Gen.Trojan.Heur.RP.0EWaatcOWjj_d9fff224eb

by malwarelabrobot on March 24th, 2017 in Malware Descriptions.

Gen:Trojan.Heur.RP.0EW@aatcOWjj (B) (Emsisoft), Gen:Trojan.Heur.RP.0EW@aatcOWjj (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: d9fff224eb4fbccb053f2cd2f9870eb3
SHA1: 7df8aba596b625954d86de78ecc72842a697eecd
SHA256: 4619f0def72937d87cd814ef2b32701a140c72df2143e34d78d6c67d6d2f949e
SSDeep: 49152:ZXJe4uelwfgRMY8KuGAP 32y8KL3z5v8aRCPUk2qLr6k8:RJe4NCfgnAGMaXLVEaRaeq/6k8
Size: 2952704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-19 11:39:03
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

winnet.exe:1780

The Trojan injects its code into the following process(es):

%original file name%.exe:1908
Reality.log:2932

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\winnet.exe (72 bytes)
C:\Windows\winnet.dll (125 bytes)
C:\tbbmalloc.exe (359 bytes)

The process winnet.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QIXNH8A0.txt (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H5UXBDU3.txt (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LGPBOI6P.txt (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (2712 bytes)
C:\Windows\LSP.dll (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZSHEDCO8.txt (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1464 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\360_cn[1].htm (184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FD1DA35A7CC73400775DD44892329357 (380 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\aliyun_com[1].htm (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (2032 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FD1DA35A7CC73400775DD44892329357 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1236 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (278 bytes)
C:\Windows\winnet.dll (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\126_com[1].htm (10 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jingdong_com[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\D:\]
"login.exe" = "DisableNXShowUI"

The process winnet.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1124"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-103"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] SEQPACKET 2"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "21"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] DATAGRAM 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "43"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"ProtocolName" = "VMCI sockets DGRAM"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] DATAGRAM 2"
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] SEQPACKET 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60101"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60102"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"ProtocolName" = "VMCI sockets STREAM"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002C]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002B]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002A]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
9e6bb4361ee32703cff0d82d4e5b2e34 c:\Windows\LSP.dll
74fd54dafeda3b2a8bd33129dcdd3087 c:\Windows\winnet.dll
9343169d6cf4ff200bf12a5b189efc4c c:\Windows\winnet.exe
0ce89ea9135afb535e047fcd5af8f14f c:\tbbmalloc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 31159 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 36864 10056 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 49152 12812 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp0 65536 2982386 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 3051520 2664720 2664960 5.42596 1f086447083577b94a21f8755a4c7f50
.reloc 5718016 224 512 1.97216 8f958fd3e1adf85a0e51b7152ca3eb98
.rsrc 5722112 286205 286208 1.88602 a9bf22c4a148bad28e02ff4bea303059

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://opthw.xdwscache.speedcdns.com/
hxxp://www.taobao.com.danuoyi.tbcache.com/ 213.244.178.246
hxxp://a1574.b.akamai.net/
hxxp://p18077.cdnga.net/
hxxp://www.jingdong.com/ 211.152.123.110
hxxp://www-jp-de-intl-adns.aliyun.com.gds.alibabadns.com/
hxxp://www.360.cn/ 106.120.167.67
hxxp://email.163.com.lxdns.com/
hxxp://www.a.shifen.com/
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8=
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH
hxxp://ocsp-services.uzto.netdna-cdn.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw=
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw==
hxxp://ocsp-services.uzto.netdna-cdn.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb
hxxp://ocsp-services.uzto.netdna-cdn.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI=
hxxp://crl.uzto.netdna-cdn.com/wosign-ovca.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://www.baidu.com/ 115.239.211.112
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= 23.52.27.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon 172.217.20.174
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY 172.217.20.174
hxxp://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso 23.111.11.211
hxxp://www.126.com/ 176.34.63.150
hxxp://www.sina.com.cn/ 87.118.248.106
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.52.27.27
hxxp://www.163.com/ 203.130.61.92
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 62.140.236.171
hxxp://www.aliyun.com/ 47.88.128.162
hxxp://wosign.crl.certum.pl/wosign-ovca.crl 23.111.11.210
hxxp://www.taobao.com/ 213.244.178.246
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH 104.16.26.216
hxxp://www.qq.com/ 2.21.89.27
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= 23.52.27.27
hxxp://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb 23.111.11.211
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw= 23.52.27.27
hxxp://wosign-ovca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI= 23.111.11.211
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== 104.16.26.216
www.jd.com 192.229.133.187
intl.aliyun.com 47.88.128.161
www.sogou.com 106.38.241.37
world.taobao.com 213.244.178.246
www.wdcrf.net 120.76.76.66

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com

-background-size:100% 100%}}#logo{display:inline-block;height:54px;wid
th:150px}. </style>. <a href=//VVV.google.com/><span
id=logo aria-label=Google></span></a>. <p><b&
gt;404.</b> <ins>That...s an error.</ins>. <p>
;The requested URL <code>/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4
Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon&
lt;/code> was not found on this server. <ins>That...s all we
know.</ins>.
..

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com

-background-size:100% 100%}}#logo{display:inline-block;height:54px;wid
th:150px}. </style>. <a href=//VVV.google.com/><span
id=logo aria-label=Google></span></a>. <p><b&
gt;404.</b> <ins>That...s an error.</ins>. <p>
;The requested URL <code>/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4
Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY&
lt;/code> was not found on this server. <ins>That...s all we
know.</ins>.

GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:00 GMT
Content-Type: application/ocsp-response
Content-Length: 1702
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.qq.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: squid/3.5.20
Content-Type: text/html; charset=GB2312
Cache-Control: max-age=59
Expires: Thu, 23 Mar 2017 06:33:42 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.aliyun.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Thu, 23 Mar 2017 06:33:27 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: hXXps://intl.aliyun.com/


GET / HTTP/1.1
User-Agent: winnet
Host: VVV.taobao.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Server: Tengine
Date: Thu, 23 Mar 2017 06:32:43 GMT
Content-Type: text/html
Content-Length: 258
Connection: keep-alive
Location: hXXps://VVV.taobao.com/
Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 23-Mar-18 06:32:43 GMT;
Strict-Transport-Security: max-age=31536000


GET / HTTP/1.1
User-Agent: winnet
Host: VVV.126.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2017 06:33:45 GMT
Content-Type: text/html
Content-Length: 97571
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT
Vary: Accept-Encoding
Expires: Thu, 23 Mar 2017 06:42:07 GMT
Cache-Control: max-age=3600
X-Cache: HIT from HKGM
Accept-Ranges: bytes
X-Cache:  from ntes_hw

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.sina.com.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:13 GMT
Server: PWS/8.2.0.7
X-Px: ht h0-s2004.p0-mow.cdngp.net
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:33:17 GMT
Age: 56
Accept-Ranges: bytes
Content-Length: 601537
Content-Type: text/html
Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT
X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218
Connection: keep-alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Cache-Control: max-age = 440358
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 Nov 2013 13:12:21 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1454
content-transfer-encoding: binary
Cache-Control: max-age=354606, public, no-transform, must-revalidate
Last-Modified: Mon, 20 Mar 2017 08:59:30 GMT
Expires: Mon, 27 Mar 2017 08:59:30 GMT
Date: Thu, 23 Mar 2017 06:33:40 GMT
Connection: keep-alive

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.jingdong.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: hXXps://VVV.jd.com/
Connection: close


GET /wosign-ovca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign.crl.certum.pl


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:10 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 3201
Connection: keep-alive
Last-Modified: Wed, 22 Mar 2017 18:07:06 GMT
ETag: "30032-c81-a0d26680"
X-Cached: EXPIRED
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes

GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Oct 2013 05:02:51 GMT
If-None-Match: "8071417b63bece1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 02 Dec 2015 18:30:06 GMT
Accept-Ranges: bytes
ETag: "0cb60772f2dd11:0"
Server: Microsoft-IIS/8.5
VTag: 279498805900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 530
Cache-Control: max-age=900
Date: Thu, 23 Mar 2017 06:33:46 GMT
Connection: keep-alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign-ovca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:08 GMT
Content-Type: application/ocsp-response
Content-Length: 1539
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: HIT
Server: NetDNA-cache/2.2
X-Cache: HIT

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.126.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2017 06:33:15 GMT
Content-Type: text/html
Content-Length: 97571
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT
Vary: Accept-Encoding
Expires: Thu, 23 Mar 2017 06:42:07 GMT
Cache-Control: max-age=3600
X-Cache: HIT from HKGM
Accept-Ranges: bytes
X-Cache:  from ntes_hw

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=1FE0E7E4BC8E601C299EA5EE14A6305E:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=1FE0E7E4BC8E601C299EA5EE14A6305E; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1490250765; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=1430_21108_17001_20928; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Cache-Control: private
Cxy_all: baidu c8e00989edf39554a0508b60b12bc5b0
Expires: Thu, 23 Mar 2017 06:32:19 GMT
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 1
BDQID: 0xd0ec947b000102a5
BDUSERID: 0

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=409215, public, no-transform, must-revalidate
Last-Modified: Tue, 21 Mar 2017 00:09:19 GMT
Expires: Tue, 28 Mar 2017 00:09:19 GMT
Date: Thu, 23 Mar 2017 06:32:50 GMT
Connection: keep-alive

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.9
Date: Thu, 23 Mar 2017 06:32:44 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXps://VVV.360.cn


GET / HTTP/1.1
User-Agent: winnet
Host: VVV.sina.com.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:44 GMT
Server: PWS/8.2.0.7
X-Px: ht h0-s2004.p0-mow.cdngp.net
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:34:17 GMT
Age: 27
Accept-Ranges: bytes
Content-Length: 601537
Content-Type: text/html
Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT
X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218
Connection: keep-alive

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:58 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d49fc2a38117f47ba398cc4839209165c1490250778; expires=Fri, 23-Mar-18 06:32:58 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Thu, 23 Mar 2017 03:29:27 GMT
Expires: Mon, 27 Mar 2017 03:29:27 GMT
ETag: "8884992b1de4c69d057ebd82700de9fc67bd5c87"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 343f5b4641a14f4a-DME

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.baidu.com
Cache-Control: no-cache
Cookie: BAIDUID=1FE0E7E4BC8E601C299EA5EE14A6305E:FG=1; BIDUPSID=1FE0E7E4BC8E601C299EA5EE14A6305E; PSTM=1490250765; H_PS_PSSID=1430_21108_17001_20928; BDSVRTM=0; BD_HOME=0


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:33:15 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu dda8f4b3a5e3bbe4dec65d42ded924a4
Expires: Thu, 23 Mar 2017 06:33:03 GMT
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 1
BDQID: 0xeaffe3270000f7ed
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=1430_21108_17001_20928; path=/; domain=.baidu.com
18eee..<!DOCTYPE html>.<!--STATUS OK-->...................
......................................................................
...... ..... ........ ........ ........
..... ..... ..... ........ ........
........ ..... ..........................<html>.<
head>. . <meta http-equiv="content-type" content="text/htm
l;charset=utf-8">. <meta http-equiv="X-UA-Compatible" content
="IE=Edge">..<meta content="always" name="referrer">. <
meta name="theme-color" content="#2932e1">. <link rel="shortc
ut icon" href="/favicon.ico" type="image/x-icon" />. <link re
l="search" type="application/opensearchdescription xml" href="/content
-search.xml" title="............" /> . <link rel="icon" sizes
="any" mask href="//VVV.baidu.com/img/baidu.svg">......<link rel
="dns-prefetch" href="//s1.bdstatic.com"/>..<link rel="dns-prefe
tch" href="//t1.baidu.com"/>..<link rel="dns-prefetch" href="//t
2.baidu.com"/>..<link rel="dns-prefetch" href="//t3.baidu.com"/&
gt;..<link rel="dns-prefetch" href="//t10.baidu.com"/>..<link
rel="dns-prefetch" href="//t11.baidu.com"/>..<link rel="dns-pre
fetch" href="//t12.baidu.com"/>..<link rel="dns-prefetch" href="
//b1.bdstatic.com"/>. . <title>........................
...</title>. ..<style id="css_index" index="index" type="t
ext/css">html,body{height:100%}.html{overflow-y:auto}.body{font

<<< skipped >>>

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.9
Date: Thu, 23 Mar 2017 06:33:07 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXps://VVV.360.cn
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.2.9</center>..</body>..</html>....


GET / HTTP/1.1
User-Agent: winnet
Host: VVV.126.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Mar 2017 06:32:44 GMT
Content-Type: text/html
Content-Length: 97571
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT
Vary: Accept-Encoding
Expires: Thu, 23 Mar 2017 06:42:07 GMT
Cache-Control: max-age=3600
X-Cache: HIT from HKGM
Accept-Ranges: bytes
X-Cache:  from ntes_hw
<!DOCTYPE html>..<html>..<head>..<meta charset="u
tf-8" />..<link rel="dns-prefetch" href="hXXp://mimg.127.net">
;..<link rel="dns-prefetch" href="hXXps://mail.126.com">..<li
nk rel="dns-prefetch" href="hXXp://iplocator.mail.163.com">..<me
ta name="description" content="......126............--................
...........14.........................................................
...............98%..........................................3G........
.......................................................">..<meta
name="keywords" content="............................................
...................126........................mail...email........."&g
t;..<title>126...............--........................</titl
e>..<link rel="shortcut icon" href="hXXp://VVV.126.com/favicon.i
co" />..<style type="text/css">../* css reset */..body{color:
#000;background:#fff;font-size:12px;line-height:166.6%;text-align:cent
er;}..body.move{-webkit-transition:padding 0.3s ease;-moz-transition:p
adding 0.3s ease;-o-transition:padding 0.3s ease;-ms-transition:paddin
g 0.3s ease;transition:padding 0.3s ease;}..body,input,select,button{f
ont-family:verdana}..h1,h2,h3,select,input,button{font-size:100%}..bod
y,h1,h2,h3,ul,li,form,p,img{margin:0;padding:0;border:0}..input,button
,select,img{margin:0;line-height:normal}..select{padding:1px}..ul{list
-style:none}..select,input,button,button img,label{vertical-align:midd
le}..header,footer,section,aside,nav,hgroup,figure,figcaption{disp

<<< skipped >>>

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.qq.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: squid/3.5.20
Content-Type: text/html; charset=GB2312
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:34:19 GMT
Date: Thu, 23 Mar 2017 06:33:19 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
0000C000..<!DOCTYPE html>.<html lang="zh-CN">.<head>
.<meta content="text/html; charset=gb2312" http-equiv="Content-Type
">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<
title>........</title>.<script type="text/javascript">.
if(window.location.toString().indexOf('pref=padindex') != -1){.}else{.
.if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|Symbian
OS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LEN
OVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent)))
{ . if(window.location.href.indexOf("?mobile")<0){...try{....
if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigato
r.userAgent)){.....window.location.href="hXXp://xw.qq.com/index.htm";.
...}else if(/iPad/i.test(navigator.userAgent)){. //window
.location.href="hXXp://VVV.qq.com/pad/"....}else{.....window.location.
href="hXXp://xw.qq.com/simple/s/index/"....}...}catch(e){}..}..}.}.<
;/script>.<script type="text/javascript">var QosSS=new Object
();QosSS.t=new Array([0,0,0]);QosSS.t[0]=(new Date()).getTime();</s
cript>.<meta name="apple-itunes-app" content="app-id=660653351"&
gt;.<meta content="....,....,....,....,....,NBA,....,......,....,QQ
,Tencent" name="Keywords">.<meta name="description" content="...
...(VVV.QQ.com).......................................................
......................................................................
..................................................................

<<< skipped >>>

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Expires: Thu, 23 Mar 2017 06:34:03 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: nginx
Content-Type: text/html; charset=GBK
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent,Accept
Cache-Control: max-age=80
X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
8000.. <!DOCTYPE HTML>.<!--[if IE 6 ]> <html class="ne_
ua_ie6 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE
7 ]> <html class="ne_ua_ie7 ne_ua_ielte8" id="ne_wrap"> <
![endif]-->.<!--[if IE 8 ]> <html class="ne_ua_ie8 ne_ua_i
elte8" id="ne_wrap"> <![endif]-->.<!--[if IE 9 ]> <h
tml class="ne_ua_ie9" id="ne_wrap"> <![endif]-->.<!--[if (
gte IE 10)|!(IE)]><!--> <html phone="1" id="ne_wrap"> &
lt;!--<![endif]-->.<head>.<meta http-equiv="Content-Typ
e" content="text/html; charset=gbk">.<meta name="model_url" cont
ent="hXXp://VVV.163.com/special/0077rt/index.html" />.<title>
....</title>.<base target="_blank" />.<meta name="Keywo
rds" content="....,....,....,....,....,....,....,....,....,....,....,.
...,....,....,....,...." />.<meta name="Description" content="..
......................................................................
......................30..............................................
............" />.<meta name="robots" content="index, follow" /&g
t;.<meta name="googlebot" content="index, follow" />.<script
type="text/javascript">.(function() {. if(/s=noRedirect/i.test(l
ocation.search)) return; . if(/AppleWebKit.*Mobile/i.test(navigator
.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|
DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE
/.test(navigator.userAgent))) {. try {. if(/Andr

<<< skipped >>>

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.jingdong.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: hXXps://VVV.jd.com/
Connection: close


GET / HTTP/1.1
User-Agent: winnet
Host: VVV.sina.com.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: PWS/8.2.0.7
X-Px: rf-ms h0-s2004.p0-mow ( h0-s2001.p0-mow), ht h0-s2001.p0-mow.cdngp.net
Cache-Control: max-age=60
Expires: Thu, 23 Mar 2017 06:33:17 GMT
Age: 26
Accept-Ranges: bytes
Content-Length: 601537
Content-Type: text/html
Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT
X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218
Connection: keep-alive
<!DOCTYPE html>.<!-- [ published at 2017-03-23 14:31:17 ] --&
gt;.<html>.<head>. <meta http-equiv="Content-type" c
ontent="text/html; charset=utf-8" />. <meta http-equiv="X-UA-
Compatible" content="IE=edge" />. <title>............</
title>..<meta name="keywords" content="......,.........,SINA,sin
a,sina.com.cn,............,......,......" />..<meta name="descri
ption" content="........................24............................
......................................................................
......................................................................
................................................30....................
..................................................................." /
>. <link rel="mask-icon" sizes="any" href="hXXp://VVV.sina.co
m.cn/favicon.svg" color="red">..<meta name="stencil" content="PG
LS000022" />..<meta name="publishid" content="30,131,1" />..&
lt;meta name="verify-v1" content="6HtwmypggdgP1NLw7NOuQBI2TW8 CfkYCoye
B8IDbn8=" />..<meta name="360-site-verification" content="63349a
2167ca11f4b9bd9a8d48354541" />..<meta name="application-name" co
ntent="............"/>..<meta name ="msapplication-TileImage" co
ntent="hXXp://i1.sinaimg.cn/dy/deco/2013/0312/logo.png"/>..<meta
name="msapplication-TileColor" content="#ffbf27"/>..<meta name=
"sogou_site_verification" content="Otg5irx9wL"/>.<link rel="appl
e-touch-icon" href="hXXp://i3.sinaimg.cn/home/2013/0331/U586P30DT2

<<< skipped >>>

....



....



..pingguo.pingguo



..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=469987, public, no-transform, must-revalidate
Last-Modified: Tue, 21 Mar 2017 17:05:05 GMT
Expires: Tue, 28 Mar 2017 17:05:05 GMT
Date: Thu, 23 Mar 2017 06:32:55 GMT
Connection: keep-alive
0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....2017
0321170505Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C
......~..Mb.v.:U.R.J....20170321170505Z....20170328170505Z0...*.H.....
........Fx<."2.........t.wU...........\.......... ,@........../=...
.\..W.xb....J.=.y.p......<.....j....... .W.....d....../..F..K...Z..
...^o..\f...W_..T.0f{d..o...f..V.....M..Z.f.....&..1MV_.Q) ...<..q.
....d.-..\?..`Y....*B.......>V..F>...r..nX.3.........X.NOS~..G..
..n0..j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.
0...U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U.
..&Symantec Class 3 Secure Server CA - G40...170204000000Z..1705052359
59Z0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Resp
onder0.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0
....!....Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie
...X.{.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.
k..*./.......b..Q4...H.s.........(...toW...9...............&...D...{T{
........4.;/pa<...........0...0... .....0......0"..U....0...0.1.0..
.U....TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u.
....x..7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........http
://VVV.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...
U.%..0... .......0...U...........0...*.H.............x..b5XG.........T
^2.....T..............zq.............f....#|.....P...R.....]...la.(.21
{...C.....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=451642, public, no-transform, must-revalidate
Last-Modified: Tue, 21 Mar 2017 12:00:18 GMT
Expires: Tue, 28 Mar 2017 12:00:18 GMT
Date: Thu, 23 Mar 2017 06:32:56 GMT
Connection: keep-alive
0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....2017
0321120018Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C
....$5J.?...;;.#.<......20170321120018Z....20170328120018Z0...*.H..
.............~."....7..@....].WD..2a.....F......A.......Ph.E........z.
..u........M..........5L.V6.....~.].3Z....&z...Z....... .....9...3 M..
{.aU..U...- .=....A...<..... .x..t...Cuy!7 Yv'.W.yS....=...s...?6..
..AmW]...@.t@vwX.s.H8.nN/P ..._.TaL/>.....rFY...g..4D}.d.......n0..
j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0...U.
...Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&Sym
antec Class 3 Secure Server CA - G40...170204000000Z..170505235959Z0@1
>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Responder0
.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0....!.
...Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...X.{
.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..*./
.......b..Q4...H.s.........(...toW...9...............&...D...{T{......
..4.;/pa<...........0...0... .....0......0"..U....0...0.1.0...U....
TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u.....x.
.7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://www
.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%..0
... .......0...U...........0...*.H.............x..b5XG.........T^2....
.T..............zq.............f....#|.....P...R.....]...la.(.21{...C.
....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3.....&l

<<< skipped >>>

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.9
Date: Thu, 23 Mar 2017 06:33:44 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: hXXps://VVV.360.cn
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.2.9</center>..</body>..</html>....


GET / HTTP/1.1
User-Agent: winnet
Host: VVV.aliyun.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Thu, 23 Mar 2017 06:32:44 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: hXXps://intl.aliyun.com/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>301 Moved Permanently</title></hea
d>..<body bgcolor="white">..<h1>301 Moved Permanently&l
t;/h1>..<p>The requested resource has been assigned a new per
manent URI.</p>..<hr/>Powered by Tengine</body>..<
;/html>....


GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:54 GMT
Content-Type: application/ocsp-response
Content-Length: 1657
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT
0..u......n0..j.. .....0.....[0..W0..0........0..1.0...U....PL1!0...U.
...Asseco Data Systems S.A.1'0%..U....Certum Certification Authority1%
0#..U....Certum CA Validation Service..20170323061937Z0r0p0H0... .....
.y...bOm..(y.Y6B...}n...C..m.....i..J.`.:........@.eq_..(....(....2017
0323061937Z....20170330061937Z..0.0... .....0....0... .....0..0...*.H.
.......... 1.......b.p..BV. .V&.S,......7a\..Y...g% .B#{khJ.B4I.~.N R.
":..^8.5.t....)...W\...N ..(L..M.....Z..N....7)...w6r..;....Y...C..{..
O.....[\.u.......TH.......\....6..e.#{.D[...$....i .8..KZ.......@V8...
. 1........qx.(..)DR....fiUb;......P.A..../....v............0...0...0.
...................#=Xr..Q0...*.H........0>1.0...U....PL1.0...U....
Unizeto Sp. z o.o.1.0...U....Certum CA0...161220101836Z..180120101836Z
0..1.0...U....PL1!0...U....Asseco Data Systems S.A.1'0%..U....Certum C
ertification Authority1%0#..U....Certum CA Validation Service0.."0...*
.H.............0..........3..>......]{7..\...$vl.....V......T...-.:
.....y..'...X..}.fA\...._.Uxl6.ti %.SS..#. Z.5.G"..S.....)Q...!..P....
~0..32...Bmd...%.2...D.....J.........6....O.u..vm.l..V.'.L.4.._....\.e
K...MI.F.;H.;..%...KZ...H;e ..9.2..A.b......F.T..._........DY2...2Z#L.
D0)........0..0...U.......0.0...U.......L.oh.....2......|.=0R..U.#.K0I
.B.@0>1.0...U....PL1.0...U....Unizeto Sp. z o.o.1.0...U....Certum C
A.... 0...U...........0...U.%..0... .......0... .....0......0...*.H...
..........,.....D...,.c...<..............G..~Uug.....q6).g&..."....
B..k...{.(.S... 5...x.>......K.ks.....S...]R......n....q.Y.i>

<<< skipped >>>

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Expires: Thu, 23 Mar 2017 06:34:03 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: nginx
Content-Type: text/html; charset=GBK
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent,Accept
Cache-Control: max-age=80
Age: 61
X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
8000.. <!DOCTYPE HTML>.<!--[if IE 6 ]> <html class="ne_
ua_ie6 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE
7 ]> <html class="ne_ua_ie7 ne_ua_ielte8" id="ne_wrap"> <
![endif]-->.<!--[if IE 8 ]> <html class="ne_ua_ie8 ne_ua_i
elte8" id="ne_wrap"> <![endif]-->.<!--[if IE 9 ]> <h
tml class="ne_ua_ie9" id="ne_wrap"> <![endif]-->.<!--[if (
gte IE 10)|!(IE)]><!--> <html phone="1" id="ne_wrap"> &
lt;!--<![endif]-->.<head>.<meta http-equiv="Content-Typ
e" content="text/html; charset=gbk">.<meta name="model_url" cont
ent="hXXp://VVV.163.com/special/0077rt/index.html" />.<title>
....</title>.<base target="_blank" />.<meta name="Keywo
rds" content="....,....,....,....,....,....,....,....,....,....,....,.
...,....,....,....,...." />.<meta name="Description" content="..
......................................................................
......................30..............................................
............" />.<meta name="robots" content="index, follow" /&g
t;.<meta name="googlebot" content="index, follow" />.<script
type="text/javascript">.(function() {. if(/s=noRedirect/i.test(l
ocation.search)) return; . if(/AppleWebKit.*Mobile/i.test(navigator
.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|
DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE
/.test(navigator.userAgent))) {. try {. if(/Andr

<<< skipped >>>

GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 11:51:19 GMT
If-None-Match: "8958b58603e19e9b46868d4300d201ea9ae7099b"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com


HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 06:32:53 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=d8a8484918d128d1685e7c650bee36c2b1490250773; expires=Fri, 23-Mar-18 06:32:53 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Thu, 23 Mar 2017 05:09:59 GMT
Expires: Mon, 27 Mar 2017 05:09:59 GMT
ETag: "b3ee1471b72f0ced734a0acb26041b5d1b044a55"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 343f5b24d4454ede-DME
0..........0..... .....0......0...0........>'...;6..9.wS..._...2017
0323050959Z0n0l0D0... .........W......#....*..2..1..`{f.E....P/}..4...
.K........DN.BG....20170323050959Z....20170327050959Z0...*.H..........
.....K#.K6......J.S..... o..>4DW....=V=q.C...x..q.\)O...g......-}..
0....\wpZ..`.T...(8.k....O.3./2.$d..N.6...e..... {.......0.@`.....M...
.........L.........fJu../... V..vx..M^...c.P^...BS.W]..wl..."&<....
...I...X.~.......#..x..4.=$x..v....Y...}......X.8o8?.......0...0...0..
........H...!U,43.....0...*.H........0W1.0...U....BE1.0...U....GlobalS
ign nv-sa1.0...U....Root CA1.0...U....GlobalSign Root CA0...1612080000
00Z..170515000000Z0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...
(GlobalSign OCSP for Root R1 - Signer 1.20.."0...*.H.............0....
......N....K.N..z.........p...CL....@....\....f.JsR.{_awn....;...-..g.
.8..6.|l.(....h....;G.@..T..%.....7.R..O;u.g@g.C........2.Y....I..g.J{
}...u.@...ih..$.<...{.h.h... ....}M}.:.........rS=.$....lE)3.o.B.x.
....^.V.#N..=S^.F..U.}C2...-S...... .2....I.......].c........0..0...U.
..........0...U.%..0... .......0...U.......0.0...U........>'...;6..
9.wS..._.0...U.#..0...`{f.E....P/}..4....K0... .....0......0L..U. .E0C
0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0..
.*.H.............>S.......F@.).fox..V\.........x.[...I&.=[...u..4.\
m....V..n......3YC..Rl-.....a..@G...@..o.......@..~....9/}.i.<....e
\.\a.'.}......}.....Cn.y.u....xZ9..x..x|h .}I-:..RD.S..Ql..2cnX.Filstf
.......e.V.G......\..]hh ....W.../..x:.2I.*.....S?.Dr..A.....=..._

<<< skipped >>>
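The Microsoft-CryptoAPI/6.1 requests above carry the whole OCSPRequest, base64-encoded, in the GET path (RFC 6960 appendix A.1), so the capture alone tells you which certificate Windows was checking. The following is an added example, not code from the Lavasoft report or from the sample: a minimal DER walker that decodes the CertID (hash algorithm, issuer name hash, issuer key hash, serial number) from such a path. The two sample paths are the ones captured above for ss.symcd.com and ocsp.globalsign.com; the OID table and the suffix search used to locate the base64 inside the URL are this example's own choices.

```python
import base64
from urllib.parse import unquote

# Sample inputs: the two OCSP GET paths captured above (ss.symcd.com and
# ocsp.globalsign.com). Any OCSP GET path of the same form can be passed instead.
SYMCD_PATH = "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo="
GLOBALSIGN_PATH = "/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH"

# Assumption of this example: only the two digest OIDs a Windows client is likely to send.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short and long-form lengths are all an OCSP request needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Dotted form of a DER OBJECT IDENTIFIER value (first byte packs two arcs,
    the rest are base-128 digits with a continuation bit)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _request_der(path):
    """Pull the DER OCSPRequest out of a GET path. The responder URL may carry its
    own components (/rootr1/ above) and base64 itself contains '/', so try each
    '/'-delimited suffix and keep the first that is one complete DER SEQUENCE."""
    segments = unquote(path).split("/")
    for i in range(len(segments)):
        try:
            der = base64.b64decode("/".join(segments[i:]), validate=True)
        except ValueError:                             # bad alphabet or padding: not the base64 part yet
            continue
        if len(der) > 2 and der[0] == 0x30 and _read_tlv(der, 0)[2] == len(der):
            return der
    raise ValueError("no OCSPRequest found in path")


def parse_ocsp_get(path):
    """CertID fields of the first Request in an OCSP GET path (RFC 6960 A.1)."""
    _, ocsp_request, _ = _read_tlv(_request_der(path), 0)
    tbs = next(v for t, v in _children(ocsp_request) if t == 0x30)      # tbsRequest (optionalSignature is [0])
    request_list = next(v for t, v in _children(tbs) if t == 0x30)      # skips [0] version and [1] requestorName
    cert_id = _children(_children(request_list)[0][1])[0][1]            # first Request -> reqCert
    alg, name_hash, key_hash, serial = _children(cert_id)
    oid = decode_oid(_children(alg[1])[0][1])                           # AlgorithmIdentifier.algorithm
    return {
        "hash_algorithm": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        # raw INTEGER content; a leading 00 would be DER sign padding, not part of the serial
        "serial_number": serial[1].hex(),
    }


if __name__ == "__main__":
    for host, path in (("ss.symcd.com", SYMCD_PATH), ("ocsp.globalsign.com", GLOBALSIGN_PATH)):
        print(host, parse_ocsp_get(path))
```

The decoded issuer key hash and serial can be matched byte-for-byte against the CertID the responder echoes back in its reply (the bytes just before the `2017...Z` timestamps in the response bodies above), which ties each response to its request; the issuer plus serial is then what to look up when deciding whether the check was triggered by a signed component the sample dropped or by one of its HTTPS connections.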

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Expires: Thu, 23 Mar 2017 06:34:03 GMT
Date: Thu, 23 Mar 2017 06:32:43 GMT
Server: nginx
Content-Type: text/html; charset=GBK
Transfer-Encoding: chunked
Vary: Accept-Encoding,User-Agent,Accept
Cache-Control: max-age=80
Age: 30
X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
8000.. <!DOCTYPE HTML>.<!--[if IE 6 ]> <html class="ne_
ua_ie6 ne_ua_ielte8" id="ne_wrap"> <![endif]-->.<!--[if IE
7 ]> <html class="ne_ua_ie7 ne_ua_ielte8" id="ne_wrap"> <
![endif]-->.<!--[if IE 8 ]> <html class="ne_ua_ie8 ne_ua_i
elte8" id="ne_wrap"> <![endif]-->.<!--[if IE 9 ]> <h
tml class="ne_ua_ie9" id="ne_wrap"> <![endif]-->.<!--[if (
gte IE 10)|!(IE)]><!--> <html phone="1" id="ne_wrap"> &
lt;!--<![endif]-->.<head>.<meta http-equiv="Content-Typ
e" content="text/html; charset=gbk">.<meta name="model_url" cont
ent="hXXp://VVV.163.com/special/0077rt/index.html" />.<title>
....</title>.<base target="_blank" />.<meta name="Keywo
rds" content="....,....,....,....,....,....,....,....,....,....,....,.
...,....,....,....,...." />.<meta name="Description" content="..
......................................................................
......................30..............................................
............" />.<meta name="robots" content="index, follow" /&g
t;.<meta name="googlebot" content="index, follow" />.<script
type="text/javascript">.(function() {. if(/s=noRedirect/i.test(l
ocation.search)) return; . if(/AppleWebKit.*Mobile/i.test(navigator
.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|
DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE
/.test(navigator.userAgent))) {. try {. if(/Andr

<<< skipped >>>
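Every request the sample itself makes above has the same shape: a bare `GET /` with `User-Agent: winnet`, `Cache-Control: no-cache` and no Accept header, sent to a list of large Chinese portals, with the Windows certificate-chain engine (`Microsoft-CryptoAPI/6.1`) interleaved. The following is an added example, not code from the report or from the malware: it parses request blocks in the plain-text form shown above, groups them by User-Agent, and flags agents that only fetch the root page of several unrelated hosts, which reads as a connectivity probe rather than browsing. The sample capture is constructed from request lines on this page with the responses left out; the known-client prefix list and the three-host threshold are assumptions to tune against the sandbox image's normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample: request blocks excerpted from the capture above, responses
# omitted. A real capture in the same plain-text form can be used instead.
SAMPLE_CAPTURE = """\
GET / HTTP/1.1
User-Agent: winnet
Host: VVV.baidu.com
Cache-Control: no-cache

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.360.cn
Cache-Control: no-cache

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache

GET / HTTP/1.1
User-Agent: winnet
Host: VVV.163.com
Cache-Control: no-cache
"""

# Clients Windows itself or a browser would present. Assumption of this example:
# extend it from the baseline traffic of the sandbox image you use.
KNOWN_CLIENT_PREFIXES = ("Microsoft-CryptoAPI/", "Microsoft NCSI", "Windows-Update-Agent", "Mozilla/")

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|OPTIONS)\s+(\S+)\s+HTTP/1\.[01]$")


def refang(host):
    """Undo the report's defanging of hostnames (VVV. stands for www.)."""
    return "www." + host[4:] if host.startswith("VVV.") else host


def parse_requests(text):
    """Yield (method, path, headers) for each HTTP request block. Header names are
    lower-cased; a block ends at the first blank line, so response bodies are skipped."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = REQUEST_LINE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        headers = {}
        i += 1
        while i < len(lines) and lines[i].strip():
            name, _, value = lines[i].partition(":")
            headers[name.strip().lower()] = value.strip()
            i += 1
        yield m.group(1), m.group(2), headers


def summarize(text):
    """Per User-Agent: distinct re-fanged hosts, request count, and whether every
    request was a bare root GET without an Accept header (a hand-rolled client)."""
    stats = defaultdict(lambda: {"hosts": set(), "requests": 0, "bare_root_gets": True})
    for method, path, headers in parse_requests(text):
        s = stats[headers.get("user-agent", "<none>")]
        s["hosts"].add(refang(headers.get("host", "")))
        s["requests"] += 1
        if not (method == "GET" and path == "/" and "accept" not in headers):
            s["bare_root_gets"] = False
    return {ua: {"hosts": sorted(s["hosts"]), "requests": s["requests"], "bare_root_gets": s["bare_root_gets"]}
            for ua, s in stats.items()}


def beacon_agents(text, min_hosts=3):
    """User-Agents worth a detection rule: not a known client, and fetching only the
    root page of several unrelated hosts (a connectivity probe, not browsing)."""
    return sorted(ua for ua, s in summarize(text).items()
                  if not ua.startswith(KNOWN_CLIENT_PREFIXES)
                  and s["bare_root_gets"] and len(s["hosts"]) >= min_hosts)


if __name__ == "__main__":
    for ua, s in summarize(SAMPLE_CAPTURE).items():
        print(f"{ua}: {s['requests']} request(s) to {', '.join(s['hosts'])}")
    print("flag:", beacon_agents(SAMPLE_CAPTURE))
```

The agent string is the cheapest proxy signature here, but the shape check matters more than the literal `winnet`: a rebuilt sample with a different User-Agent still produces the same run of root GETs without an Accept header, so a rule on the shape survives the rename.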

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1908:

.text
`.rdata
@.data
.vmp0
.vmp1
.reloc
@.rsrc
GetProcessWindowStation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Reality.log
< \Login.exe
D:\chengzhen\
\StartGame\Release\StartGame.pdb
C:\OneRun.txt
360tcpview
365tcpview
cports
tcpview
httpanalyzer
C:\tbbmalloc.exe
tbbmalloc.exe
c:\%original file name%.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
hVm.AG
.eS~J
.gXSE
.zSKM
$ra.QF
.mQ :
$6.ZP;
AjR.To
A*.pY,
X00
%C{Mwb
{ .Fra
u%d!K
4.YQH
).tyO
.SCpC
%%8SC
,.nD2
%.cz9I
I.YU4 
3.jmK
.jAdrc
>c"%FS
ByÎXo.
{g.zj
D.DRem
ÝZs 
eW.eq
9L.KS
%S;f}k
!=.hh
.jTF@d
fQ4-p}
E=%u=]
cG%up=
W".rJ
.JD5L*)k
4k.Qju
[.zCK
.ZqM<
Td.lpw
.BPx?
8M%Xx
3ck.dCuJ
%d"sb)
.od7:
dPVI%u
.FCFU
41%%F
.NQ8o
r.Jls)
%CO4sp\
9sshM
K.JfMq2N
.ul7G
W}%fT
.FM<^
zu%Dg
EDS.oV
 5%Scx
nUH.kG
.yb:gUV
.mU8R
zÚ^
<_.Ln
;R<.LE,
%X=9q
H<.nu
~ .Gwz
fi.FK
.RlqY
KP.bN
H%d$)
.kv^d^
e*.MH
v.Aef
.ZK-)
]DQ.NooL
.kkBM
lJ.Qjb4
zn!4/.tU
xW%Cw?
.sI04
.EL;f
2.UJ=
}d%X[
F-?%U
@r.nA
.tF#Z
b7É
h].Iv
WuM%SQ
r.DY|
).Hvt>
%uZ$|3
MHy-b}
W:\ 0
.Cc&I
aP.ug
{A%C}
=~%3S}
h.Xv$
`h%X4
L.FiD
-j}a 
w%UPt
a.gUh
%S|ac
n.tiu
Y.Zg`
M.Dzv
b%XrZf
?OCRtQH
v.iR`
hcu.Tf
%s~Oz
..rl0
3g.yz
.FPh9
.rT3$
#.vU}6
KEY|3
]{b-1}.
Z%Uk{)z
Wq.ZP
R#,%d
user32.dll
>=<;:987
6543210/
.-, *)('
5 5$5(5,5054585<5
> >@>\>`>
0S091K1h1
0 0$0(0,0
4!8-8}8
8USER32.dll
RegCreateKeyExA
KERNEL32.dll
0.dnN&}
}:~%d
=<;:9876
543210/.
-, *)('&
>!S%U
B/T?1%U6@
|S .iL
UD.FW
}U%uC3AN
.OL-#
n.pTX
%s6`{
%dnn9 (
`.JvP@
@%.Rbi
%Xv'r
w.AP%
.OlJ^
.BA%wV
:{.Mw
%Dhm\
.mO|<^
Bf!%DX]b
t5%x)
%D"MR
.EOm(
.RDrA
L.jVa
%@-pa}
.nu7X(
W.JmO
Q%shk
M>%sr2
@*.It
%US<L
2.ukvW
U-.hM
88.kf
%8xt<
gQ%xB
n Y=0.HL
ctA<=b%d
3}O$%cm(
yxY.ap
P.Clf
ha.ZJ
1?.qn9G
Y6tcp
W.UcX
.Un19j
B.hf>d
{.gfQ
.Lk/8
6S(%FT
_%Ck4@
z.dvH1
_%xsW
v.sq)
CmD-9
"%X2_
OX.ma
,9p%x
`&#.Oa
.chx[
%FV@,
5.yOz!
.Sd_S
.vfp0H
4}r6Z.dk
e".Xu
%c(uCw
.eB#&
@0.gQ
eurL
R.naE
pourL
 .xxr
6Fm.hQ
\l.Dag>
1%uNJ
=%X N
.mxnQt
D.jY(
u.QwW
.Lcp?y
S,D6%sn
.!.ns
bfTP
.Ewyw
KADVAPI32.dll
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
WUSER32.DLL
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

%original file name%.exe_1908_rwx_013E0000_002D9000:

Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
c:\%original file name%.exe
hVm.AG
.eS~J
.gXSE
.zSKM
$ra.QF
.mQ :
$6.ZP;
AjR.To
A*.pY,
X00
%C{Mwb
{ .Fra
u%d!K
4.YQH
).tyO
.SCpC
%%8SC
,.nD2
%.cz9I
I.YU4 
3.jmK
.jAdrc
>c"%FS
ByÎXo.
{g.zj
D.DRem
ÝZs 
eW.eq
9L.KS
%S;f}k
!=.hh
.jTF@d
fQ4-p}
E=%u=]
cG%up=
W".rJ
.JD5L*)k
4k.Qju
[.zCK
.ZqM<
Td.lpw
.BPx?
8M%Xx
3ck.dCuJ
%d"sb)
.od7:
dPVI%u
.FCFU
41%%F
.NQ8o
r.Jls)
%CO4sp\
9sshM
K.JfMq2N
.ul7G
W}%fT
.FM<^
zu%Dg
EDS.oV
 5%Scx
nUH.kG
.yb:gUV
.mU8R
zÚ^
<_.Ln
;R<.LE,
%X=9q
H<.nu
~ .Gwz
fi.FK
.RlqY
KP.bN
H%d$)
.kv^d^
e*.MH
v.Aef
.ZK-)
]DQ.NooL
.kkBM
lJ.Qjb4
zn!4/.tU
xW%Cw?
.sI04
.EL;f
2.UJ=
}d%X[
F-?%U
@r.nA
.tF#Z
b7É
h].Iv
WuM%SQ
r.DY|
).Hvt>
%uZ$|3
MHy-b}
W:\ 0
.Cc&I
aP.ug
{A%C}
=~%3S}
h.Xv$
`h%X4
L.FiD
-j}a 
w%UPt
a.gUh
%S|ac
n.tiu
Y.Zg`
M.Dzv
b%XrZf
?OCRtQH
v.iR`
hcu.Tf
%s~Oz
..rl0
3g.yz
.FPh9
.rT3$
#.vU}6
KEY|3
]{b-1}.
Z%Uk{)z
Wq.ZP
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

Reality.log_2932:

.text
`.rdata
@.data
`.tls
.rsrc
t$(SSh
~%UVW
u.hd;i
u$SShe
Bv=kAv.SCv
RCv=kAv.SCv
user32.dll
EnumWindows
CreatePipe
PeekNamedPipe
MsgWaitForMultipleObjects
GetWindowsDirectoryA
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}
tbbmalloc.exe
Login.exe
\Login2.exe
\Login.exe
iexplore.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
G@.tmp
wshom.ocx
iTXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
<xmpMM:InstanceID>xmp.iid:b10e3b85-5a72-1140-b5db-48dd93d57ef7</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:CA8BB0CFB6BEE5118FC496E26DF882B3</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:CA8BB0CFB6BEE5118FC496E26DF882B3</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:CA8BB0CFB6BEE5118FC496E26DF882B3</stEvt:instanceID>
<stEvt:softwareAgent>Adobe Photoshop CS6 (Windows)</stEvt:softwareAgent>
<stEvt:instanceID>xmp.iid:5e0f878d-9c6f-414c-adf0-58a00c0288d4</stEvt:instanceID>
<stEvt:softwareAgent>Adobe Photoshop CC (Windows)</stEvt:softwareAgent>
<stEvt:parameters>from application/vnd.adobe.photoshop to image/png</stEvt:parameters>
<stEvt:parameters>converted from application/vnd.adobe.photoshop to image/png</stEvt:parameters>
<stEvt:instanceID>xmp.iid:b10e3b85-5a72-1140-b5db-48dd93d57ef7</stEvt:instanceID>
<stRef:instanceID>xmp.iid:5e0f878d-9c6f-414c-adf0-58a00c0288d4</stRef:instanceID>
<stRef:documentID>xmp.did:CA8BB0CFB6BEE5118FC496E26DF882B3</stRef:documentID>
<stRef:originalDocumentID>xmp.did:CA8BB0CFB6BEE5118FC496E26DF882B3</stRef:originalDocumentID>
<xmpMM:InstanceID>xmp.iid:d7d670e4-ef3d-7f42-ba1f-1180b32c9492</xmpMM:InstanceID>
<stEvt:instanceID>xmp.iid:f9158bbd-8879-f347-b229-f39777b0f9f9</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:d7d670e4-ef3d-7f42-ba1f-1180b32c9492</stEvt:instanceID>
<stRef:instanceID>xmp.iid:f9158bbd-8879-f347-b229-f39777b0f9f9</stRef:instanceID>
keye
BviTXtXML:com.adobe.xmp
<xmpMM:InstanceID>xmp.iid:2ee7594b-0ef1-4b4e-94e9-c5ea711f3044</xmpMM:InstanceID>
<stEvt:instanceID>xmp.iid:30d5e0e7-4fdb-7848-a5d9-d9a71da4268c</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:a80b8398-c20e-3047-bd5d-144c19b7efae</stEvt:instanceID>
<stEvt:instanceID>xmp.iid:2ee7594b-0ef1-4b4e-94e9-c5ea711f3044</stEvt:instanceID>
<stRef:instanceID>xmp.iid:a80b8398-c20e-3047-bd5d-144c19b7efae</stRef:instanceID>
pz?F%F
iwLogin
&:]%x
N%xKP
.Zg,|.-21
2.WCS
!Ý"
3948959
F18B81BD-5D81-4d98-8D92-1CBC29BF1805
4D34F7D2-2FB8-44f4-9757-B08B2A220DDDL
v~97.PX
k.jOrM
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
EnumChildWindows
USER32.dll
GetProcessHeap
KERNEL32.dll
GDI32.dll
gdiplus.dll
ole32.dll
IMM32.dll
ShellExecuteA
SHELL32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
SHLWAPI.dll
WINMM.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
GetCPInfo
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
exui.dll
exui_zujiankeyouziji_kuozhanjiekou
F%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Broken pipe
Inappropriate I/O control operation
Operation not permitted
7iphlpapi.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
ex_ui keye
msimg32.dll
"iTXtXML:com.adobe.xmp
9D1569BC-D691-4216-844E-5DFE5D2EF825
fiTXtXML:com.adobe.xmp
C715A368-6E3F-4e61-9991-E99EB74D5EFA
\lib\ex_ui\AttributeEditorexui.dllnew
\lib\ex_ui\AttributeEditorexui.dll
\lib\exui.fne
\lib\ex_ui\dll\exui.fne
krnln.fnr
<@wke.dll
\wke.dll
\lib\ex_ui\wke.dll
D:\wke.dll
wke.dll
\lib\ex_ui\wke.dll)
wke.dll
4F4232B4-AE1B-449c-BF6F-1B3DD0351CBF
ryxzxzw@163.com QQ 1060943567 QQ
1:128623809
201510.25
VVV.meitu.com
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
c.gff
015621FD-C063-4706-B16E-A8877DC952E1
CB0AFE2E-CF04-4e82-9C0E-7A4351B79ABF
FB3DADD5-3E2F-48eb-BD31-AA43D142DA77
6A8E5D6D-16C0-498f-A605-0E5DA96DF355D
kernel32.dll
lib\ex_ui\AttributeEditorexui.dll
GdiPlus.dll
Ole32.dll
imm32.dll
shell32.dll
GetAsyncKeyState
wkeKeyDown
wkeKeyUp
wkeCreateWebView
wkeGlobalExec
wkeLoadURLW
wkeDestroyWebView
wkeKeyPress
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
.?AVCCmdTarget@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
D:\Reality.log
.PAVCResourceException@@
.PAVCUserException@@
.PAVCArchiveException@@
CreateDialogIndirectParamA
WS2_32.dll
winspool.drv
gdi32.dll
WinExec
GetViewportOrgEx
GetViewportExtEx
comctl32.dll
OLEAUT32.dll
advapi32.dll
shlwapi.dll
winmm.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
#include "l.chs\afxres.rc" // Standard components
2.8.0.0
(hXXp://VVV.dywt.com.cn)
(*.*)

%original file name%.exe_1908_rwx_016BE000_00001000:


Reality.log_2932_rwx_00799000_00001000:


winnet.exe_1780:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
Reality.log
hXXp://VVV.baidu.com/
hXXp://VVV.qq.com/
hXXp://VVV.taobao.com/
hXXp://VVV.aliyun.com/
hXXp://VVV.sina.com.cn/
hXXp://VVV.126.com/
hXXp://VVV.163.com/
hXXp://VVV.jingdong.com/
hXXp://VVV.360.cn/
hXXps://VVV.sogou.com/
winnet.dll
D:\chengzhen\
\StartGame\StartGame\winnet.pdb
KERNEL32.dll
InternetOpenUrlA
WININET.dll
GetCPInfo
C:\Windows\winnet.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
10.0.14393.206
winnet.exe
1.0.0.1

Reality.log_2932_rwx_007A3000_00001000:

ScaleViewportExtEx
imm32.dll
comdlg32.dll
GetViewportExtEx

Reality.log_2932_rwx_007BD000_00001000:

user32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    winnet.exe:1780

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\winnet.exe (72 bytes)
    C:\Windows\winnet.dll (125 bytes)
    C:\tbbmalloc.exe (359 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QIXNH8A0.txt (259 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (301 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H5UXBDU3.txt (66 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (103 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LGPBOI6P.txt (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\baidu_com[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (2712 bytes)
    C:\Windows\LSP.dll (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZSHEDCO8.txt (86 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1464 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\360_cn[1].htm (184 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2674 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\intl_aliyun_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (194 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FD1DA35A7CC73400775DD44892329357 (380 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\aliyun_com[1].htm (278 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (2032 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FD1DA35A7CC73400775DD44892329357 (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1236 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (278 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sogou_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (194 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qq_com[1].htm (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\126_com[1].htm (10 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
