Susp_Dropper (Kaspersky), Trojan.Generic.14584096 (B) (Emsisoft), Trojan.Generic.14584096 (AdAware), Packed.Win32.Themida.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan-PSW.Win32.Bzub.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 41f626030c33af914d6945b837bc7a84
SHA1: cb9e44e8a4f4dc4bc0edf6ef348f7810ccd3bf81
SHA256: 1caa4703a582c184835784b1696f7d9510418955db86439094af1ea61e92d6b7
SSDeep: 49152:jat bWHjf uxIDJkyUujoWKa/mS5K23 gFGocBxgzOmRE:OiWHxxGGujo9q553 oGosaOmRE
Size: 2125904 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2015-04-23 18:58:47
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1756
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\UUWiseHelper.dll (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\QQ.ini (78 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHU30HQ3\desktop.ini (67 bytes)
C:\dc.dll (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GWI7ONE6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KIA5LSFM\desktop.ini (67 bytes)
C:\%original file name%.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DSCXAXEZ\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
C:\bzbgsypkgrriyexkscsx.dfg (0 bytes)
Registry activity
The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 7D A0 5C 91 4A F0 F4 28 C2 90 5E 41 E1 0A 30"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Dropped PE files
MD5 | File path |
---|---|
0b441d309282fed4f1dbc75f042e265e | c:\%original file name%.exe |
7c0415db33190179697196004e57d7c4 | c:\UUWiseHelper.dll |
de3dc550babddae4d74fa8591b31ee3a | c:\dc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\UUWiseHelper.dll (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\QQ.ini (78 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHU30HQ3\desktop.ini (67 bytes)
C:\dc.dll (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GWI7ONE6\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KIA5LSFM\desktop.ini (67 bytes)
C:\%original file name%.exe (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\DSCXAXEZ\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ?????
Product Name: QQ????????1.0 Www.52Dfg.Com
Product Version: 1.0.0.0
Legal Copyright: ??????????[www.52dfg.com],??????,?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????QQ?????,?????
Comments: ???????
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2203648 | 811008 | 5.5444 | 24090c5f87d08d8662cbca0502582093 |
UPX | 2207744 | 1196032 | 1196032 | 5.00442 | 55cff1848f765020b57f9c7f4631c4c0 |
.idata | 3403776 | 4096 | 4096 | 1.11657 | 702a9ab56b33f8dd72698dea0892a4d0 |
.rsrc | 3407872 | 98304 | 98304 | 2.47439 | 823ed892dd51e734099835ca2be7aa9e |
UPX | 3506176 | 4096 | 4096 | 5.53276 | 9ed01a2472c542d087c4ed8e7d99422e |
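The section table above already points at a packer (PEiD: UPolyX/ACProtect, entropy verdict "Packed"). The following is an added example, not part of the Lavasoft report, showing the checks an analyst runs over such a table to confirm that verdict: a .text section whose virtual size is about 2.7x its raw size (the unpacker writes code there at runtime), two sections that both carry the name UPX, and a virtual layout that is still contiguous, which says the header itself was not corrupted. The rows are transcribed from the table; the thresholds, the packer-name list and the 4 KiB section alignment are assumptions of the example.

```python
"""Packer heuristics over the report's PE section table.

Added example, not part of the Lavasoft report: the section rows below are
transcribed from the "PE Sections" table, and the checks are the ones an
analyst applies by hand to decide whether the PEiD/entropy verdicts are
credible.  Thresholds (EXPAND_RATIO, HIGH_ENTROPY), the alignment and the
packer-name list are assumptions of this example, not values from the report.
"""
from dataclasses import dataclass

SECTION_ALIGNMENT = 0x1000   # assumption: the table's addresses are 4 KiB aligned
EXPAND_RATIO = 1.5           # virtual/raw above this: the section is filled at runtime
HIGH_ENTROPY = 7.0           # Shannon entropy (bits/byte) typical of compressed/encrypted data

# Section names that well-known packers leave behind (assumed list, extend as needed).
KNOWN_PACKER_NAMES = {"UPX", "UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                      ".themida", ".vmp0", ".vmp1", ".nsp0", ".nsp1", ".petite"}


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float


# Transcribed from the report's PE Sections table (decimal, as printed there).
REPORT_SECTIONS = [
    Section(".text",  4096,    2203648, 811008,  5.5444),
    Section("UPX",    2207744, 1196032, 1196032, 5.00442),
    Section(".idata", 3403776, 4096,    4096,    1.11657),
    Section(".rsrc",  3407872, 98304,   98304,   2.47439),
    Section("UPX",    3506176, 4096,    4096,    5.53276),
]


def _align_up(value, alignment=SECTION_ALIGNMENT):
    return (value + alignment - 1) // alignment * alignment


def section_findings(sections, expand_ratio=EXPAND_RATIO, high_entropy=HIGH_ENTROPY):
    """Return [(section_name, [reason, ...]), ...] for sections that look packed.

    Sections without findings are omitted, so an empty list means "nothing suspicious".
    """
    findings = []
    for s in sections:
        reasons = []
        if s.raw_size == 0 and s.virtual_size > 0:
            reasons.append("raw size 0 but virtual size %d: allocated for an unpacker to fill"
                           % s.virtual_size)
        elif s.raw_size and s.virtual_size / s.raw_size > expand_ratio:
            reasons.append("virtual size %d is %.1fx the raw size %d: code is written here at runtime"
                           % (s.virtual_size, s.virtual_size / s.raw_size, s.raw_size))
        if s.name in KNOWN_PACKER_NAMES:
            reasons.append("section name %r belongs to a known packer" % s.name)
        if s.entropy >= high_entropy:
            reasons.append("entropy %.2f suggests compressed or encrypted data" % s.entropy)
        if reasons:
            findings.append((s.name, reasons))
    return findings


def duplicate_section_names(sections):
    """Section names that occur more than once; normal linkers do not emit these."""
    seen, dups = set(), set()
    for s in sections:
        if s.name in seen:
            dups.add(s.name)
        seen.add(s.name)
    return dups


def layout_is_contiguous(sections, alignment=SECTION_ALIGNMENT):
    """True when every section starts where the previous one ends (rounded up to alignment).

    A gap or overlap in the virtual layout means the header was edited or corrupted;
    a contiguous layout says the header itself is sane even though the code is packed.
    """
    ordered = sorted(sections, key=lambda s: s.virtual_address)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.virtual_address != _align_up(prev.virtual_address + prev.virtual_size, alignment):
            return False
    return True


def image_size(sections, alignment=SECTION_ALIGNMENT):
    """Mapped image size implied by the table (what the header's SizeOfImage should say)."""
    last = max(sections, key=lambda s: s.virtual_address)
    return _align_up(last.virtual_address + last.virtual_size, alignment)


def looks_packed(sections):
    """Overall verdict: any per-section finding or a duplicated section name."""
    return bool(section_findings(sections)) or bool(duplicate_section_names(sections))


if __name__ == "__main__":
    for name, reasons in section_findings(REPORT_SECTIONS):
        print(name)
        for r in reasons:
            print("  -", r)
    print("duplicate names:", duplicate_section_names(REPORT_SECTIONS))
    print("contiguous layout:", layout_is_contiguous(REPORT_SECTIONS))
    print("image size: 0x%x" % image_size(REPORT_SECTIONS))
    print("packed:", looks_packed(REPORT_SECTIONS))
```

Run as a script it prints the three flagged sections and the verdict; the same functions take any section list pulled from a PE parser, so the heuristics can be applied to the dropped copy at C:\ and the two DLLs as well.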
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://aps0550.qq.com/cgi-bin/cgi_svrtime | |
hxxp://92wg.sinaapp.com/softtj.php?act=add&softname=QS | 220.181.136.55 |
hxxp://cgi.im.qq.com/cgi-bin/cgi_svrtime | 203.205.147.218 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /cgi-bin/cgi_svrtime HTTP/1.1
Referer: hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime
Accept: */*
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Host: cgi.im.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: QZHTTP-2.12
Date: Tue, 08 Sep 2015 23:20:36 GMT
UUID: 0
Content-Length: 20
Content-Type: text/html
Connection: keep-alive
2015-09-09 07:20:36
GET /softtj.php?act=add&softname=QS HTTP/1.1
Referer: hXXp://92wg.sinaapp.com/softtj.php?act=add&softname=QS
Accept: */*
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Host: 92wg.sinaapp.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Sep 2015 23:20:37 GMT
Content-Type: text/html
Transfer-Encoding
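The two requests above are the kind of capture a detection rule is written from. The following is an added example, not part of the Lavasoft report: it parses the two request blocks (transcribed as captured, defanged hXXp kept) and flags what a browser would never send on a first navigation: a Referer equal to the request URL itself, a Content-Type header on a GET with no body, a Firefox User-Agent claiming Windows NT 6.3 on a host that the report says is Windows XP, and a query string of the shape act=add&softname=... that reads like an install counter. SANDBOX_OS_TOKEN and the install-counter rule are assumptions of this example.

```python
"""Header-level heuristics for the two requests captured in the Traffic section.

Added example, not part of the Lavasoft report.  CAPTURED_REQUESTS is transcribed
from the capture (defanged "hXXp" kept as printed); the rules are what a
detection engineer would turn into Suricata/Zeek logic after reading it.
SANDBOX_OS_TOKEN is an assumption drawn from "Analyzed on: WindowsXP SP3";
the install-counter rule is a heuristic of this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Transcribed from the report (constructed input for this example).
CAPTURED_REQUESTS = """\
GET /cgi-bin/cgi_svrtime HTTP/1.1
Referer: hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime
Accept: */*
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Host: cgi.im.qq.com
Connection: Keep-Alive

GET /softtj.php?act=add&softname=QS HTTP/1.1
Referer: hXXp://92wg.sinaapp.com/softtj.php?act=add&softname=QS
Accept: */*
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Host: 92wg.sinaapp.com
Connection: Keep-Alive
"""

SANDBOX_OS_TOKEN = "Windows NT 5.1"   # Windows XP, the OS the report says the sample ran on


def refang(url):
    """Turn the report's hXXp:// or hXXps:// back into a real scheme for comparisons."""
    return re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url)


def parse_requests(text):
    """Split a capture into requests: [{'method', 'target', 'headers': {lower-name: value}}]."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": method, "target": target, "headers": headers})
    return requests


def beacon_indicators(req, sandbox_os_token=SANDBOX_OS_TOKEN):
    """Reasons this request looks like a hand-rolled client beacon rather than a browser."""
    h = req["headers"]
    reasons = []

    # 1. Referer equal to the request URL itself: browsers never do this on a first
    #    navigation; WinHTTP/WinINet wrappers that copy the URL into Referer do.
    own_url = "http://%s%s" % (h.get("host", ""), req["target"])
    if refang(h.get("referer", "")) == own_url:
        reasons.append("Referer is the request URL itself")

    # 2. Content-Type on a GET: the client sets form headers unconditionally.
    if req["method"] == "GET" and "content-type" in h:
        reasons.append("Content-Type on a GET with no body")

    # 3. User-Agent claims an OS version that does not match the host it runs on.
    m = re.search(r"Windows NT \d+\.\d+", h.get("user-agent", ""))
    if m and m.group(0) != sandbox_os_token:
        reasons.append("User-Agent claims %s but the host runs %s" % (m.group(0), sandbox_os_token))

    # 4. Install-counter shape: act=add plus a product name in the query (heuristic).
    query = parse_qs(urlsplit(req["target"]).query)
    if query.get("act") == ["add"] and "softname" in query:
        reasons.append("query act=add&softname=%s looks like an install counter" % query["softname"][0])

    return reasons


def triage(text):
    """[(host, target, reasons)] for every request in the capture, most suspicious first."""
    rows = []
    for req in parse_requests(text):
        rows.append((req["headers"].get("host", "?"), req["target"], beacon_indicators(req)))
    rows.sort(key=lambda r: -len(r[2]))
    return rows


if __name__ == "__main__":
    for host, target, reasons in triage(CAPTURED_REQUESTS):
        print("%s%s  (%d indicators)" % (host, target, len(reasons)))
        for r in reasons:
            print("  -", r)
```

The qq.com request is the sample reading the server clock (cgi_svrtime), so its indicators describe the client library, not a malicious destination; the sinaapp.com request carries the same client fingerprint plus the counter-shaped query, which is why it sorts first.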
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1756:
.text
h.idata
H.rsrc
t%SVh
5SShG
t$(SSh
~%UVW
u$SShe
ole32.dll
oleaut32.dll
kernel32.dll
UUWiseHelper.dll
dc.dll
Kernel32.dll
user32.dll
wininet.dll
ntdll.dll
OLEACC.DLL
uu_loginA
uu_reportError
ReportError
CreateIoCompletionPort
{18C0788E-59AE-4112-B452-6BF0C1B727FB}
{86AB1D8A-7995-4D86-AE5F-18710759228B}
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
&url=
hXXp://92dfg.vipsinaapp.com/ly.php
hXXp://w666666.sinaapp.com/dfg/qun.txt
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
@hXXp://92dfg.vipsinaapp.com/code.php
\QQ.ini
/QQ.ini
hXXp://VVV.uuwise.com/
hXXp://VVV.qqchaoren.net
hXXp://w666666.sinaapp.com/dfg/y.php
.exew666666.vipsinaapp.com/dfg/y.php
hXXp://w666666.sinaapp.com/dfg/x.php?m=1
httphXXp://w666666.vipsinaapp.com/dfg/x.php?m=1
hXXp://w666666.sinaapp.com/dfg/x.php?m=3
hXXp://w666666.vipsinaapp.com/dfg/x.php?m=3
\Application Data\Microsoft\Internet Explorer\Quick Launch\*.lnk
http\shell\open\command\Shell.Application
QQBrowser.exe
Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; QQBrowser/7.7.28658.400)
z>pass
0@hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime
-02:00:00
1970-01-01 08:00:00
{"-16001":"
","-16002":"
","-16003":"
","-16004":"
","-16005":"
","-16006":"
","-16007":"
","-16008":"
","-16009":"
","-16010":"
","-16011":"
TEAKEY
","-11001":"
","-11002":"
","-11003":"
","-11004":"
","-11005":"
","-11007":"
","-11008":"
","-11009":"
","-11010":"
","-11011":"
","-11012":"
","-11013":"
","-11014":"
","-1001":"
","-1002":"
","-1003":"
[?]","-1004":"
","-1005":"
","-1006":"
","-1007":"
","-1008":"
","-1009":"
","-1010":"
","-1012":"
","-1013":"
","-1014":"URL
","-1015":"
","-1016":"
","-1017":"
","-1020":"
","-1021":"1
","-1022":"
","-1023":"1
","-1024":"
0","-1101":"
","-1102":"
","-16009":"1
","-11006":"
","-14009":"
","-17009":"
","-19008":"
","-19011":"
","-19012":"
","-19013":"
","-19014":"
","-19015":"
","-19020":"
","-12001":"
","-12002":"
","-12003":"
","-12004":"
","-12005":"
SESSIONkEY
","-12006":"
","-12007":"
","-12008":"
","-12009":"
","-12010":"
","-12011":"
","-12012":"
","-12013":"
","-12014":"
","-12015":"
","-12016":"
","-12017":"
","-12018":"
","-12019":"
","-12021":"
","-12022":"
","-12023":"
","-12024":"
","-12025":"
","-12026":"
","-12027":"TEAKEY
","-13001":"
","-13002":"
","-13003":"KEY
","-13005":"
","-13006":"
","-13007":"
","-13008":"
","-17001":"
","-17002":"
","-17003":"
","-17004":"
","-17005":"
","-17006":"
","-17007":"
","-17008":"
","-17010":"
MSScriptControl.ScriptControl
function get__key(o) {
a.push(i);
%y-%m-%d
%y/%m/%d
*.txt
|*.txt
T@\*.dfg
cmd /c regsvr32 msscript.ocx
\UUWiseHelper.dll
`.rdata
@.data
.rsrc
@.reloc
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
urlmon.dll
dbghelp.dll
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
GetProcessHeap
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
zcÃ
4$5(5,505
939^9):3:
\dc.dll
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
MSVCRT.dll
GdiplusShutdown
WSOCK32.dll
MSVCP60.dll
ReportError_A
VBYB_ReportError
VB_ReportError
debug.ini
ReportError:%s
Error:%s
%s|!|%s
\dms.pdb
%u%u,
dclog.txt
port
settimeout:%d
[%d]%s
reg2:%s
checkok:%s %s
check fail:%s %s %s
check:%s %s
getcjfail:%s %s
getcj:%s %s
%s%uout
%s%uin
put img ok:%s
put img fail:%s
put img:%s %s %d
get result ok:%s,%s
get result fail:%s
get result:%s
notifyfail ok:%s
notifyfail fail:%s,%s
notifyfail:%s
getimgok:%s,%s
getimg:%s
getinfo fail:%s
getinfo:%s,%s
setresult:%s,%s
HTTP/1.1 200 OK
recv:%d
send:%d
GET /ip.txt HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
select:%d
ioctlsocket:%d
socket:%d
api.qqchaoren.net
14.17.65.24
14.17.65.23
dama2.qqchaoren.net
dama1.qqchaoren.net
connect total:%s %d
:%s %d
connect discard:%s %d
[d-d-d d:d:d](u)
recv timeout:
recvfail:%d
server close:%d
recv:%d
send:%d
sendfail:%d
connect timeout:
connectok:%s %hu
127.0.0.1
1.1.3
1'1,1
9 9$9(9,9094989
hXXp://92wg.sinaapp.com/softtj.php?act=add&softname=QS
hXXp://92wg.sinaapp.com/getupdata.php?act=getver&wgname=QS
hXXp://92wg.vipsinaapp.com/softtj.php?act=add&softname=QS
hXXp://92wg.vipsinaapp.com/getupdata.php?act=getver&wgname=QS
hXXp://VVV.52dfg.com/forum-40-1.html?wb11
hXXp://VVV.52dfg.com
hXXp://w666666.sinaapp.com/dfg/gongao.txt
g@\Error.log
hXXp://imgcache.gtimg.cn/ACT/vip_act/act_data/28302.json.js
[[0,1,2,3],[4,5,6,7],[8,9,10,11]]
hXXp://login.52dfg.com/online.php
hXXp://dfgpath.sinaapp.com/dfg/gonggao.txt
hXXp://dfgpath.vipsinaapp.com/dfg/gonggao.txt
].txt
].url
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=46000101&style=23&lang=&low_login=1&hide_border=1&hide_title_bar=1&hide_close_icon=1&border_radius=1&self_regurl=http://reg.t.qq.com/index.php&proxy_url=hXXp://t.qq.com/proxy_t.html&s_url=http://t.qq.com&daid=6
login_sig:"
&u1=http://t.qq.com&r=0.
&appid=46000101&js_ver=10114&js_type=1&login_sig=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=1&uin=
hXXps://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&f_url=loginerroralert&hide_title_bar=1&style=11&daid=196&low_login=0&appid=710032918&s_url=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&target=self?link_target=blank&f_url=loginerroralert&hide_title_bar=1&style=11&daid=196&low_login=0&appid=710032918&s_url=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&target=self
&u1=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&r=0.
&appid=710032918&js_ver=10114&js_type=1&login_sig=
hXXps://ssl.captcha.qq.com/getimage?aid=46000101&cap_cd=
hXXps://ssl.captcha.qq.com/getimage?aid=710032918&cap_cd=
&js_ver=10114&js_type=1&login_sig=
&pt_vcode_v1=0&pt_randsalt=0&u1=http://t.qq.com&ptredirect=1&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=
hXXps://ssl.ptlogin2.qq.com/login?u=
&mibao_css=&t=1&g=1&js_ver=10114&js_type=1&login_sig=
&aid=710032918&u1=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&h=1&ptredirect=0&ptlang=2052&daid=196&from_ui=1&dumy=&low_login_enable=0&regmaster=&fp=loginerroralert&action=
aq.qq.com
t.qq.com
skey=@
hXXp://vipfunc.qq.com/common/user.php?callback=showGrowInfoPanel&data=grow_value&g_tk=
hXXp://iyouxi.vip.qq.com/ams.php?_c=page&actid=23314&callback=vipSignNew.signCb&cachetime=
hXXp://vipfunc.qq.com/act/client_oz.php?action=client&g_tk=
hXXp://iyouxi.vip.qq.com/ams.php?actid=20656&sid=&callback=json
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?appid=7000201&f_url=loginerroralert&s_url=http://baobao.qq.com/&qlogin_param=u1=http%3A//baobao.qq.com/&daid=50&style=11
&u1=http://baobao.qq.com/&r=0.
&appid=7000201&js_ver=10114&js_type=1&login_sig=
hXXps://ssl.captcha.qq.com/getimage?aid=7000201&cap_cd=
&aid=7000201&u1=http://baobao.qq.com/&h=1&ptredirect=1&ptlang=2052&daid=50&from_ui=1&dumy=&low_login_enable=0&regmaster=&fp=loginerroralert&action=
'0','0','
baobao.qq.com
hXXp://cgi.baobao.qq.com/cgi-bin/pets_get_carried
pet.seq
pet.avatarid
300007156
hXXp://cgi.baobao.qq.com/cgi-bin/pets_speedup
1000003
cmd=22&petID=
hXXp://cgi.bbly.qq.com/cgi-bin/PetHome?
1001001
hXXp://minigamecgi.qq.com/cgi-bin/GameVip_SignIn?callback=jsonp
SignDay.day
hXXp://minigamecgi.qq.com/cgi-bin/GameVip_Lottery?callback=jsonp
hXXp://iyouxi.vip.qq.com/json.php?mod=game&func=award&uin=
hXXp://iyouxi.vip.qq.com/jsonp.php?_c=page&actid=5474&isLoadUserInfo=1&callback=page.signInCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams2.02.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams.php?_c=page&actid=21842&g_tk=
data.op.name
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&callback=jQuery
hXXp://mq.qq.com/index_userSignIn.shtml?r=0.
hXXp://mq.qq.com/activity/badgepk10_qiandao.shtml?r=0.
&apiType=14&apiHost=http://api.t.qq.com&g_tk=
hXXp://vip.t.qq.com/ajax/toAcceptMbrTaskPrize
&apiType=9&apiHost=http://api.t.qq.com&g_tk=
hXXp://shop.t.qq.com/asyn/apiSignIn.php
hXXp://flower.qzone.qq.com/fcg-bin/cgi_plant?g_tk=
&newflower=1&outCharset=utf-8&g_tk=
hXXp://flower.qzone.qq.com/cgi-bin/cgi_pickup_oldfruit?g_tk=
&outCharset=utf-8&fupdate=1&format=json
mode=1&g_tk=
data.count
hXXp://flower.qzone.qq.com/cgi-bin/cgi_show_userprop?p=0.
].name
data.prop[
hXXp://flower.qzone.qq.com/cgi-bin/cgi_exchange_prop?g_tk=
&qzreferrer=http://rc.qzone.qq.com/appstore/dailycoupon?from=appstore.myInfoBoxBtn&fupdate=1
qzreferrer=http://ctc.qzs.qq.com/qzone/flower/tool.html#&op_uin=
frameElement.callback(
hXXp://flower.qzone.qq.com/cgi-bin/cgi_use_mallprop?g_tk=
qzreferrer=http://ctc.qzs.qq.com/qzone/flower/tool.html#&propid=7&op_uin=
&p=9B9303440358DDF85AB6EBB1DACFAC7B&pt_rsa=0&ptlang=2052&low_login_enable=0&u1=http://connect.qq.com&from_ui=1&fp=loginerroralert&device=2&aid=716027609&pt_3rd_aid=100689805&ptredirect=1&h=1&g=1&pt_uistyle=35&
hXXps://ssl.ptlogin2.qq.com/pt_open_login?openlogin_data=which=ConfirmPage&refer_cgi=m_authorize&response_type=token&client_id=100689805&state=&display=mobile&openapi=%23&switch=1&src=1&sdkv=1.7&sdkp=a&tid=1403309181&pf=openmobile_android&need_pay=1&browser=0&browser_error=&serial=&token_key=&redirect_uri=auth%3A%2F%2Ftauth.qq.com%2F&sign=&time=7&status_version=10&status_os=2.3.4&status_machine=GT-I9100&page_type=1&has_auth=0&update_auth=0&auth_time=1403309114279&skey_token=
Referer: hXXp://qzs.qq.com/open/connect/widget/mobile/login/proxy.htm?
X-Requested-With: com.tencent.peng
redirect_uri_key=
hXXp://cgi.connect.qq.com/report/mstat/report?data=[{"ky":"AH46I8G5IHWE","ui":"{ui}","et":1000,"ts":1427777715,"ei":"LoginPageViews","du":1,"kv":{"Platform":"pc","Appid":"100689805","UIN":0,"Entrance":"PC","Time":4929,"SDK":"pc,2.5","Ext1":"nologin"}}]
hXXps://openmobile.qq.com/oauth2.0/m_get_redirect_url?keystr=
101.226.129.156
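The strings dump mixes defanged URLs (hXXp for http, VVV. for www.), URLs with junk prefixes ("0@", "http"), one URL embedded inside another's query string, bare hostnames and raw IPs. The following is an added example, not part of the Lavasoft report: it refangs and extracts the network indicators from a short constructed excerpt of the list above and splits the hosts into the Tencent service the tool automates (qq.com, gtimg.cn) and the operator's own sinaapp.com / 52dfg.com / qqchaoren.net / uuwise.com infrastructure, which is the part worth blocking. The first-party suffix list, the TLD allowlist and the excerpt are assumptions of the example; a production tool would use the Public Suffix List in place of the allowlist.

```python
"""Pull network IOCs out of a strings dump and separate operator infrastructure
from the legitimate service the tool drives.

Added example, not part of the Lavasoft report.  SAMPLE_STRINGS is a short,
constructed excerpt of the "Strings from Dumps" section, chosen to cover the
dump's quirks: schemes defanged as hXXp(s)://, "www." defanged as "VVV.",
junk prefixes ("0@", "http") in front of URLs, and one URL embedded in another's
query.  FIRST_PARTY_SUFFIXES, KNOWN_TLDS and the categories are assumptions.
"""
import ipaddress
import re

SAMPLE_STRINGS = """\
0@hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime
hXXp://VVV.uuwise.com/
hXXp://VVV.qqchaoren.net
httphXXp://w666666.vipsinaapp.com/dfg/x.php?m=1
.exew666666.vipsinaapp.com/dfg/y.php
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=46000101&proxy_url=hXXp://t.qq.com/proxy_t.html&s_url=http://t.qq.com
hXXp://92wg.sinaapp.com/softtj.php?act=add&softname=QS
hXXp://VVV.52dfg.com
api.qqchaoren.net
dama1.qqchaoren.net
14.17.65.24
127.0.0.1
101.226.129.156
UUWiseHelper.dll
pet.seq
"""

# Domains of the service being automated (Tencent); everything else is treated as
# operator or third-party infrastructure.  Assumed list for this example.
FIRST_PARTY_SUFFIXES = ("qq.com", "gtimg.cn")
# Bare-hostname lines are accepted only with these TLDs, so "UUWiseHelper.dll" and
# "pet.seq" are not mistaken for hosts.  A real tool would use the Public Suffix List.
KNOWN_TLDS = {"com", "net", "cn", "org"}

# A URL stops at whitespace/quotes or where the next defanged URL begins, so an
# embedded proxy_url=hXXp://... is captured as its own URL.
_URL_RE = re.compile(r"h[xX]{2}ps?://(?:(?!h[xX]{2}ps?://)[^\s\"'<>])+")
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang_url(url):
    """hXXp(s):// -> http(s)://, and the report's VVV. -> www. in the host."""
    url = re.sub(r"^h[xX]{2}p(s?)://", r"http\1://", url)
    return re.sub(r"^(https?://)VVV\.", r"\1www.", url)


def host_of(url):
    """Hostname of a refanged URL, lower-cased, without credentials, port, path or query."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0].split("?", 1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def is_first_party(host, suffixes=FIRST_PARTY_SUFFIXES):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def looks_like_hostname(token):
    """True for a bare hostname line whose last label is in the TLD allowlist."""
    token = token.strip().lower()
    return bool(_HOST_RE.match(token)) and token.rsplit(".", 1)[1] in KNOWN_TLDS


def extract_iocs(text):
    """Return {'first_party_hosts', 'operator_hosts', 'ips', 'urls'}, each a sorted list."""
    urls, hosts, ips = set(), set(), set()
    for line in text.splitlines():
        for m in _URL_RE.finditer(line):
            url = refang_url(m.group(0)).rstrip(".,;)")
            urls.add(url)
            hosts.add(host_of(url))
        if looks_like_hostname(line):
            hosts.add(line.strip().lower())
        for ip in _IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if addr.is_global:          # drops 127.0.0.1, RFC 1918 and link-local addresses
                ips.add(ip)
    return {
        "first_party_hosts": sorted(h for h in hosts if is_first_party(h)),
        "operator_hosts": sorted(h for h in hosts if not is_first_party(h)),
        "ips": sorted(ips),
        "urls": sorted(urls),
    }


if __name__ == "__main__":
    for category, values in extract_iocs(SAMPLE_STRINGS).items():
        print(category)
        for v in values:
            print("  ", v)
```

Feeding the full strings list above through extract_iocs gives the blocklist candidates (the sinaapp.com/vipsinaapp.com update and announcement hosts, 52dfg.com, the qqchaoren.net and uuwise.com captcha-solving APIs, and the two 14.17.65.x addresses) separated from the Tencent endpoints, which are normal traffic for any machine with a QQ client and should not be blocked on the strength of this sample.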