsupported JPEG process: SOF type 0xx

Cannot quantize to more than %d colors

Cannot quantize to fewer than %d colors

Cannot quantize more than %d color components

Insufficient memory (case %d)

Not a JPEG file: starts with 0xx 0xx

Quantization table 0xx was not defined

Huffman table 0xx was not defined

Backing store not supported

Cannot transcode due to multiple use of quantization table %d

Maximum supported image dimension is %u pixels

Empty JPEG image (DNL not supported)

Bogus DQT index %d

Bogus DHT index %d

Bogus DAC value 0x%x

Bogus DAC index %d

Unsupported color conversion request

Too many color components: %d, max %d

Buffer passed to JPEG library is too small

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

Improper call to JPEG library in state %d

Invalid scan script at entry %d

Invalid progressive parameters at scan script entry %d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Unsupported JPEG data precision %d

Invalid memory pool code %d

Wrong JPEG library version: library is %d, caller expects %d

IDCT output block size %d not supported

Invalid component ID %d in SOS

Bogus message code %d

%ld%c

dllimport

import

export

?456789:;<=

!"#$%&'()* ,-./0123

attachment %d

====_SWFKIT_MAIL_PART_%X.%X.%X_====

Content-Transfer-Encoding: %s

Content-Type: %s; charset="%s"

Content-Type: %s; name="%s"

Content-Disposition: attachment; filename="%s"

Content-ID: <%s>

--%s--

boundary="%s"

X-Priority: %d

X-Mailer: SWFKit.FFish

Date: %s

Subject: =?%s?B?

Bcc: %s

Cc: %s

Reply-To: %s

To: %s

From: %s

boundary="%s";

login

AUTH PLAIN %s

AUTH LOGIN

%s %s

MAIL FROM:<%s>

HELO %s

EHLO %s

can't connect to the smtp server

PASS %s

USER %s

@F_%d

Reply from %d.%d.%d.%d: bytes=%d time=%dms TTL=%d

Unkown host %s

ICMP.DLL

Reply from %s: bytes=%d time=%dms TTL=%d icmp_seq=%u

Pinging %s [%s]: with %d bytes of data:

1.2.5

0123456789ABCDEFlibpng error: %s

libpng error: %s, offset=%d

libpng error no. %s: %s

libpng warning: %s

libpng warning no. %s: %s

NULL row buffer for row %ld, pass %d

Unknown zTXt compression type %d

Incomplete compressed datastream in %s chunk

Data error in compressed datastream in %s chunk

Buffer error in compressed datastream in %s chunk

'7gamma = (%d/100000)

gx=%f, gy=%f, bx=%f, by=%f

wx=%f, wy=%f, rx=%f, ry=%f

incorrect gamma=(%d/100000)

?iTXt chunk not supported.

Unknown compression type %d

zero length keyword

keyword length must be 1 - 79 characters

Zero length keyword

extra interior spaces removed from keyword

leading spaces removed from keyword

trailing spaces removed from keyword

invalid keyword character 0xX

Empty keyword in tEXt chunk

Empty keyword in zTXt chunk

Empty keyword in iCCP chunk

Empty keyword in sPLT chunk

white_x=%f, white_y=%f

.yMax

.xMax

.yMin

.xMin

inetmib1.dll

SYSTEM\CurrentControlSet\Services\VxD\MSTCP

SYSTEM\CurrentControlSet\Services\Tcpip\parameters

SYSTEM\CurrentControlSet\Services\Tcpip\parameters\Transient

%s compression support is not configured

Compression algorithm does not support random access

Compression scheme %u %s encoding is not implemented

%s %s encoding is not implemented

%s %s encoding is no longer implemented due to Unisys patent enforcement

Compression scheme %u %s decoding is not implemented

%s %s decoding is not implemented

%s: Invalid InkNames value; expecting %d names, found %d

%f: Bad value for "%s"

%s: Invalid %stag "%s" (not supported by codec)

%ld: Bad value for "%s"

Nonstandard tile length %d, convert file

Nonstandard tile width %d, convert file

%d: Bad value for "%s"

Bad value %ld for "%s" tag ignored

%s: Cannot modify tag "%s" while writing

%s: Unknown %stag %u

%s: Error fetching directory count

%s: Error fetching directory link

Internal error, unknown tag 0x%x

No space %s

TIFF directory is missing required "%s" field

incorrect count for field "%s" (%lu, expecting %lu); tag ignored

Error fetching data for field "%s"

%s: Rational with zero denominator (num = %lu)

Cannot read TIFF_ANY type %d for field "%s"

Cannot handle different per-sample values for field "%s"

Bogus "%s" field, ignoring and calculating from imagelength

TIFF directory is missing required "%s" field, calculating from imagelength

unknown field with tag %d (0x%x) ignored

wrong data type %d for "%s"; tag ignored

Error writing data for field "%s"

%s: Error writing SubIFD directory link

A"%s": Information lost writing value (%g) as (unsigned) RATIONAL

DumpModeDecode: Not enough data for scanline %d

%s: Bad code word at scanline %d (x %lu)

%s: Uncompressed data (not supported) at scanline %d (x %lu)

%s: %s at scanline %d (got %lu, expected %lu)

%s: Premature EOF at scanline %d (x %lu)

%s: No space for Group 3/4 reference line

%s: No space for Group 3/4 run arrays

Fax SubAddress: %s

(%u = 0x%x)

%suncompressed data

%sEOL padding

%s2-d encoding

%s: No space for state block

Sorry, can not handle YCbCr images with %s=%d

Sorry, LogL data must have %s=%d

Sorry, can not handle LogLuv images with %s=%d

Sorry, LogLuv data must have %s=%d or %d

Sorry, can not handle image with %s=%d

Sorry, can not handle separated image with %s=%d

Sorry, can not handle RGB image with %s=%d

Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d

Missing needed %s tag

Sorry, can not image with %d-bit samples

LogL16Decode: Not enough data at row %d (short %d pixels)

LogLuvDecode24: Not enough data at row %d (short %d pixels)

LogLuvDecode32: Not enough data at row %d (short %d pixels)

?%s: No space for SGILog translation buffer

No support for converting user data format to LogL

No support for converting user data format to LogLuv

Inappropriate photometric interpretation %d for SGILog compression; %s

SGILog compression supported only for %s, or raw data

Unknown data format %d for LogLuv compression

Unknown encoding %d for LogLuv compression

%s: No space for LogLuv state block

LZWDecode: Bogus encoding, loop in the code table; scanline %d

LZWDecode: Not enough data at scanline %d (short %d bytes)

LZWDecode: Strip %d not terminated with EOI code

LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)

"%s": Bad mode

Not a TIFF file, bad version number %d (0x%x)

Not a TIFF file, bad magic number %d (0x%x)

%s: Out of memory (TIFF structure)

PackBitsDecode: discarding %d bytes to avoid buffer overrun

Horizontal differencing "Predictor" not supported with %d-bit samples

"Predictor" value %d not supported

%u (0x%x)

%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu

%s: Read error at scanline %lu; got %lu bytes, expected %lu

%s: Seek error at scanline %lu, strip %lu

%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu

%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu

%s: Seek error at row %ld, col %ld, tile %ld

%s: No space for data buffer at scanline %ld

%s: Data buffer too small to hold strip %lu

%s: Read error on strip %lu; got %lu bytes, expected %lu

%s: Data buffer too small to hold tile %ld

%u: Sample out of range, max %u

ThunderDecode: %s data at scanline %ld (%lu != %lu)

Sample %d out of range, max %u

LIBTIFF, Version 3.5.7

%s: Cannot open

%s Warning

%s Error

%s: Write error at scanline %lu

%s: Seek error at scanline %lu

%s: %s

%s: zlib error: %s

%s: Not enough data at scanline %d (short %d bytes)

%s: Decoding error at scanline %d, %s

%s: Encoder error: %s

Warning: unknown method "%s"

Runtime error: %s

Warning: invalid index for operator []

hook break %d

Warning: can't set property "%s" with a wrong type

Warning: using undefined property "%s"

Warning: using undefined variable "%s"

CNotSupportedException

COMCTL32.DLL

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

hhctrl.ocx

commctrl_DragListMsg

CCmdTarget

CHotKeyCtrl

msctls_hotkey32

GDI32.DLL

MSWHEEL_ROLLMSG

File%d

ntdll.dll

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

%s.dll

CMDIChildWnd

CMDIFrameWnd

ddeexec

%s\ShellNew

%s\shell\printto\%s

%s\shell\print\%s

MSH_SCROLL_LINES_MSG

MSH_WHEELSUPPORT_MSG

olepro32.dll

ole32.dll

mscoree.dll

?#%X.y

Please contact the application's support team for more information.

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

portuguese-brazilian

GetProcessWindowStation

0123456789

right-curly-bracket

left-curly-bracket

OLEAUT32.dll

OLEACC.dll

WINMM.dll

WSOCK32.dll

VERSION.dll

GetWindowsDirectoryA

CreatePipe

GetProcessHeaps

WinExec

GetCPInfo

KERNEL32.dll

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyNameTextA

MapVirtualKeyA

EnumThreadWindows

ExitWindowsEx

EnumWindows

EnumChildWindows

CreateDialogIndirectParamA

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegQueryInfoKeyA

RegDeleteKeyA

RegEnumKeyA

RegCreateKeyA

ADVAPI32.dll

ShellExecuteA

FindExecutableA

SHELL32.dll

COMCTL32.dll

SHLWAPI.dll

oledlg.dll

.PAVCFileException@@

.PAVCObject@@

.PAVCException@@

.PAVCTopBaseException@@

.PAVCZipException@@

This executable file was created by an UNREGISTERED copy of SWFKit!

.PAVCOleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCNotSupportedException@@

.?AVCNotSupportedException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.?AVCHotKeyCtrl@@

.PAVCResourceException@@

.PAVCArchiveException@@

.?AVCStatusCmdUI@@

.?AVCMDIFrameWnd@@

.?AVCMDIChildWnd@@

.PAVCOleDispatchException@@

zcÁ

c:\users\"%CurrentUserName%"\appdata\local\microsoft\windows\temporary internet files

Carbonsx2f.swf

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\M6Ur4kwQrMFjAIAB.exe

%S<^(

stdole2.tlbWWW

bstrMsgW

Created by MIDL version 6.00.0347 at Sun Jun 21 20:24:03 2009

<property id="%d">

<property id="%s">

<number>%d</number>

<string>%s</string>

<invoke name="%s" returntype="xml"><arguments>

%s:%s. See also: %s.

%s %s d d:d:d GMT% 04d %s%sd B.C.

%s %s d d:d:d GMT% 04d %s%sd

%s, d %s d d:d:d GMT B.C.

%s, d %s d d:d:d GMT

x%s.%s

%s.length

[object Inet.Ftp]

[object RegKey]

d[object URLShortcut]

[object Sound.playback]

[object Sound.recording]

<SUP>%s</SUP>

<SUB>%s</SUB>

<STRIKE>%s</STRIKE>

<SMALL>%s</SMALL>

<A HREF="%s">%s</A>

<I>%s</I>

<FONT SIZE="%s">%s</FONT>

<FONT COLOR="%s">%s</FONT>

<TT>%s</TT>

<B>%s</B>

<BLINK>%s</BLINK>

<BIG>%s</BIG>

<A NAME="%s">%s</A>

;/?:@&= $,#

accKeyboardShortcut

SUPPORT

Key Press

Disable Windows keys

Exit Keys

HotKey1

Custom Hot Key

%s Registration

Please enter your name, a serial number and a registration code to register %s.

Enter the World Wide Web location (URL) or specify the local file you would like to open.

WEBSITE

Port :

Prj.Document

Invalid projector window size!Invalid projector window position5Flash (*.swf,*.spl)|*.swf;*.spl|All Files (*.*)|*.*||

%s has expired!D%s

Press Register button to register %s, press OK button to exit.

'This copy of program is licensed to: %s

Serial Number: %s

Replace%Select the entire document

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Page %u

Pages %u-%u

Output.prn1Printer Files (*.prn)|*.prn|All Files (*.*)|*.*||

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

#Unable to load mail system support.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

Carbon 1.8.exe

WmiApSrv.exe_3332:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

wbemcomn.dll

loadperf.dll

tù\N

Invalid parameter passed to C runtime function.

WmiApSrv.exe

?CloseSubKey@CRegistry@@AAEXXZ

?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z

?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z

?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z

?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z

?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z

?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z

?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z

?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z

?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z

?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z

?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z

?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z

?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z

?GetCurrentSubKeyCount@CRegistry@@QAEKXZ

?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z

?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z

?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z

?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z

?GetLongestSubKeySize@CRegistry@@QAEKXZ

?GethKey@CRegistry@@QAEPAUHKEY__@@XZ

?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z

?NextSubKey@CRegistry@@QAEKXZ

?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z

?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z

?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z

?OpenSubKey@CRegistry@@AAEKXZ

?RewindSubKeys@CRegistry@@QAEXXZ

?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z

?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z

?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z

?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z

?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z

?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKQAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z

?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z

?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z

?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z

?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z

?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z

?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z

?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z

?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z

ntdll.dll

RegCloseKey

RegDeleteKeyW

RegEnumKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegOpenKeyW

RegEnumKeyW

RegQueryInfoKeyW

_amsg_exit

_acmdln

WmiApSrv.pdb

version="5.1.0.0"

name="Microsoft.Windows.WMI.WmiApSrv"

<requestedExecutionLevel

8"8(8.848

4A4C4J4\4b4h4

9%9 989_9

9 9$9(9,9<9@9

<&<8<@<{<

6$6,646|6

; ;<;\;|;

%s_%d

\\.\root\wmi

\\.\root\cimv2

PSAPI.DLL

_simulated_%d

AppID\{63A53A38-004F-489B-BD61-96B5EEFADC04}

WmiApRes.dll

xx %s

xx %s%s.ini

%s_x

x=%s

%s_x_

Describes all the counters supported via WMI Hi-Performance providers

_new.ini

%s\%s

6.1.7600.16385 (win7_rtm.090713-1255)

Windows

Operating System

6.1.7600.16385

conhost.exe_2076_rwx_000DC000_00007000:

GetProcessWindowStation

KERNEL32.dll

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

PSAPI.DLL

GetProcessHeap

GetCPInfo

zcÁ

C:\Windows\system32\conhost.exe

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

conhost.exe_2076_rwx_000E4000_00001000:

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:3448
WmiApSrv.exe:3332
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{8265AE97-932F-4A12-BCDA-C8B4F7C1E139}\_extra\Carbonsx2f.swf (34292 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (548 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Game_20160606[1].swf (122293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\gameversion[1].htm (118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7EE2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7EE1.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\85d061c25ded727572a08deac0825d7d\%original file name%.exe (19832 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0wjTXUPi47DMRpvB.exe (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB7F0.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB7F1.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Monitoring\system.dat (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\M6Ur4kwQrMFjAIAB.exe (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA162.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1368 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp81BE.tmp (381 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA163.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\27-10-2017 (366 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA160.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Monitoring\network.dat (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Geo.dat (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA161.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{18167723-099C-444D-BE45-539A75D1840C}\_extra\Carbonsx2f.swf (34292 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gameversion[1].htm (118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8058.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8057.tmp (53 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Barys.875_85d061c25d

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Variant.Barys.875_85d061c25d

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet