Trojan.Win32.FlyStudio_58b1fc28bc
Gen:Variant.Symmi.79132 (BitDefender), HEUR:HackTool.Win32.Generic (Kaspersky), Gen:Variant.Symmi.79132 (B) (Emsisoft), Packed-LF!58B1FC28BCB6 (McAfee), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Trojan.Win32.FlyStudio.FD, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, HackTool, Packed, Malware
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 58b1fc28bcb6932bd5bbca328213007d
SHA1: fa89f63119a350ac22c2755cb89e5a3c9c92795e
SHA256: 576fa9c8e92c0451497dee614bb6118844f53bf4847e3167eda4668c50c91966
SSDeep: 98304:qwvzutruoi6xQh3RJ4b12v d0Yb14lpS6WM0JVtkAAd9BNaeW1t:7x37C1Rd/1ef5AAd9BUeW1t
Size: 5144576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2018-01-23 08:05:46
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2692
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ereg.dll (86 bytes)
C:\Ä£¿éÖ§³Ö¿â.dll (413 bytes)
C:\eylogin.dll (148 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779\TemporaryFile\TemporaryFile (0 bytes)
Registry activity
The process %original file name%.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\AppID\EyLogin.DLL]
"AppID" = "{C9B61D58-7E6F-421B-8BB1-4A0788556660}"
[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\VersionIndependentProgID]
"(Default)" = "EyLogin.EyLoginSoft"
[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\0\win32]
"(Default)" = "c:\eylogin.dll"
[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib]
"(Default)" = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"
[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}]
"(Default)" = "IEyLoginSoft"
[HKCR\EyLogin.EyLoginSoft.1\CLSID]
"(Default)" = "{3674FE01-AB81-4659-AFA0-1245D0E1531B}"
[HKCR\EyLogin.EyLoginSoft\CurVer]
"(Default)" = "EyLogin.EyLoginSoft.1"
[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\TypeLib]
"(Default)" = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"
[HKCR\EyLogin.EyLoginSoft\CLSID]
"(Default)" = "{3674FE01-AB81-4659-AFA0-1245D0E1531B}"
[HKCR\EyLogin.EyLoginSoft.1]
"(Default)" = "EyLoginSoft Class"
[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{C9B61D58-7E6F-421B-8BB1-4A0788556660}]
"(Default)" = "EyLogin"
[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\HELPDIR]
"(Default)" = "c:"
[HKCR\EyLogin.EyLoginSoft]
"(Default)" = "EyLoginSoft Class"
[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\ProgID]
"(Default)" = "EyLogin.EyLoginSoft.1"
[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0]
"(Default)" = "EyLogin 1.0 ÀàÃÂÿâ"
[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}]
"(Default)" = "EyLoginSoft Class"
[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32]
"(Default)" = "c:\eylogin.dll"
[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
Dropped PE files
MD5 | File path |
---|---|
22925b4bbdb41b5b5893e93e08daa228 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779\TemporaryFile\TemporaryFile |
6bd31bbbfc19693f93329e3c7286f5e3 | c:\ereg.dll |
c5babd2ae6f9b67867204263fe25f200 | c:\eylogin.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??
Product Name: ????[5.8]
Product Version: 5.8.0.0
Legal Copyright: By:????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.8.0.0
File Description: ?????
Comments: ??????????(http://www.dywt.com.cn)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 5513216 | 3973120 | 5.54514 | 4554f8ed96e80270d597d271ed9966f4 |
. | 5517312 | 1142784 | 1142784 | 5.11316 | 42877dc0038c0f57c9fd1fd5056e22fc |
.idata | 6660096 | 4096 | 4096 | 1.13711 | d99875c541bd3321fcdb59d256dcb1bb |
.rsrc | 6664192 | 8192 | 8192 | 3.64783 | 8c0d50329d2042101712d81eae547eeb |
. | 6672384 | 4096 | 4096 | 5.53311 | 2c0a6fa60c5c7e5792daeb4b0ed80b5b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ereg.dll (86 bytes)
C:\Ä£¿éÖ§³Ö¿â.dll (413 bytes)
C:\eylogin.dll (148 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.