Gen:Trojan.Heur.RP.0EW@aatcOWjj (B) (Emsisoft), Gen:Trojan.Heur.RP.0EW@aatcOWjj (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d9fff224eb4fbccb053f2cd2f9870eb3
SHA1: 7df8aba596b625954d86de78ecc72842a697eecd
SHA256: 4619f0def72937d87cd814ef2b32701a140c72df2143e34d78d6c67d6d2f949e
SSDeep: 49152:ZXJe4uelwfgRMY8KuGAP 32y8KL3z5v8aRCPUk2qLr6k8:RJe4NCfgnAGMaXLVEaRaeq/6k8
Size: 2952704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-19 11:39:03
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
winnet.exe:1780
The Trojan injects its code into the following process(es):
%original file name%.exe:1908
Reality.log:2932
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\winnet.exe (72 bytes)
C:\Windows\winnet.dll (125 bytes)
C:\tbbmalloc.exe (359 bytes)
The process winnet.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QIXNH8A0.txt (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H5UXBDU3.txt (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LGPBOI6P.txt (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (2712 bytes)
C:\Windows\LSP.dll (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZSHEDCO8.txt (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1464 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\360_cn[1].htm (184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FD1DA35A7CC73400775DD44892329357 (380 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\aliyun_com[1].htm (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (2032 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FD1DA35A7CC73400775DD44892329357 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1236 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (278 bytes)
C:\Windows\winnet.dll (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\126_com[1].htm (10 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jingdong_com[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\D:\]
"login.exe" = "DisableNXShowUI"
The process winnet.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60101"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-100"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"ProtocolName" = "LR_LSP"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-101"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1124"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-103"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] SEQPACKET 2"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"ProtocolName" = "LR_LSP"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "21"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60100"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-102"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 1"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60102"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] DATAGRAM 3"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 1"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "43"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"ProtocolName" = "VMCI sockets DGRAM"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] DATAGRAM 2"
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 0"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"ProtocolName" = "LR_LSP"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] SEQPACKET 3"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 0"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60101"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60100"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60102"
[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"ProtocolName" = "LR_LSP"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"ProtocolName" = "VMCI sockets STREAM"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002C]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002B]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002A]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 9e6bb4361ee32703cff0d82d4e5b2e34 | c:\Windows\LSP.dll |
| 74fd54dafeda3b2a8bd33129dcdd3087 | c:\Windows\winnet.dll |
| 9343169d6cf4ff200bf12a5b189efc4c | c:\Windows\winnet.exe |
| 0ce89ea9135afb535e047fcd5af8f14f | c:\tbbmalloc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
winnet.exe:1780
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\winnet.exe (72 bytes)
C:\Windows\winnet.dll (125 bytes)
C:\tbbmalloc.exe (359 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QIXNH8A0.txt (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H5UXBDU3.txt (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LGPBOI6P.txt (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (2712 bytes)
C:\Windows\LSP.dll (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZSHEDCO8.txt (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1464 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\360_cn[1].htm (184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FD1DA35A7CC73400775DD44892329357 (380 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\aliyun_com[1].htm (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (2032 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FD1DA35A7CC73400775DD44892329357 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1236 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\126_com[1].htm (10 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 31159 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 36864 | 10056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 49152 | 12812 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp0 | 65536 | 2982386 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 3051520 | 2664720 | 2664960 | 5.42596 | 1f086447083577b94a21f8755a4c7f50 |
.reloc | 5718016 | 224 | 512 | 1.97216 | 8f958fd3e1adf85a0e51b7152ca3eb98 |
.rsrc | 5722112 | 286205 | 286208 | 1.88602 | a9bf22c4a148bad28e02ff4bea303059 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://opthw.xdwscache.speedcdns.com/ | |
hxxp://www.taobao.com.danuoyi.tbcache.com/ | 213.244.178.246 |
hxxp://a1574.b.akamai.net/ | |
hxxp://p18077.cdnga.net/ | |
hxxp://www.jingdong.com/ | 211.152.123.110 |
hxxp://www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com/ | |
hxxp://www.360.cn/ | 106.120.167.67 |
hxxp://email.163.com.lxdns.com/ | |
hxxp://www.a.shifen.com/ | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
hxxp://ocsp-services.uzto.netdna-cdn.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw= | |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== | |
hxxp://ocsp-services.uzto.netdna-cdn.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb | |
hxxp://ocsp-services.uzto.netdna-cdn.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI= | |
hxxp://crl.uzto.netdna-cdn.com/wosign-ovca.crl | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://www.baidu.com/ | 115.239.211.112 |
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= | 23.52.27.27 |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | 172.217.20.174 |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | 172.217.20.174 |
hxxp://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso | 23.111.11.211 |
hxxp://www.126.com/ | 176.34.63.150 |
hxxp://www.sina.com.cn/ | 87.118.248.106 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.52.27.27 |
hxxp://www.163.com/ | 203.130.61.92 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 62.140.236.171 |
hxxp://www.aliyun.com/ | 47.88.128.162 |
hxxp://wosign.crl.certum.pl/wosign-ovca.crl | 23.111.11.210 |
hxxp://www.taobao.com/ | 213.244.178.246 |
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | 104.16.26.216 |
hxxp://www.qq.com/ | 2.21.89.27 |
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | 23.52.27.27 |
hxxp://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb | 23.111.11.211 |
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw= | 23.52.27.27 |
hxxp://wosign-ovca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI= | 23.111.11.211 |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== | 104.16.26.216 |
www.jd.com | 192.229.133.187 |
intl.aliyun.com | 47.88.128.161 |
www.sogou.com | 106.38.241.37 |
world.taobao.com | 213.244.178.246 |
www.wdcrf.net | 120.76.76.66 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:00 GMT
Content-Type: application/ocsp-response
Content-Length: 1702
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: squid/3.5.20
Content-Type: text/html; charset=GB2312
Cache-Control: max-age=59
Expires: Thu, 23 Mar 2017 06:33:42 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.aliyun.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Thu, 23 Mar 2017 06:33:27 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: hXXps://intl.aliyun.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<h1>301 Moved Permanently</h1>
<p>The requested resource has been assigned a new permanent URI.</p>
<hr/>Powered by Tengine</body>
</html>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.taobao.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: Tengine
Date: Thu, 23 Mar 2017 06:32:43 GMT
Content-Type: text/html
Content-Length: 258
Connection: keep-alive
Location: hXXps://VVV.taobao.com/
Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 23-Mar-18 06:32:43 GMT;
Strict-Transport-Security: max-age=31536000
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<h1>302 Found</h1>
<p>The requested resource resides temporarily under a different URI.</p>
<hr/>Powered by Tengine</body>
</html>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.126.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2017 06:33:45 GMT
Content-Type: text/html
Content-Length: 97571
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT
Vary: Accept-Encoding
Expires: Thu, 23 Mar 2017 06:42:07 GMT
Cache-Control: max-age=3600
X-Cache: HIT from HKGM
Accept-Ranges: bytes
X-Cache: from ntes_hw
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.sina.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:13 GMT
Server: PWS/8.2.0.7
X-Px: ht h0-s2004.p0-mow.cdngp.net
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:33:17 GMT
Age: 56
Accept-Ranges: bytes
Content-Length: 601537
Content-Type: text/html
Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT
X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Cache-Control: max-age = 440358
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 Nov 2013 13:12:21 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1454
content-transfer-encoding: binary
Cache-Control: max-age=354606, public, no-transform, must-revalidate
Last-Modified: Mon, 20 Mar 2017 08:59:30 GMT
Expires: Mon, 27 Mar 2017 08:59:30 GMT
Date: Thu, 23 Mar 2017 06:33:40 GMT
Connection: keep-alive
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.jingdong.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: hXXps://VVV.jd.com/
Connection: close
GET /wosign-ovca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign.crl.certum.pl
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:10 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 3201
Connection: keep-alive
Last-Modified: Wed, 22 Mar 2017 18:07:06 GMT
ETag: "30032-c81-a0d26680"
X-Cached: EXPIRED
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes
<<< skipped >>>
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Oct 2013 05:02:51 GMT
If-None-Match: "8071417b63bece1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 02 Dec 2015 18:30:06 GMT
Accept-Ranges: bytes
ETag: "0cb60772f2dd11:0"
Server: Microsoft-IIS/8.5
VTag: 279498805900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 530
Cache-Control: max-age=900
Date: Thu, 23 Mar 2017 06:33:46 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign-ovca.ocsp-certum.com
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:08 GMT
Content-Type: application/ocsp-response
Content-Length: 1539
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: HIT
Server: NetDNA-cache/2.2
X-Cache: HIT
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.126.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2017 06:33:15 GMT
Content-Type: text/html
Content-Length: 97571
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT
Vary: Accept-Encoding
Expires: Thu, 23 Mar 2017 06:42:07 GMT
Cache-Control: max-age=3600
X-Cache: HIT from HKGM
Accept-Ranges: bytes
X-Cache: from ntes_hw
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=1FE0E7E4BC8E601C299EA5EE14A6305E:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=1FE0E7E4BC8E601C299EA5EE14A6305E; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1490250765; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=1430_21108_17001_20928; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Cache-Control: private
Cxy_all: baidu c8e00989edf39554a0508b60b12bc5b0
Expires: Thu, 23 Mar 2017 06:32:19 GMT
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 1
BDQID: 0xd0ec947b000102a5
BDUSERID: 0
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=409215, public, no-transform, must-revalidate
Last-Modified: Tue, 21 Mar 2017 00:09:19 GMT
Expires: Tue, 28 Mar 2017 00:09:19 GMT
Date: Thu, 23 Mar 2017 06:32:50 GMT
Connection: keep-alive
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.9
Date: Thu, 23 Mar 2017 06:32:44 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXps://VVV.360.cn
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.2.9</center>..</body>..</html>....
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.sina.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:44 GMT
Server: PWS/8.2.0.7
X-Px: ht h0-s2004.p0-mow.cdngp.net
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:34:17 GMT
Age: 27
Accept-Ranges: bytes
Content-Length: 601537
Content-Type: text/html
Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT
X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218
Connection: keep-alive
<!DOCTYPE html>.<!-- [ published at 2017-03-23 14:31:17 ] -->.<html>.<head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8" />. <meta http-equiv="X-UA-Compatible" content="IE=edge" />. <title>............</title>..<meta name="keywords" content="......,.........,SINA,sina,sina.com.cn,............,......,......" />..<meta name="description" content="........................24........................................................................................................................................................................................................................30......................................................................................." />. <link rel="mask-icon" sizes="any" href="hXXp://VVV.sina.com.cn/favicon.svg" color="red">..<meta name="stencil" content="PGLS000022" />..<meta name="publishid" content="30,131,1" />..<meta name="verify-v1" content="6HtwmypggdgP1NLw7NOuQBI2TW8 CfkYCoyeB8IDbn8=" />..<meta name="360-site-verification" content="63349a2167ca11f4b9bd9a8d48354541" />..<meta name="application-name" content="............"/>..<meta name ="msapplication-TileImage" content="hXXp://i1.sinaimg.cn/dy/deco/2013/0312/logo.png"/>..<meta name="msapplication-TileColor" content="#ffbf27"/>..<meta name="sogou_site_verification" content="Otg5irx9wL"/>.<link rel="apple-touch-icon" href="hXXp://i3.sinaimg.cn/home/2013/0331/U586P30DT2
<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:58 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d49fc2a38117f47ba398cc4839209165c1490250778; expires=Fri, 23-Mar-18 06:32:58 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Thu, 23 Mar 2017 03:29:27 GMT
Expires: Mon, 27 Mar 2017 03:29:27 GMT
ETag: "8884992b1de4c69d057ebd82700de9fc67bd5c87"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 343f5b4641a14f4a-DME
0..........0..... .....0......0...0.......M........u....%...G..20170323032927Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|..EK.....L........20170323032927Z....20170327032927Z0...*.H.............0.-J.^s ....Q....A.A..A.].O....e. N.%b!"_)...wK...Z...0.`./.b7..>.e.#..(..n.._......W.0.9...E...|..D..3.m...iU..F......"L.h2cp.....1...3.......)..5.}....c.d....O..5.(.....z.UyZyB..../^..:C ...T.......gsp. :......k..().....Z~.(..*....&..OA.=o...........3......K0..G0..C0.. .......o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...170213071103Z..170516071103Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....2017021315051M0K..U...DGlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..............=.. {.o...../...;[...!.._..3.......i{.."...I1....... w\...&..%....2...4.....f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y...".2b....~...........E..U_..Y[....b.G'}..^-.....:.mo......=........)x..k....N
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.baidu.com
Cache-Control: no-cache
Cookie: BAIDUID=1FE0E7E4BC8E601C299EA5EE14A6305E:FG=1; BIDUPSID=1FE0E7E4BC8E601C299EA5EE14A6305E; PSTM=1490250765; H_PS_PSSID=1430_21108_17001_20928; BDSVRTM=0; BD_HOME=0
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:15 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu dda8f4b3a5e3bbe4dec65d42ded924a4
Expires: Thu, 23 Mar 2017 06:33:03 GMT
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 1
BDQID: 0xeaffe3270000f7ed
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=1430_21108_17001_20928; path=/; domain=.baidu.com
18eee..<!DOCTYPE html>.<!--STATUS OK-->............................................................................................... ..... ........ ........ ........ ..... ..... ..... ........ ........ ........ ..... ..........................<html>.<head>. . <meta http-equiv="content-type" content="text/html;charset=utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=Edge">..<meta content="always" name="referrer">. <meta name="theme-color" content="#2932e1">. <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />. <link rel="search" type="application/opensearchdescription xml" href="/content-search.xml" title="............" /> . <link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg">......<link rel="dns-prefetch" href="//s1.bdstatic.com"/>..<link rel="dns-prefetch" href="//t1.baidu.com"/>..<link rel="dns-prefetch" href="//t2.baidu.com"/>..<link rel="dns-prefetch" href="//t3.baidu.com"/>..<link rel="dns-prefetch" href="//t10.baidu.com"/>..<link rel="dns-prefetch" href="//t11.baidu.com"/>..<link rel="dns-prefetch" href="//t12.baidu.com"/>..<link rel="dns-prefetch" href="//b1.bdstatic.com"/>. . <title>...........................</title>. ..<style id="css_index" index="index" type="text/css">html,body{height:100%}.html{overflow-y:auto}.body{font
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.9
Date: Thu, 23 Mar 2017 06:33:07 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXps://VVV.360.cn
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.2.9</center>..</body>..</html>....
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.126.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2017 06:32:44 GMT
Content-Type: text/html
Content-Length: 97571
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT
Vary: Accept-Encoding
Expires: Thu, 23 Mar 2017 06:42:07 GMT
Cache-Control: max-age=3600
X-Cache: HIT from HKGM
Accept-Ranges: bytes
X-Cache: from ntes_hw
<!DOCTYPE html>..<html>..<head>..<meta charset="utf-8" />..<link rel="dns-prefetch" href="hXXp://mimg.127.net">..<link rel="dns-prefetch" href="hXXps://mail.126.com">..<link rel="dns-prefetch" href="hXXp://iplocator.mail.163.com">..<meta name="description" content="......126............--...........................14........................................................................98%..........................................3G...............................................................">..<meta name="keywords" content="...............................................................126........................mail...email.........">..<title>126...............--........................</title>..<link rel="shortcut icon" href="hXXp://VVV.126.com/favicon.ico" />..<style type="text/css">../* css reset */..body{color:#000;background:#fff;font-size:12px;line-height:166.6%;text-align:center;}..body.move{-webkit-transition:padding 0.3s ease;-moz-transition:padding 0.3s ease;-o-transition:padding 0.3s ease;-ms-transition:padding 0.3s ease;transition:padding 0.3s ease;}..body,input,select,button{font-family:verdana}..h1,h2,h3,select,input,button{font-size:100%}..body,h1,h2,h3,ul,li,form,p,img{margin:0;padding:0;border:0}..input,button,select,img{margin:0;line-height:normal}..select{padding:1px}..ul{list-style:none}..select,input,button,button img,label{vertical-align:middle}..header,footer,section,aside,nav,hgroup,figure,figcaption{disp
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.qq.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: squid/3.5.20
Content-Type: text/html; charset=GB2312
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:34:19 GMT
Date: Thu, 23 Mar 2017 06:33:19 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
0000C000..<!DOCTYPE html>.<html lang="zh-CN">.<head>.<meta content="text/html; charset=gb2312" http-equiv="Content-Type">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<title>........</title>.<script type="text/javascript">.if(window.location.toString().indexOf('pref=padindex') != -1){.}else{..if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){ . if(window.location.href.indexOf("?mobile")<0){...try{....if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){.....window.location.href="hXXp://xw.qq.com/index.htm";....}else if(/iPad/i.test(navigator.userAgent)){. //window.location.href="hXXp://VVV.qq.com/pad/"....}else{.....window.location.href="hXXp://xw.qq.com/simple/s/index/"....}...}catch(e){}..}..}.}.</script>.<script type="text/javascript">var QosSS=new Object();QosSS.t=new Array([0,0,0]);QosSS.t[0]=(new Date()).getTime();</script>.<meta name="apple-itunes-app" content="app-id=660653351">.<meta content="....,....,....,....,....,NBA,....,......,....,QQ,Tencent" name="Keywords">.<meta name="description" content="......(VVV.QQ.com)...............................................................................................................................................................................................
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Expires: Thu, 23 Mar 2017 06:34:03 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: nginx
Content-Type: text/html; charset=GBK
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent,Accept
Cache-Control: max-age=80
X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
8000.. <!DOCTYPE HTML>.<!--[if IE 6 ]> <html class="ne_ua_ie6 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 7 ]> <html class="ne_ua_ie7 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 8 ]> <html class="ne_ua_ie8 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 9 ]> <html class="ne_ua_ie9" id="ne_wrap"> <![endif]-->.<!--[if (gte IE 10)|!(IE)]><!--> <html phone="1" id="ne_wrap"> <!--<![endif]-->.<head>.<meta http-equiv="Content-Type" content="text/html; charset=gbk">.<meta name="model_url" content="hXXp://VVV.163.com/special/0077rt/index.html" />.<title>....</title>.<base target="_blank" />.<meta name="Keywords" content="....,....,....,....,....,....,....,....,....,....,....,....,....,....,....,...." />.<meta name="Description" content="..............................................................................................30.........................................................." />.<meta name="robots" content="index, follow" />.<meta name="googlebot" content="index, follow" />.<script type="text/javascript">.(function() {. if(/s=noRedirect/i.test(location.search)) return; . if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))) {. try {. if(/Andr
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.jingdong.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: hXXps://VVV.jd.com/
Connection: close
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.sina.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: PWS/8.2.0.7
X-Px: rf-ms h0-s2004.p0-mow ( h0-s2001.p0-mow), ht h0-s2001.p0-mow.cdngp.net
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:33:17 GMT
Age: 26
Accept-Ranges: bytes
Content-Length: 601537
Content-Type: text/html
Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT
X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218
Connection: keep-alive
<!DOCTYPE html>.<!-- [ published at 2017-03-23 14:31:17 ] -->.<html>.<head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8" />. <meta http-equiv="X-UA-Compatible" content="IE=edge" />. <title>............</title>..<meta name="keywords" content="......,.........,SINA,sina,sina.com.cn,............,......,......" />..<meta name="description" content="........................24........................................................................................................................................................................................................................30......................................................................................." />. <link rel="mask-icon" sizes="any" href="hXXp://VVV.sina.com.cn/favicon.svg" color="red">..<meta name="stencil" content="PGLS000022" />..<meta name="publishid" content="30,131,1" />..<meta name="verify-v1" content="6HtwmypggdgP1NLw7NOuQBI2TW8 CfkYCoyeB8IDbn8=" />..<meta name="360-site-verification" content="63349a2167ca11f4b9bd9a8d48354541" />..<meta name="application-name" content="............"/>..<meta name ="msapplication-TileImage" content="hXXp://i1.sinaimg.cn/dy/deco/2013/0312/logo.png"/>..<meta name="msapplication-TileColor" content="#ffbf27"/>..<meta name="sogou_site_verification" content="Otg5irx9wL"/>.<link rel="apple-touch-icon" href="hXXp://i3.sinaimg.cn/home/2013/0331/U586P30DT2
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=469987, public, no-transform, must-revalidate
Last-Modified: Tue, 21 Mar 2017 17:05:05 GMT
Expires: Tue, 28 Mar 2017 17:05:05 GMT
Date: Thu, 23 Mar 2017 06:32:55 GMT
Connection: keep-alive
0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....20170321170505Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C......~..Mb.v.:U.R.J....20170321170505Z....20170328170505Z0...*.H.............Fx<."2.........t.wU...........\.......... ,@........../=....\..W.xb....J.=.y.p......<.....j....... .W.....d....../..F..K...Z.....^o..\f...W_..T.0f{d..o...f..V.....M..Z.f.....&..1MV_.Q) ...<..q.....d.-..\?..`Y....*B.......>V..F>...r..nX.3.........X.NOS~..G....n0..j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&Symantec Class 3 Secure Server CA - G40...170204000000Z..170505235959Z0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Responder0.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0....!....Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...X.{.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..*./.......b..Q4...H.s.........(...toW...9...............&...D...{T{........4.;/pa<...........0...0... .....0......0"..U....0...0.1.0...U....TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u.....x..7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........http://VVV.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0...*.H.............x..b5XG.........T^2.....T..............zq.............f....#|.....P...R.....]...la.(.21{...C.....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=451642, public, no-transform, must-revalidate
Last-Modified: Tue, 21 Mar 2017 12:00:18 GMT
Expires: Tue, 28 Mar 2017 12:00:18 GMT
Date: Thu, 23 Mar 2017 06:32:56 GMT
Connection: keep-alive
0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....20170321120018Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C....$5J.?...;;.#.<......20170321120018Z....20170328120018Z0...*.H...............~."....7..@....].WD..2a.....F......A.......Ph.E........z...u........M..........5L.V6.....~.].3Z....&z...Z....... .....9...3 M..{.aU..U...- .=....A...<..... .x..t...Cuy!7 Yv'.W.yS....=...s...?6....AmW]...@.t@vwX.s.H8.nN/P ..._.TaL/>.....rFY...g..4D}.d.......n0..j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&Symantec Class 3 Secure Server CA - G40...170204000000Z..170505235959Z0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Responder0.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0....!....Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...X.{.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..*./.......b..Q4...H.s.........(...toW...9...............&...D...{T{........4.;/pa<...........0...0... .....0......0"..U....0...0.1.0...U....TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u.....x..7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://www.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0...*.H.............x..b5XG.........T^2.....T..............zq.............f....#|.....P...R.....]...la.(.21{...C.....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3.....&l
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.9
Date: Thu, 23 Mar 2017 06:33:44 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXps://VVV.360.cn
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.2.9</center>..</body>..</html>....
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.aliyun.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Thu, 23 Mar 2017 06:32:44 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: hXXps://intl.aliyun.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<h1>301 Moved Permanently</h1>..<p>The requested resource has been assigned a new permanent URI.</p>..<hr/>Powered by Tengine</body>..</html>....
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:54 GMT
Content-Type: application/ocsp-response
Content-Length: 1657
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT
0..u......n0..j.. .....0.....[0..W0..0........0..1.0...U....PL1!0...U....Asseco Data Systems S.A.1'0%..U....Certum Certification Authority1%0#..U....Certum CA Validation Service..20170323061937Z0r0p0H0... ......y...bOm..(y.Y6B...}n...C..m.....i..J.`.:........@.eq_..(....(....20170323061937Z....20170330061937Z..0.0... .....0....0... .....0..0...*.H........... 1.......b.p..BV. .V&.S,......7a\..Y...g% .B#{khJ.B4I.~.N R.":..^8.5.t....)...W\...N ..(L..M.....Z..N....7)...w6r..;....Y...C..{..O.....[\.u.......TH.......\....6..e.#{.D[...$....i .8..KZ.......@V8.... 1........qx.(..)DR....fiUb;......P.A..../....v............0...0...0....................#=Xr..Q0...*.H........0>1.0...U....PL1.0...U....Unizeto Sp. z o.o.1.0...U....Certum CA0...161220101836Z..180120101836Z0..1.0...U....PL1!0...U....Asseco Data Systems S.A.1'0%..U....Certum Certification Authority1%0#..U....Certum CA Validation Service0.."0...*.H.............0..........3..>......]{7..\...$vl.....V......T...-.:.....y..'...X..}.fA\...._.Uxl6.ti %.SS..#. Z.5.G"..S.....)Q...!..P....~0..32...Bmd...%.2...D.....J.........6....O.u..vm.l..V.'.L.4.._....\.eK...MI.F.;H.;..%...KZ...H;e ..9.2..A.b......F.T..._........DY2...2Z#L.D0)........0..0...U.......0.0...U.......L.oh.....2......|.=0R..U.#.K0I.B.@0>1.0...U....PL1.0...U....Unizeto Sp. z o.o.1.0...U....Certum CA.... 0...U...........0...U.%..0... .......0... .....0......0...*.H.............,.....D...,.c...<..............G..~Uug.....q6).g&..."....B..k...{.(.S... 5...x.>......K.ks.....S...]R......n....q.Y.i>
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Expires: Thu, 23 Mar 2017 06:34:03 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: nginx
Content-Type: text/html; charset=GBK
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent,Accept
Cache-Control: max-age=80
Age: 61
X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
8000.. <!DOCTYPE HTML>.<!--[if IE 6 ]> <html class="ne_ua_ie6 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 7 ]> <html class="ne_ua_ie7 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 8 ]> <html class="ne_ua_ie8 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 9 ]> <html class="ne_ua_ie9" id="ne_wrap"> <![endif]-->.<!--[if (gte IE 10)|!(IE)]><!--> <html phone="1" id="ne_wrap"> <!--<![endif]-->.<head>.<meta http-equiv="Content-Type" content="text/html; charset=gbk">.<meta name="model_url" content="hXXp://VVV.163.com/special/0077rt/index.html" />.<title>....</title>.<base target="_blank" />.<meta name="Keywords" content="....,....,....,....,....,....,....,....,....,....,....,....,....,....,....,...." />.<meta name="Description" content="..............................................................................................30.........................................................." />.<meta name="robots" content="index, follow" />.<meta name="googlebot" content="index, follow" />.<script type="text/javascript">.(function() {. if(/s=noRedirect/i.test(location.search)) return; . if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))) {. try {. if(/Andr
<<< skipped >>>
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 11:51:19 GMT
If-None-Match: "8958b58603e19e9b46868d4300d201ea9ae7099b"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:53 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=d8a8484918d128d1685e7c650bee36c2b1490250773; expires=Fri, 23-Mar-18 06:32:53 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Thu, 23 Mar 2017 05:09:59 GMT
Expires: Mon, 27 Mar 2017 05:09:59 GMT
ETag: "b3ee1471b72f0ced734a0acb26041b5d1b044a55"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 343f5b24d4454ede-DME
0..........0..... .....0......0...0........>'...;6..9.wS..._...20170323050959Z0n0l0D0... .........W......#....*..2..1..`{f.E....P/}..4....K........DN.BG....20170323050959Z....20170327050959Z0...*.H...............K#.K6......J.S..... o..>4DW....=V=q.C...x..q.\)O...g......-}..0....\wpZ..`.T...(8.k....O.3./2.$d..N.6...e..... {.......0.@`.....M............L.........fJu../... V..vx..M^...c.P^...BS.W]..wl..."&<.......I...X.~.......#..x..4.=$x..v....Y...}......X.8o8?.......0...0...0..........H...!U,43.....0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA0...161208000000Z..170515000000Z0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...(GlobalSign OCSP for Root R1 - Signer 1.20.."0...*.H.............0..........N....K.N..z.........p...CL....@....\....f.JsR.{_awn....;...-..g..8..6.|l.(....h....;G.@..T..%.....7.R..O;u.g@g.C........2.Y....I..g.J{}...u.@...ih..$.<...{.h.h... ....}M}.:.........rS=.$....lE)3.o.B.x.....^.V.#N..=S^.F..U.}C2...-S...... .2....I.......].c........0..0...U...........0...U.%..0... .......0...U.......0.0...U........>'...;6..9.wS..._.0...U.#..0...`{f.E....P/}..4....K0... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...*.H.............>S.......F@.).fox..V\.........x.[...I&.=[...u..4.\m....V..n......3YC..Rl-.....a..@G...@..o.......@..~....9/}.i.<....e\.\a.'.}......}.....Cn.y.u....xZ9..x..x|h .}I-:..RD.S..Ql..2cnX.Filstf.......e.V.G......\..]hh ....W.../..x:.2I.*.....S?.Dr..A.....=..._
<<< skipped >>>
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Expires: Thu, 23 Mar 2017 06:34:03 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: nginx
Content-Type: text/html; charset=GBK
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent,Accept
Cache-Control: max-age=80
Age: 30
X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
8000.. <!DOCTYPE HTML>.<!--[if IE 6 ]> <html class="ne_ua_ie6 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 7 ]> <html class="ne_ua_ie7 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 8 ]> <html class="ne_ua_ie8 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE 9 ]> <html class="ne_ua_ie9" id="ne_wrap"> <![endif]-->.<!--[if (gte IE 10)|!(IE)]><!--> <html phone="1" id="ne_wrap"> <!--<![endif]-->.<head>.<meta http-equiv="Content-Type" content="text/html; charset=gbk">.<meta name="model_url" content="hXXp://VVV.163.com/special/0077rt/index.html" />.<title>....</title>.<base target="_blank" />.<meta name="Keywords" content="....,....,....,....,....,....,....,....,....,....,....,....,....,....,....,...." />.<meta name="Description" content="..............................................................................................30.........................................................." />.<meta name="robots" content="index, follow" />.<meta name="googlebot" content="index, follow" />.<script type="text/javascript">.(function() {. if(/s=noRedirect/i.test(location.search)) return; . if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))) {. try {. if(/Andr
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1908:
.text
`.rdata
@.data
.vmp0
.vmp1
.reloc
@.rsrc
GetProcessWindowStation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Reality.log
D:\chengzhen\
\StartGame\Release\StartGame.pdb
C:\OneRun.txt
360tcpview
365tcpview
cports
tcpview
httpanalyzer
C:\tbbmalloc.exe
tbbmalloc.exe
c:\%original file name%.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
hVm.AG
.eS~J
.gXSE
.zSKM
$ra.QF
.mQ :
$6.ZP;
AjR.To
A*.pY,
X00
%C{Mwb
{ .Fra
u%d!K
4.YQH
).tyO
.SCpC
%%8SC
,.nD2
%.cz9I
I.YU4
3.jmK
.jAdrc
>c"%FS
ByÃŽXo.
{g.zj
D.DRem
ÃZs
eW.eq
9L.KS
%S;f}k
!=.hh
.jTF@d
fQ4-p}
E=%u=]
cG%up=
W".rJ
.JD5L*)k
4k.Qju
[.zCK
.ZqM
Td.lpw
.BPx?
8M%Xx
3ck.dCuJ
%d"sb)
.od7:
dPVI%u
.FCFU
41%%F
.NQ8o
r.Jls)
%CO4sp\
9sshM
K.JfMq2N
.ul7G
W}%fT
.FM
zu%Dg
EDS.oV
5%Scx
nUH.kG
.yb:gUV
.mU8R
zÚ^
<_.ln>
;R<.le>
%X=9q
H<.nu>
~ .Gwz
fi.FK
.RlqY
KP.bN
H%d$)
.kv^d^
e*.MH
v.Aef
.ZK-)
]DQ.NooL
.kkBM
lJ.Qjb4
zn!4/.tU
xW%Cw?
.sI04
.EL;f
2.UJ=
}d%X[
F-?%U
@r.nA
.tF#Z
b7É
h].Iv
WuM%SQ
r.DY|
).Hvt>
%uZ$|3
MHy-b}
W:\ 0
.Cc&I
aP.ug
{A%C}
=~%3S}
h.Xv$
`h%X4
L.FiD
-j}a
w%UPt
a.gUh
%S|ac
n.tiu
Y.Zg`
M.Dzv
b%XrZf
?OCRtQH
v.iR`
hcu.Tf
%s~Oz
..rl0
3g.yz
.FPh9
.rT3$
#.vU}6
KEY|3
]{b-1}.
Z%Uk{)z
Wq.ZP
R#,%d
user32.dll
>=
6543210/
.-, *)('
5 5$5(5,5054585
> >@>\>`>