Gen.Variant.Strictor.70570_bce5185cd6 – Adaware

Susp_Dropper (Kaspersky), Gen:Variant.Strictor.70570 (B) (Emsisoft), Gen:Variant.Strictor.70570 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bce5185cd6bcfb15ea413b2870904564

SHA1: fe60dcb09257e2fbc85cc08508bef11e1536bab5

SHA256: 9739e06e111c6f213e67517a0d3cf14c40695b57073d5c01814c1bcce6670c74

SSDeep: 24576:23MMjuiZd4rfbCbg2acawU9txGoF6BhBsYSUNMuITpwTZaqdiXSp0c02uFG6dAk8:2Ng7txKBPeUzBTZaqdwk0c05HGi JJ7

Size: 2351104 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: no certificate found

Created at: 2016-09-02 15:15:09

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:3404

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:3404 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (0 bytes)

Registry activity

The process %original file name%.exe:3404 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePrefix" = ":2017032220170323:"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
147127382e001f495d1842ee7a9e7912	c:\SkinH_EL.dll
f803ad370a8649a143429f179af5f3ab	c:\dc.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ??????????????
Product Name: ??????????????
Product Version: 4.4.0.0
Legal Copyright: ??????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.4.0.0
File Description: ??????????????
Comments: ??????????????
Language: Chinese (Simplified, PRC)

Company Name: ??????????????Product Name: ??????????????Product Version: 4.4.0.0Legal Copyright: ??????????????Legal Trademarks: Original Filename: Internal Name: File Version: 4.4.0.0File Description: ??????????????Comments: ??????????????Language: Chinese (Simplified, PRC)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	970229	970752	4.52493	882e1d6a4d0017a9879d47b74c0635e7
.rdata	974848	1249212	1249280	5.16012	5fcf6c33b35812e3412d866b620faa03
.data	2224128	365898	90112	3.54456	e90c0ce56c63695ac986b82f08626ee2
.rsrc	2592768	32960	36864	3.55108	37ff9cd91594fbeb59b4863ab563a374

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ad.51pc114.cn/setup/a.html	122.228.204.12
hxxp://ad.51pc114.cn/setup/ssxczgg2269.txt	122.228.204.12
hxxp://ad.51pc114.cn/ad/ssggd.htm	122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxs11.htm	122.228.204.12
hxxp://ad.51pc114.cn/ad/mcgg.htm	122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxs12.htm	122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxs13.htm	122.228.204.12
hxxp://ad.51pc114.cn/ad/gjgg.htm	122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxszgg1.htm	122.228.204.12
hxxp://ad.51pc114.cn/setup/ssxsz.htm	122.228.204.12
hxxp://js.users.51.la/19059730.js	42.236.74.247
hxxp://js.tongji.linezing.com.danuoyi.tbcache.com/1522895/tongji.js	47.89.65.199
hxxp://ad.51pc114.cn/ad/mcgg456.htm	122.228.204.12
hxxp://popup.jointreport-switch.com/close.php?uid=1130	115.238.244.82
hxxp://js.tongji.linezing.com.danuoyi.tbcache.com/1435675/tongji.js	47.89.65.199
hxxp://grp1.51.la/go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746
hxxp://js.users.51.la/4473463.js	42.236.74.247
hxxp://web.users.51.la/go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746	42.236.74.234
hxxp://123.51pc114.cn/ad/ssxszgg1.htm	122.228.204.12
hxxp://123.51pc114.cn/ad/ssxs11.htm	122.228.204.12
hxxp://123.51pc114.cn/ad/ssggd.htm	122.228.204.12
hxxp://123.51pc114.cn/ad/gjgg.htm	122.228.204.12
hxxp://123.51pc114.cn/ad/mcgg.htm	122.228.204.12
hxxp://123.51pc114.cn/setup/ssxsz.htm	122.228.204.12
hxxp://js.tongji.linezing.com/1435675/tongji.js	47.89.65.199
hxxp://123.51pc114.cn/ad/ssxs12.htm	122.228.204.12
hxxp://ad.7532.com/ad/mcgg456.htm	122.228.204.12
hxxp://123.51pc114.cn/ad/ssxs13.htm	122.228.204.12
hxxp://js.tongji.linezing.com/1522895/tongji.js	47.89.65.199
u291014.778669.com	122.225.96.73

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ad/ssxs13.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 508

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm

Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT

Accept-Ranges: bytes

ETag: "e0a720ef1c28d11:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">....</style>..</head>..<html>..<body>....<............................</body>..</html>..HTTP/1.1 200 OK..Content-Length: 508..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm..Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT..Accept-Ranges: bytes..ETag: "e0a720ef1c28d11:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:42 GMT..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">....</style>..</head>..<html>..<body>....<............................</body>..</html>....

<<< skipped >>>

GET /close.php?uid=1130 HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxs12.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: popup.jointreport-switch.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: tengine

Date: Wed, 22 Mar 2017 01:07:57 GMT

Content-Type: text/html; charset=gb2312

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.28

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Cache-Control: no-cache, must-revalidate

Set-Cookie: lgPTN20963270664410=0; expires=Wed, 22-Mar-2017 16:00:00 GMT; path=/; domain=.jointreport-switch.com

222f..(function() {.. var popUrl = 'hXXp://popup.jointreport-switch.com/jointreport_process.php?ap=MjE2Mnw1ODhlMWM3OTA4ZWQ1YzliM2FmZmY0MGQ4Zjg2YzAwZWZkNw==';.. var lgUnionPushUrl = CrazyInitUrl(popUrl);.. function CrazyInitUrl(urls){.. var sf=0,sc=0,ol='',sd=0;.. var ae = function(p) {.. v = false;.. document.write('<SCRIPT LANGUAGE=VBScript>\n on error resume next \n v = IsObject(CreateObject("' p '"))<\/SCRIPT>\n');.. if(v){.. return '1';.. }else{.. return '0';.. }.. };.. var af = function(p) {.. var m = '';.. for (var i=0; i < navigator.mimeTypes.length; i ){.. m = navigator.mimeTypes[i].type.toLowerCase();.. }.. v = '0';.. if (m.indexOf(p) != -1){.. if (navigator.mimeTypes[p].enabledPlugin != null) v = '1';.. }.. return v;.. };.. var __dm = (navigator.appName.indexOf("Netscape") != -1);.. var __di = (navigator.userAgent.toLowerCase().indexOf("msie") != -1);.. var __dw = ((navigator.userAgent.toLowerCase().indexOf("win")!=-1) || (navigator.userAgent.toLowerCase().indexOf("32bit")!=-1));.. if(__dw && __di) sf = ae("ShockwaveFlash.ShockwaveFlash.1");.. if(!__dw || __dm) fs = af("application/x-shockwave-flash");.. if(navigator.appName=="Netscape"){.. ol = navigator.language.substr(0,2);.. }else{..

<<< skipped >>>

GET /setup/ssxczgg2269.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: ad.51pc114.cn

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Content-Length: 4435

Content-Type: text/html

Server: IIS

Date: Wed, 22 Mar 2017 01:07:39 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>................</title>..<style type="text/css">..<!--..BODY {.PADDING-RIGHT: 0px; PADDING-LEFT: 35px; BACKGROUND: url(/images/photoback.gif) repeat-x left top; PADDING-BOTTOM: 0px; MARGIN: 0px; FONT: 12px Arial, Helvetica, sans-serif; COLOR: #333; PADDING-TOP: 35px}..A {.COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #de1d6a}...hidehr {DISPLAY: none}...show12 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show13 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show12 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2px; BORDER-BOTTOM: #bfdeed 1px solid; HEIGHT: 16px}...show13 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2p

<<< skipped >>>

GET /setup/a.html HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

Host: ad.51pc114.cn

HTTP/1.1 200 OK

Content-Length: 45

Content-Type: text/html

Content-Location: hXXp://ad.51pc114.cn/setup/a.html

Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT

Accept-Ranges: bytes

ETag: "3efdd9d93cadcf1:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:39 GMT

[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]HTTP/1.1 200 OK..Content-Length: 45..Content-Type: text/html..Content-Location: hXXp://ad.51pc114.cn/setup/a.html..Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT..Accept-Ranges: bytes..ETag: "3efdd9d93cadcf1:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:39 GMT..[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]..

GET /go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746 HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: web.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 22 Mar 2017 01:08:00 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 0

Content-Type: text/html

Expires: Tue, 21 Mar 2017 08:28:00 GMT

Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/

Cache-control: private

HTTP/1.1 200 OK..Date: Wed, 22 Mar 2017 01:08:00 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 0..Content-Type: text/html..Expires: Tue, 21 Mar 2017 08:28:00 GMT..Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/..Cache-control: private..

GET /19059730.js HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Encoding: gzip

Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT

Accept-Ranges: bytes

ETag: "c1c17cc13c97d21:0"

Vary: Accept-Encoding

Server: Microsoft-IIS/8.5

Date: Wed, 22 Mar 2017 01:07:58 GMT

Content-Length: 972

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"f.t........<...q........m.zt...............w.?|po............Rf...w...g.Q..Y......g.w.....C....>..p...~>8}.?......N.=.....#......O~......]~|..7N..:..TK(..-....G..g....[4..........4k.j.}w..%..$...v.V...T.:.6..z..._....U.4k..;..iUV5.....2.,......j."[..}....m..*.../.^h.u./...]^>.W.....y..i.....~......Q..V..`...d:....b..j....../X...p.i...@E.vZUo.|... ......j.....g.;..._e.y....~..........nw>.s.....-..g.uY..=v..[.S..-...2g.n.fw....;w>..f..S....q..o.E.o.c.....'..|......s..3..>....G.._..'.G.....v.0..*j..|.V....u[......~Tj.3"F.J..b.*ut......e...X .;TR.>.w....WK.}d~.s.K..M4....o...........j.....=.$rt. .4D..m.Z....$. _...?.sK....JPX..H.hu~.KL.v.UK...R7.s.>..eV,.kR.....4k..x...~.1i.|2^7y..n...Y..=..b..._H..]..[a...p.....V.l>k....eN.l.l..33.....s...;w?.......1..?...u..@PeuU...'......... .5.m...p.s.....oV..%....3..M.o..v..Z.[.....".,...-..L5}8...............S..B...HTTP/1.1 200 OK..Content-Type: application/javascript..Content-Encoding: gzip..Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT..Accept-Ranges: bytes..ETag: "c1c17cc13c97d21:0"..Vary: Accept-Encoding..Server: Microsoft-IIS/8.5..Date: Wed, 22 Mar 2017 01:07:58 GMT..Content-Length: 972...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"f.t........<...q........m.zt...............w.?|po............Rf...w...g.Q..Y......g.w.....C....>..p...~>8}.?......N.=.....#......O~...

<<< skipped >>>

GET /ad/ssxs12.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 1283

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxs12.htm

Last-Modified: Fri, 09 Dec 2016 13:25:51 GMT

Accept-Ranges: bytes

ETag: "aa9133c31f52d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">....</style>..</head>..<html>..<body>......................<script language='javascript'>..// ..................html............var random = {...ad_num : 3,...init : function(){....n = (Math.floor(Math.random()*random.ad_num 1));....switch(n){.....case 1:......document.writeln('<script src=\"http:\/\/p.rhgw.net\/code\/popjs.asp?pid=258920\" charset=\"gb2312\"><\/script>');.....break;.....case 2:......document.writeln('<script type=\"text\/javascript\" src=\"http:\/\/popup.jointreport-switch.com\/close.php?uid=1130\"><\/script>');.....break;.....case 3:......document.writeln('<script language=\"javascript\" src=\"http:\/\/u291014.778669.com\/fclose.php?id=180495\"><\/script>');.....break;....}...}..}..random.init();..</script>....<script language="javascript" src="hXXp://u291014.778669.com/fclose.php?id=152695"></script>..........</body>..</html>..t>....

<<< skipped >>>

GET /setup/ssxsz.htm HTTP/1.1

Referer: hXXp://123.51pc114.cn/setup/ssxsz.htm

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: 123.51pc114.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 3

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm

Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT

Accept-Ranges: bytes

ETag: "e46a71be9b98d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

5.2HTTP/1.1 200 OK..Content-Length: 3..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm..Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT..Accept-Ranges: bytes..ETag: "e46a71be9b98d21:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:42 GMT..5.2..

GET /1522895/tongji.js HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxszgg1.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.tongji.linezing.com

Connection: Keep-Alive

HTTP/1.1 503 Service Temporarily Unavailable

Server: Tengine

Content-Length: 0

Connection: keep-alive

Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]

Age: 0

X-Cache: MISS TCP_MISS dirn:-2:-2

X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT

X-Swift-CacheTime: 1

Timing-Allow-Origin: *

EagleId: 2f59411814901448766361688e

HTTP/1.1 503 Service Temporarily Unavailable..Server: Tengine..Content-Length: 0..Connection: keep-alive..Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]..Age: 0..X-Cache: MISS TCP_MISS dirn:-2:-2..X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT..X-Swift-CacheTime: 1..Timing-Allow-Origin: *..EagleId: 2f59411814901448766361688e..

GET /ad/ssggd.htm HTTP/1.1

Referer: hXXp://123.51pc114.cn/ad/ssggd.htm

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: 123.51pc114.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 106

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm

Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT

Accept-Ranges: bytes

ETag: "147f493a2f68d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:41 GMT

................................................4.9............................,..........................HTTP/1.1 200 OK..Content-Length: 106..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm..Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT..Accept-Ranges: bytes..ETag: "147f493a2f68d21:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:41 GMT..................................................4.9............................,..............................

GET /ad/ssxs11.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 825

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxs11.htm

Last-Modified: Mon, 16 Jan 2017 15:57:20 GMT

Accept-Ranges: bytes

ETag: "070cb371170d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:41 GMT

GET /ad/mcgg.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 75

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/mcgg.htm

Last-Modified: Thu, 28 Mar 2013 03:33:01 GMT

Accept-Ranges: bytes

ETag: "8222f3642bce1:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:41 GMT

GET /ad/ssxszgg1.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 2915

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxszgg1.htm

Last-Modified: Fri, 06 Jan 2017 15:12:34 GMT

Accept-Ranges: bytes

ETag: "8c63f64e2f68d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">....</style>..</head>..<html>..<body>.. <br />..<font size="2" color="red"><a href="hXXp://url.cn/OGLodN" target="_blank">................28..................:</a></font><font size="2" color="red">..<br />..<font size="2" color="blue"><a href="hXXp://km.7532.com" target="_blank">............1-3........1........10..4..................1-10......................7532......</a></font><font size="2" color="blue"><br />..<br />..<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#0000ff"><strong>..<br />........................................4.9............................,..........................</strong></a>..<br />..<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#ff0000"><strong>........<br />..<br />..1........................,....................<br />..2.................................................................</strong></a>....<br />....<br />..

<<< skipped >>>

GET /1435675/tongji.js HTTP/1.1

Accept: */*

Referer: hXXp://ad.7532.com/ad/mcgg456.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.tongji.linezing.com

Connection: Keep-Alive

HTTP/1.1 503 Service Temporarily Unavailable

Server: Tengine

Content-Length: 0

Connection: keep-alive

Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]

Age: 0

X-Cache: MISS TCP_MISS dirn:-2:-2

X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:38 GMT

X-Swift-CacheTime: 1

Timing-Allow-Origin: *

EagleId: 2f59410314901448775867203e

HTTP/1.1 503 Service Temporarily Unavailable..Server: Tengine..Content-Length: 0..Connection: keep-alive..Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]..Age: 0..

GET /4473463.js HTTP/1.1

Accept: */*

Referer: hXXp://ad.7532.com/ad/mcgg456.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: max-age=300

Content-Length: 1872

Content-Type: application/x-javascript

Last-Modified: Tue, 07 Mar 2017 03:16:45 GMT

Accept-Ranges: bytes

ETag: "6cedff3ff196d21:5590"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 22 Mar 2017 01:07:36 GMT

Connection: close

<<< skipped >>>

GET /ad/gjgg.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 15198

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/gjgg.htm

Last-Modified: Tue, 21 Jun 2016 02:14:19 GMT

Accept-Ranges: bytes

ETag: "8228749e62cbd11:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<meta name="keywords" content="QQ...."/>..<meta name="description" content="QQ...."/>..<title>............</title>..<style type="text/css">....</style>..</head>..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">....</style>..</head>..<html>..<body>..<body>......<table width="250" border="0">..<tr>..<tr>..<tr>..<tr>.. <td class="STYLE2"> <span class="STYLE1"><a href="hXXp://VVV.7532.com/" target="_blank" style="color:#FE0000;" onMouseOver="this.style.color='#FE0000';" onMouseOut="this.style.color='#FE0000';">......QQ......................</a></span></td>.. <td><span class="STYLE2">[<span class="STYLE1">........

<<< skipped >>>

GET /ad/mcgg456.htm HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ad.7532.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 4406

Content-Type: text/html

Content-Location: hXXp://ad.7532.com/ad/mcgg456.htm

Last-Modified: Wed, 02 Mar 2016 05:01:52 GMT

Accept-Ranges: bytes

ETag: "a8b4a0a24074d11:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<meta name="keywords" content="QQ...."/>..<meta name="description" content="QQ...."/>..<title>............</title>..<style type="text/css">....</style>..</head>..<html>..<body>........<table width="494" border="0" cellpadding="0" cellspacing="0">.. .. <tr>.. <td width="494" height="708" align="left" valign="top"><table width="236" height="221">.. <tr> <tr>.... </tr>....<tr>.. <tr>.. <td height="14" align="left" valign="middle"><a href="http://shop107817006.taobao.com" target="_blank" style="color:#FF00FF;" onmouseover="this.style.color='#FF00FF';" onmouseout="this.style.color='#FF00FF';">........................</a></td>.. <td height="14"><span class="STYLE1">[........]</span></td>.. </tr>..<tr>.. <td height="14" align="left" valign="middle"><a href="hXXp://down.cncpa.net:9000/mmliao/MM-liao8869.exe" target="_blank" style="color:#2222f0;" onMouseOver="this.style.color='#2222f0F';" onMouseOut="this.style.co

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_3404:

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

~%UVW

}?9\$0~9

u$SShe

iu2.iu

dc.dll

ole32.dll

kernel32.dll

wininet.dll

SkinH_EL.dll

advapi32.dll

user32.dll

MsgWaitForMultipleObjects

ReportError

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

WebBrowser

hXXp://VVV.7532.com/forum-49-1.html

O;.lQ5"

ytv%c]`

hXXp://VVV.7532.com

WinHttp.WinHttpRequest.5.1

8926356713

hXXp://api.t.qq.com/qzApp/appHomePage.php?index=1&home=1&apiType=5&g_tk=

hXXp://z.t.qq.com/mb/qzone/index.html

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

"loginedUser"

MSXML2.ServerXMLHTTP.6.0

MSXML2.ServerXMLHTTP.5.0

application/x-www-form-urlencoded

hXXp://api.t.qq.com/old/follow.php

hXXp://api.t.qq.com/proxy.html

hXXp://z.t.qq.com/mb/qzone/index.html#

&veriCode=&lieuId=&apiType=5&apiHost=http://api.t.qq.com&g_tk=

&apiType=5&apiHost=http://api.t.qq.com&_r=

hXXp://api.t.qq.com/qzApp/appUserTweets.php?filter=0&uid=

hXXp://api.t.qq.com/old/unfollow.php

hXXp://ad.51pc114.cn/setup/yinyue.html

.html

hXXp://y.qq.com/y/static/singer/

&loginUin=

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_add.fcg?singermid=

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=

hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt

hXXp://VVV.7532.com/thread-143613-1-1.html

122.228.204.12

hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

hXXp://123.51pc114.cn/ad/ssggd.htm

Adodb.Stream

fJ.WM_

CX%xm

Ã•6m*

n.BjCw

%s;7*

0%x@w

%C^L:

%s T5

]E4%F(

.Funr

k%UPp

fg.VG

%C',@

>Ã™d

0'.Ll

[I(3/#N0.bd

j"%u=w

q%Xn`

@|H.NI

.wdd!

S|%u4

*.Ea]S

Q.CGo

fTpe

.LLbX

-.Mdl

\-A}=3K

Y:.akpS

$.Zcqn

.WE= T!N

#?%s(C(

u.Jck~

zx/%FN[

%s=\RI

}j%c%Y)

Rx.GR

4o#.dM

IeS`%C

[n 4\.UY

,4.qO,

gQ'.Io

%cLur?

s%DHB

]I%%X

5r.US

:mD].tB

f%fUZ

.fOuV12

*_.dC

&-N}

({?.cQm

.Cqx~c

.`.Qw

**.dU

!n]%x

%X,Cr

&.PFy{xh

.um ZZE7L

/^p%u$

I.NoQY

zu.ew

D/.nT

b\SkinH_EL.dll

C$%cmb

.ppM|

aZ.mO

%-^

.hk;~

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

51pc114.cn

123.51pc114.cn

hXXp://123.51pc114.cn/setup/ssxsz.htm

Www.7532.com

hXXp://km.7532.com

hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

/mood/

.1&curkey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

/&opuin=

qzreferrer=http://user.qzone.qq.com/

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

mailto:shenglin_yu@126.com

hXXp://qlogo2.store.qq.com/qzone/

hXXp://ad.51pc114.cn/setup/ssxczgg9976.txt

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=

hXXp://tjalist.photo.qzone.qq.com/fcgi-bin/fcg_list_album_v3?g_tk=

hXXp://123.51pc114.cn/setup/QQssxs.html

&qzreferrer=http://ctc.qzs.qq.com/qzone/photo/v7/page/photo.html?init=photo.v7/module/photoList2/index&navBar=1&normal=1&aid=

/photo/

&curkey=http://user.qzone.qq.com/

unikey=http://user.qzone.qq.com/

\dc.dll

@.reloc

MFC42.DLL

KERNEL32.dll

GdiplusShutdown

gdiplus.dll

WSOCK32.dll

MSVCP60.dll

ReportError_A

VBYB_ReportError

VB_ReportError

uu_loginA

uu_loginW

uu_reportError

debug.ini

ReportError:%s

Error:%s

%s|!|%s

\dms.pdb

%u%u,

dclog.txt

config.ini

port

settimeout:%d

[%d]%s

reg2:%s

checkok:%s %s

check fail:%s %s %s

check:%s %s

getcjfail:%s %s

getcj:%s %s

%s%uout

%s%uin

put img ok:%s

put img fail:%s

put img:%s %s %d

get result ok:%s,%s

get result fail:%s

get result:%s

notifyfail ok:%s

%s\%d-%s.png

notifyfail fail:%s,%s

notifyfail:%s

getimgok:%s,%s

getimg:%s

getinfo fail:%s

getinfo:%s,%s

setresult:%s,%s

HTTP/1.1 200 OK

recv:%d

send:%d

GET /ip.txt HTTP/1.1

Host: %s

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

select:%d

ioctlsocket:%d

socket:%d

api.qqchaoren.net

14.17.65.24

14.17.65.23

dama2.qqchaoren.net

dama1.qqchaoren.net

connect total:%s %d

:%s %d

connect discard:%s %d

[d-d-d d:d:d](u)

recv timeout:

recvfail:%d

server close:%d

recv:%d

send:%d

sendfail:%d

connect timeout:

connectok:%s %hu

127.0.0.1

1.1.3

hXXp://ad.51pc114.cn/setup/a.html

regsvr32 /s winhttp.dll

WinHttp

&appid=549000912&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.25413458029055885

hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=

hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=

hXXp://captcha.qq.com/getimgbysig?aid=549000912&uin=

&0.10107533859643092

hXXp://captcha.qq.com/cap_union_verify?aid=549000912&uin=

&0.05596214901416252

hXXp://captcha.qq.com/getQueSig?aid=715030901&uin=

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=8-30-1445255935887&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

hXXp://ptlogin2.qq.com/login?u=

hXXp://user.qzone.qq.com/

.1^||^http://qzs.qq.com/qzone/client/&face=0&fupdate=1&g_tk=

hXXp://user.qzone.qq.com/p/r/cgi-bin/user/qz_opcnt2?_stp=

function time(){return new Date().getTime()}

<.>http://user.qzone.qq.com/

&refer=qzone&plat=qzone&json_esc=1&output_type=json&unikey=http://user.qzone.qq.com/

hXXp://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?g_tk=

skey

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('Y 1O=X(){X r(){W.n=1d;W.e=0;W.4V=W.3h=W.4k=W.q=W.p=W.d=1d}X B(r,z,I){1d!=r&&("50"==2W r?W.3i(r,z,I):1d==z&&"3T"!=2W r?W.1S(r,1B):W.1S(r,z))}X z(){Z 1u B(1d)}X A(r){Y V=z();V.2c(r);Z V}X D(r){Y z=1,I;0!=(I=r>>>16)&&(r=I,z =16);0!=(I=r>>8)&&(r=I,z =8);0!=(I=r>>4)&&(r=I,z =4);0!=(I=r>>2)&&(r=I,z =2);0!=r>>1&&(z =1);Z z}X C(r){W.m=r}X E(r){W.m=r;W.2a=r.2V();W.2f=W.2a&1N;W.2U=W.2a>>15;W.2T=(1>8&1f;L[G ]^=r>>16&1f;L[G ]^=r>>24&1f;G>=U&&(G-=U)}X O(){}X N(){W.j=W.i=0;W.S=[]}r.1b.2R=X(r){Z r.2Q(W.e,W.n)};r.1b.2P=X(r,z){1d!=r&&1d!=z&&0>3;1a(z>=15;0>15,G=z*R F*E,R=E*R ((G&1N)>>30) (G>>>15) z*F (D>>>30);A[B ]=R&2L}Z D};H=30;B.1b.1e=H;B.1b.1s=(1=K; K)S[H ]=K;H=3n;19(K=10;36>K; K)S[H ]=K;H=3D;19(K=10;36>K; K)S[H ]=K;C.1b.2e=X(r){Z 0>r.s||0r.s&&0>15)*W.2f&W.2T)=r.1o;)r[A]-=r.1o,r[ A] }r.1q();r.2b(W.m.t,r);0r?-1:0;0r?W[0]=r 1o:W.t=0};B.1b.1S=X(r,z){Y A;1a(16==z)A=4;1h 1a(8==z)A=3;1h 1a(1B==z)A=8;1h 1a(2==z)A=1;1h 1a(32==z)A=5;1h 1a(4==z)A=2;1h{W.3I(r,z);Z}W.s=W.t=0;19(Y D=r.1c,C=!1,E=0;0J?"-"==r.1l(D)&&(C=!0):(C=!1,0==E?W[W.t ]=J:E A>W.1e?(W[W.t-1]|=(J&(1>W.1e-E):W[W.t-1]|=J=W.1e&&(E-=W.1e))}8==A&&0!=(r[0]&2I)&&(W.s=-1,0>B|E,E=(W[F]&D)=W.t)z.t=0;1h{Y B=r%W.1e,D=W.1e-B,C=(1>B;19(Y E=A 1;E>B;0>=W.1e;1a(r.t>=W.1e;B =W.s}1h{19(B =W.s;A>=W.1e;B-=r.s}z.s=0>B?-1:0;-1>B?z[A ]=W.1o B:0=z.1o&&(r[A z.t]-=z.1o,r[A z.t 1]=1)}0=E.t)){Y F=W.1w();1a(F.t>W.29:0),K=W.2K/H,H=(1J&&B.1x.1m(C,C)}}}};B.1b.2V=X(){1a(1>W.t)Z 0;Y r=W[0];1a(0==(r&1))Z 0;Y z=r&3,z=z*(2-(r&15)*z)&15,z=z*(2-(r&1f)*z)&1f,z=z*(2-((r&1G)*z&1G))&1G,z=z*(2-r*z%W.1o)%W.1o;Z 0r)Z B.1U;Y C=z(),E=z(),F=A.2e(W),G=D(r)-1;19(F.1I(C);0W.s)Z"-" W.1Z().1F(r);1a(16==r)r=4;1h 1a(8==r)r=3;1h 1a(2==r)r=1;1h 1a(32==r)r=5;1h 1a(4==r)r=2;1h Z W.3o(r);Y z=(1>E)&&(B=!0,C="2A".1l(A));0>(E =W.1e-r)):(A=W[D]>>(E-=r)&z,0>=E&&(E =W.1e,--D)),0W.s?W.1Z():W};B.1b.1H=X(r){Y z=W.s-r.s;1a(0!=z)Z z;Y A=W.t,z=A-r.t;1a(0!=z)Z z;19(;0=W.t?0:W.1e*(W.t-1) D(W[W.t-1]^W.s&W.1s)};B.1b.2J=X(r){Y A=z();W.1w().1Q(r,1d,A);0>W.s&&0r||z.2G()?1u C(z):1u E(z);Z W.2E(r,A)};B.1x=A(0);B.1U=A(1);Y T,L,G;1a(1d==L){L=[];19(G=0;G>>8,L[G ]=H&1f;G=0;F()}O.1b.2M=X(r){Y z;19(z=0;zz; z)W.S[z]=z;19(z=A=0;1B>z; z)A=A W.S[z] r[z%r.1c]&1f,B=W.S[z],W.S[z]=W.S[A],W.S[A]=B;W.j=W.i=0};N.1b.2x=X(){Y r;W.i=W.i 1&1f;W.j=W.j W.S[W.i]&1f;r=W.S[W.i];W.S[W.i]=W.S[W.j];W.S[W.j]=r;Z W.S[r W.S[W.i]&1f]};Y U=1B;Z{2r:X(z,A,B){A="41";B="3";Y C=1u r;C.2P(A,B);Z C.26(z)}}}(),s="",a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=!0;X e(){Z 1p.35(1r*1p.2z())}X j(r,B,z){1a(!z||4>>0}X b(r,B,z){r[B 3]=z>>0&1f;r[B 2]=z>>8&1f;r[B 1]=z>>16&1f;r[B 0]=z>>24&1f}X w(r){1a(!r)Z"";19(Y B="",z=0;zz;z )x[z]=0;19(z=1;2>=z;)8>a&&(g[a ]=e()&1f,z ),8==a&&p();19(z=0;0a&&(g[a ]=r[z ],B--),8==a&&p();19(z=1;7>=z;)8>a&&(g[a ]=0,z ),8==a&&p();Z m}X q(r){Y B=0,z=1t(8),B=r.1c;t=r;1a(0!=B%8||16>B)Z 1d;x=l(r);a=x[0]&7;B=B-a-10;1a(0>B)Z 1d;19(Y A=0;A=A;)1a(8>a&&(a ,A ),8==a&&(z=r,!f()))Z 1d;19(A=0;0!=B;)1a(8>a&&(m[A]=(z[u a]^x[a])&1f,A ,B--,a ),8==a&&(z=r,u=y-8,!f()))Z 1d;19(A=1;8>A;A ){1a(8>a){1a(0!=(z[u a]^x[a]))Z 1d;a }1a(8==a&&(z=r,u=y,!f()))Z 1d}Z m}X p(){19(Y r=0;8>r;r )g[r]=n?g[r]^x[r]:g[r]^m[u r];19(Y B=k(g),r=0;8>r;r )m[y r]=B[r]^x[r],x[r]=g[r];u=y;y =8;a=0;n=!1}X k(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=0;0>>0,z =(r>>5) D,z=(z&1r)>>>0,r =(z>>5) E,r=(r&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X l(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=3y;0>>5) E,r=(r&1r)>>>0,z-=(r>>5) D,z=(z&1r)>>>0,F-=2o,F=(F&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X f(){19(Y r=0;8>r;r )x[r]^=t[y r];x=l(x);y =8;a=0;Z!0}X o(r,B){Y z=[];1a(B)19(Y A=0;A>18)),E.1y(z.1l(C>>12&1J)),E.1y(z.1l(C>>6&1J)),E.1y(z.1l(C&1J));3e(r.1c-F){2B 1:C=A(r,D)>18) z.1l(C>>12&1J) B B);3g;2B 2:C=A(r,D)>18) z.1l(C>>12&1J) z.1l(C>>6&1J) B)}Z E.2C("")}},2D=1,3j="",1n=8,2F=32;X 1W(r){Z 2H(r)}X 2H(r){Z 2l(1E(1K(r),r.1c*1n))}X 3q(r){Z 2d(1E(1K(r),r.1c*1n))}X 3s(r,B){Z 2l(1R(r,B))}X 3u(r,B){Z 3v(1R(r,B))}X 3w(r,B){Z 2d(1R(r,B))}X 1E(r,B){r[B>>5]|=2I>>9C;C )A[C]=z[C]^4T,D[C]=z[C]^4U;z=1E(A.2Y(1K(B)),4W B.1c*1n);Z 1E(D.2Y(z),4X)}X 1v(r,B){Y z=(r&1G) (B&1G);Z(r>>16) (B>>16) (z>>16)>>32-B}X 1K(r){19(Y B=[],z=(1>5]|=(r.1C(A/1n)&z)>5]>>>A2&z);Z B}X 2l(r){19(Y B=2D?"4Y":"4Z",z="",A=0;A>2]>>A%4*8 4&15) B.1l(r[A>>2]>>A%4*8&15);Z z}X 2Z(r){19(Y B=[],z=0;zD.1c;)D="0" D;1D.2g(r);B=1D.2p(D A 1D.28(B) z C);1D.2g("");Z B.57(/[\\/\\ =]/g,X(r){Z{"/":"-"," ":"*","=":"58"}[r]})}X 4Q(r,B,z){Z 33(r,B,z,!1)};',62,320,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||this|function|var|return||||||||||for|if|prototype|length|null|DB|255|md5_gg|else|md5_hh|md5_ff|md5_ii|charAt|subTo|chrsz|DV|Math|clamp|4294967295|DM|Array|new|safe_add|abs|ZERO|push|am|reduce|256|charCodeAt|TEA|core_md5|toString|65535|compareTo|copyTo|63|str2binl|dlShiftTo|md5_cmn|32767|RSA|floor|divRemTo|core_hmac_md5|fromString|parseInt|ONE|mulTo|md5|multiplyTo|sqrTo|negate||||||squareTo|encrypt|F1|strToBytes|F2|mp|drShiftTo|fromInt|binl2str|convert|mpl|initkey|String|fromCharCode|substr|lShiftTo|binl2hex|revert|rShiftTo|2654435769|enAsBase64|encode|rsa_encrypt|PADCHAR|ALPHA|getbyte|throw|arguments|next|init|random|0123456789abcdefghijklmnopqrstuvwxyz|case|join|hexcase|exp|mode|isEven|hex_md5|128|mod|FV|1073741823|nextBytes|bitLength|uv_alert|setPublic|modPowInt|doPublic|mt2|um|mph|invDigit|typeof|bit_rol|concat|hexchar2bin||temp||getEncryption|Exception|round||SyntaxError|Not|enough|Message|min|too|pow|switch|long|break|dmq1|fromNumber|b64pad|Date|Invalid|248|97|toRadix|public|str_md5|key|hex_hmac_md5|65536|b64_hmac_md5|binl2b64|str_hmac_md5|64|3816266640|1732584193|271733879|1732584194|271733878|65|680876936|389564586|getTime|606105819|fromRadix|1044525330|176418897|1200080426|1473231341|45705983|1770035416|1958414417|42063|1990404162|1804603682|string|40341101|1502002290|1236535329|decrypt|165796510|1069501632|643717713|F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7|373897302|701558691|38016083|660478335|405537848|568446438||1019803690|187363961|1163531501|1444681467|51403784|1735328473|1926607734|bytesToStr|378558|2022574463|1839030562|dmp1|35309556|1530992060|1272893353|155497632|1094730640|681279174|358537222|722521979|76029189|640364487|421815835|530742520|995338651|bytesInStr|198630844|1126891415|1416354905|dataFromStr|57434055|1700485571|1894986606|1051523|2054922799|1873313359|30611744|1560198380|1309151649|145523070|1120210379|718787259|343485551|Hs|max|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|909522486|1549556828|coeff|512|640|0123456789ABCDEF|0123456789abcdef|number|eval||INVALID_CHARACTER_ERR|DOM|toUpperCase|000|replace|_|Number'.split('|'),0,{}))

p_skey=;

airkey=;

&appid=549000912&js_ver=10135&js_type=1&login_sig=&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.

hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=

var window=window||{};$=window.$||{};$pt=window.$pt||{};$pt.RSA=function(){function g(z,t){return new ar(z,t)}

function ah(aA,aB){var t='';var z=0;while(z aB

return t aA.substring(z,aA.length)}

function r(t){if(t

function af(aB,aE){if(aE

var aD=new Array();var aA=aB.length-1;while(aA>=0&&aE>0){var aC=aB.charCodeAt(aA--);aD[--aE]=aC}

aD[--aE]=0;var z=new ad();var t=new Array();while(aE>2){t[0]=0;while(t[0]==0){z.nextBytes(t)}

function L(){this.n=null;this.e=0;this.d=null;this.p=null;this.q=null;this.dmp1=null;this.dmq1=null;this.coeff=null}

function o(z,t){if(z!=null&&t!=null&&z.length>0&&t.length>0){this.n=g(z,16);this.e=parseInt(t,16)}else{uv_alert('Invalid RSA public key')}}

function W(t){return t.modPowInt(this.e,this.n)}

function p(aA){var t=af(aA,(this.n.bitLength() 7)>>3);if(t==null){return null}

var aB=this.doPublic(t);if(aB==null){return null}

var z=aB.toString(16);if((z.length&1)==0){return z}else{return'0' z}}

L.prototype.doPublic=W;L.prototype.setPublic=o;L.prototype.encrypt=p;var aw;var ai=244837814094590;var Z=((ai&16777215)==15715070);function ar(z,t,aA){if(z!=null){if('number'==typeof z){this.fromNumber(z,t,aA)}else{if(t==null&&'string'!=typeof z){this.fromString(z,256)}else{this.fromString(z,t)}}}}

function b(aC,t,z,aB,aE,aD){while(--aD>=0){var aA=t*this[aC ] z[aB] aE;aE=Math.floor(aA/67108864);z[aB ]=aA&67108863}

ar.prototype.DB=aw;ar.prototype.DM=((1

ap='a'.charCodeAt(0);for(v=10;v

ap='A'.charCodeAt(0);for(v=10;v

function az(t){return ae.charAt(t)}

function A(z,t){var aA=ag[z.charCodeAt(t)];return(aA==null)?-1:aA}

function c(t){var z=h();z.fromInt(t);return z}

function w(aE,z){var aB;if(z==16){aB=4}else{if(z==8){aB=3}else{if(z==256){aB=8}else{if(z==2){aB=1}else{if(z==32){aB=5}else{if(z==4){aB=2}else{this.fromRadix(aE,z);return}}}}}}

this.t=0;this.s=0;var aD=aE.length,aA=false,aC=0;while(--aD>=0){var t=(aB==8)?aE[aD]&255:A(aE,aD);if(t

aA=false;if(aC==0){this[this.t ]=t}else{if(aC aB>this.DB){this[this.t-1]|=(t&((1>(this.DB-aC))}else{this[this.t-1]|=t

aC =aB;if(aC>=this.DB){aC-=this.DB}}

if(aB==8&&(aE[0]&128)!=0){this.s=-1;if(aC>0){this[this.t-1]|=((1

this.clamp();if(aA){ar.ZERO.subTo(this,this)}}

function O(){var t=this.s&this.DM;while(this.t>0&&this[this.t-1]==t){--this.t}}

function q(z){if(this.s

var aA;if(z==16){aA=4}else{if(z==8){aA=3}else{if(z==2){aA=1}else{if(z==32){aA=5}else{if(z==4){aA=2}else{return this.toRadix(z)}}}}}

var aC=(10){if(aE>aE)>0){t=true;aD=az(aF)}

while(aB>=0){if(aE>(aE =this.DB-aA)}else{aF=(this[aB]>>(aE-=aA))&aC;if(aE

function R(){var t=h();ar.ZERO.subTo(this,t);return t}

function al(){return(this.s

return this.DB*(this.t-1) j(this[this.t-1]^(this.s&this.DM))}

z.t=Math.max(this.t-aA,0);z.s=this.s}

function s(aF,aB){var z=aF%this.DB;var t=this.DB-z;var aD=(1=0;--aA){aB[aA aC 1]=(this[aA]>>t)|aE;aE=(this[aA]&aD)

aB[aC]=aE;aB.t=this.t aC 1;aB.s=this.s;aB.clamp()}

function l(aE,aB){aB.s=this.s;var aC=Math.floor(aE/this.DB);if(aC>=this.t){aB.t=0;return}

var z=aE%this.DB;var t=this.DB-z;var aD=(1>z;for(var aA=aC 1;aA>z}

aB.t=this.t-aC;aB.clamp()}

function ab(z,aB){var aA=0,aC=0,t=Math.min(z.t,this.t);while(aA>=this.DB}

if(z.t>=this.DB}

aC =this.s}else{aC =this.s;while(aA>=this.DB}

aB.s=(aC0){aB[aA ]=aC}}

aB.t=aA;aB.clamp()}

function D(z,aB){var t=this.abs(),aC=z.abs();var aA=t.t;aB.t=aA aC.t;while(--aA>=0){aB[aA]=0}

for(aA=0;aA

aB.s=0;aB.clamp();if(this.s!=z.s){ar.ZERO.subTo(aB,aB)}}

function Q(aA){var t=this.abs();var z=aA.t=2*t.t;while(--z>=0){aA[z]=0}

for(z=0;z=t.DV){aA[z t.t]-=t.DV;aA[z t.t 1]=1}}

if(aA.t>0){aA[aA.t-1] =t.am(z,t[z],aA,2*z,0,1)}

aA.s=0;aA.clamp()}

function E(aI,aF,aE){var aO=aI.abs();if(aO.t

var aG=this.abs();if(aG.t

if(aE!=null){this.copyTo(aE)}

var aC=h(),z=this.s,aH=aI.s;var aN=this.DB-j(aO[aO.t-1]);if(aN>0){aO.lShiftTo(aN,aC);aG.lShiftTo(aN,aE)}else{aO.copyTo(aC);aG.copyTo(aE)}

var aJ=aA*(11)?aC[aK-2]>>this.F2:0);var aR=this.FV/aJ,aQ=(1=0){aE[aE.t ]=1;aE.subTo(aD,aE)}

ar.ONE.dlShiftTo(aK,aD);aD.subTo(aC,aC);while(aC.t

while(--aL>=0){var aB=(aE[--aM]==aA)?this.DM:Math.floor(aE[aM]*aR (aE[aM-1] aP)*aQ);if((aE[aM] =aC.am(0,aB,aE,aL,0,aK))

if(aF!=null){aE.drShiftTo(aK,aF);if(z!=aH){ar.ZERO.subTo(aF,aF)}}

aE.t=aK;aE.clamp();if(aN>0){aE.rShiftTo(aN,aE)}

if(z

function N(t){var z=h();this.abs().divRemTo(t,null,z);if(this.s0){t.subTo(z,z)}

function V(t){if(t.s=0){return t.mod(this.m)}else{return t}}

function J(t){t.divRemTo(this.m,null,t)}

function H(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}

function au(t,z){t.squareTo(z);this.reduce(z)}

K.prototype.convert=V;K.prototype.revert=ak;K.prototype.reduce=J;K.prototype.mulTo=H;K.prototype.sqrTo=au;function B(){if(this.t

var z=t&3;z=(z*(2-(t&15)*z))&15;z=(z*(2-(t&255)*z))&255;z=(z*(2-(((t&65535)*z)&65535)))&65535;z=(z*(2-t*z%this.DV))%this.DV;return(z>0)?this.DV-z:-z}

function f(t){this.m=t;this.mp=t.invDigit();this.mpl=this.mp&32767;this.mph=this.mp>>15;this.um=(1

function aj(t){var z=h();t.abs().dlShiftTo(this.m.t,z);z.divRemTo(this.m,null,z);if(t.s0){this.m.subTo(z,z)}

function at(t){var z=h();t.copyTo(z);this.reduce(z);return z}

function P(t){while(t.t

for(var aA=0;aA>15)*this.mpl)&this.um)=t.DV){t[z]-=t.DV;t[ z] }}

t.clamp();t.drShiftTo(this.m.t,t);if(t.compareTo(this.m)>=0){t.subTo(this.m,t)}}

function am(t,z){t.squareTo(z);this.reduce(z)}

function y(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}

f.prototype.convert=aj;f.prototype.revert=at;f.prototype.reduce=P;f.prototype.mulTo=y;f.prototype.sqrTo=am;function i(){return((this.t>0)?(this[0]&1):this.s)==0}

function x(aF,aG){if(aF>4294967295||aF

var aE=h(),aA=h(),aD=aG.convert(this),aC=j(aF)-1;aD.copyTo(aE);while(--aC>=0){aG.sqrTo(aE,aA);if((aF&(10){aG.mulTo(aA,aD,aE)}else{var aB=aE;aE=aA;aA=aB}}

return aG.revert(aE)}

function an(aA,t){var aB;if(aA

return this.exp(aA,aB)}

ar.prototype.copyTo=Y;ar.prototype.fromInt=n;ar.prototype.fromString=w;ar.prototype.clamp=O;ar.prototype.dlShiftTo=aq;ar.prototype.drShiftTo=X;ar.prototype.lShiftTo=s;ar.prototype.rShiftTo=l;ar.prototype.subTo=ab;ar.prototype.multiplyTo=D;ar.prototype.squareTo=Q;ar.prototype.divRemTo=E;ar.prototype.invDigit=B;ar.prototype.isEven=i;ar.prototype.exp=x;ar.prototype.toString=q;ar.prototype.negate=R;ar.prototype.abs=al;ar.prototype.compareTo=G;ar.prototype.bitLength=u;ar.prototype.mod=N;ar.prototype.modPowInt=an;ar.ZERO=c(0);ar.ONE=c(1);var m;var U;var ac;function d(t){U[ac ]^=t&255;U[ac ]^=(t>>8)&255;U[ac ]^=(t>>16)&255;U[ac ]^=(t>>24)&255;if(ac>=M){ac-=M}}

function T(){d(new Date().getTime())}

if(U==null){U=new Array();ac=0;var I;if(navigator.appName=='Netscape'&&navigator.appVersion

while(ac>>8;U[ac ]=I&255}

function C(){if(m==null){T();m=ao();m.init(U);for(ac=0;ac

return m.next()}

function av(z){var t;for(t=0;t

ad.prototype.nextBytes=av;function k(){this.i=0;this.j=0;this.S=new Array()}

z=0;for(aB=0;aB

k.prototype.init=e;k.prototype.next=a;function ao(){return new k()}

var M=256;function S(aB,aA,z){aA='F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7';z='3';var t=new L();t.setPublic(aA,z);return t.encrypt(aB)}

return{rsa_encrypt:S}}();var r=window||{};(function(r){var s='',a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=true;function e(){return Math.round(Math.random()*4294967295)}

var z='';for(var A=0;A

function v(A){var B='';for(var z=0;z

var B=[];for(var A=0;A

function k(C){var B,D,A=[],z=C.length;for(B=0;B0&&D=128&&D>6)&31)),String.fromCharCode(128|(D&63)))}else{if(D>=2048&&D>12)&15)),String.fromCharCode(128|((D>>6)&63)),String.fromCharCode(128|(D&63)))}}}}

return A.join('')}

function h(B){g=new Array(8);x=new Array(8);y=u=0;n=true;a=0;var z=B.length;var C=0;a=(z 10)%8;if(a!=0){a=8-a}

function q(D){var C=0;var A=new Array(8);var z=D.length;t=D;if(z%8!=0||z

for(var B=0;B

function f(){var z=t.length;for(var A=0;A

function o(D,C){var B=[];if(C){for(var A=0;A

r.TEA={encrypt:function(C,B){var A=o(C,B);var z=h(A);return w(z)},enAsBase64:function(E,D){var C=o(E,D);var B=h(C);var z='';for(var A=0;A

return d.encode(z)},decrypt:function(B){var A=o(B,false);var z=q(A);return w(z)},initkey:function(z,A){s=o(z,A)},bytesToStr:v,strToBytes:c,bytesInStr:w,dataFromStr:o};var d={};d.PADCHAR='=';d.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';d.getbyte=function(B,A){var z=B.charCodeAt(A);if(z>255){throw'INVALID_CHARACTER_ERR: DOM Exception 5'}

return z};d.encode=function(D){if(arguments.length!=1){throw'SyntaxError: Not enough arguments'}

var A=d.PADCHAR;var F=d.ALPHA;var E=d.getbyte;var C,G;var z=[];D='' D;var B=D.length-D.length%3;if(D.length==0){return D}

for(C=0;C>18));z.push(F.charAt((G>>12)&63));z.push(F.charAt((G>>6)&63));z.push(F.charAt(G&63))}

switch(D.length-B){case 1:G=E(D,C)>18) F.charAt((G>>12)&63) A A);break;case 2:G=(E(D,C)>18) F.charAt((G>>12)&63) F.charAt((G>>6)&63) A);break}

return z.join('')};if(!window.btoa){window.btoa=d.encode}})(window);var hexcase=1;var b64pad='';var chrsz=8;var mode=32;function md5(s){return hex_md5(s)}

function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz))}

function str_md5(s){return binl2str(core_md5(str2binl(s),s.length*chrsz))}

function hex_hmac_md5(key,data){return binl2hex(core_hmac_md5(key,data))}

function b64_hmac_md5(key,data){return binl2b64(core_hmac_md5(key,data))}

function str_hmac_md5(key,data){return binl2str(core_hmac_md5(key,data))}

function core_md5(x,len){x[len>>5]|=128>>9)

function core_hmac_md5(key,data){var bkey=str2binl(key);if(bkey.length>16){bkey=core_md5(bkey,key.length*chrsz)}

var ipad=Array(16),opad=Array(16);for(var i=0;i

var hash=core_md5(ipad.concat(str2binl(data)),512 data.length*chrsz);return core_md5(opad.concat(hash),512 128)}

function str2binl(str){var bin=Array();var mask=(1>5]|=(str.charCodeAt(i/chrsz)&mask)

function binl2str(bin){var str='';var mask=(1>5]>>>(i2))&mask)}

function binl2hex(binarray){var hex_tab=hexcase?'0123456789ABCDEF':'0123456789abcdef';var str='';for(var i=0;i>2]>>((i%4)*8 4))&15) hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&15)}

function hexchar2bin(str){var arr=[];for(var i=0;i

arr=arr.join('');eval('var temp = \'' arr '\'');return temp}

function __monitor(mid,probability){if(Math.random()>(probability||1)){return}

try{var url=location.protocol '//ui.ptlogin2.qq.com/cgi-bin/report?id=' mid;var s=document.createElement('img');s.src=url}catch(e){}}

function getEncryption(password,salt,vcode){salt=uin2hex(salt);vcode=vcode||'';password=password||'';var md5Pwd=md5(password),h1=hexchar2bin(md5Pwd),s2=md5(h1 salt),rsaH1=$pt.RSA.rsa_encrypt(h1),rsaH1Len=(rsaH1.length/2).toString(16),hexVcode=r.TEA.strToBytes(vcode.toUpperCase(),true),vcodeLen=Number(hexVcode.length/2).toString(16);while(vcodeLen.length

while(rsaH1Len.length

r.TEA.initkey(s2);var saltPwd=r.TEA.enAsBase64(rsaH1Len rsaH1 r.TEA.strToBytes(salt) vcodeLen hexVcode);r.TEA.initkey('');return saltPwd.replace(/[\/\ =]/g,function(a){return{'/':'-',' ':'*','=':'_'}[a]})}

function uin2hex(str){var maxLength=16;var hex=parseInt(str).toString(16);var len=hex.length;for(var i=len;i

var arr=[];for(var j=0;j

var result=arr.join("");eval('result="' result '"');return result}getEncryption

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-

function time(){return Math.random()}

VBScript.RegExp

km.7532.com

shenglin_yu@126.com

VVV.7532.com

VVV.7532.comt

7532.com

|*.txt

%d&&'

123456789

00003333

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSH_SCROLL_LINES_MSG

windows

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

RASAPI32.dll

GetProcessHeap

WinExec

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

oledlg.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

;3 #>6.&

'2, / 0&7!4-)1#

VVV.dywt.com.cn

(*.htm;*.html)|*.htm;*.html

its:%s::%s

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCResourceException@@

%d-%d-%d

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.jpg;*.bmp;*.gif;*.ico;*.cur|JPG

(*.JPG)|*.jpg|BMP

(*.BMP)|*.bmp|GIF

(*.GIF)|*.gif|

(*.ICO)|*.ico|

(*.CUR)|*.cur||

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÃ

3 ,,25%!4

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

!"#$%&'()* ,-

25, 0, 0, 1

Windows

Grid.Document

(*.*)

4.4.0.0

%original file name%.exe_3404_rwx_10001000_00039000:

L$(h%f

SSh0j

hu2.iu

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ã

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps

Related articles