Gen.Variant.Graftor.37429_5193a201b7 – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.37429 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5193a201b7355f6ac00af96184d29d5d

SHA1: d66f981e23494860656b31e27e5dd4fcf8d91b46

SHA256: 4aa669e7382244709987ac4d6e52f0c966f373c65353d9d6778e6d5bd92fae51

SSDeep: 98304:GQHA/3XxoSj3XsbIABdUf0uXFvWomZHF7b MxntyV n:GQHAfxdjH4I8qVJGHF/txt n

Size: 5135223 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-08-14 22:15:49

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

svchostlsp.exe:3736
%original file name%.exe:452
117my.exe:2736
117my.exe:944

The Trojan injects its code into the following process(es):

svchosl.exe:3732

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process svchostlsp.exe:3736 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\twain_32\config\ESPI11.dll (244 bytes)
C:\Windows\System32\addressoftext.inscan (1 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)

The process %original file name%.exe:452 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\svchost.exe (12649 bytes)
C:\Windows\117my.exe (7296 bytes)
C:\Windows\117my.com.bat (258 bytes)
C:\Windows\Game.ico:Zone.Identifier (26 bytes)
C:\Windows\svchosl.exe (8713 bytes)
C:\Windows\Game.ico (1978 bytes)
C:\Windows\117my.skn (2160 bytes)
C:\Users\"%CurrentUserName%"\Desktop\117Ã©Ââ€Ã¥Å¸Å¸7.1.lnk (1 bytes)

The Trojan deletes the following file(s):

C:\Windows\__tmp_rar_sfx_access_check_1308957 (0 bytes)

The process svchosl.exe:3732 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\host[1].htm (775 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CCQ2R3OL.txt (0 bytes)

The process 117my.exe:2736 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe (1948 bytes)

The process 117my.exe:944 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Mag.dat (101 bytes)
C:\Windows\System32\drivers\etc\hosts (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn (62 bytes)
C:\Windows\117my.skn (65 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\117my.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll (89 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\fc07[1].swf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K3H6JGON.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AllServices[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fc07_2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\nearest[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Tsv1TyvAx4g5KyOkiAdSP1Stniw[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MG_en-us[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\GetMDRCDPOSTURL[1].aspx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Yd__VnAFnBZBQiIS0sHoF6FGRC8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)

Registry activity

The process svchostlsp.exe:3736 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"FileName" = "C:\Windows\system32\ESPI11.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1014" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1012" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1002" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1003" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1001" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU]
"wodezhucbxm_1" = "393972"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:452 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process svchosl.exe:3732 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU]
"wodezpoiuy_5" = "328482"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"MaxFileSize" = "1048576"

"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"EnableFileTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf1" = "C:\Windows\svchosl.exe /start"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process 117my.exe:2736 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process 117my.exe:944 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
0392346d2aa6c76da5ca7dda28564b41	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe
4a9e26121421e5b6c47f50309cb63266	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn
671575e2cc623b3d093538f1e658ad93	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll
23d8fd353597d2edda54bdbad280749f	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe
6a455c4a2c7fe46c633fd085c0204696	c:\Windows\117my.exe
4a9e26121421e5b6c47f50309cb63266	c:\Windows\117my.skn
6ded751b628ddb2a1c0c05f18858437c	c:\Windows\System32\ESPI11.dll
ee6c854fa4e81138fcfcfbda7418ec6b	c:\Windows\svchosl.exe
57b609130b60649f4a2729b164b7527b	c:\Windows\svchost.exe
6ded751b628ddb2a1c0c05f18858437c	c:\Windows\twain_32\config\ESPI11.dll

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 5537 bytes in size. The following strings are added to the hosts file listed below:

170.178.171.31	www.176cc.cc
170.178.171.31	www.52my.com
170.178.171.31	www.crsky.com
170.178.171.31	crsky.com
170.178.171.31	www.901my.com
170.178.171.31	901my.com
170.178.171.31	moyu.so
170.178.171.31	kkk.dstfkj.com.cn
170.178.171.31	dstfkj.com.cn
170.178.171.31	www.214my.com
170.178.171.31	www.h360k.com
170.178.171.31	h360k.com
170.178.171.31	rsivy.pw
170.178.171.31	214my.com
170.178.171.31	www.270my.com
170.178.171.31	360.chihuo0517.com
170.178.171.31	chihuo0517.com
170.178.171.31	270my.com
170.178.171.31	www.moyu.so
170.178.171.31	www.hwkam.com
170.178.171.31	178stu.com
170.178.171.31	www.178stu.com
170.178.171.31	hwkam.com
170.178.171.31	www.5917wan.com
170.178.171.31	www.delifs.com
170.178.171.31	delifs.com
170.178.171.31	www.11moyu.com
170.178.171.31	t2.web.tonnn.com
170.178.171.31	www.2828my.com
170.178.171.31	2828my.com
170.178.171.31	tonnn.com
170.178.171.31	www.11my.net
170.178.171.31	www.91my.com
170.178.171.31	91my.com
170.178.171.31	wg.91my.com
170.178.171.31	my.178stu.com
170.178.171.31	134my.com
170.178.171.31	www.134my.com
170.178.171.31	001my.com
170.178.171.31	www.910my.com
170.178.171.31	910my.com
170.178.171.31	www.901my.com
170.178.171.31	901my.com
170.178.171.31	www.6moyu.com
170.178.171.31	110moyu.com
170.178.171.31	www.110moyu.com
170.178.171.31	dl.pconline.com.cn
170.178.171.31	www.moyushou.com
170.178.171.31	pconline.com.cn
170.178.171.31	www.52z.com
170.178.171.31	wanba.baidu.com
170.178.171.31	www.99sfmy.com
170.178.171.31	www.mycom114.com
170.178.171.31	www.xpy7.com
170.178.171.31	xpy7.com
170.178.171.31	www.tztw88.net
170.178.171.31	www.cncrk.com
170.178.171.31	www.laomy.net
170.178.171.31	www.kk8181.com
170.178.171.31	pk255.com
170.178.171.31	www.pk255.com
170.178.171.31	www.99hjmy.com
170.178.171.31	www.550my.com
170.178.171.31	99moyu.net
170.178.171.31	www.n13.cc
170.178.171.31	www.18ytl.com
170.178.171.31	www.x99my.cc
170.178.171.31	tg.weegame.com
170.178.171.31	weegame.com
170.178.171.31	t.cnsaier.com
170.178.171.31	cnsaier.com
170.178.171.31	laas.zafu.edu.cn
170.178.171.31	www.tianya.cn
170.178.171.31	www.9000my.com
170.178.171.31	139my.3313sf.cn
170.178.171.31	www.qweqt.org.cn
170.178.171.31	moyu.spxwj.com
170.178.171.31	www.ahwfauto.com
170.178.171.31	www.ttms168.com
170.178.171.31	www.x99moyu.net
170.178.171.31	t.kmly988.com
170.178.171.31	t.ahtaoy.com
170.178.171.31	t.cnsaier.com
170.178.171.31	www.55moyu.com
170.178.171.31	www.xsf7.com
170.178.171.31	99moyu.com
170.178.171.31	www.99moyu.com
170.178.171.31	sogou.1118st.com
170.178.171.31	1118st.com
170.178.171.31	www.173185.net
170.178.171.31	www.518ak.com
170.178.171.31	lpput.com
170.178.171.31	hjmyh.com
170.178.171.31	www.5555my.com
170.178.171.31	aaa.5555my.com
170.178.171.31	www.hjmyh.com
170.178.171.31	www.195my.com
170.178.171.31	195my.com
170.178.171.31	www.195sy.com
170.178.171.31	195sy.com
170.178.171.31	spxwj.com
170.178.171.31	817zs.cn
170.178.171.31	mmmmm.cnm78.com
170.178.171.31	www.139sfmy.com
170.178.171.31	www.gaoji.co
170.178.171.31	kkk.5917my.com
170.178.171.31	5917my.com
170.178.171.31	cnm78.com
170.178.171.31	www.87tf.com
170.178.171.31	www.wxycw.com
170.178.171.31	zzxyyyz.com
170.178.171.31	www.zzxyyyz.com
170.178.171.31	www.150my.com
170.178.171.31	www.seefp.com
170.178.171.31	www.sz-jhled.com
170.178.171.31	www.9my.net
170.178.171.31	www.92mysf.com
170.178.171.31	sogu.173185.net
170.178.171.31	173185.net
170.178.171.31	jxkb56.com
170.178.171.31	yon.jxkb56.com
170.178.171.31	sogou13.170shouyou.com
170.178.171.31	www.915my.com
170.178.171.31	915my.com
170.178.171.31	www.hao2288.cn
170.178.171.31	ddddddd.xckdee.com
170.178.171.31	www.173ka.net
170.178.171.31	duge.xunleimy.com
170.178.171.31	mmmmm.cnm78.com
170.178.171.31	kkk.51173wan.com
170.178.171.31	www.hao2288.cn
170.178.171.31	ddddddd.xckdee.com
170.178.171.31	www.173ka.net
170.178.171.31	duge.xunleimy.com
170.178.171.31	mmmmm.cnm78.com
170.178.171.31	kkk.51173wan.com
170.178.171.31	170shouyou.com
170.178.171.31	www.173ka.net
170.178.171.31	www.58wg.co
170.178.171.31	www.58wgw.com
170.178.171.31	www.my158.com
170.178.171.31	www.huaimy.com
170.178.171.31	huaimy.com
170.178.171.31	www.dudumy.cn
170.178.171.31	www.nmoyu.com
170.178.171.31	www.357my.com
170.178.171.31	www.139my.com
170.178.171.31	www.001my.com
170.178.171.31	www.xunleimy.com
170.178.171.34	www.117my.com
170.178.171.31	www.181my.com
170.178.171.31	kkk.51173wan.com
170.178.171.31	www.ucbug.com/moyu
170.178.171.31	www.zhujiangroad.com
170.178.171.31	sss.u8nz.com
170.178.171.31	www.xixiwg.com
170.178.171.31	www.vdisk.cn
170.178.171.31	www.592my.net
170.178.171.31	www.581my.com
170.178.171.31	www.592wg.cc
170.178.171.31	www.moyusifu.com
170.178.171.31	www.139myw.com
170.178.171.31	www.rmoyu.com
170.178.171.31	www.001my.com.co
170.178.171.31	www.001my.com.cn
170.178.171.31	mmm.139sfmy.com
170.178.171.31	my.99.com
170.178.171.31	99.com
170.178.171.31	www.tjggg.com
170.178.171.31	www.gmoyu.com
170.178.171.31	139sfmy.com
170.178.171.31	770my.com
170.178.171.31	www.770my.com
170.178.171.31	www.660my.com
170.178.171.31	660my.com
170.178.171.31	www.2525my.cn
170.178.171.31	tjggg.com
170.178.171.31	www.99my.com.co
170.178.171.31	www.520jzw.com
170.178.171.31	www.70my.com
170.178.171.31	www.13moyu.com
170.178.171.31	laomy.net
170.178.171.31	www1.dlbyhw.com
170.178.171.31	dlbyhw.com
170.178.171.31	www.clzs888.com

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
svchostlsp.exe:3736
%original file name%.exe:452
117my.exe:2736
117my.exe:944
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\twain_32\config\ESPI11.dll (244 bytes)
C:\Windows\System32\addressoftext.inscan (1 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)
C:\Windows\svchost.exe (12649 bytes)
C:\Windows\117my.exe (7296 bytes)
C:\Windows\117my.com.bat (258 bytes)
C:\Windows\Game.ico:Zone.Identifier (26 bytes)
C:\Windows\svchosl.exe (8713 bytes)
C:\Windows\117my.skn (2160 bytes)
C:\Users\"%CurrentUserName%"\Desktop\117Ã©Ââ€Ã¥Å¸Å¸7.1.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\host[1].htm (775 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe (1948 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Mag.dat (101 bytes)
C:\Windows\System32\drivers\etc\hosts (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\117my.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll (89 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf1" = "C:\Windows\svchosl.exe /start"
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	188392	188416	4.65119	2ae181684b1677561119f5765623448e
.rdata	192512	39376	39424	3.57169	0e0f6a60d8fa917a060c8ef7becc0888
.data	233472	129208	3072	2.28424	4e4aa728d9cced1622c2be27733e3fc5
.gfids	364544	240	512	1.47202	c923099e27bf0e45a5c402d935d0620b
.rsrc	368640	19884	19968	4.01107	5c996f60fd4566aa444b73d2a69de10c
.reloc	389120	8076	8192	4.59547	d13d3f8a8adfe6861c49a01d81cf73ed

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://passport.n.shifen.com/?business&un=5182235367&from=prin
hxxp://www.gxnkw.com/jc/bjcguanjianzi.txt?WebShieldDRSessionVerify=YizhEArCBnQ1QwpILGI0
hxxp://www.gxnkw.com/jc/tongji.txt
hxxp://www.gxnkw.com/jc/bjcguanjianzi.txt
hxxp://www.gxnkw.com/jc/jcd.txt
hxxp://www.92117my.com/host.html	122.228.30.106
hxxp://18201869647.oicp.net/
hxxp://18201869647.oicp.net/favicon.ico
hxxp://www.gxnkw.com/jc/hostjc.txt
hxxp://www.92117my.com/index1.htm	122.228.30.106
hxxp://www.92117my.com/logo.jpg	122.228.30.106
hxxp://www.92117my.com/game.html	122.228.30.106
hxxp://www.92117my.com/images/new.js	122.228.30.106
hxxp://www.92117my.com/images/xx.css	122.228.30.106
hxxp://www.92117my.com/images/bg.jpg	122.228.30.106
hxxp://www.92117my.com/images/Index_c1_r5.jpg	122.228.30.106
hxxp://www.92117my.com/Images/Index_bottom.jpg	122.228.30.106
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA==
hxxp://www.92117my.com/favicon.ico	122.228.30.106
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw==
hxxp://www.taobao.com.danuoyi.tbcache.com/	213.244.178.246
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw==
hxxp://www.gxnkw.com/jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://www.taobao.com/	213.244.178.246
hxxp://passport.baidu.com/?business&un=5182235367&from=prin
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH	104.16.26.216
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw==	104.16.27.216
hxxp://www.117my.cc/	183.60.204.14
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA==	104.16.27.216
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl	93.184.220.20
hxxp://www.117my.cc/favicon.ico	183.60.204.14
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw==	104.16.27.216
wg.200my.com	122.224.48.120
s95.cnzz.com	1.99.192.16
z4.cnzz.com	1.122.192.15
world.taobao.com	213.244.178.246
c.cnzz.com	123.138.67.81
cnzz.mmstat.com	198.11.132.221

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq

Content-Length: 0

Connection: Close

Content-Type: text/html

GET /jc/bjcguanjianzi.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 200

Content-Type: text/plain

Last-Modified: Sun, 08 Jan 2017 11:29:25 GMT

Accept-Ranges: bytes

ETag: "583b2977a269d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT

....sf......................001my..139my..70..........................................................................001......139..............178................520........................chihuo0517....

GET /jc/jcd.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 32

Content-Type: text/plain

Last-Modified: Thu, 12 Jan 2017 10:59:28 GMT

Accept-Ranges: bytes

ETag: "ca42d5f1c26cd21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT

hXXp://VVV.92117my.com/host.html....

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:42 GMT

HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:36:42 GMT..

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:40 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d9bd14783e463ca82c5866086ae2f56f41484786440; expires=Fri, 19-Jan-18 00:40:40 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 23:26:57 GMT

Expires: Sun, 22 Jan 2017 23:26:57 GMT

ETag: "ce2c9bab38408c822469b28825da8da8a11ff254"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c92e3e24038-SOF

0..........0..... .....0......0...0.......M........u....%...G..20170118232657Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|..ip.p..j..K.K....20170118232657Z....20170122232657Z0...*.H.............uO.5......./w;3.....3.J.n...E.....j.i..'...?.n>..J..l.sa......./....@.z..Qh.cc..l[...q.W ...g%.....o...f..."....9..;v_.n..m..!...f@.M...!.Yu.L3'C.6'......saI.G.d'B..b.u.H......_....m.f.Z.....g...DHY.z.O[.|U[o..#.O....0<....h....>...}..m..s....O..........8t...K0..G0..C0.. .......q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..............H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'..1."......3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...||.V....K..L...dX...a....6'..U..G....A;..........4K...........k.B].

<<< skipped >>>

GET /?business&un=5182235367&from=prin HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: passport.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Connection: keep-alive

Content-Type: text/html

Date: Thu, 19 Jan 2017 00:40:03 GMT

P3p: CP=" OTI DSP COR IVA OUR IND COM "

Server: Apache

Set-Cookie: BAIDUID=9D02E474B4BC9B1BC9F49E269184DEEF:FG=1; expires=Fri, 19-Jan-18 00:40:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

Tracecode: 24029977590332382986011908

Tracecode: 24029977590286507274011908

Vary: Accept-Encoding

Transfer-Encoding: chunked

3d0..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head>.<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.<title>........................_5182235367</title>.<link rel="stylesheet" href="/style/v2/info.css?t=20100901" type="text/css" media="all" />.<script type="text/javascript" src="/js/center_accountbind.js?t=20100901"></script>.<script type="text/javascript" src="/js/business.js?t=20100901"></script>.<script language="javascript">. document.domain = "baidu.com";. window.hasSpace = '';. var tabinfo = initTabInfo('5182235367');. var ab=gethash(1);. if(ab>0 && ab<tabinfo.length). {. if(tabinfo[ab][2]=="_blank"). {. window.location=tabinfo[ab][0];. }. }. function fixImgSize(img){... var width = img.offsetWidth;... var height = img.offsetHeight;... if( w..1a65..idth>78 ){... width>height?( img.style.width='78px' ):( img.style.height='78px' );... }else if( height>78 ){... img.style.height='78px';... }.. }. </script>.</head>.<body onLoad="javascript:chgdeftab(0);">. <div class="wrapper">.<noscript>.<p class="nojs">....................................................................................</p>.</noscript>.

<<< skipped >>>

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:49 GMT

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:58 GMT

GET /CRL/Omniroot2025.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT

If-None-Match: "200da-5b6-4eb453c33260e"

User-Agent: Microsoft-CryptoAPI/6.1

Host: cdp1.public-trust.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/x-pkcs7-crl

Date: Thu, 19 Jan 2017 00:40:59 GMT

Etag: "200c0-cba-54651a19dc944"

Last-Modified: Tue, 17 Jan 2017 22:15:01 GMT

Server: ECS (arn/45CB)

X-Cache: HIT

Content-Length: 3258

0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U....CyberTrust1"0 ..U....Baltimore CyberTrust Root..170117212826Z..170414212826Z0...0....'k...120111220757Z0....'k...120111220847Z0....'.C..130130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..100414175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....100216203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...110114162156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...120111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..100414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..110302154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..100414175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714160903Z0....'s...130123162633Z0....'....130904190524Z0....'....131024214319Z0....'....140129172435Z0....'....140129172453Z0....'....131024214310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...150603184605Z0....'k...150603185020Z0....'k...150603185058Z0....'k...150603185131Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173

<<< skipped >>>

GET /jc/bjcguanjianzi.txt?WebShieldDRSessionVerify=YizhEArCBnQ1QwpILGI0 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /jc/bjcguanjianzi.txt

Content-Length: 0

Connection: Close

Content-Type: text/html

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:39 GMT

GET / HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.117my.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 228

Content-Type: text/html

Content-Location: hXXp://VVV.117my.cc/index.html

Last-Modified: Mon, 15 Aug 2016 05:17:18 GMT

Accept-Ranges: bytes

ETag: "c85d104bb4f6d11:a7a"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:59 GMT

..<html>..........117...................2............<script language="javascript"> .. .. </script>HTTP/1.1 200 OK..Content-Length: 228..Content-Type: text/html..Content-Location: hXXp://VVV.117my.cc/index.html..Last-Modified: Mon, 15 Aug 2016 05:17:18 GMT..Accept-Ranges: bytes..ETag: "c85d104bb4f6d11:a7a"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:39:59 GMT....<html>..........117...................2............<script language="javascript"> .. .. </script>..

GET /index1.htm HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Referer: hXXp://VVV.117my.cc/

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 5219

Content-Type: text/html

Last-Modified: Thu, 12 Jan 2017 13:56:43 GMT

Accept-Ranges: bytes

ETag: "c8d99b5db6cd21:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:37 GMT

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />..<title>......117................................................</title>..<meta name="keywords" content="......sf,..................,117......" />..<meta name="description" content="117......sf..................................................................................................................................................." />..<style type="text/css">..body{color:#175095;padding:8px 0;background:#333;}..a{color:#175095;text-decoration:none;}..a:link{color:#175095;text-decoration:none;}..a:hover{color:#e00;text-decoration:none;}..*{padding:0;margin:0;font-size:14px;font-family:'Microsoft Yahei','Lucida Grande',Helvetica,Arial,sans-serif;}..#w{width:1002px;margin:0 auto;padding:8px;background:#fff;-moz-border-radius:3px;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 0 8px #000000;-moz-box-shadow:0 0 8px #000000;box-shadow:0 0 8px #000000;}..#logo{height:91px;background:url(logo.jpg) no-repeat;}..#d{margin-top:8px;}..#d table{border-spacing:1px;width:100%;background:#e3f3fe;border:1px solid #95bcd6;}..#d table tr:hover{background:#fff;}..#d td{padding:10px;line-height:15px;text-align:center;border:1px solid #95bcd6;overflow:hidden;white-space:nowrap;}..#k{margin-top:8px;border-top:1

<<< skipped >>>

GET /game.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Referer: hXXp://VVV.92117my.com/index1.htm

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 17051

Content-Type: text/html

Last-Modified: Mon, 16 Jan 2017 11:52:03 GMT

Accept-Ranges: bytes

ETag: "cfaef4ee6fd21:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:38 GMT

<html>..<HEAD>..<title>117................</title>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<META NAME="keywords" CONTENT="117................">..<META NAME="description" CONTENT="117................">..<META NAME="robots" CONTENT="all">..<script type='text/javascript'>window.mod_pagespeed_start = Number(new Date());</script>..<link rel='stylesheet' href='images/xx.css' type='text/css'>..<script language=javascript src="images/new.js"></script>..<BODY leftMargin=0 topMargin=0>..<TABLE align='center' cellSpacing=0 cellPadding=0 width='100%' border=0>..<TR>..<TD>..<style type="text/css"> .....aboutqq {...height: 28px;width: 310px;font-size: 14px;line-height: normal;font-weight: bolder;font-family: "....";position: absolute;.left: auto;top: 76px;text-align: left;}...logo{width:980px;height:130px;position:absolute;left:201px;top:13px;}...logo a{width:980px;height:130px;display:block;position:inherit;text-indent:-9999px;}.. .. ...banner{width:984px;margin:0

<<< skipped >>>

GET /images/bg.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.92117my.com/game.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 47783

Content-Type: image/jpeg

Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT

Accept-Ranges: bytes

ETag: "08c919cd3b3d01:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:39 GMT

......Exif..II*.................Ducky.......F.....rhXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:1AB21EE2D186E011AF1EE9B4DAE6B957" xmpMM:DocumentID="xmp.did:8075A7ADFD1411E288C0AA50F7BC029F" xmpMM:InstanceID="xmp.iid:8075A7ACFD1411E288C0AA50F7BC029F" xmp:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:f3ed0250-4dae-e34c-bf8c-3468d4276f83" stRef:documentID="xmp.did:1AB21EE2D186E011AF1EE9B4DAE6B957"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................................Z................................................................1aQ!A...............................?..Cj. @..... @..... 4...7...... .6.H.@....H. 7.)....V..H. .....U).).).)....R.B..@).)..P....E.AJ@)..P..JA.@).J@)....U[ ..S..<..?.....Jy..A..H.<.....@..).B.A......E).F..<.g..A...y..A..7..A..7...7.o .Eo ..o*7.o ...... ...s.*..*7.\... ....Ar..\....\....s.".. .A.....3.e../

<<< skipped >>>

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:46 GMT

170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.171.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco

<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:58 GMT

170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 kkk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.178.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com..170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.com..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.171.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.com..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.31 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31 VVV.901my.com..170VVV.518ak.com..170.178.171.31 lpput.com..170.178.171.31 hjmyh.com..170.178.171.31 VVV.5555my.com..170.178.171.31 aaa.5555my.com..170.178.171.31 VVV.hjmyh.com..170.178.171.31 VVV.195my.com..170.178.171.31 195my.com..170.178.171.31 VVV.195sy.com..170.178.171.31 195sy.com..170.178.171.31 spxwj.com..170.178.171.31 817zs.cn..170.1

<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:58 GMT

<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.117my.cc

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Length: 1308

Content-Type: text/html

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:59 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>............</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">..<STYLE type="text/css">.. BODY { font: 9pt/12pt .... }.. H1 { font: 12pt/15pt .... }.. H2 { font: 9pt/12pt .... }.. A:link { color: red }.. A:visited { color: maroon }..</STYLE>..</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>..<h1>............</h1>....................................................<hr>..<p>................</p>..<ul>..<li>........................................................</li>..<li>..................................................................................</li>..<li>....<a href="javascript:history.back(1)">....</a>....................</li>..</ul>..<h2>HTTP .... 404 - ..................<br>Internet ........ (IIS)</h2>..<hr>..<p>..............................</p>..<ul>..<li>.... <a href="hXXp://go.microsoft.com/fwlink/?linkid=8180">Microsoft ............</a>..........“HTTP”..“404”........</li>..<li>....“IIS ....”...... IIS ...... (inetmgr) ........................“........”..“............”..“..................”........</li>..</ul>..</TD>&lt

<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:32 GMT

<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:33 GMT

<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:37 GMT

<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:23 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d2049b01a660478030f630d1690d5c2f91484786423; expires=Fri, 19-Jan-18 00:40:23 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT

Expires: Sun, 22 Jan 2017 21:33:38 GMT

ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c2d86d8405c-SOF

0..........0..... .....0......0...0.......M........u....%...G..20170118213338Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|....s;..{..E......20170118213338Z....20170122213338Z0...*.H.............JA....vU.........q.:Z.......Oj..6T..mZ3...k%..S7`\.. ..i(.|.[.}... }i.....N.......0D.*bO.UY..`...!0... .0y.s.........~.aR...3....0k?g..........C.....U...r..:C?.N'F~..l.....MW.Iw.?.?..k3.4.~V.... b=x/&.u.7.........a...8.....\5..>..q..1.....AtLO/..m....B.hI....K0..G0..C0.. .......q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..............H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'..1."......3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...||.V....K..L...dX...a....6'..U..G....A;..........4K...........k.B].s.3...

<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 18 Jan 2017 21:33:38 GMT

If-None-Match: "3b988710a19508382f2e4d9507fbb592efa91e39"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 304 Not Modified

Date: Thu, 19 Jan 2017 00:40:27 GMT

Connection: keep-alive

Set-Cookie: __cfduid=dd9e2eab346214fdd619c23747ca55b821484786427; expires=Fri, 19-Jan-18 00:40:27 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT

Expires: Sun, 22 Jan 2017 21:33:38 GMT

ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c44618a405c-SOF

HTTP/1.1 304 Not Modified..Date: Thu, 19 Jan 2017 00:40:27 GMT..Connection: keep-alive..Set-Cookie: __cfduid=dd9e2eab346214fdd619c23747ca55b821484786427; expires=Fri, 19-Jan-18 00:40:27 GMT; path=/; domain=.globalsign.com; HttpOnly..Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT..Expires: Sun, 22 Jan 2017 21:33:38 GMT..ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"..Cache-Control: public, no-transform, must-revalidate..CF-Cache-Status: HIT..Server: cloudflare-nginx..CF-RAY: 32363c44618a405c-SOF......

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:40 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d995cc79ed802be9825730749a8dec62d1484786440; expires=Fri, 19-Jan-18 00:40:40 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 23:26:57 GMT

Expires: Sun, 22 Jan 2017 23:26:57 GMT

ETag: "ce2c9bab38408c822469b28825da8da8a11ff254"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c9250bb405c-SOF

<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:51 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d56bb1059e2865a2d42351fb11199ebd51484786451; expires=Fri, 19-Jan-18 00:40:51 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 23:28:53 GMT

Expires: Sun, 22 Jan 2017 23:28:53 GMT

ETag: "0db1f4e8f454c9f557e61810f001e1875842e319"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363cdcc475405c-SOF

0..........0..... .....0......0...0.......M........u....%...G..20170118232853Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|..EK.....L........20170118232853Z....20170122232853Z0...*.H...............g..N.MF......T..e.2..[1...=i.. .. 9O....v:{.$....1......g......K.F...!6.~....j#u....*P..U.....$.?. .b.w..m..E.k..X..o7...#.GC...l.;j%...K....v.=.3A...~1.j..f9s.9......b...1.x.x..3...N'......AQF...b.Z.P...v/.........[.'....3.[h~..l/5.X...3......9.....gX.....K0..G0..C0.. .......q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..............H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'..1."......3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...||.V....K..L...dX...a....6'..U..G....A;..........4K...........k.B].s.3...$..

<<< skipped >>>

GET / HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

Host: VVV.taobao.com

HTTP/1.1 302 Found

Server: Tengine

Date: Thu, 19 Jan 2017 00:40:40 GMT

Content-Type: text/html

Content-Length: 258

Connection: keep-alive

Location: hXXps://VVV.taobao.com/

Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 19-Jan-18 00:40:40 GMT;

Strict-Transport-Security: max-age=31536000

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<h1>302 Found</h1>..<p>The requested resource resides temporarily under a different URI.</p>..<hr/>Powered by Tengine</body>..</html>..HTTP/1.1 302 Found..Server: Tengine..Date: Thu, 19 Jan 2017 00:40:40 GMT..Content-Type: text/html..Content-Length: 258..Connection: keep-alive..Location: hXXps://VVV.taobao.com/..Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 19-Jan-18 00:40:40 GMT;..Strict-Transport-Security: max-age=31536000..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<h1>302 Found</h1>..<p>The requested resource resides temporarily under a different URI.</p>..<hr/>Powered by Tengine</body>..</html>....

GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1

Cache-Control: max-age = 10800

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT

If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:18 GMT

Content-Type: application/ocsp-response

Content-Length: 1518

Connection: keep-alive

Set-Cookie: __cfduid=dd5230a5dbbbba995e31d3feeb730dd801484786418; expires=Fri, 19-Jan-18 00:40:18 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT

Expires: Sun, 22 Jan 2017 22:23:23 GMT

ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"

Cache-Control: max-age=10800,public,no-transform,must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c0ba4004056-SOF

<<< skipped >>>

Cache-Control: max-age = 10800

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 18 Jan 2017 22:23:23 GMT

If-None-Match: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.globalsign.com

HTTP/1.1 304 Not Modified

Date: Thu, 19 Jan 2017 00:40:22 GMT

Connection: keep-alive

Set-Cookie: __cfduid=d2e82d71249719d20589d01ed4e4b9b3c1484786422; expires=Fri, 19-Jan-18 00:40:22 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT

Expires: Sun, 22 Jan 2017 22:23:23 GMT

ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"

Cache-Control: max-age=10800,public,no-transform,must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c2325894056-SOFHTTP/1.1 304 Not Modified..Date: Thu, 19 Jan 2017 00:40:22 GMT..Connection: keep-alive..Set-Cookie: __cfduid=d2e82d71249719d20589d01ed4e4b9b3c1484786422; expires=Fri, 19-Jan-18 00:40:22 GMT; path=/; domain=.globalsign.com; HttpOnly..Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT..Expires: Sun, 22 Jan 2017 22:23:23 GMT..ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"..Cache-Control: max-age=10800,public,no-transform,must-revalidate..CF-Cache-Status: HIT..Server: cloudflare-nginx..CF-RAY: 32363c2325894056-SOF..

GET /images/new.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://VVV.92117my.com/game.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 3803

Content-Type: application/x-javascript

Last-Modified: Tue, 28 Jul 2015 08:19:44 GMT

Accept-Ranges: bytes

ETag: "0d08028ec9d01:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.92117my.com/game.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 1166

Content-Type: image/jpeg

Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT

Accept-Ranges: bytes

ETag: "08c919cd3b3d01:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

GET /logo.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.92117my.com/index1.htm

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 30031

Content-Type: image/jpeg

Last-Modified: Fri, 06 Jan 2017 05:34:02 GMT

Accept-Ranges: bytes

ETag: "fefcb7cde67d21:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.92117my.com

Connection: Keep-Alive

Cookie: CNZZDATA1255675994=993092947-1484785024-null|1484785024

HTTP/1.1 404 Not Found

Content-Length: 1308

Content-Type: text/html

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

GET /host.html HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 5219

Content-Type: text/html

Last-Modified: Fri, 13 Jan 2017 12:48:11 GMT

Accept-Ranges: bytes

ETag: "9ebc6c4c9b6dd21:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

GET /?business&un=5182235367&from=prin HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: passport.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Connection: keep-alive

Content-Type: text/html

Date: Thu, 19 Jan 2017 00:40:02 GMT

P3p: CP=" OTI DSP COR IVA OUR IND COM "

Server: Apache

Set-Cookie: BAIDUID=BB091D280D8BB9A4DA1BF274DD690B70:FG=1; expires=Fri, 19-Jan-18 00:40:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

Tracecode: 24029743220283886346011908

Tracecode: 24029743220703316746011908

Vary: Accept-Encoding

<<< skipped >>>

GET /images/xx.css HTTP/1.1

Accept: text/css

Referer: hXXp://VVV.92117my.com/game.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 3604

Content-Type: text/css

Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT

Accept-Ranges: bytes

ETag: "08c919cd3b3d01:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.92117my.com/game.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 17599

Content-Type: image/jpeg

Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT

Accept-Ranges: bytes

ETag: "08c919cd3b3d01:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

<<< skipped >>>

GET /jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /jc/hostjc.txt

Content-Length: 0

Connection: Close

Content-Type: text/html

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1652:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

user32.dll

Kernel32.dll

ws2_32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfjct

hXXp://ip.qq.com/

@Windows 2000

@Windows Server 2003

@Windows Vista

@Windows 7

@Windows 8

00-00-00-00-00-00

%System%\host.txt

%System%\drivers\etc\hosts

hXXp://passport.baidu.com/?business&un=5182235367&from=prin#0

340046815

hXXp://VVV.gxnkw.com/jc/tongji.txt

%d&&'

123456789

00003333

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

icmp.dll

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

X-X-X-X-X-X

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

right-curly-bracket

left-curly-bracket

0123456789

C:\Windows\svchost.exe

#include "l.chs\afxres.rc" // Standard components

A.AQAtA

(*.*)

1.0.0.0

svchosl.exe_3732:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

user32.dll

OLEACC.DLL

Kernel32.dll

ws2_32.dll

EnumChildWindows

EnumWindows

WebBrowser

%System%\gjzbjclb.txt

%System%\gjzjclb.txt

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xff

hXXp://

hXXp://passport.baidu.com/?business&un=5182235367&from=prin#0

340046815

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xf1

hXXp://ip.qq.com/

@Windows 2000

@Windows Server 2003

@Windows Vista

@Windows 7

@Windows 8

00-00-00-00-00-00

Chrome_WidgetWin_100

liebao.exe

maxthon.exe

360se.exe

2345Explorer.exe

MozillaWindowClass

firefox.exe

hao123Juzi.exe

SogouExplorer.exe

QQBrowser.exe

Chrome_WidgetWin_1

opera.exe

TaoBrowser.exe

TangoWeb.exe

TheWorld.exe

UCBrowser.exe

{7597C4B1-F62C-4e83-A35F-8B69C8779DC1}

baidubrowser.exe

360chrome.exe

TTraveler.exe

chrome.exe

vary.exe

Chrome_OmniboxView

f1browser.exe

went.exe

miniie.exe

Windows Internet Explorer_Frame

cpopmus32ex.exe

crowd.exe

slowt32ex.exe

Maxthon3Cls_MainFrmMsg

SmartUI.Win32.Edit

TT_WebCtrl

wscript.shell

SendKeys

hXXp://VVV.gxnkw.com/jc/tongji.txt

%d&&'

123456789

00003333

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

ole32.dll

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

GetKeyboardLayout

VkKeyScanExA

keybd_event

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

X-X-X-X-X-X

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

right-curly-bracket

left-curly-bracket

0123456789

hXXp://VVV.92117my.com/host.htmly

C:\Windows\svchosl.exe

#include "l.chs\afxres.rc" // Standard components

..a.OO

PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

(*.*)

1.0.0.0

svchostlsp.exe_3736:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

^}•0DN

u$SShe

kernel32.dll

user32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xff

C:\Windows\twain_32\config\ESPI11.dll

C:\Windows\twain_32\config

.inidata

@.reloc

CNotSupportedException

CCmdTarget

commctrl_DragListMsg

COMCTL32.DLL

__MSVCRT_HEAP_SELECT

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

COMCTL32.dll

GetCPInfo

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

WINSPOOL.DRV

comdlg32.dll

SHELL32.dll

SWNPM.dll

.PAVCException@@

.PAVCArchiveException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

>$>(>,>0>4>8>@>

0F0g0m0

9$9(9,90989

%System%\addressoftext.inscan

hXXp://20140507.ip138.com/ic.asp

z>Windows 2000

@Windows XP

@Windows Server 2003

@Windows Vista

@Windows 7

@Windows 8

@127.0.0.1

hXXp://VVV.gxnkw.com/jc/tongji.txt

%d&&'

123456789

00003333

%*.*f

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

GetProcessHeap

WinExec

GetViewportOrgEx

WINMM.dll

RegCreateKeyA

RegDeleteKeyA

RegCreateKeyExA

RegEnumKeyA

RegOpenKeyA

ShellExecuteA

ole32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

CreateDialogIndirectParamA

GetViewportExtEx

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

%s\ESPI%d.dll

hXXp://dywt.com.cn

service@dywt.com.cn

86(0411)88995834

86(0411)88995831

Windows

(ESPINN.dll(NN

This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info

CallerInfoCopyCmd

SetIPPort

GetIPPort

"C:\Windows\System32\ESPI11.dll"

ProviderInstallCopyCmd

SockDataCopyCmd

SockAddrCopyCmd

enetintercept_fnSockAddrSetIPPort

enetintercept_fnSockAddrGetIPPort

enetintercept_fnInstallCopyCmd

enetintercept_fnSockDataCopyCmd

enetintercept_fnSockAddrCopyCmd

enetintercept_fnCallerInfoCopyCmd

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCResourceException@@

.PAVCUserException@@

zcÁ

18201869647.com:88

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe

#include "l.chs\afxres.rc" // Standard components

555455###

1, 1, 0, 0

ESPI11.dll

(*.*)

1.0.0.0

iexplore.exe_1924:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... ))

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

6user32.dll

Kernel32.DLL

6xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_1548:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... ))

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

6user32.dll

Kernel32.DLL

6xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

SearchFilterHost.exe_3408:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

0xx%p%S%d

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

0xx=

%S(%d)

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

SearchProtocolHost.exe_1908:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

0xx=

%s(%d)

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

0xx%p%S%d

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

%S(%d)

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610