Trojan-PSW.Win32.MSNPassword_be55cab52c
Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: be55cab52c112ed43d842478d0e0b3f9
SHA1: c6b26bb2bc90721728397b7d273dfad421e5958e
SHA256: 1c82c21fe1ed9f74dbe19307570465b5c184fe398d788a3d73691dbc899bf608
SSDeep: 49152:WrU nFz6z5cIhehel2UTsxddG McMGrcx0paSqT1Ep5wFv auaLXWkKhM:WgS6l9hWUoxy McMGwx0oSqTk5yP9LXB
Size: 2649061 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-23 18:17:22
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-PSW: a Trojan program intended for stealing users' passwords.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | The worm can send e-mails. |
Process activity
The Trojan-PSW creates the following process(es):
No processes have been created.
The Trojan-PSW injects its code into the following process(es):
WerFault.exe:3708
%original file name%.exe:264
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:264 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
C:\config\options.ini (2494 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__new.bmp (965 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____.bmp (876 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\______.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\________.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____3.bmp (424 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__3.bmp (639 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\TGP.bmp (3 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__.bmp (2497 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\___2.bmp (308 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\____3.bmp (876 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\___1.bmp (340 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\___.bmp (732 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\res.7z (237 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\dict.txt (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__1.bmp (638 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__2.bmp (875 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____2.bmp (596 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\____.bmp (1735 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__4.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____4.bmp (560 bytes)
C:\plugins\normal.dll (823 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____new.bmp (1416 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_______.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\____2.bmp (876 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____1.bmp (516 bytes)
The Trojan-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\res.7z (0 bytes)
Registry activity
The process WerFault.exe:3708 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 C7 2C 9D 77"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
The process %original file name%.exe:264 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\be55cab52c112ed43d842478d0e0b3f9_RASMANCS]
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| c578b6820bda5689940560147c6e5ffc | c:\plugins\normal.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 1.4.7.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: HUNTER.EXE
Internal Name: Hunter
File Version: 1.4.7.0 (win7_rtm.090713-1255)
File Description: Hunter
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1515520 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1519616 | 2621440 | 2621440 | 5.42267 | c546b9c9ccb32dc88667a9dcc129b08c |
| .rsrc | 4141056 | 28672 | 26112 | 3.71805 | 5853f3e610330369a704111897c721f9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://x2.tcdn.qq.com/biz/hero/free.js | |
| hxxp://www.cnblogs.com/Laopengblog/p/6044108.html | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/201_Web_0.jpg | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/31_Web_0.jpg | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/114_Web_0.jpg | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/105_Web_0.jpg | |
| hxxp://nm.ctn.aicdn.com/blog/898984/201703/898984-20170312115817701-1336285413.png | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/104_Web_0.jpg | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/202_Web_0.jpg | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/117_Web_0.jpg | |
| hxxp://nm.ctn.aicdn.com/blog/898984/201703/898984-20170312115811170-344586015.png | |
| hxxp://x2.tcdn.qq.com/images/lol/img/champion2/25_Web_0.jpg | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/117_Web_0.jpg | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/202_Web_0.jpg | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/25_Web_0.jpg | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/114_Web_0.jpg | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/104_Web_0.jpg | |
| hxxp://images2015.cnblogs.com/blog/898984/201703/898984-20170312115811170-344586015.png | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/201_Web_0.jpg | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/31_Web_0.jpg | |
| hxxp://lol.qq.com/biz/hero/free.js | |
| hxxp://images2015.cnblogs.com/blog/898984/201703/898984-20170312115817701-1336285413.png | |
| hxxp://ossweb-img.qq.com/images/lol/img/champion2/105_Web_0.jpg | |
| www.lolhunter.cn |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET /Laopengblog/p/6044108.html HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: VVV.cnblogs.com
HTTP/1.1 200 OK
Date: Thu, 06 Jul 2017 02:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9076
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: private, max-age=10
Expires: Thu, 06 Jul 2017 02:00:09 GMT
Last-Modified: Thu, 06 Jul 2017 01:59:59 GMT
X-UA-Compatible: IE=10
X-Frame-Options: SAMEORIGIN
GET /images/lol/img/champion2/201_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:01 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:01 GMT
Last-Modified: Fri, 27 Jun 2014 02:56:03 GMT
Content-Type: image/jpeg
Content-Length: 5432
X-NWS-LOG-UUID: 23feb5be-504c-4401-bcf5-45c2656faec1
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/31_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:01 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:01 GMT
Last-Modified: Fri, 09 Jan 2015 12:55:45 GMT
Content-Type: image/jpeg
Content-Length: 10062
X-NWS-LOG-UUID: 517c642c-7d39-40f3-85d4-5f5d00d97467
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/114_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:01 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:01 GMT
Last-Modified: Tue, 26 Apr 2016 08:59:42 GMT
Content-Type: image/jpeg
Content-Length: 16465
X-NWS-LOG-UUID: b5bfc15a-e014-4975-ac33-96c54de7ad32
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/105_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:02 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:02 GMT
Last-Modified: Fri, 03 Jan 2014 06:52:51 GMT
Content-Type: image/jpeg
Content-Length: 27169
X-NWS-LOG-UUID: ff3ca33d-b0c9-4df8-9494-bc58ba51800d
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/104_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:02 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:02 GMT
Last-Modified: Thu, 04 Dec 2014 13:42:11 GMT
Content-Type: image/jpeg
Content-Length: 7575
X-NWS-LOG-UUID: 0a1d9596-442a-498c-8671-6d784c547691
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/202_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:03 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:03 GMT
Last-Modified: Tue, 26 Apr 2016 08:59:42 GMT
Content-Type: image/jpeg
Content-Length: 7353
X-NWS-LOG-UUID: 3e256e9b-500f-4fb4-925e-0cbeba33f33e
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/117_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:03 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:03 GMT
Last-Modified: Fri, 03 Jan 2014 06:52:26 GMT
Content-Type: image/jpeg
Content-Length: 49024
X-NWS-LOG-UUID: b1ffc6ee-bec9-4856-a762-3e0be10a2095
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /images/lol/img/champion2/25_Web_0.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ossweb-img.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:05 GMT
Cache-Control: max-age=86400
Expires: Fri, 07 Jul 2017 02:00:05 GMT
Last-Modified: Fri, 03 Jan 2014 06:52:37 GMT
Content-Type: image/jpeg
Content-Length: 54852
X-NWS-LOG-UUID: 70b34f8f-1c29-454d-82f6-1d1a1d04b2ed
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank
GET /blog/898984/201703/898984-20170312115817701-1336285413.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: images2015.cnblogs.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/1.4
Date: Thu, 06 Jul 2017 02:00:02 GMT
Content-Type: image/png
Content-Length: 71425
Connection: keep-alive
X-Request-Id: 8655bf5ce6740fbaec7f6cf3a3b341b8; d626e386a9299153dc4310983be0bc0d
X-Source: U/304
ETag: "52dd674d6a49e844cd69e4b58373e085"
X-Slice-Complete-Length: 71425
Last-Modified: Sun, 12 Mar 2017 03:58:27 GMT
X-Slice-Size: 65536
Expires: Tue, 11 Jul 2017 14:04:19 GMT
Cache-Control: max-age=691200
Accept-Ranges: bytes
Age: 296117
Via: T.101168.H.1, V.mix-hz-fdi-170, T.1426.H.1, M.ctn-fj-foc-007
GET /blog/898984/201703/898984-20170312115811170-344586015.png HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: images2015.cnblogs.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/1.4
Date: Thu, 06 Jul 2017 02:00:03 GMT
Content-Type: image/png
Content-Length: 28551
Connection: keep-alive
X-Request-Id: 92f43295b7485184324c0cc3219bc58a; c4bb76f871ff75ca62602dc9c5c4c8e4
X-Source: U/304
ETag: "76d1368fa8102d922b3b6809bdb957e4"
Last-Modified: Sun, 12 Mar 2017 03:58:20 GMT
Expires: Mon, 03 Jul 2017 15:17:26 GMT
Cache-Control: max-age=691200
Accept-Ranges: bytes
Age: 672939
Via: T.101168.M.1, T.5205.H.1, V.403-zj-fud-206, S.mix-hz-fdi-172, V.mix-hz-fdi-172, T.1427.H.1, M.ctn-fj-foc-007
GET /biz/hero/free.js HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: zh-cn
Referer: hXXp://lol.qq.com/biz/hero/free.js
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: lol.qq.com
HTTP/1.1 200 OK
Server: X2_Platform
Connection: keep-alive
Date: Thu, 06 Jul 2017 02:00:00 GMT
Cache-Control: max-age=120
Expires: Thu, 06 Jul 2017 02:02:00 GMT
Last-Modified: Fri, 30 Jun 2017 02:53:46 GMT
Content-Type: application/x-javascript
Content-Length: 3089
X-NWS-LOG-UUID: e10138aa-5feb-4fac-8472-b3d7c3b57479
X-Cache-Lookup: Hit From Upstream
X-Cache-Lookup: Hit From Disktank
<<< skipped >>>
The Trojan-PSW connects to the servers at the following location(s):
%original file name%.exe_264_rwx_00380000_0001A000:
%original file name%.exe_264_rwx_00401000_003F1000:
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
GetCPInfo
GetWindowsDirectoryA
WinExec
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
1.0.15.507
3, 1233, 0, 0
%original file name%.exe_264_rwx_008D0000_00036000:
.rsrc
f9z.vk
@Microsoft.XMLDOM
dwmapi.dll
Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}{34A715A0-6587-11D0-924A-0020AFC7AC4D}kernel32.dll
ole32.dll
gdiplus.dll
GdiPlus.dll
gdi32.dll
user32.dll
Advapi32.dll
advapi32.dll
User32.dll
ntdll.dll
Ole32.dll
shell32.dll
atl.dll
program internal error number is %d.
:"%s"
:"%s".
GetProcessHeap
&..0`%X
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
1.0.15.507
%original file name%.exe_264_rwx_00960000_00013000:
.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
<fd:%d>
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant
svchost.exe_1584:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
WerFault.exe_3708:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
.Ew;AEwNDEw
Dw.AEw
CBv.TBv7
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
PSShD
tSSh,<
t.PSj6
t5SSh
SShx`
tsShxc
t.Ph0j
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
ÝCD0
#$$$3355<
##$$$335566
% "#$$$3355666=
"#$$33555666
!.DQ$
.Py>o
Kÿg
.ib:?
T3%X_
a,M.cbd
KEYW8
KEYWH
? ?$?(?,?0?4?8?
1 2$2(2,20242
>,?0?4?8?<?@?
?%?5?:?|?
5'565^5{53#3(353_3
=#='= =/=3=7=;=?=
=#=(=>=]=
>!>&>3>}>
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
version.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
WinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
C:\config\options.ini (2494 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__new.bmp (965 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____.bmp (876 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\______.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\________.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____3.bmp (424 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__3.bmp (639 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\TGP.bmp (3 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__.bmp (2497 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\___2.bmp (308 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\____3.bmp (876 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\___1.bmp (340 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\___.bmp (732 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\res.7z (237 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\dict.txt (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__1.bmp (638 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__2.bmp (875 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____2.bmp (596 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\____.bmp (1735 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\__4.bmp (7 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____4.bmp (560 bytes)
C:\plugins\normal.dll (823 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____new.bmp (1416 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_______.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\____2.bmp (876 bytes)
C:\Users\"%CurrentUserName%"\Documents\LOLHunter\_____1.bmp (516 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.