Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8610d3389910f888de0d0ebe1a3ce061
SHA1: c00bb493133dff19eb9abfd3578772635475c7c8
SHA256: a96ecede8c9e45e5ee537ef6bfe369cca50f73b089750755a12e9dc72a4b2bd7
SSDeep: 24576:hnaFZnMf5AJt57zCOrG/RN6RG 7ZzHD20WYyb60asfs uBYTO:henMaXra5N6Rv1cW/svjTO
Size: 1888256 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-05-22 09:11:00
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2928
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\taskMgr[1].js (193 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\comm_util[1].js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S99OLKTL.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\xf.faxuan[1].xml (199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\views[1].js (69642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\login_1_s[1].js (742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[2].js (54106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QB2Y37I3.txt (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\comm_serv[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\public[1].css (3973 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\switch[1].png (363 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\orhon-U2M[1].js (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\comm_validatebox_customtooltip[1].js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg_pwd[1].png (737 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\up[1].png (347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jsrender[1].js (6568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\topnav_bg[1].jpg (5206 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bg_user[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\comm_cookies[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\form-validate[1].js (14936 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\login[1].css (1132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\map[1].png (31018 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\orhonmclib.min[1].js (8142 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\gc[1].jpg (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\id[1].gif (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\comm_popwin[1].js (441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\xf_faxuan_net[1].htm (628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\E2YBQL3V.txt (119 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\comm_validatebox_rules[1].js (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVU3JNLU.txt (229 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\popwin_style[1].css (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\easyui[1].css (24032 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bg_login[1].jpg (19558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\json2.min[1].js (616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\icon_qq[1].png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\contains[1].js (4806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\i[1].js (20032 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\login_1_v[1].js (3405 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jquery.cookie[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\popwin[1].css (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\icon_phone[1].png (625 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\r[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\id[1].htm (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TCH2R76M.txt (229 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\comm_customFuncTip[1].js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\icon[1].css (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\base[1].js (2093 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7RZVBA01.txt (399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\userpoint_1_s[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\orhonmatrixfont[1].css (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\tooltipster_style[1].css (486 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].png (5173 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\comm_resources[1].js (73 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVU3JNLU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\id[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TCH2R76M.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QB2Y37I3.txt (0 bytes)
Registry activity
The process %original file name%.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91293"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1463897460"
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\faxuan.net]
"(Default)" = "20"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan (listed under File activity above).
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 866263 | 868352 | 4.47758 | 16c6a569d59ac444f71f7ffd2453ab39 |
CODE | 872448 | 338768 | 339968 | 4.57896 | 2acdb705e40e5832b663b1ab65dbe92c |
.rdata | 1212416 | 373196 | 376832 | 4.4531 | badc389810e59620b12f03e6900a883d |
.data | 1589248 | 475147 | 69632 | 3.66069 | 924848d6abe71110bd3dcdf413b4a045 |
DATA | 2068480 | 69260 | 69632 | 5.14555 | fb3673f94b0b6aa3d257c6a5fb6cabba |
BSS | 2138112 | 25785 | 28672 | 0 | cf845a781c107ec1346e849c9dd1b7e8 |
.rsrc | 2166784 | 127432 | 131072 | 2.28929 | 0871a8f30e7e4e72f9412b5986185fd1 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://xf.faxuan.net/ | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/easyui14/themes/easyui.css | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/json2.min.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/jquery/jquery.min.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/jquery/jquery.cookie.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/easyui14/themes/icon.css | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/comm_util.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/comm_cookies.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/comm_serv.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/style/common/tooltipster_style.css | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/style/common/popwin_style.css | 27.221.53.18 |
hxxp://xf.faxuan.net/bps/common/comm_resources.js | 27.221.53.18 |
hxxp://xf.faxuan.net/bps/userpoint/s/userpoint_1_s.js | 27.221.53.18 |
hxxp://xf.faxuan.net/bps/login/s/login_1_s.js | 27.221.53.18 |
hxxp://xf.faxuan.net/bps/login/v/login_1_v.js | 27.221.53.18 |
hxxp://wpa.b.qq.com/cgi/wpa.php | 14.17.43.53 |
hxxp://xf.faxuan.net/baseui/js/index/orhonmclib.min.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/index/orhon-U2M.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/style/newcss/public.css?v=20160911 | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/jsrender.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/style/newcss/login.css?v=20160911 | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/style/popwin.css | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/style/orhonmatrixfont.css | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/images/up.png | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/easyui14/lib/base.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/vendor/easyui14/lib/form-validate.js | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/widget/comm_validatebox_customtooltip.js?_=1489883499423 | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/widget/comm_validatebox_rules.js?_=1489883499424 | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/widget/comm_customFuncTip.js?_=1489883499425 | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/js/widget/comm_popwin.js?_=1489883499426 | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/images/topnav_bg.jpg | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/images/login/bg_login.jpg | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/images/login/logo.png | 27.221.53.18 |
hxxp://xf.faxuan.net/baseui/images/login/map.png | 27.221.53.18 |
hxxp://p21.tcdn.qq.com/c/=/crm/wpa/release/3.3.7/wpa/ta.js,/crm/wpa/release/3.3.7/wpa/kfuin.js,/crm/wpa/release/3.3.7/wpa/sid.js,/crm/wpa/release/3.3.7/util/titleFlash.js,/crm/wpa/release/3.3.7/util/className.js,/crm/wpa/release/3.3.7/util/Style.js,/crm/wpa/release/3.3.7/util/taskMgr.js?v=3.3.7.20160126 | |
hxxp://p21.tcdn.qq.com/c/=/crm/wpa/release/3.3.7/wpa/APIs/addCustom.js,/crm/wpa/release/3.3.7/lang/extend.js,/crm/wpa/release/3.3.7/util/domain.js,/crm/wpa/release/3.3.7/wpa/WPA.js,/crm/wpa/release/3.3.7/wpa/wpaMgr.js,/crm/wpa/release/3.3.7/lang/browser.js,/crm/wpa/release/3.3.7/util/proxy.js,/crm/wpa/release/3.3.7/util/pad.js,/crm/wpa/release/3.3.7/util/Bits.js,/crm/wpa/release/3.3.7/util/getJSONP.js,/crm/wpa/release/3.3.7/util/cookie.js,/crm/wpa/release/3.3.7/util/events.js,/crm/wpa/release/3.3.7/util/onLoad.js,/crm/wpa/release/3.3.7/util/offset.js,/crm/wpa/release/3.3.7/util/Panel.js,/crm/wpa/release/3.3.7/util/onIframeLoaded.js,/crm/wpa/release/3.3.7/util/GUID.js,/crm/wpa/release/3.3.7/wpa/getQQVersion.js,/crm/wpa/release/3.3.7/wpa/ViewHelper.js,/crm/wpa/release/3.3.7/wpa/views.js?v=3.3.7.20160126 | |
hxxp://p21.tcdn.qq.com/c/=/crm/wpa/release/3.3.7/util/localStorage.js,/crm/wpa/release/3.3.7/wpa/SelectPanel.js,/crm/wpa/release/3.3.7/util/css.js,/crm/wpa/release/3.3.7/util/contains.js?v=3.3.7.20160126 | |
hxxp://xf.faxuan.net/baseui/images/login/switch.png | 27.221.53.18 |
hxxp://prom.b.qq.com/se/r.gif?na=4006570518&ref=&1489883516357 | 183.232.88.153 |
hxxp://xf.faxuan.net/baseui/images/login/bg_user.png | 27.221.53.18 |
hxxp://report.b.qq.com/crmReport/accesslog?FUID=&FKFUin=&FNa=4006570518&FRurl=&1489883516356 | 183.232.119.175 |
hxxp://wpl.b.qq.com/cgi/conv.php?num=4006570518&cb=JSONP_CALLBACK_1_77 | 120.198.199.200 |
hxxp://wpl.b.qq.com/cgi/ta.php?na=4006570518&dm=faxuan.net&cb=JSONP_CALLBACK_2_28 | 120.198.199.200 |
hxxp://isdspeed.qq.com/cgi-bin/r.cgi?flag1=7818&flag2=21&flag3=1&3=2067&&1489883516356 | 125.39.133.14 |
hxxp://xf.faxuan.net/baseui/images/login/bg_pwd.png | 27.221.53.18 |
hxxp://prom.b.qq.com/wpadisplay/r.gif?version=3.3.7.20160126&wty=3&type=&nameAccount=4006570518&kfuin=&ws=xf.faxuan.net&aty=0&a=0&title=&wording=&wording2=&tencentSig=5898714112&1489883517376 | 183.232.88.153 |
hxxp://xf.faxuan.net/baseui/images/login/icon_phone.png | 27.221.53.18 |
hxxp://p21.tcdn.qq.com/da/i.js | |
hxxp://xf.faxuan.net/baseui/images/login/icon_qq.png | 27.221.53.18 |
hxxp://da.qidian.qq.com/ping/pv?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&r=&pt=国家工作人员学法用法及考试平台_登录&sw=1276&sh=846&dpr=1&saw=1276&sah=802&scd=32&so=&bw=390&bh=310&tz=-2&hasf=23.0.0&hasadb=1&hasc=1&hastc=0&hasls=1&hasss=1&hasid=0&t=j0fy6gfy&z=bsg424 | 121.51.132.119 |
hxxp://da.qidian.qq.com/jsonp/mta?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&t=j0fy6gev&callback=S3JSONPPREFIXyi7ym0 | 121.51.132.119 |
hxxp://xf.faxuan.net/service/gc.html?timestamp=1489883514000 | 27.221.53.18 |
hxxp://p21.tcdn.qq.com/da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id | |
hxxp://da.qidian.qq.com/ping/id?v=0.6.6&tid=4006570518&aid=&sid=1.1.sdyr8n.j0fy6get&qid=sjoq3o.t0e4l5.j0fy6ges&pid=i9b1v3.3fir2g.j0fy6ges&qqm=3&t=j0fy6ia5&cid=1940917248&src=12&z=ngke5u | 121.51.132.119 |
hxxp://bqq.gtimg.com/da/i.js | 203.205.158.37 |
hxxp://combo.b.qq.com/da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id | 203.205.158.38 |
hxxp://combo.b.qq.com/c/=/crm/wpa/release/3.3.7/wpa/ta.js,/crm/wpa/release/3.3.7/wpa/kfuin.js,/crm/wpa/release/3.3.7/wpa/sid.js,/crm/wpa/release/3.3.7/util/titleFlash.js,/crm/wpa/release/3.3.7/util/className.js,/crm/wpa/release/3.3.7/util/Style.js,/crm/wpa/release/3.3.7/util/taskMgr.js?v=3.3.7.20160126 | 203.205.158.38 |
hxxp://combo.b.qq.com/c/=/crm/wpa/release/3.3.7/wpa/APIs/addCustom.js,/crm/wpa/release/3.3.7/lang/extend.js,/crm/wpa/release/3.3.7/util/domain.js,/crm/wpa/release/3.3.7/wpa/WPA.js,/crm/wpa/release/3.3.7/wpa/wpaMgr.js,/crm/wpa/release/3.3.7/lang/browser.js,/crm/wpa/release/3.3.7/util/proxy.js,/crm/wpa/release/3.3.7/util/pad.js,/crm/wpa/release/3.3.7/util/Bits.js,/crm/wpa/release/3.3.7/util/getJSONP.js,/crm/wpa/release/3.3.7/util/cookie.js,/crm/wpa/release/3.3.7/util/events.js,/crm/wpa/release/3.3.7/util/onLoad.js,/crm/wpa/release/3.3.7/util/offset.js,/crm/wpa/release/3.3.7/util/Panel.js,/crm/wpa/release/3.3.7/util/onIframeLoaded.js,/crm/wpa/release/3.3.7/util/GUID.js,/crm/wpa/release/3.3.7/wpa/getQQVersion.js,/crm/wpa/release/3.3.7/wpa/ViewHelper.js,/crm/wpa/release/3.3.7/wpa/views.js?v=3.3.7.20160126 | 203.205.158.38 |
hxxp://combo.b.qq.com/c/=/crm/wpa/release/3.3.7/util/localStorage.js,/crm/wpa/release/3.3.7/wpa/SelectPanel.js,/crm/wpa/release/3.3.7/util/css.js,/crm/wpa/release/3.3.7/util/contains.js?v=3.3.7.20160126 | 203.205.158.38 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /da/i.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: bqq.gtimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:57 GMT
Cache-Control: max-age=600
Expires: Sun, 19 Mar 2017 00:41:57 GMT
Last-Modified: Tue, 17 Jan 2017 07:54:50 GMT
Content-Type: application/x-javascript
Content-Length: 13195
Content-Encoding: gzip
X-NWS-LOG-UUID: b02c8cbd-b014-4a17-9697-ca12e767fa91
Keep-Alive: timeout=60
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /wpadisplay/r.gif?version=3.3.7.20160126&wty=3&type=&nameAccount=4006570518&kfuin=&ws=xf.faxuan.net&aty=0&a=0&title=&wording=&wording2=&tencentSig=5898714112&1489883517376 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: prom.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 25 Jul 2016 09:54:54 GMT
Connection: close
ETag: "5795e1ee-0"
Accept-Ranges: bytes
GET /cgi/ta.php?na=4006570518&dm=faxuan.net&cb=JSONP_CALLBACK_2_28 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpl.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/javascript
Content-Length: 53
Connection: close
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
JSONP_CALLBACK_2_28({"r":0,"data":{"sid":"2385419"}})..
GET /c/=/crm/wpa/release/3.3.7/wpa/ta.js,/crm/wpa/release/3.3.7/wpa/kfuin.js,/crm/wpa/release/3.3.7/wpa/sid.js,/crm/wpa/release/3.3.7/util/titleFlash.js,/crm/wpa/release/3.3.7/util/className.js,/crm/wpa/release/3.3.7/util/Style.js,/crm/wpa/release/3.3.7/util/taskMgr.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:54 GMT
Last-Modified: Fri, 22 Jul 2016 19:07:42 GMT
Content-Type: application/x-javascript
Content-Length: 1695
Content-Encoding: gzip
X-NWS-LOG-UUID: fdd522da-a684-47ce-9e8a-845c391e5952
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /c/=/crm/wpa/release/3.3.7/util/localStorage.js,/crm/wpa/release/3.3.7/wpa/SelectPanel.js,/crm/wpa/release/3.3.7/util/css.js,/crm/wpa/release/3.3.7/util/contains.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:55 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:55 GMT
Last-Modified: Fri, 22 Jul 2016 19:07:15 GMT
Content-Type: application/x-javascript
Content-Length: 3583
Content-Encoding: gzip
X-NWS-LOG-UUID: 504e67e3-a4d4-46f6-9e81-f502c822746f
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /cgi-bin/r.cgi?flag1=7818&flag2=21&flag3=1&3=2067&&1489883516356 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: isdspeed.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Cache-Control: max-age=0
Expires: Sun, 19 Mar 2017 00:31:57 GMT
1.....0..
GET /jsonp/mta?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&t=j0fy6gev&callback=S3JSONPPREFIXyi7ym0 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 22
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
S3JSONPPREFIXyi7ym0();..
GET /ping/id?v=0.6.6&tid=4006570518&aid=&sid=1.1.sdyr8n.j0fy6get&qid=sjoq3o.t0e4l5.j0fy6ges&pid=i9b1v3.3fir2g.j0fy6ges&qqm=3&t=j0fy6ia5&cid=1940917248&src=12&z=ngke5u HTTP/1.1
Accept: */*
Referer: hXXp://combo.b.qq.com/da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
Cookie: __qidianid=87af85c63adaa7058ecd29406314a27e0b85c26a
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:32:01 GMT
Content-Type: image/gif
Content-Length: 35
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
GIF87a.............,...........D..;..
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Set-Cookie: rid=32a0cb241a97f8ecaba3339c887081d6;expires=31 GMT;path=/;domain=faxuan.net
Location: hXXp://xf.faxuan.net/
Access-Control-Allow-Origin: *
a7..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>openresty/1.7.10.1</center>..</body>..</html>..0......
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/vendor/easyui14/themes/easyui.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-9f0d"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/vendor/jquery/jquery.cookie.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-5e1"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/index/orhonmclib.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-3d44"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/index/orhon-U2M.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:39 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-361"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/vendor/jsrender.js HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:42 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-4506"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/widget/comm_validatebox_rules.js?_=1489883499424 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:49 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1136"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/login/bg_login.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/jpeg
Content-Length: 126290
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-1ed52"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /ping/pv?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&r=&pt=国家工作人员学法用法及考试平台_登录&sw=1276&sh=846&dpr=1&saw=1276&sah=802&scd=32&so=&bw=390&bh=310&tz=-2&hasf=23.0.0&hasadb=1&hasc=1&hastc=0&hasls=1&hasss=1&hasid=0&t=j0fy6gfy&z=bsg424 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/gif
Content-Length: 35
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Set-Cookie: __qidianid=87af85c63adaa7058ecd29406314a27e0b85c26a; expires=Mon, 19-Mar-2018 00:31:59 GMT; path=/; domain=.qidian.qq.com
GIF87a.............,...........D..;..
GET /cgi/conv.php?num=4006570518&cb=JSONP_CALLBACK_1_77 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpl.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/javascript
Content-Length: 93
Connection: close
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
JSONP_CALLBACK_1_77({"r":0,"data":{"kfuin":938032293,"nameAccount":"4006570518","envId":11}})..
GET /baseui/vendor/easyui14/themes/icon.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-8a6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/comm_cookies.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-7d4"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/common/tooltipster_style.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1e6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/common/popwin_style.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-555"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/common/comm_resources.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Wed, 08 Mar 2017 04:56:52 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58bf8f14-906"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/login/s/login_1_s.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-2e6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/login/v/login_1_v.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-1f13"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/style/orhonmatrixfont.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:41 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-554"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/vendor/easyui14/lib/form-validate.js HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:46 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-11921"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/widget/comm_popwin.js?_=1489883499426 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1715"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/login/map.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/png
Content-Length: 123144
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-1e108"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /crmReport/accesslog?FUID=&FKFUin=&FNa=4006570518&FRurl=&1489883516356 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: report.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
GET /se/r.gif?na=4006570518&ref=&1489883516357 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: prom.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 25 Jul 2016 09:54:55 GMT
Connection: close
ETag: "5795e1ef-0"
Accept-Ranges: bytes
GET /baseui/vendor/json2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-d39"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/comm_util.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-95f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/comm_serv.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-726"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/userpoint/s/userpoint_1_s.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-40f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/newcss/login.css?v=20160911 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-11ea"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/up.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:42 GMT
Content-Type: image/png
Content-Length: 347
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-15b"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/js/widget/comm_validatebox_customtooltip.js?_=1489883499423 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:47 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-12ee"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/topnav_bg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/jpeg
Content-Length: 21507
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-5403"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /cgi/wpa.php HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpa.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: text/javascript
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Encoding: gzip
<<< skipped >>>
GET /c/=/crm/wpa/release/3.3.7/wpa/APIs/addCustom.js,/crm/wpa/release/3.3.7/lang/extend.js,/crm/wpa/release/3.3.7/util/domain.js,/crm/wpa/release/3.3.7/wpa/WPA.js,/crm/wpa/release/3.3.7/wpa/wpaMgr.js,/crm/wpa/release/3.3.7/lang/browser.js,/crm/wpa/release/3.3.7/util/proxy.js,/crm/wpa/release/3.3.7/util/pad.js,/crm/wpa/release/3.3.7/util/Bits.js,/crm/wpa/release/3.3.7/util/getJSONP.js,/crm/wpa/release/3.3.7/util/cookie.js,/crm/wpa/release/3.3.7/util/events.js,/crm/wpa/release/3.3.7/util/onLoad.js,/crm/wpa/release/3.3.7/util/offset.js,/crm/wpa/release/3.3.7/util/Panel.js,/crm/wpa/release/3.3.7/util/onIframeLoaded.js,/crm/wpa/release/3.3.7/util/GUID.js,/crm/wpa/release/3.3.7/wpa/getQQVersion.js,/crm/wpa/release/3.3.7/wpa/ViewHelper.js,/crm/wpa/release/3.3.7/wpa/views.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:54 GMT
Last-Modified: Fri, 12 Aug 2016 09:00:23 GMT
Content-Type: application/x-javascript
Content-Length: 48165
Content-Encoding: gzip
X-NWS-LOG-UUID: ac008d89-bb76-4556-9406-2036b987d4c8
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:58 GMT
Cache-Control: max-age=600
Expires: Sun, 19 Mar 2017 00:41:58 GMT
Last-Modified: Tue, 17 Jan 2017 07:54:50 GMT
Content-Type: text/html
Content-Length: 5261
Content-Encoding: gzip
X-NWS-LOG-UUID: ee30b696-64af-4905-89b8-95cf831a9839
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /baseui/vendor/jquery/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-178cf"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/style/newcss/public.css?v=20160911 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-14f1"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/style/popwin.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:41 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-41f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/vendor/easyui14/lib/base.js HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:44 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-4978"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/widget/comm_customFuncTip.js?_=1489883499425 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:49 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-5ee"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/login/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/png
Content-Length: 29795
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-7463"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /baseui/images/login/switch.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:56 GMT
Content-Type: image/png
Content-Length: 363
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-16b"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/bg_user.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/png
Content-Length: 1006
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-3ee"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/bg_pwd.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/png
Content-Length: 737
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-2e1"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/icon_phone.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:58 GMT
Content-Type: image/png
Content-Length: 625
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-271"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/icon_qq.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/png
Content-Length: 1786
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-6fa"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /service/gc.html?timestamp=1489883514000 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/jpeg
Content-Length: 1240
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Wed, 02 Dec 2015 10:19:41 GMT
ETag: "565ec5bd-4d8"
Accept-Ranges: bytes
Age: 26507
X-Cache: HIT from 192.168.1.51
X-Cache-Lookup: HIT from 192.168.1.51:80
Via: 1.0 192.168.1.51 (squid/3.1.10)
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2928:
.text
`.rdata
@.data
.rsrc
t$(SSh
|$D.tm
~%UVW
u$SShe
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
Uh.bN
MaxKeySize
Invalid key size
%UUUU1E
%UUUU3
5 passes)
1.2.3
DB00735E-CFFB-47E6-B060-BB0D74008B7A
94-401@163.com
Bv.SCv=kAv
odbccp32.dll
wininet.dll
yzmsb.dll
ole32.dll
user32.dll
OLEACC.DLL
Kernel32.dll
SQLConfigDataSource
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
{B6F7542F-B8FE-46a8-9605-98856A687097}
42305932-06E6-47a5-AC79-8BDCDC58DF61
WebBrowser
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
\zjspfz.tqs
?Microsoft Access Driver (*.mdb)
xf.faxuan.net
hXXp://
hXXps://
id=userpassword
hXXp://xf.faxuan.net/service/gc.html?timestamp=
function time(){return new Date().getTime()}
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXp://xf.faxuan.net
000000000
122149519
VVV.t7soft.com
P@&key=13
hXXp://xf.faxuan.net/pss/service/getpoint?type=mypoint&userAccount=
hXXp://xf.faxuan.net/sss/service/getcourse?dateType=1&targetDomainCode=
hXXp://xf.faxuan.net/sps/courseware/t/courseware_1_t.html?courseId=
hXXp://xf.faxuan.net/sps/exercises/t/exercies_1_t.html?courseId=
&key=
hXXp://xf.faxuan.net/sps/service/getcoursestudy?courseId=
(.*?)_(.*?)_(.*?)
hXXp://xf.faxuan.net/sps/exercises/t/exercies_3_t.html?id=
hXXp://xf.faxuan.net/pss/service/postPoint?operateType=epoint&userAccount=
hXXp://xf.faxuan.net/sss/service/getcourseware?courseId=
hXXp://xf.faxuan.net/sps/courseware/t/courseware_4_t.html?id=
hXXp://xf.faxuan.net/pss/service/postPoint?operateType=spoint&userAccount=
hXXp://xf.faxuan.net/pss/service/postPoint?operateType=spoint&userAccount=
hXXp://VVV.t7soft.com
hXXp://VVV.t7soft.com
YPG>5md[RI@7.hR/O,LkHhEe=]
YPG>5md[RI@7.hR/O,LkHhEe=]
>yÛ
>yÛ
1979717
1979717
shell32.dll
shell32.dll
sql.a6.dns-dns.net
sql.a6.dns-dns.net
hXXp://VVV.t7soft.com/zy4.asp
hXXp://VVV.t7soft.com/zy4.asp
hXXp://news.qq.com
hXXp://news.qq.com
{626FC520-A41E-11CF-A731-00A0C9082637}
{626FC520-A41E-11CF-A731-00A0C9082637}
{0002DF05-0000-0000-C000-000000000046}
{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{6D5140C1-7436-11CE-8034-00AA006009FA}
{6D5140C1-7436-11CE-8034-00AA006009FA}
{D30C1661-CDAF-11d0-8A3E-00C04FC9E26E}
{D30C1661-CDAF-11d0-8A3E-00C04FC9E26E}
document.all.resultjs.innerText=
document.all.resultjs.innerText=
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
VBScript.RegExp
VBScript.RegExp
@odbccp32.dll
@odbccp32.dll
'8%&(#&=1
'8%&(#&=1
Lx.mya
Lx.mya
Adobe Photoshop CS5 Windows
Adobe Photoshop CS5 Windows
2015:11:23 23:56:09
2015:11:23 23:56:09
urlTEXT
urlTEXT
MsgeTEXT
MsgeTEXT
#hXXp://ns.adobe.com/xap/1.0/
#hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
IEC hXXp://VVV.iec.ch
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
CRT curv
wxg717@21cn.com
wxg717@21cn.com
1683596352
1683596352
1683596352
1683596352
F%*.*f
F%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
RASAPI32.dll
RASAPI32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
GetProcessHeap
GetProcessHeap
WinExec
WinExec
GetCPInfo
GetCPInfo
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
EnumChildWindows
EnumChildWindows
GetKeyboardType
GetKeyboardType
RegisterHotKey
RegisterHotKey
UnregisterHotKey
UnregisterHotKey
GetViewportOrgEx
GetViewportOrgEx
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
oledlg.dll
oledlg.dll
WSOCK32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
CreateDialogIndirectParamA
CreateDialogIndirectParamA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
%Y-%m-%d %H:%M:%S
%Y-%m-%d %H:%M:%S
FADODB.Connection
FADODB.Connection
DRIVER=SQL Server;SERVER=
DRIVER=SQL Server;SERVER=
;Jet OLEDB:Database Password=
;Jet OLEDB:Database Password=
Provider=Microsoft.Jet.OLEDB.4.0; Data Source=
Provider=Microsoft.Jet.OLEDB.4.0; Data Source=
Description: %s
Description: %s
State: %s, Native: %d, Source: %s
State: %s, Native: %d, Source: %s
FADODB.Recordset
FADODB.Recordset
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
%d%d%d
%d%d%d
rundll32.exe shell32.dll,
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
right-curly-bracket
right-curly-bracket
left-curly-bracket
left-curly-bracket
c:\%original file name%.exe
c:\%original file name%.exe
*.yUW
*.yUW
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
inflate 1.2.3 Copyright 1995-2005 Mark Adler
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
Skin.dll
Skin.dll
1, 0, 6, 6
1, 0, 6, 6
2015-11-23-2347144232
2015-11-23-2347144232
(*.*)
(*.*)
%original file name%.exe_2928_rwx_10000000_0003E000: