Trojan.Win32.FlyStudio_58b1fc28bc

by malwarelabrobot on April 9th, 2018 in Malware Descriptions.

Gen:Variant.Symmi.79132 (BitDefender), HEUR:HackTool.Win32.Generic (Kaspersky), Gen:Variant.Symmi.79132 (B) (Emsisoft), Packed-LF!58B1FC28BCB6 (McAfee), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Trojan.Win32.FlyStudio.FD, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, HackTool, Packed, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 58b1fc28bcb6932bd5bbca328213007d
SHA1: fa89f63119a350ac22c2755cb89e5a3c9c92795e
SHA256: 576fa9c8e92c0451497dee614bb6118844f53bf4847e3167eda4668c50c91966
SSDeep: 98304:qwvzutruoi6xQh3RJ4b12v d0Yb14lpS6WM0JVtkAAd9BNaeW1t:7x37C1Rd/1ef5AAd9BUeW1t
Size: 5144576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2018-01-23 08:05:46
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2692

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ereg.dll (86 bytes)
C:\模块支持库.dll (413 bytes)
C:\eylogin.dll (148 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779\TemporaryFile\TemporaryFile (0 bytes)

Registry activity

The process %original file name%.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\AppID\EyLogin.DLL]
"AppID" = "{C9B61D58-7E6F-421B-8BB1-4A0788556660}"

[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\VersionIndependentProgID]
"(Default)" = "EyLogin.EyLoginSoft"

[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\0\win32]
"(Default)" = "c:\eylogin.dll"

[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib]
"(Default)" = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"

[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}]
"(Default)" = "IEyLoginSoft"

[HKCR\EyLogin.EyLoginSoft.1\CLSID]
"(Default)" = "{3674FE01-AB81-4659-AFA0-1245D0E1531B}"

[HKCR\EyLogin.EyLoginSoft\CurVer]
"(Default)" = "EyLogin.EyLoginSoft.1"

[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\TypeLib]
"(Default)" = "{F8560BB6-C0D0-415B-B950-99F35E2F5385}"

[HKCR\EyLogin.EyLoginSoft\CLSID]
"(Default)" = "{3674FE01-AB81-4659-AFA0-1245D0E1531B}"

[HKCR\EyLogin.EyLoginSoft.1]
"(Default)" = "EyLoginSoft Class"

[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{C9B61D58-7E6F-421B-8BB1-4A0788556660}]
"(Default)" = "EyLogin"

[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCR\EyLogin.EyLoginSoft]
"(Default)" = "EyLoginSoft Class"

[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\ProgID]
"(Default)" = "EyLogin.EyLoginSoft.1"

[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0]
"(Default)" = "EyLogin 1.0 类型库"

[HKCR\TypeLib\{F8560BB6-C0D0-415B-B950-99F35E2F5385}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}]
"(Default)" = "EyLoginSoft Class"

[HKCR\CLSID\{3674FE01-AB81-4659-AFA0-1245D0E1531B}\InprocServer32]
"(Default)" = "c:\eylogin.dll"

[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{795BE5A8-09BE-47E2-B920-3215F46989FB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

Dropped PE files

MD5 File path
22925b4bbdb41b5b5893e93e08daa228 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\5071779\TemporaryFile\TemporaryFile
6bd31bbbfc19693f93329e3c7286f5e3 c:\ereg.dll
c5babd2ae6f9b67867204263fe25f200 c:\eylogin.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??
Product Name: ????[5.8]
Product Version: 5.8.0.0
Legal Copyright: By:????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.8.0.0
File Description: ?????
Comments: ??????????(http://www.dywt.com.cn)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 5513216 3973120 5.54514 4554f8ed96e80270d597d271ed9966f4
. 5517312 1142784 1142784 5.11316 42877dc0038c0f57c9fd1fd5056e22fc
.idata 6660096 4096 4096 1.13711 d99875c541bd3321fcdb59d256dcb1bb
.rsrc 6664192 8192 8192 3.64783 8c0d50329d2042101712d81eae547eeb
. 6672384 4096 4096 5.53311 2c0a6fa60c5c7e5792daeb4b0ed80b5b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ereg.dll (86 bytes)
    C:\模块支持库.dll (413 bytes)
    C:\eylogin.dll (148 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
