Sample_237cfcd53b
HEUR:Packed.Win32.Vemply.gen (Kaspersky), GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Worm, EmailWorm, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 237cfcd53bb34f48ed8c110ce0b7bebf
SHA1: 52441bdcc00cc5795e3749a06711d55064f62de8
SHA256: f15214671c86fe970489a48e36d6d4b4655960b5302cf3ddc6fc2c005fe39f8f
SSDeep: 98304:wS7aGWEY26P3hOuXVHDkmaa16NaOk3xDlrflX+8G7DWeQ/ic+pDbOej1aXrgxY+q:wS2GWEap9wmf6gOkh5tG7DWZK3pX71aI
Size: 5787648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-24 11:35:09
Analyzed on: Windows7 SP1 32-bit
Summary:
Worm. A program whose primary function is to replicate itself across networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
The EmailWorm verdict rests on SMTP header-format strings present in the binary (From:, To:, Subject:, Reply-To:, Date:, Cc:, SMTP), which belong to a generic mail-sending routine; no e-mail traffic, and no spread to network shares or removable media, was recorded in this run, and the only network activity observed is the HTTP traffic listed under Traffic. What the file, registry and string evidence does show is a VMProtect-packed Easy Language (eyuyan.com) program, version 6.3.1.0 from a publisher calling itself "Hj", that targets the Tencent League of Legends client (LolClient.exe, lol.launcher_tencent.exe, SkinID.ini, one tiny .Png file per champion under C:\HjLol\yxtxtp), fetches an update check from rj.xie6.cn, references www.huajinv5.com throughout, declares requireAdministrator in its manifest, and rewrites the Internet Explorer start page to http://www.2345.com/?khuajin.
Process activity
The Worm creates the following process(es):
No processes have been created.
The Worm injects its code into the following process(es):
%original file name%.exe:1968
The only "injection" target is the sample's own process (PID 1968). Together with the .vmp0/.vmp1 sections and the RWX regions dumped at the end of this report (0094B000 and 00FB9000), this is the protector unpacking into its own address space, not injection into another process.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1968 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\HjLol\yxtxtp\Irelia.Png (15 bytes)
C:\HjLol\yxtxtp\Aatrox.Png (13 bytes)
C:\HjLol\yxtxtp\Rengar.Png (15 bytes)
C:\HjLol\yxtxtp\Skarner.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\gengxin[1].htm (232 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\errorPageStrings[1] (2 bytes)
C:\HjLol\yxtxtp\Lux.Png (16 bytes)
C:\HjLol\yxtxtp\Malphite.Png (14 bytes)
C:\HjLol\yxtxtp\Gragas.Png (15 bytes)
C:\HjLol\yxtxtp\Xerath.Png (14 bytes)
C:\HjLol\yxtxtp\Nami.Png (14 bytes)
C:\HjLol\yxtxtp\Rammus.Png (15 bytes)
C:\HjLol\yxtxtp\Hecarim.Png (15 bytes)
C:\HjLol\yxtxtp\Brand.Png (15 bytes)
C:\HjLol\yxtxtp\Janna.Png (15 bytes)
C:\HjLol\yxtxtp\Ezreal.Png (16 bytes)
C:\HjLol\yxtxtp\Riven.Png (14 bytes)
C:\HjLol\yxtxtp\Leona.Png (16 bytes)
C:\Hjone.dll (326 bytes)
C:\HjLol\yxtxtp\Ó¢ÃÂÛ÷ÃÂñ.zip (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\navcancl[1] (2 bytes)
C:\HjLol\yxtxtp\Karthus.Png (15 bytes)
C:\HjLol\yxtxtp\Maokai.Png (13 bytes)
C:\HjLol\yxtxtp\Yasuo.Png (15 bytes)
C:\HjLol\yxtxtp\Annie.Png (15 bytes)
C:\HjLol\yxtxtp\Fizz.Png (16 bytes)
C:\HjLol\yxtxtp\Sona.Png (15 bytes)
C:\HjLol\yxtxtp\Singed.Png (15 bytes)
C:\HjLol\yxtxtp\Shaco.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\bullet[1] (447 bytes)
C:\HjLol\yxtxtp\Graves.Png (14 bytes)
C:\HjLol\yxtxtp\Taliyah.Png (13 bytes)
C:\HjLol\yxtxtp\Jax.Png (14 bytes)
C:\HjLol\yxtxtp\Galio.Png (15 bytes)
C:\HjLol\yxtxtp\Kennen.Png (14 bytes)
C:\HjLol\yxtxtp\Nocturne.Png (15 bytes)
C:\HjLol\yxtxtp\Olaf.Png (15 bytes)
C:\HjLol\SkinID.ini (13 bytes)
C:\HjLol\yxtxtp\Garen.Png (16 bytes)
C:\HjLol\yxtxtp\RekSai.Png (14 bytes)
C:\HjLol\yxtxtp\Nautilus.Png (15 bytes)
C:\HjLol\yxtxtp\Blitzcrank.Png (15 bytes)
C:\HjLol\yxtxtp\Udyr.Png (15 bytes)
C:\HjLol\yxtxtp\Morgana.Png (15 bytes)
C:\HjLol\yxtxtp\Corki.Png (15 bytes)
C:\HjLol\yxtxtp\Ekko.Png (14 bytes)
C:\HjLol\yxtxtp\Heimerdinger.Png (16 bytes)
C:\HjLol\yxtxtp\Kindred.Png (14 bytes)
C:\HjLol\yxtxtp\Ryze.png (15 bytes)
C:\HjLol\yxtxtp\Azir.Png (14 bytes)
C:\HjLol\yxtxtp\XinZhao.Png (15 bytes)
C:\HjLol\yxtxtp\Zilean.Png (784 bytes)
C:\HjLol\yxtxtp\Taric.Png (15 bytes)
C:\HjLol\yxtxtp\Veigar.Png (15 bytes)
C:\HjLol\Xiong (974 bytes)
C:\HjLol\yxtxtp\Poppy.Png (15 bytes)
C:\HjLol\yxtxtp\Kalista.Png (15 bytes)
C:\HjLol\yxtxtp\Caitlyn.Png (14 bytes)
C:\HjLol\yxtxtp\Thresh.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\ErrorPageTemplate[1] (2 bytes)
C:\HjLol\yxtxtp\Cassiopeia.Png (13 bytes)
C:\HjLol\yxtxtp\Katarina.Png (14 bytes)
C:\HjLol\yxtxtp\KogMaw.Png (14 bytes)
C:\HjLol\yxtxtp\Rumble.Png (15 bytes)
C:\HjLol\yxtxtp\MonkeyKing.Png (15 bytes)
C:\HjLol\yxtxtp\TwistedFate.Png (14 bytes)
C:\HjLol\yxtxtp\Kled.png (14 bytes)
C:\HjLol\yxtxtp\Mordekaiser.Png (14 bytes)
C:\HjLol\yxtxtp\Tristana.Png (15 bytes)
C:\HjLol\yxtxtp\Braum.Png (14 bytes)
C:\HjLol\yxtxtp\Ivern.png (13 bytes)
C:\HjLol\yxtxtp\Lulu.Png (16 bytes)
C:\HjLol\yxtxtp\Akali.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\errorPageStrings[1] (2 bytes)
C:\HjLol\yxtxtp\AurelionSol.Png (13 bytes)
C:\HjLol\yxtxtp\ChoGath.Png (15 bytes)
C:\HjLol\yxtxtp\Gnar.Png (15 bytes)
C:\HjLol\yxtxtp\Evelynn.Png (15 bytes)
C:\HjLol\yxtxtp\Draven.Png (15 bytes)
C:\HjLol\yxtxtp\Vi.Png (784 bytes)
C:\HjLol\yxtxtp\Jayce.Png (15 bytes)
C:\HjLol\yxtxtp\MasterYi.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\info_48[1] (4 bytes)
C:\HjLol\yxtxtp\Vayne.Png (16 bytes)
C:\HjLol\yxtxtp\Zyra.Png (15 bytes)
C:\HjLol\yxtxtp\Quinn.Png (16 bytes)
C:\HjLol\yxtxtp\LeeSin.Png (13 bytes)
C:\HjLol\yxtxtp\VelKoz.Png (15 bytes)
C:\HjLol\yxtxtp\Ziggs.Png (16 bytes)
C:\HjLol\yxtxtp\Syndra.Png (15 bytes)
C:\HjLol\yxtxtp\Bard.Png (16 bytes)
C:\HjLol\yxtxtp\Varus.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\bullet[1] (447 bytes)
C:\HjLol\yxtxtp\Soraka.Png (784 bytes)
C:\HjLol\yxtxtp\Malzahar.Png (15 bytes)
C:\HjLol\yxtxtp\Warwick.Png (14 bytes)
C:\HjLol\yxtxtp\Lucian.Png (14 bytes)
C:\HjLol\yxtxtp\DrMundo.Png (14 bytes)
C:\HjLol\yxtxtp\Pantheon.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\ErrorPageTemplate[1] (2 bytes)
C:\HjLol\yxtxtp\Diana.Png (15 bytes)
C:\HjLol\yxtxtp\Renekton.Png (14 bytes)
C:\HjLol\yxtxtp\Sivir.Png (15 bytes)
C:\HjLol\yxtxtp\Trundle.Png (15 bytes)
C:\HjLol\yxtxtp\Twitch.Png (15 bytes)
C:\HjLol\yxtxtp\Nidalee.Png (15 bytes)
C:\HjLol\yxtxtp\TahmKench.Png (14 bytes)
C:\HjLol\yxtxtp\Karma.Png (16 bytes)
C:\HjLol\yxtxtp\Swain.Png (14 bytes)
C:\HjLol\yxtxtp\Fiora.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\navcancl[1] (2 bytes)
C:\HjLol\yxtxtp\Yorick.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\dlldy[1].htm (17 bytes)
C:\HjLol\yxtxtp\Fiddlesticks.Png (14 bytes)
C:\HjLol\yxtxtp\Talon.Png (14 bytes)
C:\HjLol\yxtxtp\Elise.Png (14 bytes)
C:\HjLol\yxtxtp\Viktor.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\dlldy[1].htm (43 bytes)
C:\HjLol\yxtxtp\Zac.Png (16 bytes)
C:\HjLol\yxtxtp\LeBlanc.Png (15 bytes)
C:\HjLol\yxtxtp\Illaoi.Png (12 bytes)
C:\HjLol\yxtxtp\Shen.Png (14 bytes)
C:\HjLol\yxtxtp\Teemo.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\background_gradient[1] (453 bytes)
C:\HjLol\yxtxtp\Tryndamere.Png (15 bytes)
C:\HjLol\yxtxtp\Ashe.Png (784 bytes)
C:\HjLol\yxtxtp\Lissandra.Png (15 bytes)
C:\HjLol\yxtxtp\Jhin.Png (13 bytes)
C:\HjLol\yxtxtp\Nunu.Png (16 bytes)
C:\HjLol\yxtxtp\Volibear.Png (15 bytes)
C:\HjLol\yxtxtp\Kassadin.Png (15 bytes)
C:\HjLol\yxtxtp\Vladimir.Png (14 bytes)
C:\HjLol\yxtxtp\Jinx.Png (16 bytes)
C:\HjLol\yxtxtp\Camille.png (14 bytes)
C:\HjLol\yxtxtp\Urgot.Png (15 bytes)
C:\HjLol\yxtxtp\Kayle.Png (15 bytes)
C:\HjLol\yxtxtp\Shyvana.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\61PNU50T.txt (108 bytes)
C:\HjLol\yxtxtp\Darius.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\httpErrorPagesScripts[1] (5 bytes)
C:\HjLol\yxtxtp\Ahri.Png (15 bytes)
C:\HjLol\yxtxtp\Sion.Png (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\background_gradient[1] (453 bytes)
C:\HjLol\yxtxtp\JarvanIV.Png (14 bytes)
C:\HjLol\yxtxtp\Anivia.Png (15 bytes)
C:\HjLol\yxtxtp\Nasus.Png (15 bytes)
C:\HjLol\yxtxtp\Orianna.Png (14 bytes)
C:\HjLol\yxtxtp\KhaZix.Png (15 bytes)
C:\HjLol\yxtxtp\Gangplank.Png (14 bytes)
C:\HjLol\yxtxtp\Amumu.Png (15 bytes)
C:\HjLol\yxtxtp\Sejuani.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\info_48[1] (4 bytes)
C:\HjLol\yxtxtp\Zed.Png (15 bytes)
C:\HjLol\yxtxtp\Alistar.Png (14 bytes)
C:\HjLol\yxtxtp\MissFortune.Png (14 bytes)
The Worm deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\navcancl[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\httpErrorPagesScripts[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\info_48[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\background_gradient[1] (0 bytes)
C:\HjLol\yxtxtp\Ó¢ÃÂÛ÷ÃÂñ.zip (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\errorPageStrings[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\ErrorPageTemplate[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\bullet[1] (0 bytes)
Registry activity
The process %original file name%.exe:1968 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry. The Tracing\*_RASAPI32 and *_RASMANCS, Internet Settings\Wpad, ZoneMap, Connections and Direct3D keys are written by Windows itself as a side effect of the sample using WinINet, RAS and Direct3D and carry no persistence; the one deliberate change is the Internet Explorer start page, set to an affiliate-tagged 2345.com URL:
[HKLM\SOFTWARE\Microsoft\Tracing\237cfcd53bb34f48ed8c110ce0b7bebf_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\237cfcd53bb34f48ed8c110ce0b7bebf_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "30 3E A0 00 28 B8 D2 01"
"WpadNetworkName" = "Network 2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "30 3E A0 00 28 B8 D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?khuajin"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| dd5d9a7b2d1422fe7bddd4cf3ba066d5 | c:\HjLol\Xiong |
| 65eca73f39f1c9d671519035e0585314 | c:\Hjone.dll |
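The file list and the dropped-PE table above give enough to write a host-side triage check. The block below is an added example, not part of the Lavasoft report and not the sample's code: it walks a directory tree for the paths the report names (HjLol, Hjone.dll, SkinID.ini), compares any hit against the two MD5s in the dropped-PE table, and tests whether files carrying a .Png extension actually begin with the PNG signature. None of the 11- to 16-byte .Png files listed above can be a valid PNG (the signature alone is 8 bytes and the mandatory IHDR chunk adds 25 more), so an extension/header mismatch is the cheap tell. The fixture tree that build_fixture() creates is constructed for the demonstration and its file contents are invented; refang() assumes the hXXp/VVV defanging convention used in this report's string dump.

```python
"""Host triage for the C:\\HjLol artefacts described in the report.

Added example, not code from the report or the sample. Paths, hashes and the
PNG-header rule come from the report; the fixture tree and its file contents
are constructed here for demonstration only.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MIN_PNG_LEN = 8 + 25 + 12 + 12          # signature + IHDR + empty IDAT + IEND

# MD5s from the report's "Dropped PE files" table, keyed by lower-cased file name.
REPORTED_MD5 = {
    "xiong": "dd5d9a7b2d1422fe7bddd4cf3ba066d5",
    "hjone.dll": "65eca73f39f1c9d671519035e0585314",
}
# Path fragments the report lists; matched case-insensitively against the path.
IOC_PATH_FRAGMENTS = ("hjlol", "hjone.dll", "skinid.ini")


def refang(s: str) -> str:
    """Undo the report's defanging (hXXp:// -> http://, VVV. -> www.)."""
    s = re.sub(r"(?i)^hxxp", "http", s)
    return re.sub(r"^(https?://)VVV\.", r"\1www.", s)


def classify_png(data: bytes) -> str:
    """Decide whether a byte string is plausibly a PNG file."""
    if len(data) < 8 or data[:8] != PNG_SIG:
        return "bad-signature"
    if len(data) < MIN_PNG_LEN:
        return "truncated-png"
    return "png"


def sweep(root: str) -> list[dict]:
    """Walk root and report every file matching a path IOC, a hash, or a PNG mismatch."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).lower().replace(os.sep, "\\")
            hit = {"path": rel, "size": len(data), "reasons": []}
            if any(frag in rel for frag in IOC_PATH_FRAGMENTS):
                hit["reasons"].append("known-path")
            expected = REPORTED_MD5.get(name.lower())
            if expected is not None:
                md5 = hashlib.md5(data).hexdigest()
                hit["reasons"].append("md5-match" if md5 == expected else "md5-differs")
            if name.lower().endswith(".png"):
                verdict = classify_png(data)
                if verdict != "png":
                    hit["reasons"].append("png-" + verdict)
            if hit["reasons"]:
                findings.append(hit)
    return sorted(findings, key=lambda h: h["path"])


def build_fixture() -> str:
    """Constructed tree mimicking the report's layout; all contents are invented."""
    root = tempfile.mkdtemp(prefix="hjlol_")
    skins = os.path.join(root, "HjLol", "yxtxtp")
    os.makedirs(skins)
    # Tiny ".Png" placeholders like the 13-16 byte files in the report (contents invented).
    for champ, body in (("Aatrox", b"skin=0;alpha\n"), ("Ashe", b"skin=5;ashe\n")):
        with open(os.path.join(skins, champ + ".Png"), "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, "HjLol", "SkinID.ini"), "wb") as fh:
        fh.write(b"[skin]\nid=1\n")
    with open(os.path.join(root, "HjLol", "Xiong"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 972)                 # 974 bytes, as in the report
    with open(os.path.join(root, "Hjone.dll"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 324)                 # 326 bytes, as in the report
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign control file\n")           # must not be flagged
    return root
```

On a real host, call sweep() on the drive root (or on C:\HjLol and C:\ separately to keep it fast); a known-path hit whose MD5 differs from the table is the normal case for a variant and should still be collected rather than dismissed.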
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
No propagation activity was recorded in this run.
VersionInfo
Company Name: Hj
Product Name: ????????
Product Version: 6.3.1.0
Legal Copyright: Copyright (C) 2016
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.3.1.0
File Description: ???????????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 945390 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 950272 | 4080718 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 5033984 | 513418 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp0 | 5550080 | 1047398 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .vmp1 | 6598656 | 5733998 | 5734400 | 5.45643 | 4d82905e222da607116af3cee24a759a |
| .rsrc | 12333056 | 45994 | 49152 | 3.90229 | e4ea80ee9fb1ed2104e05e49d2dd6397 |
The .vmp0 and .vmp1 section names are VMProtect's; the PEiD matches listed above (PolyEnE, UPolyX) are signature hits on the packed bytes and do not identify the protector, the section names do. .text, .rdata, .data and .vmp0 have a virtual size but a raw size of 0 (their MD5 is that of the empty string, d41d8cd98f00b204e9800998ecf8427e), so everything real lives in .vmp1 and is materialised at run time. Note that .vmp1's entropy of 5.46 sits well below the 7+ usually taken as a compression or encryption indicator: an entropy-only packer heuristic would miss this sample, while the section names would not.
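The table invites a check that reads the section table directly instead of trusting PEiD strings. The block below is an added example, not code from the report or the sample: it parses a PE section table with struct, computes each section's entropy and MD5, and flags the two tells visible above, sections with a raw size of 0 and VMProtect's .vmp section names. Because the sample itself is not available here, build_sample_pe() constructs a PE32 image carrying the report's section names, virtual addresses and virtual sizes; the section contents are invented and chosen so that the .vmp1 stand-in lands near 6 bits per byte, below a 7-bit entropy threshold, just as the real .vmp1 (5.46) would.

```python
"""Section-table parser with the packer checks the report's PE table invites.

Added example, not code from the report or the sample. The section layout
(names, virtual addresses, virtual sizes) is copied from the report's table;
the section contents and the PE image built around them are constructed here.
"""
from __future__ import annotations

import hashlib
import math
import random
import struct

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of zero bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk the COFF section table and annotate each section with packer tells."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        ent = shannon_entropy(raw)
        flags = []
        if name.startswith(".vmp"):
            flags.append("vmprotect-section-name")
        if rawsize == 0 and vsize > 0:
            flags.append("no-raw-data")        # filled in at run time by the unpacker
        if ent > 7.0:
            flags.append("high-entropy")
        out.append({"name": name, "virtual_address": va, "virtual_size": vsize,
                    "raw_size": rawsize, "entropy": round(ent, 5),
                    "md5": hashlib.md5(raw).hexdigest(), "flags": flags})
    return out


def packer_verdict(sections: list[dict]) -> str:
    """Name-based evidence first, layout/entropy heuristics as a fallback."""
    if any("vmprotect-section-name" in s["flags"] for s in sections):
        return "vmprotect"
    empty = sum("no-raw-data" in s["flags"] for s in sections)
    hot = sum("high-entropy" in s["flags"] for s in sections)
    if empty >= 2 or hot:
        return "packed-unknown"
    return "none"


def build_sample_pe() -> bytes:
    """Constructed PE32 whose section table copies the report (contents invented)."""
    rng = random.Random(0x237C)
    # .vmp1 stand-in drawn from 64 distinct byte values: about 6 bits/byte,
    # mirroring the report's 5.46 rather than the 7+ of compressed data.
    vmp1 = bytes(rng.choice(range(0, 256, 4)) for _ in range(4096))
    rsrc = bytes(rng.choice(b"\0\0\0ABCDEFGH") for _ in range(1024))
    layout = [  # (name, virtual_address, virtual_size, raw_bytes); numbers from the report
        (b".text", 4096, 945390, b""),
        (b".rdata", 950272, 4080718, b""),
        (b".data", 5033984, 513418, b""),
        (b".vmp0", 5550080, 1047398, b""),
        (b".vmp1", 6598656, 5733998, vmp1),
        (b".rsrc", 12333056, 45994, rsrc),
    ]
    e_lfanew, size_opt = 0x80, 0xE0
    headers_end = e_lfanew + 4 + 20 + size_opt + 40 * len(layout)
    data_off = (headers_end + 0x1FF) // 0x200 * 0x200      # 512-byte file alignment
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")    # PE32 magic; rest unused here
    table, blobs, ptr = b"", b"", data_off
    for name, va, vsize, raw in layout:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(raw),
                             ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust(data_off, b"\0") + blobs
```

On a real file, pass open(path, "rb").read() to parse_sections(); sections are read at the file offsets given in the table, so the function works on the on-disk image, not on a memory dump, where the zero-raw-size sections would already be populated.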
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://rj.xie6.cn/gengxin.asp?id=7277&bs=MAYI&_r=33025 | |
| teredo.ipv6.microsoft.com | |
| www.huajinv5.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /gengxin.asp?id=7277&bs=MAYI&_r=33025 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: rj.xie6.cn
HTTP/1.1 200 OK
Date: Tue, 18 Apr 2017 09:42:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d38be28357ef20d03ef266dc60784a2ff1492508535; expires=Wed, 18-Apr-18 09:42:15 GMT; path=/; domain=.xie6.cn; HttpOnly
Cache-Control: private
Vary: Accept-Encoding
Set-Cookie: ASPSESSIONIDCSDAARTA=HAINNFNCENPJILMDMMLONEBB; path=/
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3516ac4af3b34f32-DME

Body (a single chunk of 0xe8 = 232 bytes, the same size as the cached gengxin[1].htm; hexadecimal text, not HTML):
e8
416B1BD09594E42FB1E8ADF1280D5C2B5AB6E09F50956C14DC636013AF636312D25D5BEE288489943286E61CDC686615DD646611D9116367D8166613DC116364DD686718DC656217D8156712DC156367DD686718DC616660DC616718D8166619DD116411DD626767DD686618D8156710DD636611
0
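The response body above is worth decoding exactly rather than eyeballing. The block below is an added example, not code from the report or the sample: it rebuilds the captured body (the "e8" chunk-size line, the 232-character hexadecimal payload and the terminating "0" chunk) from the dump above, runs it through a chunked-transfer decoder, and checks the payload's shape. The decoded chunk length matches the 232-byte gengxin[1].htm in the file list, which is how the cache file is tied to this request. What the hex decodes to is not established by the report and the code does not guess; the printable-ratio measure only shows that the decoded bytes are not plain text. CAPTURED_BODY is a reconstruction, with CRLFs restored where the dump prints "..".

```python
"""Decode the chunked reply captured in the report's Traffic section.

Added example, not code from the report or the sample. CAPTURED_BODY is
rebuilt from the capture (chunk-size line "e8", 232 hex characters, final "0"
chunk); the meaning of the hex payload is not known and is not guessed here.
"""
from __future__ import annotations

import re

HEX_PAYLOAD = (
    "416B1BD09594E42FB1E8ADF1280D5C2B5AB6E09F50956C14DC636013AF636312D2"
    "5D5BEE288489943286E61CDC686615DD646611D9116367D8166613DC116364DD686718"
    "DC656217D8156712DC156367DD686718DC616660DC616718D8166619DD116411DD6267"
    "67DD686618D8156710DD636611"
)
# The body as it travelled on the wire; the dump shows each CRLF as "..".
CAPTURED_BODY = b"e8\r\n" + HEX_PAYLOAD.encode() + b"\r\n0\r\n\r\n"


def parse_chunked(body: bytes) -> bytes:
    """RFC 7230 chunked transfer decoding; raises ValueError on broken framing."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)          # trailers, if any, are ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk truncated or not CRLF-terminated")
        out += chunk
        pos += size + 2


def is_malformed(body: bytes) -> bool:
    """True when the framing does not decode (used to reject a bad capture)."""
    try:
        parse_chunked(body)
    except ValueError:
        return True
    return False


def describe_payload(payload: bytes) -> dict:
    """Cheap shape checks: is the payload hex text, and what does it decode to in size?"""
    text = payload.decode("ascii", "replace")
    is_hex = bool(re.fullmatch(r"[0-9A-Fa-f]+", text)) and len(text) % 2 == 0
    decoded = bytes.fromhex(text) if is_hex else b""
    printable = sum(32 <= b < 127 for b in decoded)
    return {
        "length": len(payload),
        "is_hex": is_hex,
        "decoded_length": len(decoded),
        "printable_ratio": printable / len(decoded) if decoded else 0.0,
    }
```

A printable ratio near 1.0 would mean the server answered with hex-encoded text; the value here (well under 0.6) says the 116 decoded bytes are obfuscated or binary, which is the point at which a dynamic trace of how the sample consumes gengxin[1].htm becomes the next step.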
The Worm connects to the servers at the following location(s):
rj.xie6.cn (the GET /gengxin.asp update check shown under Traffic). The remaining names in the URL table are DNS lookups only: www.huajinv5.com is referenced throughout the strings below, while teredo.ipv6.microsoft.com and dns.msftncsi.com are Windows' own Teredo and network-connectivity probes rather than infrastructure of the sample. The request uses a hard-coded User-Agent claiming MSIE 8.0 on Windows NT 5.1 although the sandbox runs Windows 7 SP1; that string and a second hard-coded MSIE 9.0/Windows NT 6.1 one both appear among the strings below, so the user agent combined with the /gengxin.asp and /dlldy.asp paths is a reasonable network detection handle. The strings also pair \Game\League of Legends.exe with \Game\HID.dll and name LolClient.exe and lol.launcher_tencent.exe, which reads as a DLL placed beside the game executable; that step was not observed in this run and remains an inference from strings.
Strings extracted from the sample and from its RWX memory regions:
.text
.rdata
.data
.vmp0
.vmp1
.rsrc
Hjone.dll
kernel32.dll
user32.dll
GetWindowsDirectoryA
MsgWaitForMultipleObjects
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
hXXp://count.2881.com/count/count.asp?id=65494&sx=1&ys=43
C:\HjLol
C:\HjLol\yxtxtp
C:\HjLol\SkinID.ini
C:\HjLol\Xiong
.reloc
comdlg32.dll
COMCTL32.dll
WS2_32.dll
GDI32.dll
user32.dll
WINMM.dll
WINSPOOL.DRV
SHELL32.dll
ShellExecuteA
OLEAUT32.dll
HID.dll
ADVAPI32.dll
USER32.dll
ole32.dll
KERNEL32.dll
Aatrox.Png
Ahri.Png
Akali.Png
Alistar.Png
Amumu.Png
Anivia.Png
Annie.Png
Ashe.Png
AurelionSol.Png
Azir.Png
Bard.Png
Blitzcrank.Png
Brand.Png
Braum.Png
Caitlyn.Png
Camille.png
Cassiopeia.Png
ChoGath.Png
Corki.Png
Darius.Png
Diana.Png
Draven.Png
DrMundo.Png
Ekko.Png
Elise.Png
Evelynn.Png
Ezreal.Png
Fiddlesticks.Png
Fiora.Png
Fizz.Png
Galio.Png
Gangplank.Png
Garen.Png
Gnar.Png
Gragas.Png
Graves.Png
Hecarim.Png
Heimerdinger.Png
Illaoi.Png
Irelia.Png
Ivern.png
Janna.Png
JarvanIV.Png
Jax.Png
Jayce.Png
Jhin.Png
Jinx.Png
Kalista.Png
Karma.Png
Karthus.Png
Kassadin.Png
Katarina.Png
Kayle.Png
Kennen.Png
KhaZix.Png
Kindred.Png
Kled.png
KogMaw.Png
LeBlanc.Png
LeeSin.Png
Leona.Png
Lissandra.Png
Lucian.Png
Lulu.Png
Lux.Png
Malphite.Png
Malzahar.Png
Maokai.Png
MasterYi.Png
MissFortune.Png
MonkeyKing.Png
Mordekaiser.Png
Morgana.Png
Nami.Png
Nasus.Png
Nautilus.Png
Nidalee.Png
Nocturne.Png
Nunu.Png
Olaf.Png
Orianna.Png
Pantheon.Png
Poppy.Png
Quinn.Png
Rammus.Png
RekSai.Png
Renekton.Png
Rengar.Png
Riven.Png
Rumble.Png
Ryze.png
Sejuani.Png
Shaco.Png
Shen.Png
Shyvana.Png
Singed.Png
Sion.Png
Sivir.Png
Skarner.Png
Sona.Png
Soraka.Png
Swain.Png
Syndra.Png
TahmKench.Png
Taliyah.Png
Talon.Png
Taric.Png
Teemo.Png
Thresh.Png
Tristana.Png
Trundle.Png
Tryndamere.Png
TwistedFate.Png
Twitch.Png
Udyr.Png
Urgot.Png
Varus.Png
Vayne.Png
Veigar.Png
VelKoz.Png
Vi.Png
Viktor.Png
Vladimir.Png
Volibear.Png
Warwick.Png
Xerath.Png
XinZhao.Png
Yasuo.Png
Yorick.Png
Zac.Png
Zed.Png
Ziggs.Png
Zilean.Png
Zyra.Png
C:\HjLol\yxtxtp\
MonkeyKing
hXXp://VVV.huajinv5.com/mcgg.txt
hXXp://VVV.huajinv5.com/pf.html
hXXp://VVV.huajinv5.com/V.pf.html
\Hjone.dll
.reloc
__MSVCRT_HEAP_SELECT
CreateIoCompletionPort
GetProcessHeap
KERNEL32.dll
USER32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
GetCPInfo
proxy_AA555.dll
HNetCfg.FwMgr
hXXps://
hXXp://
https
http:
Client: VVV.xie6.cn
https:
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
/gengxin.asp?id=
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
/dlldy.asp?cz=hqfwq&bs=MAYI
/dlldy.asp?cz=hqzjip
0.0.0.0
WinINet.dll
ws2_32.dll
Kernel32.dll
urlmon
URLDownloadToFileA
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
hXXp://VVV.2345.com/?khuajin
\2345Explorer.exe
\Opera.lnk
SOFTWARE\Opera Software\Last Stable Install Path
\launcher.exe
\safari.lnk
SOFTWARE\Apple Computer, Inc.\Safari\BrowserExe
\TheWorld6\Application\TheWorld.exe
\SogouExplorer.exe
SOFTWARE\360Chrome\Chrome\last_install_path
360Chrome\Chrome\Application\360chrome.exe
YYExplorer.exe
UCBrowser.exe
\QQBrowser.exe
liebao.exe
\Juzi.exe
Software\TaoBrowser.exe\
\Internet Exolorer.lnk
Google Chrome.lnk
\Google Chrome.lnk
wshom.ocx
C:\HjLol\dz.ini
\Game\League of Legends.exe
v6.3.1
hXXp://VVV.huajinv5.com/jc.html
Http://Www.HuaJinV5.Com/LolHf
hXXp://VVV.huajinv5.com/xzy/lolhf.html
LolClient.exe
#MonkeyKing
hXXp://wpa.qq.com/msgrd?v=3&uin=704900102&site=qq&menu=yes
League of legends.exe
\Game\hj.ini
\Game\Hid.dll
\Game\HID.dll
385304544
lol.launcher_tencent.exe
704900102
Http://Www.HuaJinV5.Com0
.comment {color:green}hXXp://VVV.huajinv5.com/
Www.HuaJinV5.Com
VVV.huajinv5.com
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
vs.3.sw
vs.2.sw
ps.3.sw
ps.2.sw
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
0123456789ABCDEF1.0.5
inflate 1.1.4 Copyright 1995-2002 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
\d3d9.dll
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
(*.htm;*.html)|*.htm;*.html
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>
burlywood
\winhlp32.exe
VVV.dywt.com.cn
X-X-X-X-X-X
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
IndexedColor
nFaceIndexes
faceIndexes
FloatKeys
TimedFloatKeys
tfkeys
AnimationKey
keyType
nKeys
keys
nUrls
urls
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
WINSPOOL.DRV
COMCTL32.dll
iphlpapi.dll
oledlg.dll
AVIFIL32.dll
MSVFW32.dll
RASAPI32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
1.0.0.0
(hXXp://VVV.eyuyan.com)
1.6.2.1
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
6.3.1.0
%original file name%.exe_1968_rwx_0094B000_00100000:
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
c:\%original file name%.exe
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
%original file name%.exe_1968_rwx_00FB9000_00001000:
ole32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\HjLol\yxtxtp\Irelia.Png (15 bytes)
C:\HjLol\yxtxtp\Aatrox.Png (13 bytes)
C:\HjLol\yxtxtp\Rengar.Png (15 bytes)
C:\HjLol\yxtxtp\Skarner.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\gengxin[1].htm (232 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\errorPageStrings[1] (2 bytes)
C:\HjLol\yxtxtp\Lux.Png (16 bytes)
C:\HjLol\yxtxtp\Malphite.Png (14 bytes)
C:\HjLol\yxtxtp\Gragas.Png (15 bytes)
C:\HjLol\yxtxtp\Xerath.Png (14 bytes)
C:\HjLol\yxtxtp\Nami.Png (14 bytes)
C:\HjLol\yxtxtp\Rammus.Png (15 bytes)
C:\HjLol\yxtxtp\Hecarim.Png (15 bytes)
C:\HjLol\yxtxtp\Brand.Png (15 bytes)
C:\HjLol\yxtxtp\Janna.Png (15 bytes)
C:\HjLol\yxtxtp\Ezreal.Png (16 bytes)
C:\HjLol\yxtxtp\Riven.Png (14 bytes)
C:\HjLol\yxtxtp\Leona.Png (16 bytes)
C:\Hjone.dll (326 bytes)
C:\HjLol\yxtxtp\Ó¢ÃÂÛ÷ÃÂñ.zip (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\navcancl[1] (2 bytes)
C:\HjLol\yxtxtp\Karthus.Png (15 bytes)
C:\HjLol\yxtxtp\Maokai.Png (13 bytes)
C:\HjLol\yxtxtp\Yasuo.Png (15 bytes)
C:\HjLol\yxtxtp\Annie.Png (15 bytes)
C:\HjLol\yxtxtp\Fizz.Png (16 bytes)
C:\HjLol\yxtxtp\Sona.Png (15 bytes)
C:\HjLol\yxtxtp\Singed.Png (15 bytes)
C:\HjLol\yxtxtp\Shaco.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\bullet[1] (447 bytes)
C:\HjLol\yxtxtp\Graves.Png (14 bytes)
C:\HjLol\yxtxtp\Taliyah.Png (13 bytes)
C:\HjLol\yxtxtp\Jax.Png (14 bytes)
C:\HjLol\yxtxtp\Galio.Png (15 bytes)
C:\HjLol\yxtxtp\Kennen.Png (14 bytes)
C:\HjLol\yxtxtp\Nocturne.Png (15 bytes)
C:\HjLol\yxtxtp\Olaf.Png (15 bytes)
C:\HjLol\SkinID.ini (13 bytes)
C:\HjLol\yxtxtp\Garen.Png (16 bytes)
C:\HjLol\yxtxtp\RekSai.Png (14 bytes)
C:\HjLol\yxtxtp\Nautilus.Png (15 bytes)
C:\HjLol\yxtxtp\Blitzcrank.Png (15 bytes)
C:\HjLol\yxtxtp\Udyr.Png (15 bytes)
C:\HjLol\yxtxtp\Morgana.Png (15 bytes)
C:\HjLol\yxtxtp\Corki.Png (15 bytes)
C:\HjLol\yxtxtp\Ekko.Png (14 bytes)
C:\HjLol\yxtxtp\Heimerdinger.Png (16 bytes)
C:\HjLol\yxtxtp\Kindred.Png (14 bytes)
C:\HjLol\yxtxtp\Ryze.png (15 bytes)
C:\HjLol\yxtxtp\Azir.Png (14 bytes)
C:\HjLol\yxtxtp\XinZhao.Png (15 bytes)
C:\HjLol\yxtxtp\Zilean.Png (784 bytes)
C:\HjLol\yxtxtp\Taric.Png (15 bytes)
C:\HjLol\yxtxtp\Veigar.Png (15 bytes)
C:\HjLol\Xiong (974 bytes)
C:\HjLol\yxtxtp\Poppy.Png (15 bytes)
C:\HjLol\yxtxtp\Kalista.Png (15 bytes)
C:\HjLol\yxtxtp\Caitlyn.Png (14 bytes)
C:\HjLol\yxtxtp\Thresh.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\ErrorPageTemplate[1] (2 bytes)
C:\HjLol\yxtxtp\Cassiopeia.Png (13 bytes)
C:\HjLol\yxtxtp\Katarina.Png (14 bytes)
C:\HjLol\yxtxtp\KogMaw.Png (14 bytes)
C:\HjLol\yxtxtp\Rumble.Png (15 bytes)
C:\HjLol\yxtxtp\MonkeyKing.Png (15 bytes)
C:\HjLol\yxtxtp\TwistedFate.Png (14 bytes)
C:\HjLol\yxtxtp\Kled.png (14 bytes)
C:\HjLol\yxtxtp\Mordekaiser.Png (14 bytes)
C:\HjLol\yxtxtp\Tristana.Png (15 bytes)
C:\HjLol\yxtxtp\Braum.Png (14 bytes)
C:\HjLol\yxtxtp\Ivern.png (13 bytes)
C:\HjLol\yxtxtp\Lulu.Png (16 bytes)
C:\HjLol\yxtxtp\Akali.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\errorPageStrings[1] (2 bytes)
C:\HjLol\yxtxtp\AurelionSol.Png (13 bytes)
C:\HjLol\yxtxtp\ChoGath.Png (15 bytes)
C:\HjLol\yxtxtp\Gnar.Png (15 bytes)
C:\HjLol\yxtxtp\Evelynn.Png (15 bytes)
C:\HjLol\yxtxtp\Draven.Png (15 bytes)
C:\HjLol\yxtxtp\Vi.Png (784 bytes)
C:\HjLol\yxtxtp\Jayce.Png (15 bytes)
C:\HjLol\yxtxtp\MasterYi.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\info_48[1] (4 bytes)
C:\HjLol\yxtxtp\Vayne.Png (16 bytes)
C:\HjLol\yxtxtp\Zyra.Png (15 bytes)
C:\HjLol\yxtxtp\Quinn.Png (16 bytes)
C:\HjLol\yxtxtp\LeeSin.Png (13 bytes)
C:\HjLol\yxtxtp\VelKoz.Png (15 bytes)
C:\HjLol\yxtxtp\Ziggs.Png (16 bytes)
C:\HjLol\yxtxtp\Syndra.Png (15 bytes)
C:\HjLol\yxtxtp\Bard.Png (16 bytes)
C:\HjLol\yxtxtp\Varus.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\bullet[1] (447 bytes)
C:\HjLol\yxtxtp\Soraka.Png (784 bytes)
C:\HjLol\yxtxtp\Malzahar.Png (15 bytes)
C:\HjLol\yxtxtp\Warwick.Png (14 bytes)
C:\HjLol\yxtxtp\Lucian.Png (14 bytes)
C:\HjLol\yxtxtp\DrMundo.Png (14 bytes)
C:\HjLol\yxtxtp\Pantheon.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\ErrorPageTemplate[1] (2 bytes)
C:\HjLol\yxtxtp\Diana.Png (15 bytes)
C:\HjLol\yxtxtp\Renekton.Png (14 bytes)
C:\HjLol\yxtxtp\Sivir.Png (15 bytes)
C:\HjLol\yxtxtp\Trundle.Png (15 bytes)
C:\HjLol\yxtxtp\Twitch.Png (15 bytes)
C:\HjLol\yxtxtp\Nidalee.Png (15 bytes)
C:\HjLol\yxtxtp\TahmKench.Png (14 bytes)
C:\HjLol\yxtxtp\Karma.Png (16 bytes)
C:\HjLol\yxtxtp\Swain.Png (14 bytes)
C:\HjLol\yxtxtp\Fiora.Png (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\navcancl[1] (2 bytes)
C:\HjLol\yxtxtp\Yorick.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\dlldy[1].htm (17 bytes)
C:\HjLol\yxtxtp\Fiddlesticks.Png (14 bytes)
C:\HjLol\yxtxtp\Talon.Png (14 bytes)
C:\HjLol\yxtxtp\Elise.Png (14 bytes)
C:\HjLol\yxtxtp\Viktor.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\dlldy[1].htm (43 bytes)
C:\HjLol\yxtxtp\Zac.Png (16 bytes)
C:\HjLol\yxtxtp\LeBlanc.Png (15 bytes)
C:\HjLol\yxtxtp\Illaoi.Png (12 bytes)
C:\HjLol\yxtxtp\Shen.Png (14 bytes)
C:\HjLol\yxtxtp\Teemo.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\background_gradient[1] (453 bytes)
C:\HjLol\yxtxtp\Tryndamere.Png (15 bytes)
C:\HjLol\yxtxtp\Ashe.Png (784 bytes)
C:\HjLol\yxtxtp\Lissandra.Png (15 bytes)
C:\HjLol\yxtxtp\Jhin.Png (13 bytes)
C:\HjLol\yxtxtp\Nunu.Png (16 bytes)
C:\HjLol\yxtxtp\Volibear.Png (15 bytes)
C:\HjLol\yxtxtp\Kassadin.Png (15 bytes)
C:\HjLol\yxtxtp\Vladimir.Png (14 bytes)
C:\HjLol\yxtxtp\Jinx.Png (16 bytes)
C:\HjLol\yxtxtp\Camille.png (14 bytes)
C:\HjLol\yxtxtp\Urgot.Png (15 bytes)
C:\HjLol\yxtxtp\Kayle.Png (15 bytes)
C:\HjLol\yxtxtp\Shyvana.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\61PNU50T.txt (108 bytes)
C:\HjLol\yxtxtp\Darius.Png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\httpErrorPagesScripts[1] (5 bytes)
C:\HjLol\yxtxtp\Ahri.Png (15 bytes)
C:\HjLol\yxtxtp\Sion.Png (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\background_gradient[1] (453 bytes)
C:\HjLol\yxtxtp\JarvanIV.Png (14 bytes)
C:\HjLol\yxtxtp\Anivia.Png (15 bytes)
C:\HjLol\yxtxtp\Nasus.Png (15 bytes)
C:\HjLol\yxtxtp\Orianna.Png (14 bytes)
C:\HjLol\yxtxtp\KhaZix.Png (15 bytes)
C:\HjLol\yxtxtp\Gangplank.Png (14 bytes)
C:\HjLol\yxtxtp\Amumu.Png (15 bytes)
C:\HjLol\yxtxtp\Sejuani.Png (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\info_48[1] (4 bytes)
C:\HjLol\yxtxtp\Zed.Png (15 bytes)
C:\HjLol\yxtxtp\Alistar.Png (14 bytes)
C:\HjLol\yxtxtp\MissFortune.Png (14 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.