Trojan.GenericKD.2679499 (B) (Emsisoft), Trojan.GenericKD.2679499 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bf58aa5686eb7d006bc92225d0cdaa30
SHA1: 6ae324bd8210d5295743b1acbd74425d5f2d00d8
SHA256: 7359cefe56ff4a06858663c8c535f63febbdff3384def5b097143119112d3ff0
SSDeep: 12288:dXmV2U7VG5fNTShJADr88jBaEuPpOaEWzPtp7l3AnWqH4AUwWe:dWJVg5SADrr1uB/zPtwnWqH4
Size: 856064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-25 00:26:14
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:660
Mutexes
The following mutexes were created/opened:
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\youce[1].htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\more[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style_dao[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.8.2.min[1].js (2122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\main[1].js (915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.4.2.min[1].js (2989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\select_topbg[1].png (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\logo[1].jpg (541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\common[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\youce_a[1].htm (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\tu[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\youce[1].php (1349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\head_bg[1].htm (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\fulipao_banben[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\sou[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\more[1].png (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\youce[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\more[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\fulipao_banben[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\more[1].png (0 bytes)
Registry activity
The process %original file name%.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E5 52 DD 3F 1E 5D 6D 27 7B C4 B0 54 C8 A4 D8"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?kweige"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) with the Task Manager: No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\youce[1].htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\more[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style_dao[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.8.2.min[1].js (2122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\main[1].js (915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\jquery-1.4.2.min[1].js (2989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\select_topbg[1].png (946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\logo[1].jpg (541 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\common[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\youce_a[1].htm (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\tu[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\style[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\youce[1].php (1349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\head_bg[1].htm (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\fulipao_banben[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR05OL6D\sou[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IHOY79JB\bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\more[1].png (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ELKZ81OR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KG969IO\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ???????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1085440 | 431616 | 5.54479 | 6fed2ba5ac186723ef805a601c2dfd6c |
.rdata | 1089536 | 892928 | 276992 | 5.54459 | fca440c72fb0a447c787d160db8aed84 |
.data | 1982464 | 512000 | 31744 | 5.53878 | e400f4b30aef7f3b14d2590164394137 |
.rsrc | 2494464 | 126976 | 15872 | 4.98185 | 623323032f659af57887f5e19d401356 |
.aspack | 2621440 | 102400 | 98816 | 2.73394 | 8b0b8c6aa6884ef0b7b0bd8b5933483d |
.adata | 2723840 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.lesouwuguojie.com/soft/fulipao_banben.php | |
hxxp://www.lesouwuguojie.com/sou.php?moban=3 | |
hxxp://www.lesouwuguojie.com/skin/youce_a.php | |
hxxp://www.lesouwuguojie.com/skin/youce.php | |
hxxp://www.lesouwuguojie.com/skin/js/jquery-1.8.2.min.js | |
hxxp://www.lesouwuguojie.com/skin/js/jquery-1.4.2.min.js | |
hxxp://www.lesouwuguojie.com/skin/css/style_dao.css | |
hxxp://www.lesouwuguojie.com/skin/js/common.js | |
hxxp://www.lesouwuguojie.com/skin/js/main.js | |
hxxp://www.lesouwuguojie.com/skin/images/tu.png | |
hxxp://www.lesouwuguojie.com/skin/css/style.css | |
hxxp://www.lesouwuguojie.com/skin/ecms041/images/logo.jpg | |
hxxp://www.lesouwuguojie.com/skin/images/more.png | |
hxxp://www.lesouwuguojie.com/skin/images/head_bg.gif | |
hxxp://www.lesouwuguojie.com/skin/images/bg.png | |
hxxp://www.lesouwuguojie.com/skin/images/select_topbg.png | |
hxxp://www.fulipao.com/skin/youce_a.php | |
hxxp://www.fulipao.com/skin/js/jquery-1.4.2.min.js | |
hxxp://www.fulipao.com/skin/images/more.png | |
hxxp://www.fulipao.com/skin/images/bg.png | |
hxxp://www.fulipao.com/skin/ecms041/images/logo.jpg | |
hxxp://www.fulipao.com/skin/images/head_bg.gif | |
hxxp://www.fulipao.com/skin/js/common.js | |
hxxp://www.fulipao.com/skin/css/style.css | |
hxxp://www.fulipao.com/skin/images/tu.png | |
hxxp://www.fulipao.com/skin/youce.php | |
hxxp://www.fulipao.com/skin/js/jquery-1.8.2.min.js | |
hxxp://www.fulipao.com/skin/css/style_dao.css | |
hxxp://www.fulipao.com/sou.php?moban=3 | |
hxxp://www.fulipao.com/skin/js/main.js | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /skin/css/style_dao.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:53 GMT
Server: Apache
Last-Modified: Sun, 16 Aug 2015 21:24:22 GMT
ETag: "444aa7-ab2-51d744efa6d80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 943
Connection: close
Content-Type: text/css
GET /skin/images/more.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:55 GMT
Server: Apache
Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT
ETag: "444ab3-c3f-5180b3dace080"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3158
Connection: close
Content-Type: image/png
<<< skipped >>>
GET /sou.php?moban=3 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1618
Connection: close
Content-Type: text/html
<<< skipped >>>
GET /skin/youce_a.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 405
Connection: close
Content-Type: text/html
GET /skin/ecms041/images/logo.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/sou.php?moban=3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:54 GMT
Server: Apache
Last-Modified: Fri, 10 Jul 2015 06:36:40 GMT
ETag: "4440e9-2244-51a7f982fee00"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 8420
Connection: close
Content-Type: image/jpeg
<<< skipped >>>
GET /skin/images/more.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:55 GMT
Server: Apache
Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT
ETag: "444ab3-c3f-5180b3dace080"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3158
Connection: close
Content-Type: image/png
<<< skipped >>>
GET /skin/images/more.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:55 GMT
Server: Apache
Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT
ETag: "444ab3-c3f-5180b3dace080"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3158
Connection: close
Content-Type: image/png
<<< skipped >>>
GET /skin/js/jquery-1.8.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/sou.php?moban=3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:52 GMT
Server: Apache
Last-Modified: Fri, 11 Oct 2013 02:09:50 GMT
ETag: "44415e-17243-4e86d9d00d780"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 33546
Connection: close
Content-Type: application/javascript
<<< skipped >>>
GET /skin/images/more.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:54 GMT
Server: Apache
Last-Modified: Tue, 09 Jun 2015 00:57:22 GMT
ETag: "444ab3-c3f-5180b3dace080"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3158
Connection: close
Content-Type: image/png
<<< skipped >>>
GET /skin/js/common.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/sou.php?moban=3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:54 GMT
Server: Apache
Last-Modified: Mon, 17 Aug 2015 21:58:38 GMT
ETag: "44415c-1828-51d88e75ddf80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1745
Connection: close
Content-Type: application/javascript
<<< skipped >>>
GET /skin/images/tu.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:54 GMT
Server: Apache
Last-Modified: Mon, 08 Jun 2015 08:45:24 GMT
ETag: "444ab6-b5a-517fda9a6d100"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2929
Connection: close
Content-Type: image/png
<<< skipped >>>
GET /skin/css/style.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/sou.php?moban=3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:54 GMT
Server: Apache
Last-Modified: Mon, 17 Aug 2015 22:39:38 GMT
ETag: "4440bd-b86-51d8979fe7e80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1096
Connection: close
Content-Type: text/css
GET /skin/images/bg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/sou.php?moban=3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:55 GMT
Server: Apache
Last-Modified: Mon, 17 Aug 2015 22:31:14 GMT
ETag: "44414e-5e1-51d895bf41080"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length:
GET /skin/js/jquery-1.4.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:53 GMT
Server: Apache
Last-Modified: Fri, 05 Sep 2014 02:02:40 GMT
ETag: "444ab7-139a3-50247dd29f000"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 26732
Connection: close
Content-Type: application/javascript
<<< skipped >>>
GET /skin/js/main.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/skin/youce.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:54 GMT
Server: Apache
Last-Modified: Tue, 09 Jun 2015 02:54:54 GMT
ETag: "444ab9-393-5180ce201db80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 258
Connection: close
Content-Type: application/javascript
GET /skin/youce.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.fulipao.com/skin/youce_a.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1349
Connection: close
Content-Type: text/html
<<< skipped >>>
GET /skin/images/head_bg.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fulipao.com/sou.php?moban=3
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.fulipao.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Thu, 03 Sep 2015 22:31:55 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 256
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET /soft/fulipao_banben.php HTTP/1.1
Referer: hXXp://VVV.lesouwuguojie.com/soft/fulipao_banben.php
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: VVV.lesouwuguojie.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 22:31:51 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding
Content-Length: 1607
Connection: close
Content-Type: text/html
........1.1|||............hXXp://VVV.lesouwuguojie.com/soft/lesou.zip|||............hXXp://pan.baidu.com/s/1o6GELnG|||............BT_id......v2.63.exe|||..ap..cangjiao1588216@163.com|||........hXXp://38.103.161.182/|||..po..hXXp://b.v3p.co/|||..........hXXp://VVV.fulipao.com/|||..henhenlu..hXXp://VVV.henhenpa.us/|||..mysql..148.163.3.212|||........|||........1000|||........hXXp://VVV.youtu888.com/#tui|||............http://VVV.lesouwuguojie.com/#tui|||..chaopeng..hXXp://men70.com/|||.............. .............................. 1.......................BT....8000......24.......................................... 2............................................................. 3.......................................pptv..........CNTV............................................ 4.....VIP........VIP......VIP..................VIP........VIP.......................................... 5.......................................MP3............................QQ........ 6........................................... 7................................................................................. 8..................................................... N.........................2.2.......... .. 1....................................... 2............... 3.....av.................................. 4............................... 5.........BUG....2.3.......... 1.....3.......................... 2................................... 3.........bug.... 4...............................2.5.......... 1.......bt2........
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_660:
.text
`.rdata
@.data
.rsrc
.aspack
.adata
t%SVh
t$(SSh
|$D.tm
huDP
~%UVW
u$SShe
wininet.dll
kernel32.dll
advapi32.dll
ole32.dll
user32.dll
Kernel32.dll
shlwapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
MsgWaitForMultipleObjects
CreateIoCompletionPort
{B6F7542F-B8FE-46a8-9605-98856A687097}
WebBrowser
b@hXXp://
\\hXXp://
4@alipay.com
pay/115.php
pay/115.php?
hXXp://115.com/lixian/?ct=lixian&ac=add_task_url
hXXp://115.com/?tab=offline&mode=wangpan
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
%Program Files%\Windowsid\id.id
hXXp://VVV.2345.com/?kweige
ux
X-X-X-X-X-X
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
\\.\PhysicalDrive%u
hXXp://hao123.7654.com/?app_key=%s&tt=%u
%s_%u
%s,%s,6llX
startup_urls
Google\Chrome\User Data\Default\Preferences
user_pref("browser.startup.homepage", "%s");
user.js
Profile%u
profiles.ini
Mozilla\Firefox
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
SOFTWARE\Clients\StartMenuInternet\Firefox.exe\shell\open\command
Applications\firefox.exe\shell\open\command
Internet Explorer\iexplore.exe
Function not supported
Broken pipe
Inappropriate I/O control operation
Operation not permitted
KERNEL32.dll
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
IPHLPAPI.DLL
GdiplusShutdown
gdiplus.dll
$gp.ub
hXXp://VVV.usertrust.com1
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
hXXp://ocsp.usertrust.com0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://VVV.7654.com/0
%Program Files%\Windowsid\hao123_7654_20392.exe
@/shouye-3.html
pep.ini
XLPZk.mRsK
seed = parseInt(seed, 10).toString(16); // to hex str
if (reqWidth
return seed.slice(seed.length - reqWidth);
if (reqWidth > seed.length) { // so short we pad
return Array(1 + (reqWidth - seed.length)).join('0') + seed;
if (!this.php_js) {
this.php_js = {};
if (!this.php_js.uniqidSeed) { // init seed with big random int
this.php_js.uniqidSeed = Math.floor(Math.random() * 0x75bcd15);
this.php_js.uniqidSeed++;
retId += formatSeed(parseInt(new Date().getTime() / 1000, 10), 8);
retId += formatSeed(this.php_js.uniqidSeed, 5); // add seed hex string
retId += (Math.random() * 10).toFixed(8).toString();
hXXp://passport.115.com/?ct=login&ac=ajax&is_ssl=1
&login[time]=1&goto=http://115.com&login[country]=
&login[ssovcode]=
&login[ssopw]=
&login[ssoln]=
login[ssoent]=A1&login[version]=2.0&login[ssoext]=
hXXp://115.com/?mode=wangpan
hXXp://115.com/?ct=offline&ac=space&_=1420374241470
ji.ini
/yonghu.php?api_ming=
/pep.ini
hXXp://VVV.lesouwuguojie.com/jiqing
%u y2
0.du./
.K.cW
}.Dkn
OkC.xL
hXXp://VVV.fulipao.com/sou.php?moban=3
hXXp://VVV.fulipao.com
/skin/youce_a.php
Adobe Photoshop CS3 Windows
2010:12:04 00:55:19
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
hXXp://VVV.lesouwuguojie.com/soft/fulipao_banben.php
hXXp://VVV.youtu888.com/soft/fulipao_banben.php
hXXp://VVV.youtu88888.com/soft/fulipao_banben.php
favicon.ico
hXXp://VVV.yuanlai.com/
\lesou.zip
update1.bat
lesou.zip
@ExecuteStatement
hXXp://evip.sinaapp.com/wangpan.php
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Y@.Config
1970-01-01 08:00:00
1970-01-01 00:00:00
0gz.cn/FS
DownUrl
!BT.Config
115.com/file
hXXp://pv.sohu.com/cityjson?ie=gb2312
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=js&ip=
115.com
hXXp://get115.sinaapp.com/ed/index.php?pick_code=
hXXp://pro.api.115.com/default/index.php
hXXp://get115.sinaapp.com/ed/index.php?ct=1
"Url":"(.*?)",
2,147,483,647
pan.baidu.com
kuaipan.cn
kuaipan.com.cn
kuai.xunlei.com
kupan.cc/
hXXp://pan.baidu.com/netdisk/singlepublic?fid=
server_filename\\":\\"(.*?)\\",\\"s3_handle\\":\\"(http:.*?)"
hXXp://VVV.kuaipan.com.cn/file/id_
hXXp://VVV.kuaipan.com.cn/file/
hXXp://kuai.xunlei.com/d/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
.html
hXXp://dx.kupan.cc//ukupanccfile/userdir/
hXXp://wtll.kupan.cc//ukupanccfile/userdir/
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; 360SE)
MSXML2.ServerXMLHTTP
WinHttp.WinHttpRequest.5.1
Microsoft.XMLHTTP
MSXML2.XMLHTTP
VBScript.RegExp
ls.cu
2010:12:19 02:00:04
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2010:12:19 02:01:02
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2010:12:19 02:26:20
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2010:12:19 00:51:58
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2010:12:19 00:54:57
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2010:12:19 00:57:13
" id="W5M0MpCehiHzreSzNTczkc9d"?>
2010:11:28 23:25:17
" id="W5M0MpCehiHzreSzNTczkc9d"?>
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
AVIFIL32.dll
RASAPI32.dll
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
EnumChildWindows
RegisterHotKey
UnregisterHotKey
CreateDialogIndirectParamA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegCreateKeyA
RegCreateKeyExA
ShellExecuteA
OLEAUT32.dll
oledlg.dll
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn-MenuEx-Mask
VVV.dywt.com.cn-MenuEx-OldProc
VVV.dywt.com.cn-MenuEx-MenuShown
VVV.dywt.com.cn-MenuEx-ActiveBarItem
(*.avi)|*.avi
RICHED32.DLL
RICHED20.DLL
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
HTTP/1.0
%s
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
index.dat
desktop.ini
%d%d%d
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÃ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvfw32.dll
avifil32.dll
rasapi32.dll
winmm.dll
ws2_32.dll
gdi32.dll
msimg32.dll
winspool.drv
shell32.dll
oleaut32.dll
comctl32.dll
!"7$#7"!
3//22//0
222222222252
1, 0, 6, 6
- Skin.dll
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_660_rwx_00680000_00002000:
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvfw32.dll
avifil32.dll
rasapi32.dll
winmm.dll
ws2_32.dll
gdi32.dll
msimg32.dll
winspool.drv
comdlg32.dll
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
oledlg.dll
wininet.dll
RegCreateKeyExA
InternetCanonicalizeUrlA
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_660_rwx_10000000_0003E000:
`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll