MD5: 5193a201b7355f6ac00af96184d29d5d
SHA1: d66f981e23494860656b31e27e5dd4fcf8d91b46
SHA256: 4aa669e7382244709987ac4d6e52f0c966f373c65353d9d6778e6d5bd92fae51
SSDeep: 98304:GQHA/3XxoSj3XsbIABdUf0uXFvWomZHF7b MxntyV n:GQHAfxdjH4I8qVJGHF/txt n
Size: 5135223 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-14 22:15:49
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

svchostlsp.exe:3736
%original file name%.exe:452
117my.exe:2736
117my.exe:944

The Trojan injects its code into the following process(es):

svchosl.exe:3732

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process svchostlsp.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\twain_32\config\ESPI11.dll (244 bytes)
C:\Windows\System32\addressoftext.inscan (1 bytes)
C:\Windows\System32\ESPI11.dll (723 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\svchost.exe (12649 bytes)
C:\Windows\117my.exe (7296 bytes)
C:\Windows\117my.com.bat (258 bytes)
C:\Windows\Game.ico:Zone.Identifier (26 bytes)
C:\Windows\svchosl.exe (8713 bytes)
C:\Windows\Game.ico (1978 bytes)
C:\Windows\117my.skn (2160 bytes)
C:\Users\"%CurrentUserName%"\Desktop\117魔域7.1.lnk (1 bytes)

The Trojan deletes the following file(s):

C:\Windows\__tmp_rar_sfx_access_check_1308957 (0 bytes)

The process svchosl.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\host[1].htm (775 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CCQ2R3OL.txt (0 bytes)

The process 117my.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe (1948 bytes)

The process 117my.exe:944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Mag.dat (101 bytes)
C:\Windows\System32\drivers\etc\hosts (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn (62 bytes)
C:\Windows\117my.skn (65 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\117my.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll (89 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\fc07[1].swf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K3H6JGON.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AllServices[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fc07_2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\nearest[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Tsv1TyvAx4g5KyOkiAdSP1Stniw[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MG_en-us[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\GetMDRCDPOSTURL[1].aspx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Yd__VnAFnBZBQiIS0sHoF6FGRC8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)

Registry activity

The process svchostlsp.exe:3736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"FileName" = "C:\Windows\system32\ESPI11.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1014" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1012" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\ESPI11]
"1002" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1003" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
"1001" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 73 79 73 74 65"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU]
"wodezhucbxm_1" = "393972"

[HKLM\SOFTWARE\Microsoft\Tracing\svchostlsp_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process svchosl.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU]
"wodezpoiuy_5" = "328482"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"MaxFileSize" = "1048576"

"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svchosl_RASMANCS]
"EnableFileTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf1" = "C:\Windows\svchosl.exe /start"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process 117my.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 117my.exe:944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\117my_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5537 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://passport.n.shifen.com/?business&un=5182235367&from=prin
hxxp://www.gxnkw.com/jc/bjcguanjianzi.txt?WebShieldDRSessionVerify=YizhEArCBnQ1QwpILGI0
hxxp://www.gxnkw.com/jc/tongji.txt
hxxp://www.gxnkw.com/jc/bjcguanjianzi.txt
hxxp://www.gxnkw.com/jc/jcd.txt
hxxp://www.92117my.com/host.html	122.228.30.106
hxxp://18201869647.oicp.net/
hxxp://18201869647.oicp.net/favicon.ico
hxxp://www.gxnkw.com/jc/hostjc.txt
hxxp://www.92117my.com/index1.htm	122.228.30.106
hxxp://www.92117my.com/logo.jpg	122.228.30.106
hxxp://www.92117my.com/game.html	122.228.30.106
hxxp://www.92117my.com/images/new.js	122.228.30.106
hxxp://www.92117my.com/images/xx.css	122.228.30.106
hxxp://www.92117my.com/images/bg.jpg	122.228.30.106
hxxp://www.92117my.com/images/Index_c1_r5.jpg	122.228.30.106
hxxp://www.92117my.com/Images/Index_bottom.jpg	122.228.30.106
hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA==
hxxp://www.92117my.com/favicon.ico	122.228.30.106
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw==
hxxp://www.taobao.com.danuoyi.tbcache.com/	213.244.178.246
hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw==
hxxp://www.gxnkw.com/jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://www.taobao.com/	213.244.178.246
hxxp://passport.baidu.com/?business&un=5182235367&from=prin
hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH	104.16.26.216
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw==	104.16.27.216
hxxp://www.117my.cc/	183.60.204.14
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA==	104.16.27.216
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl	93.184.220.20
hxxp://www.117my.cc/favicon.ico	183.60.204.14
hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw==	104.16.27.216
wg.200my.com	122.224.48.120
s95.cnzz.com	1.99.192.16
z4.cnzz.com	1.122.192.15
world.taobao.com	213.244.178.246
c.cnzz.com	123.138.67.81
cnzz.mmstat.com	198.11.132.221

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq

Content-Length: 0

Connection: Close

Content-Type: text/html

GET /jc/bjcguanjianzi.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 200

Content-Type: text/plain

Last-Modified: Sun, 08 Jan 2017 11:29:25 GMT

Accept-Ranges: bytes

ETag: "583b2977a269d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT
....sf......................001my..139my..70..........................
................................................001......139..........
....178................520........................chihuo0517...
.


GET /jc/jcd.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 32

Content-Type: text/plain

Last-Modified: Thu, 12 Jan 2017 10:59:28 GMT

Accept-Ranges: bytes

ETag: "ca42d5f1c26cd21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT
hXXp://VVV.92117my.com/host.html....


GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:42 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Mod
ified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1
ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..D
ate: Thu, 19 Jan 2017 00:36:42 GMT..

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:40 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d9bd14783e463ca82c5866086ae2f56f41484786440; expires=Fri, 19-Jan-18 00:40:40 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 23:26:57 GMT

Expires: Sun, 22 Jan 2017 23:26:57 GMT

ETag: "ce2c9bab38408c822469b28825da8da8a11ff254"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c92e3e24038-SOF
0..........0..... .....0......0...0.......M........u....%...G..2017011
8232657Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.ip.p..j..K.K....20170118232657Z....20170122232657Z0...*.H............
.uO.5......./w;3.....3.J.n...E.....j.i..'...?.n>..J..l.sa......./..
..@.z..Qh.cc..l[...q.W ...g%.....o...f..."....9..;v_.n..m..!...f@.M...
!.Yu.L3'C.6'......saI.G.d'B..b.u.H......_....m.f.Z.....g...DHY.z.O[.|U
[o..#.O....0<....h....>...}..m..s....O..........8t...K0..G0..C0.
. .......q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSi
gn nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 -
 G20...161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSi
gn nv-sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Vali
dation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.....
....C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.
........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l..
.P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;..
...n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0
...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... ..
...0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsi
gn.com/repository/0...U...........0...U.%..0... .......0...*.H........
......H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'.
.1."......3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...|
|.V....K..L...dX...a....6'..U..G....A;..........4K...........k.B].
<<< skipped >>>

GET /?business&un=5182235367&from=prin HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: passport.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Connection: keep-alive

Content-Type: text/html

Date: Thu, 19 Jan 2017 00:40:03 GMT

P3p: CP=" OTI DSP COR IVA OUR IND COM "

Server: Apache

Set-Cookie: BAIDUID=9D02E474B4BC9B1BC9F49E269184DEEF:FG=1; expires=Fri, 19-Jan-18 00:40:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

Tracecode: 24029977590332382986011908

Tracecode: 24029977590286507274011908

Vary: Accept-Encoding

Vary: Accept-Encoding

Transfer-Encoding: chunked
3d0..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<htm
l xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head>.<meta http-
equiv="Content-Type" content="text/html; charset=utf-8" />.<titl
e>........................_5182235367</title>.<link rel="s
tylesheet" href="/style/v2/info.css?t=20100901" type="text/css" media=
"all" />.<script type="text/javascript" src="/js/center_accountb
ind.js?t=20100901"></script>.<script type="text/javascript
" src="/js/business.js?t=20100901"></script>.<script langu
age="javascript">.      document.domain = "baidu.com";.      window
.hasSpace = '';.      var tabinfo = initTabInfo('5182235367');.      v
ar ab=gethash(1);.      if(ab>0 && ab<tabinfo.length).      {.  
       if(tabinfo[ab][2]=="_blank").         {.            window.loca
tion=tabinfo[ab][0];.         }.      }.      function fixImgSize(img)
{...  var width = img.offsetWidth;...  var height = img.offsetHeight;.
..  if( w..1a65..idth>78 ){...      width>height?( img.style.wid
th='78px' ):( img.style.height='78px' );...  }else if( height>78 ){
...      img.style.height='78px';...  }..  }.    </script>.</
head>.<body onLoad="javascript:chgdeftab(0);">.              
                          <div class="wrapper">.<noscript>
.<p class="nojs">...............................................
.....................................</p>.</noscript>.
<<< skipped >>>

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Mod
ified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1
ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..D
ate: Thu, 19 Jan 2017 00:36:41 GMT......


GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:49 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Mod
ified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1
ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..D
ate: Thu, 19 Jan 2017 00:36:49 GMT......


GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:58 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Mod
ified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1
ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..D
ate: Thu, 19 Jan 2017 00:36:58 GMT......

GET /CRL/Omniroot2025.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT

If-None-Match: "200da-5b6-4eb453c33260e"

User-Agent: Microsoft-CryptoAPI/6.1

Host: cdp1.public-trust.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/x-pkcs7-crl

Date: Thu, 19 Jan 2017 00:40:59 GMT

Etag: "200c0-cba-54651a19dc944"

Last-Modified: Tue, 17 Jan 2017 22:15:01 GMT

Server: ECS (arn/45CB)

X-Cache: HIT

Content-Length: 3258
0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U..
..CyberTrust1"0 ..U....Baltimore CyberTrust Root..170117212826Z..17041
4212826Z0...0....'k...120111220757Z0....'k...120111220847Z0....'.C..13
0130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140
212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..1004
14175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....10021
6203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208
175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...1101141
62156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0
.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...1
20111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..10
0414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101
208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..1103
02154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..10041
4175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714
160903Z0....'s...130123162633Z0....'....130904190524Z0....'....1310242
14319Z0....'....140129172435Z0....'....140129172453Z0....'....13102421
4310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155
638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...1506031846
05Z0....'k...150603185020Z0....'k...150603185058Z0....'k...15060318513
1Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909
Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173
<<< skipped >>>

GET /jc/bjcguanjianzi.txt?WebShieldDRSessionVerify=YizhEArCBnQ1QwpILGI0 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /jc/bjcguanjianzi.txt

Content-Length: 0

Connection: Close

Content-Type: text/html

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:39 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Mod
ified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1
ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..D
ate: Thu, 19 Jan 2017 00:37:39 GMT..

GET / HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.117my.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 228

Content-Type: text/html

Content-Location: hXXp://VVV.117my.cc/index.html

Last-Modified: Mon, 15 Aug 2016 05:17:18 GMT

Accept-Ranges: bytes

ETag: "c85d104bb4f6d11:a7a"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:59 GMT
..<html>..........117...................2............<script 
language="javascript"> .. <!-- .. setTimeout("goto()","1000");..
function goto(){.. window.location.href = "hXXp://VVV.92117my.com/inde
x1.htm";..}.. -->.. </script>HTTP/1.1 200 OK..Content-Length:
 228..Content-Type: text/html..Content-Location: hXXp://VVV.117my.cc/i
ndex.html..Last-Modified: Mon, 15 Aug 2016 05:17:18 GMT..Accept-Ranges
: bytes..ETag: "c85d104bb4f6d11:a7a"..Server: Microsoft-IIS/6.0..X-Pow
ered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:39:59 GMT....<html>.
.........117...................2............<script language="javas
cript"> .. <!-- .. setTimeout("goto()","1000");..function goto()
{.. window.location.href = "hXXp://VVV.92117my.com/index1.htm";..}.. -
->.. </script>..

GET /index1.htm HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Referer: hXXp://VVV.117my.cc/

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 5219

Content-Type: text/html

Last-Modified: Thu, 12 Jan 2017 13:56:43 GMT

Accept-Ranges: bytes

ETag: "c8d99b5db6cd21:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:37 GMT
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html
 xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http
-equiv="Content-Type" content="text/html; charset=utf-8" />..<ti
tle>......117................................................</t
itle>..<meta name="keywords" content="......sf,.................
.,117......" />..<meta name="description" content="117......sf..
......................................................................
......................................................................
....." />..<style type="text/css">..body{color:#175095;paddin
g:8px 0;background:#333;}..a{color:#175095;text-decoration:none;}..a:l
ink{color:#175095;text-decoration:none;}..a:hover{color:#e00;text-deco
ration:none;}..*{padding:0;margin:0;font-size:14px;font-family:'Micros
oft Yahei','Lucida Grande',Helvetica,Arial,sans-serif;}..#w{width:1002
px;margin:0 auto;padding:8px;background:#fff;-moz-border-radius:3px;-w
ebkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 0 8px #
000000;-moz-box-shadow:0 0 8px #000000;box-shadow:0 0 8px #000000;}..#
logo{height:91px;background:url(logo.jpg) no-repeat;}..#d{margin-top:8
px;}..#d table{border-spacing:1px;width:100%;background:#e3f3fe;border
:1px solid #95bcd6;}..#d table tr:hover{background:#fff;}..#d td{paddi
ng:10px;line-height:15px;text-align:center;border:1px solid #95bcd6;ov
erflow:hidden;white-space:nowrap;}..#k{margin-top:8px;border-top:1
<<< skipped >>>

GET /game.html HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Referer: hXXp://VVV.92117my.com/index1.htm

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 17051

Content-Type: text/html

Last-Modified: Mon, 16 Jan 2017 11:52:03 GMT

Accept-Ranges: bytes

ETag: "cfaef4ee6fd21:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:38 GMT
<html>..<HEAD>..<title>117................</title
>..<meta http-equiv="Content-Type" content="text/html; charset=g
b2312">..<META NAME="keywords" CONTENT="117................">
..<META NAME="description" CONTENT="117................">..<M
ETA NAME="robots" CONTENT="all">..<script type='text/javascript'
>window.mod_pagespeed_start = Number(new Date());</script>..&
lt;link rel='stylesheet' href='images/xx.css' type='text/css'>..<
;script language=javascript src="images/new.js"></script>..&l
t;BODY leftMargin=0 topMargin=0>..<TABLE align='center' cellSpac
ing=0 cellPadding=0 width='100%' border=0>..<TR>..<TD>.
.<style type="text/css"> ..<!--..body{background:#2B0045 url(
images/bg.jpg) no-repeat center 0;font-size:12px;}...about {...height:
 38px;width: 310px;font-size: 14px;line-height: normal;font-weight: bo
lder;font-family: "....";position: absolute;.left: auto;top: 96px;text
-align: left;}...logo{width:980px;height:120px;position:absolute;left:
261px;top:23px;}...logo a{width:980px;height:120px;display:block;posit
ion:inherit;text-indent:-9999px;}.....-->...aboutqq {...height: 28p
x;width: 310px;font-size: 14px;line-height: normal;font-weight: bolder
;font-family: "....";position: absolute;.left: auto;top: 76px;text-ali
gn: left;}...logo{width:980px;height:130px;position:absolute;left:201p
x;top:13px;}...logo a{width:980px;height:130px;display:block;position:
inherit;text-indent:-9999px;}.. .. ...banner{width:984px;margin:0 
<<< skipped >>>

GET /images/bg.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://VVV.92117my.com/game.html

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.92117my.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 47783

Content-Type: image/jpeg

Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT

Accept-Ranges: bytes

ETag: "08c919cd3b3d01:3fe"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:39 GMT
......Exif..II*.................Ducky.......F.....rhXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c01
4 79.151481, 2013/03/13-12:09:15        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:1AB21EE2D186E011A
F1EE9B4DAE6B957" xmpMM:DocumentID="xmp.did:8075A7ADFD1411E288C0AA50F7B
C029F" xmpMM:InstanceID="xmp.iid:8075A7ACFD1411E288C0AA50F7BC029F" xmp
:CreatorTool="Adobe Photoshop CC (Windows)"> <xmpMM:DerivedFrom 
stRef:instanceID="xmp.iid:f3ed0250-4dae-e34c-bf8c-3468d4276f83" stRef:
documentID="xmp.did:1AB21EE2D186E011AF1EE9B4DAE6B957"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.....................................Z................................
................................1aQ!A...............................?.
.Cj. @..... @..... 4...7...... .6.H.@....H. 7.)....V..H. .....U).).).)
....R.B..@).)..P....E.AJ@)..P..JA.@).J@)....U[ ..S..<..?.....Jy..A.
.H.<.....@..).B.A......E).F..<.g..A...y..A..7..A..7...7.o .Eo ..
o*7.o ...... ...s.*..*7.\... ....Ar..\....\....s.".. .A.....3.e../
<<< skipped >>>

GET /jc/tongji.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 0

Content-Type: text/plain

Last-Modified: Mon, 17 Aug 2015 16:25:45 GMT

Accept-Ranges: bytes

ETag: "4c1ca75e9d9d01:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:41 GMT
HTTP/1.1 200 OK..Content-Length: 0..Content-Type: text/plain..Last-Mod
ified: Mon, 17 Aug 2015 16:25:45 GMT..Accept-Ranges: bytes..ETag: "4c1
ca75e9d9d01:22a0"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..D
ate: Thu, 19 Jan 2017 00:36:41 GMT......


GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:46 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.
31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.c
om..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 k
kk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214
my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.17
8.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.
com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com.
.170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 
VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.co
m..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.1
71.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11
moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.c
om..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.3
1 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..
170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.
31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..
170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31
 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com
..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.
171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.17
1.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba
.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:58 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.
31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.c
om..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 k
kk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214
my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.17
8.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.
com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com.
.170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 
VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.co
m..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.1
71.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11
moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.c
om..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.3
1 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..
170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.
31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..
170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31
 VVV.901my.com..170VVV.518ak.com..170.178.171.31 lpput.com..170.178.17
1.31 hjmyh.com..170.178.171.31 VVV.5555my.com..170.178.171.31 aaa.5555
my.com..170.178.171.31 VVV.hjmyh.com..170.178.171.31 VVV.195my.com..17
0.178.171.31 195my.com..170.178.171.31 VVV.195sy.com..170.178.171.31 1
95sy.com..170.178.171.31 spxwj.com..170.178.171.31 817zs.cn..170.1
<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:36:58 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.
31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.c
om..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 k
kk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214
my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.17
8.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.
com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com.
.170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 
VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.co
m..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.1
71.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11
moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.c
om..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.3
1 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..
170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.
31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..
170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31
 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com
..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.
171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.17
1.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba
.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.117my.cc

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Length: 1308

Content-Type: text/html

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:39:59 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>.....
.......</TITLE>..<META HTTP-EQUIV="Content-Type" Content="tex
t/html; charset=GB2312">..<STYLE type="text/css">..  BODY { f
ont: 9pt/12pt .... }..  H1 { font: 12pt/15pt .... }..  H2 { font: 9pt/
12pt .... }..  A:link { color: red }..  A:visited { color: maroon }..&
lt;/STYLE>..</HEAD><BODY><TABLE width=500 border=0 c
ellspacing=10><TR><TD>..<h1>............</h1&g
t;....................................................<hr>..<
p>................</p>..<ul>..<li>...............
.........................................</li>..<li>......
......................................................................
......</li>..<li>....<a href="javascript:history.back(1
)">....</a>....................</li>..</ul>..<
h2>HTTP .... 404 - ..................<br>Internet ........ (I
IS)</h2>..<hr>..<p>..............................<
;/p>..<ul>..<li>.... <a href="hXXp://go.microsoft.co
m/fwlink/?linkid=8180">Microsoft ............</a>..........&l
dquo;HTTP”..“404”........</li>..<li>....
“IIS ....”...... IIS ...... (inetmgr) ....................
....“........”..“............”..“.......
...........”........</li>..</ul>..</TD><
<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:32 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.
31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.c
om..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 k
kk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214
my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.17
8.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.
com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com.
.170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 
VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.co
m..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.1
71.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11
moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.c
om..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.3
1 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..
170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.
31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..
170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31
 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com
..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.
171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.17
1.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba
.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:33 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.
31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.c
om..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 k
kk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214
my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.17
8.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.
com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com.
.170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 
VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.co
m..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.1
71.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11
moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.c
om..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.3
1 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..
170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.
31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..
170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31
 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com
..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.
171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.17
1.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba
.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>

GET /jc/hostjc.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.gxnkw.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 5537

Content-Type: text/plain

Last-Modified: Thu, 05 Jan 2017 14:07:24 GMT

Accept-Ranges: bytes

ETag: "b05a1ba5d67d21:22a0"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 19 Jan 2017 00:37:37 GMT
170.178.171.31 VVV.176cc.cc..170.178.171.31 VVV.52my.com..170.178.171.
31 VVV.crsky.com..170.178.171.31 crsky.com..170.178.171.31 VVV.901my.c
om..170.178.171.31 901my.com..170.178.171.31 moyu.so..170.178.171.31 k
kk.dstfkj.com.cn..170.178.171.31 dstfkj.com.cn..170.178.171.31 VVV.214
my.com..170.178.171.31 VVV.h360k.com..170.178.171.31 h360k.com..170.17
8.171.31 rsivy.pw..170.178.171.31 214my.com..170.178.171.31 VVV.270my.
com..170.178.171.31 360.chihuo0517.com..170.178.171.31 chihuo0517.com.
.170.178.171.31 270my.com..170.178.171.31 VVV.moyu.so..170.178.171.31 
VVV.hwkam.com..170.178.171.31 178stu.com..170.178.171.31 VVV.178stu.co
m..170.178.171.31 hwkam.com..170.178.171.31 VVV.5917wan.com..170.178.1
71.31 VVV.delifs.com..170.178.171.31 delifs.com..170.178.171.31 VVV.11
moyu.com..170.178.171.31 t2.web.tonnn.com..170.178.171.31 VVV.2828my.c
om..170.178.171.31 2828my.com..170.178.171.31 tonnn.com..170.178.171.3
1 VVV.11my.net..170.178.171.31 VVV.91my.com..170.178.171.31 91my.com..
170.178.171.31 wg.91my.com..170.178.171.31 my.178stu.com..170.178.171.
31 134my.com..170.178.171.31 VVV.134my.com..170.178.171.31 001my.com..
170.178.171.31 VVV.910my.com..170.178.171.31 910my.com..170.178.171.31
 VVV.901my.com..170.178.171.31 901my.com..170.178.171.31 VVV.6moyu.com
..170.178.171.31 110moyu.com..170.178.171.31 VVV.110moyu.com..170.178.
171.31 dl.pconline.com.cn..170.178.171.31 VVV.moyushou.com..170.178.17
1.31 pconline.com.cn..170.178.171.31 VVV.52z.com..170.178.171.31 wanba
.baidu.com..170.178.171.31 VVV.99sfmy.com..170.178.171.31 VVV.myco
<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:23 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d2049b01a660478030f630d1690d5c2f91484786423; expires=Fri, 19-Jan-18 00:40:23 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT

Expires: Sun, 22 Jan 2017 21:33:38 GMT

ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c2d86d8405c-SOF
0..........0..... .....0......0...0.......M........u....%...G..2017011
8213338Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
...s;..{..E......20170118213338Z....20170122213338Z0...*.H............
.JA....vU.........q.:Z.......Oj..6T..mZ3...k%..S7`\.. ..i(.|.[.}... }i
.....N.......0D.*bO.UY..`...!0... .0y.s.........~.aR...3....0k?g......
....C.....U...r..:C?.N'F~..l.....MW.Iw.?.?..k3.4.~V.... b=x/&.u.7.....
....a...8.....\5..>..q..1.....AtLO/..m....B.hI....K0..G0..C0.. ....
...q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-
sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20..
.161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSign nv-
sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Validation
 CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C.
.0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.......
..u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V
..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~
..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U..
.....M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0..
....0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com
/repository/0...U...........0...U.%..0... .......0...*.H..............
H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'..1."..
....3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...||.V...
.K..L...dX...a....6'..U..G....A;..........4K...........k.B].s.3...
<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBisczuS0Hu180XFAA== HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 18 Jan 2017 21:33:38 GMT

If-None-Match: "3b988710a19508382f2e4d9507fbb592efa91e39"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 304 Not Modified

Date: Thu, 19 Jan 2017 00:40:27 GMT

Connection: keep-alive

Set-Cookie: __cfduid=dd9e2eab346214fdd619c23747ca55b821484786427; expires=Fri, 19-Jan-18 00:40:27 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT

Expires: Sun, 22 Jan 2017 21:33:38 GMT

ETag: "3b988710a19508382f2e4d9507fbb592efa91e39"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c44618a405c-SOF
HTTP/1.1 304 Not Modified..Date: Thu, 19 Jan 2017 00:40:27 GMT..Connec
tion: keep-alive..Set-Cookie: __cfduid=dd9e2eab346214fdd619c23747ca55b
821484786427; expires=Fri, 19-Jan-18 00:40:27 GMT; path=/; domain=.glo
balsign.com; HttpOnly..Last-Modified: Wed, 18 Jan 2017 21:33:38 GMT..E
xpires: Sun, 22 Jan 2017 21:33:38 GMT..ETag: "3b988710a19508382f2e4d95
07fbb592efa91e39"..Cache-Control: public, no-transform, must-revalidat
e..CF-Cache-Status: HIT..Server: cloudflare-nginx..CF-RAY: 32363c44618
a405c-SOF......


GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDGlwEnDh1Wq84Ev4Sw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:40 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d995cc79ed802be9825730749a8dec62d1484786440; expires=Fri, 19-Jan-18 00:40:40 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 23:26:57 GMT

Expires: Sun, 22 Jan 2017 23:26:57 GMT

ETag: "ce2c9bab38408c822469b28825da8da8a11ff254"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c9250bb405c-SOF
0..........0..... .....0......0...0.......M........u....%...G..2017011
8232657Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.ip.p..j..K.K....20170118232657Z....20170122232657Z0...*.H............
.uO.5......./w;3.....3.J.n...E.....j.i..'...?.n>..J..l.sa......./..
..@.z..Qh.cc..l[...q.W ...g%.....o...f..."....9..;v_.n..m..!...f@.M...
!.Yu.L3'C.6'......saI.G.d'B..b.u.H......_....m.f.Z.....g...DHY.z.O[.|U
[o..#.O....0<....h....>...}..m..s....O..........8t...K0..G0..C0.
. .......q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSi
gn nv-sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 -
 G20...161124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSi
gn nv-sa1.0...U....2016112411281M0K..U...DGlobalSign Organization Vali
dation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.....
....C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.
........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l..
.P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;..
...n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0
...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0... ..
...0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsi
gn.com/repository/0...U...........0...U.%..0... .......0...*.H........
......H.....C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'.
.1."......3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...|
|.V....K..L...dX...a....6'..U..G....A;..........4K...........k.B].
<<< skipped >>>

GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:51 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d56bb1059e2865a2d42351fb11199ebd51484786451; expires=Fri, 19-Jan-18 00:40:51 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 23:28:53 GMT

Expires: Sun, 22 Jan 2017 23:28:53 GMT

ETag: "0db1f4e8f454c9f557e61810f001e1875842e319"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363cdcc475405c-SOF
0..........0..... .....0......0...0.......M........u....%...G..2017011
8232853Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.EK.....L........20170118232853Z....20170122232853Z0...*.H............
...g..N.MF......T..e.2..[1...=i.. .. 9O....v:{.$....1......g......K.F.
..!6.~....j#u....*P..U.....$.?. .b.w..m..E.k..X..o7...#.GC...l.;j%...K
....v.=.3A...~1.j..f9s.9......b...1.x.x..3...N'......AQF...b.Z.P...v/.
........[.'....3.[h~..l/5.X...3......9.....gX.....K0..G0..C0.. .......
q..}.dc.j..(0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1
<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...16
1124031843Z..170224031843Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1
.0...U....2016112411281M0K..U...DGlobalSign Organization Validation CA
 - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j
..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u
..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G
..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..W
b.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.....
..M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0.....
.0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/re
pository/0...U...........0...U.%..0... .......0...*.H..............H..
...C.Ie....;.yN.'..../?.T..-T.a..4...n..OW/l....[|..-.i../.'..1.".....
.3[...J.....\@.S.=-p..p......d...>~J.|E0y......!.;.c.,...||.V....K.
.L...dX...a....6'..U..G....A;..........4K...........k.B].s.3...$..
<<< skipped >>>

GET / HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Connection: Keep-Alive

Host: VVV.taobao.com

HTTP/1.1 302 Found

Server: Tengine

Date: Thu, 19 Jan 2017 00:40:40 GMT

Content-Type: text/html

Content-Length: 258

Connection: keep-alive

Location: hXXps://VVV.taobao.com/

Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 19-Jan-18 00:40:40 GMT;

Strict-Transport-Security: max-age=31536000
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>302 Found</title></head>..<b
ody bgcolor="white">..<h1>302 Found</h1>..<p>The 
requested resource resides temporarily under a different URI.</p>
;..<hr/>Powered by Tengine</body>..</html>..HTTP/1.1
 302 Found..Server: Tengine..Date: Thu, 19 Jan 2017 00:40:40 GMT..Cont
ent-Type: text/html..Content-Length: 258..Connection: keep-alive..Loca
tion: hXXps://VVV.taobao.com/..Set-Cookie: thw=ua; Path=/; Domain=.tao
bao.com; Expires=Fri, 19-Jan-18 00:40:40 GMT;..Strict-Transport-Securi
ty: max-age=31536000..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0/
/EN">..<html>..<head><title>302 Found</title&g
t;</head>..<body bgcolor="white">..<h1>302 Found<
/h1>..<p>The requested resource resides temporarily under a d
ifferent URI.</p>..<hr/>Powered by Tengine</body>..&
lt;/html>....

GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1

Cache-Control: max-age = 10800

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT

If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 19 Jan 2017 00:40:18 GMT

Content-Type: application/ocsp-response

Content-Length: 1518

Connection: keep-alive

Set-Cookie: __cfduid=dd5230a5dbbbba995e31d3feeb730dd801484786418; expires=Fri, 19-Jan-18 00:40:18 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT

Expires: Sun, 22 Jan 2017 22:23:23 GMT

ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"

Cache-Control: max-age=10800,public,no-transform,must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32363c0ba4004056-SOF
0..........0..... .....0......0...0...........%r2.]&.iO.).*V...2017011
8222323Z0n0l0D0... .........W......#....*..2..1..`{f.E....P/}..4....K.
.......DN.BG....20170118222323Z....20170122222323Z0...*.H.............
.f.......XA..... ..e..p:....:..........h.L.!...c.....[.@.mF.....L....v
c.....=.....&...G....w..~J..........NGk...pl...8.6.&4-...Gy.......$..0
....De../...u@..y.p}Kw.G.$.P...a....9..PD.4Gx[a}...%7...`...o..^g.Y.&l
t;.w=..:..../...G').o4.F;_~..;v{..cA...tzU.q....x....0...0...0........
..H....9...S....0...*.H........0W1.0...U....BE1.0...U....GlobalSign nv
-sa1.0...U....Root CA1.0...U....GlobalSign Root CA0...161208000000Z..1
70415000000Z0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...(Globa
lSign OCSP for Root R1 - Signer 1.10.."0...*.H.............0..........
b.Q........@....2Y_y%..0..I.S.....-.$=DZ.xx>..4...d.i&....:eh.....,
.M.......R..... .P..L.].J.....\oe.G...=....>.e.>.....!.......;.J
....,..............U.S..2.r..G.w..0~...F....P.n..#...i...?J.Bd(6.&3.C.
.%.]... ...f...q..0.f.........S....2H`.b..T`.O.....l.........0..0...U.
..........0...U.%..0... .......0...U.......0.0...U...........%r2.]&.iO
.).*V.0...U.#..0...`{f.E....P/}..4....K0... .....0......0L..U. .E0C0A.
. .....2._0402.. ........&hXXps://VVV.globalsign.com/repository/0...*.
H..............~.s..uk..\....)K.8p\..,.......d..V\..n.. ....u...m..:.c
b-.'....."......K2.Z.....7./y.[_.........x.(_Zf<.....9.@...s..KjP..
.U0.S..8eU.K..N.M......;...P..u...m.f..~.U.....5.? ...!z...\..B..y-t..
.%...{C.5.".zO.......C...S.d...g....N..I..i[.y..PfAr.t..W.$#..u
<<< skipped >>>

GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1

Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 18 Jan 2017 22:23:23 GMT
If-None-Match: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com


HTTP/1.1 304 Not Modified
Date: Thu, 19 Jan 2017 00:40:22 GMT
Connection: keep-alive
Set-Cookie: __cfduid=d2e82d71249719d20589d01ed4e4b9b3c1484786422; expires=Fri, 19-Jan-18 00:40:22 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT
Expires: Sun, 22 Jan 2017 22:23:23 GMT
ETag: "2e9ad832313d6be8aa684e9216f27afcf7f1b502"
Cache-Control: max-age=10800,public,no-transform,must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 32363c2325894056-SOF
HTTP/1.1 304 Not Modified..Date: Thu, 19 Jan 2017 00:40:22 GMT..Connec
tion: keep-alive..Set-Cookie: __cfduid=d2e82d71249719d20589d01ed4e4b9b
3c1484786422; expires=Fri, 19-Jan-18 00:40:22 GMT; path=/; domain=.glo
balsign.com; HttpOnly..Last-Modified: Wed, 18 Jan 2017 22:23:23 GMT..E
xpires: Sun, 22 Jan 2017 22:23:23 GMT..ETag: "2e9ad832313d6be8aa684e92
16f27afcf7f1b502"..Cache-Control: max-age=10800,public,no-transform,mu
st-revalidate..CF-Cache-Status: HIT..Server: cloudflare-nginx..CF-RAY:
 32363c2325894056-SOF..


GET /images/new.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 3803
Content-Type: application/x-javascript
Last-Modified: Tue, 28 Jul 2015 08:19:44 GMT
Accept-Ranges: bytes
ETag: "0d08028ec9d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:38 GMT
function getDate2(){ ...var d = new Date(); ...var year = d.getYear();
 ...var month = d.getMonth() 1; ...var date = d.getDate(); ...return m
onth "../" date "../"; ..}..var hourX;..var openTime = getDate2();..no
w = new Date()..hour = now.getHours()..hourX=now.getHours()..mi = now.
getMinutes()..hour =hour "." mi..if (hourX==0&mi<30) {..openTime  =
 ("00..00......")..}else if (hour < 0.9&&hourX==0){..openTime  = ("
00..30......")..} else if (hourX <= 1&&hour < 2&&mi<=30){..op
enTime  = ("01..00......")..} else if (hour > 1.3&&hour < 2&&mi&
gt;=30){..openTime  = ("01..30......")..} else if (hour >= 2&&hour 
< 3&&mi<=30){..openTime  = ("02..00......")..} else if (hour >
; 2.3&&hour < 3&&mi>=30){..openTime  = ("02..30......")..} else 
if (hour >= 3&&hour < 4&&mi<=30){..openTime  = ("03..00......
")..} else if (hour > 3.3&&hour < 4&&mi>=30){..openTime  = ("
03..30......")..} else if (hour >= 4&&hour < 5&&mi<=30){..ope
nTime  = ("04..00......")..} else if (hour > 4.3&&hour < 5&&mi&g
t;=30){..openTime  = ("04..30......")..} else if (hour >= 5&&hour &
lt; 6&&mi<=30){..openTime  = ("05..00......")..} else if (hour >
 5.3&&hour < 6&&mi>=30){..openTime  = ("05..30......")..} else i
f (hour >= 6&&hour < 7&&mi<=30){..openTime  = ("06..00......"
)..} else if (hour > 6.3&&hour < 7&&mi>=30){..openTime  = ("0
6..30......")..} else if (hour >= 7&&hour < 8&&mi<=30){..open
Time  = ("07..00......")..} else if (hour > 7.3&&hour < 8&&m
<<< skipped >>>

GET /images/Index_c1_r5.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 1166
Content-Type: image/jpeg
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:39 GMT
......Exif..II*.................Ducky.......F.....*hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c01
4 79.151481, 2013/03/13-12:09:15        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpM
M:InstanceID="xmp.iid:5CF6ADCEFD1411E2AEB7ECB561BB81DC" xmpMM:Document
ID="xmp.did:5CF6ADCFFD1411E2AEB7ECB561BB81DC"> <xmpMM:DerivedFro
m stRef:instanceID="xmp.iid:5CF6ADCCFD1411E2AEB7ECB561BB81DC" stRef:do
cumentID="xmp.did:5CF6ADCDFD1411E2AEB7ECB561BB81DC"/> </rdf:Desc
ription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&
gt;....Adobe.d........................................................
......................................................................
...................................W..................................
............................Qa.................................?..j,..
..5.(...B....Ru.5....F..M..?..HTTP/1.1 200 OK..Content-Length: 1166..C
ontent-Type: image/jpeg..Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT.
.Accept-Ranges: bytes..ETag: "08c919cd3b3d01:3fe"..Server: Microsoft-I
IS/6.0..X-Powered-By: ASP.NET..Date: Thu, 19 Jan 2017 00:39:39 GMT....
....Exif..II*.................Ducky.......F.....*hXXp://ns.adobe.c
<<< skipped >>>

GET /logo.jpg HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/index1.htm
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 30031
Content-Type: image/jpeg
Last-Modified: Fri, 06 Jan 2017 05:34:02 GMT
Accept-Ranges: bytes
ETag: "fefcb7cde67d21:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:37 GMT
......JFIF.....H.H.....mExif..II*...........................b.........
..j...(...........1.......r...2...........i....................'......
.'..Adobe Photoshop CS3 Windows.2013:12:19 19:12:33.............0220..
..............................[...............................*.......
....2...(...................:........... .......H.......H.............
JFIF.....H.H......Adobe_CM......Adobe.d...............................
......................................................................
................................................."................?...
......................................................................
.3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE..t6..U.e...
..u..F'...............Vfv........7GWgw........................5.....!1
..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te......u..F...
............Vfv........'7GWgw.................?.......0..Le....6..[...
o,g..Sw..z.M...g../.V,x.|V.G.x.e..>.a....4.Yo.Ag.....u.............
...V...F.h|Xct\#...Y.&.Z.Z .s?F.m5_U..s...o~.?.......&.../..a.n.......
{..S*.%...6...#......I.o..HX...a.UV3..kc,>...e.....-..m........o...
j...6..k...|;..}Ce..o.k...........'.....,.$....>^........O.....W...
..2..Z.S=..e.m....]Tz.v.V.5=..,......{.......g.o........~......o^.y...
.n....,....<>)k..UnE....5......S..gIt.S.....1.........o....""8.K
..Z....rp.....^..].<.G.......Qaa{'l.G..w...}...6f>P...FM..T.f...
....E.....Y...3....5..!.<D..x:.A...=....Kt..5..e.....F.xD...Ci|....
.2A.s.E..{..h;.h$.........?.Z.......q.@=....LR.........P..Z.eo..D.
<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.92117my.com
Connection: Keep-Alive
Cookie: CNZZDATA1255675994=993092947-1484785024-null|1484785024


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:40:00 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>.....
.......</TITLE>..<META HTTP-EQUIV="Content-Type" Content="tex
t/html; charset=GB2312">..<STYLE type="text/css">..  BODY { f
ont: 9pt/12pt .... }..  H1 { font: 12pt/15pt .... }..  H2 { font: 9pt/
12pt .... }..  A:link { color: red }..  A:visited { color: maroon }..&
lt;/STYLE>..</HEAD><BODY><TABLE width=500 border=0 c
ellspacing=10><TR><TD>..<h1>............</h1&g
t;....................................................<hr>..<
p>................</p>..<ul>..<li>...............
.........................................</li>..<li>......
......................................................................
......</li>..<li>....<a href="javascript:history.back(1
)">....</a>....................</li>..</ul>..<
h2>HTTP .... 404 - ..................<br>Internet ........ (I
IS)</h2>..<hr>..<p>..............................<
;/p>..<ul>..<li>.... <a href="hXXp://go.microsoft.co
m/fwlink/?linkid=8180">Microsoft ............</a>..........&l
dquo;HTTP”..“404”........</li>..<li>....
“IIS ....”...... IIS ...... (inetmgr) ....................
....“........”..“............”..“.......
...........”........</li>..</ul>..</TD><
<<< skipped >>>

GET /host.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.92117my.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 5219
Content-Type: text/html
Last-Modified: Fri, 13 Jan 2017 12:48:11 GMT
Accept-Ranges: bytes
ETag: "9ebc6c4c9b6dd21:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:33 GMT
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html
 xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http
-equiv="Content-Type" content="text/html; charset=utf-8" />..<ti
tle>......117................................................</t
itle>..<meta name="keywords" content="......sf,.................
.,117......" />..<meta name="description" content="117......sf..
......................................................................
......................................................................
....." />..<style type="text/css">..body{color:#175095;paddin
g:8px 0;background:#333;}..a{color:#175095;text-decoration:none;}..a:l
ink{color:#175095;text-decoration:none;}..a:hover{color:#e00;text-deco
ration:none;}..*{padding:0;margin:0;font-size:14px;font-family:'Micros
oft Yahei','Lucida Grande',Helvetica,Arial,sans-serif;}..#w{width:1002
px;margin:0 auto;padding:8px;background:#fff;-moz-border-radius:3px;-w
ebkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 0 8px #
000000;-moz-box-shadow:0 0 8px #000000;box-shadow:0 0 8px #000000;}..#
logo{height:91px;background:url(logo.jpg) no-repeat;}..#d{margin-top:8
px;}..#d table{border-spacing:1px;width:100%;background:#e3f3fe;border
:1px solid #95bcd6;}..#d table tr:hover{background:#fff;}..#d td{paddi
ng:10px;line-height:15px;text-align:center;border:1px solid #95bcd6;ov
erflow:hidden;white-space:nowrap;}..#k{margin-top:8px;border-top:1
<<< skipped >>>

GET /?business&un=5182235367&from=prin HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: passport.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/html
Date: Thu, 19 Jan 2017 00:40:02 GMT
P3p: CP=" OTI DSP COR IVA OUR IND COM "
Server: Apache
Set-Cookie: BAIDUID=BB091D280D8BB9A4DA1BF274DD690B70:FG=1; expires=Fri, 19-Jan-18 00:40:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Tracecode: 24029743220283886346011908
Tracecode: 24029743220703316746011908
Vary: Accept-Encoding
Vary: Accept-Encoding
Transfer-Encoding: chunked
978..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<htm
l xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head>.<meta http-
equiv="Content-Type" content="text/html; charset=utf-8" />.<titl
e>........................_5182235367</title>.<link rel="s
tylesheet" href="/style/v2/info.css?t=20100901" type="text/css" media=
"all" />.<script type="text/javascript" src="/js/center_accountb
ind.js?t=20100901"></script>.<script type="text/javascript
" src="/js/business.js?t=20100901"></script>.<script langu
age="javascript">.      document.domain = "baidu.com";.      window
.hasSpace = '';.      var tabinfo = initTabInfo('5182235367');.      v
ar ab=gethash(1);.      if(ab>0 && ab<tabinfo.length).      {.  
       if(tabinfo[ab][2]=="_blank").         {.            window.loca
tion=tabinfo[ab][0];.         }.      }.      function fixImgSize(img)
{...  var width = img.offsetWidth;...  var height = img.offsetHeight;.
..  if( width>78 ){...      width>height?( img.style.width='78px
' ):( img.style.height='78px' );...  }else if( height>78 ){...     
 img.style.height='78px';...  }..  }.    </script>.</head>
.<body onLoad="javascript:chgdeftab(0);">.                      
                  <div class="wrapper">.<noscript>.<p c
lass="nojs">.......................................................
.............................</p>.</noscript>.<div 
<<< skipped >>>

GET /images/xx.css HTTP/1.1
Accept: text/css
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 3604
Content-Type: text/css
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:38 GMT
..BODY {...FONT-SIZE: 9pt; COLOR: #222; FONT-FAMILY: "....", Arial, He
lvetica, sans-serif..}..TD {...FONT-SIZE: 9pt; COLOR: #222; FONT-FAMIL
Y: "....", Arial, Helvetica, sans-serif..}..TH {...FONT-SIZE: 9pt; COL
OR: #222; FONT-FAMILY: "....", Arial, Helvetica, sans-serif..}..BODY {
...MARGIN: 0px; BACKGROUND-COLOR: #EDECF5..}..A:link {...FONT-SIZE: 9p
t; COLOR: #222; FONT-FAMILY: "....", Arial, Helvetica, sans-serif; TEX
T-DECORATION: none..}..A:visited {...FONT-SIZE: 9pt; COLOR: #222; FONT
-FAMILY: "....", Arial, Helvetica, sans-serif; TEXT-DECORATION: none..
}..A:active {...FONT-SIZE: 9pt; COLOR: #222; FONT-FAMILY: "....", Aria
l, Helvetica, sans-serif; TEXT-DECORATION: none..}..A:hover {...FONT-S
IZE: 9pt; COLOR: #cc0000; FONT-FAMILY: "...."; TEXT-DECORATION: underl
ine..}..A.NavT:link {...FONT-SIZE: 9pt; COLOR: #ffffff; FONT-FAMILY: "
...."; TEXT-DECORATION: none..}..A.NavT:visited {...FONT-SIZE: 9pt; CO
LOR: #ffffff; FONT-FAMILY: "...."; TEXT-DECORATION: none..}..A.NavT:ac
tive {...FONT-SIZE: 9pt; COLOR: #ffffff; FONT-FAMILY: "...."; TEXT-DEC
ORATION: none..}..A.NavT:hover {...FONT-SIZE: 9pt; COLOR: #ffff00; FON
T-FAMILY: "...."; TEXT-DECORATION: underline..}...tb_border {...BORDER
-RIGHT: #009acb 1px solid; BORDER-TOP: #009acb 1px solid; BORDER-LEFT:
 #009acb 1px solid; BORDER-BOTTOM: #009acb 1px solid..}...T_t_b {...BO
RDER-RIGHT: 1px solid #990000; BORDER-LEFT: 1px solid #990000}...Top_g
uanggao {...BORDER-TOP: 1px solid #990000; BORDER-LEFT: 1px solid #990
000}...Top_guanggao_td {...BORDER-RIGHT: 1px solid #990000; BORDER
<<< skipped >>>

GET /Images/Index_bottom.jpg HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.92117my.com/game.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.92117my.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 17599
Content-Type: image/jpeg
Last-Modified: Wed, 01 Jul 2015 07:57:44 GMT
Accept-Ranges: bytes
ETag: "08c919cd3b3d01:3fe"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 19 Jan 2017 00:39:39 GMT
......Exif..II*.................Ducky.......F.....*hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c01
4 79.151481, 2013/03/13-12:09:15        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpM
M:InstanceID="xmp.iid:77946C53FD1411E2A6E0C1445DB6A2D7" xmpMM:Document
ID="xmp.did:77946C54FD1411E2A6E0C1445DB6A2D7"> <xmpMM:DerivedFro
m stRef:instanceID="xmp.iid:77946C51FD1411E2A6E0C1445DB6A2D7" stRef:do
cumentID="xmp.did:77946C52FD1411E2A6E0C1445DB6A2D7"/> </rdf:Desc
ription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&
gt;....Adobe.d........................................................
......................................................................
...................Z..................................................
.......................................!Qa....1A.."2R..S..q....Bb#347.
.r.G.......Cc.6.D5..$TF........................!a1A...Q."23q....B.C...
....br............?...[dI..R......1..........U.../y..D....."DP^eC."(/2
......P.H....r$E..T9."..*...Ay..D....."DP^eC."(/2......P.H....r$E..T9.
"..*...Ay..D....."DP^eC."(/2......P.H....r$E..T9."..*...Ay..D....."DP^
eC."(/2......P.H....r$E..T9."..*...Ay..D....."DP^eC."(/2......P.H.
<<< skipped >>>

GET /jc/hostjc.txt?WebShieldDRSessionVerify=EMGc17Wrs9kjNC7K8XBq HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.gxnkw.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Safedog/4.0.0
Location: /jc/hostjc.txt
Content-Length: 0
Connection: Close
Content-Type: text/html

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

user32.dll

Kernel32.dll

ws2_32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xfjct

hXXp://ip.qq.com/

@Windows 2000

@Windows Server 2003

@Windows Vista

@Windows 7

@Windows 8

00-00-00-00-00-00

%System%\host.txt

%System%\drivers\etc\hosts

hXXp://passport.baidu.com/?business&un=5182235367&from=prin#0

340046815

hXXp://VVV.gxnkw.com/jc/tongji.txt

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

icmp.dll

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

X-X-X-X-X-X

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

right-curly-bracket

left-curly-bracket

0123456789

C:\Windows\svchost.exe

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING

A.AQAtA

(*.*)

1.0.0.0

svchosl.exe_3732:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

kernel32.dll

user32.dll

OLEACC.DLL

Kernel32.dll

ws2_32.dll

EnumChildWindows

EnumWindows

WebBrowser

%System%\gjzbjclb.txt

%System%\gjzjclb.txt

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xff

hXXp://

hXXp://passport.baidu.com/?business&un=5182235367&from=prin#0

340046815

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xf1

hXXp://ip.qq.com/

@Windows 2000

@Windows Server 2003

@Windows Vista

@Windows 7

@Windows 8

00-00-00-00-00-00

Chrome_WidgetWin_100

liebao.exe

maxthon.exe

360se.exe

2345Explorer.exe

MozillaWindowClass

firefox.exe

hao123Juzi.exe

SogouExplorer.exe

QQBrowser.exe

Chrome_WidgetWin_1

opera.exe

TaoBrowser.exe

TangoWeb.exe

TheWorld.exe

UCBrowser.exe

{7597C4B1-F62C-4e83-A35F-8B69C8779DC1}

baidubrowser.exe

360chrome.exe

TTraveler.exe

chrome.exe

vary.exe

Chrome_OmniboxView

f1browser.exe

went.exe

miniie.exe

Windows Internet Explorer_Frame

cpopmus32ex.exe

crowd.exe

slowt32ex.exe

Maxthon3Cls_MainFrmMsg

SmartUI.Win32.Edit

TT_WebCtrl

wscript.shell

SendKeys

hXXp://VVV.gxnkw.com/jc/tongji.txt

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSH_SCROLL_LINES_MSG

MSWHEEL_ROLLMSG

ole32.dll

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

GetKeyboardLayout

VkKeyScanExA

keybd_event

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

X-X-X-X-X-X

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

right-curly-bracket

left-curly-bracket

0123456789

hXXp://VVV.92117my.com/host.htmly

C:\Windows\svchosl.exe

#include "l.chs\afxres.rc" // Standard components

..a.OO

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

(*.*)

1.0.0.0

svchostlsp.exe_3736:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

^}•0DN

u$SShe

kernel32.dll

user32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xff

C:\Windows\twain_32\config\ESPI11.dll

C:\Windows\twain_32\config

.inidata

@.reloc

CNotSupportedException

CCmdTarget

commctrl_DragListMsg

COMCTL32.DLL

__MSVCRT_HEAP_SELECT

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

COMCTL32.dll

GetCPInfo

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

WINSPOOL.DRV

comdlg32.dll

SHELL32.dll

SWNPM.dll

.PAVCException@@

.PAVCArchiveException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

>$>(>,>0>4>8><>@>

0F0g0m0

<"<=<^<~<

9$9(9,90989

<0=4=8=<=

%System%\addressoftext.inscan

hXXp://20140507.ip138.com/ic.asp

z>Windows 2000

@Windows XP

@Windows Server 2003

@Windows Vista

@Windows 7

@Windows 8

@127.0.0.1

hXXp://VVV.gxnkw.com/jc/tongji.txt

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

GetProcessHeap

WinExec

GetViewportOrgEx

WINMM.dll

RegCreateKeyA

RegDeleteKeyA

RegCreateKeyExA

RegEnumKeyA

RegOpenKeyA

ShellExecuteA

ole32.dll

OLEAUT32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

CreateDialogIndirectParamA

GetViewportExtEx

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

%s\ESPI%d.dll

hXXp://dywt.com.cn

service@dywt.com.cn

 86(0411)88995834

 86(0411)88995831

Windows

(ESPINN.dll(NN

This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info

CallerInfoCopyCmd

SetIPPort

GetIPPort

"C:\Windows\System32\ESPI11.dll"

ProviderInstallCopyCmd

SockDataCopyCmd

SockAddrCopyCmd

enetintercept_fnSockAddrSetIPPort

enetintercept_fnSockAddrGetIPPort

enetintercept_fnInstallCopyCmd

enetintercept_fnSockDataCopyCmd

enetintercept_fnSockAddrCopyCmd

enetintercept_fnCallerInfoCopyCmd

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCResourceException@@

.PAVCUserException@@

zcÁ

18201869647.com:88

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe

#include "l.chs\afxres.rc" // Standard components

555455###

1, 1, 0, 0

ESPI11.dll

(*.*)

1.0.0.0

iexplore.exe_1924:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

6user32.dll

Kernel32.DLL

6xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_1548:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

6user32.dll

Kernel32.DLL

6xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

SearchFilterHost.exe_3408:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

SearchProtocolHost.exe_1908:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   svchostlsp.exe:3736
   %original file name%.exe:452
   117my.exe:2736
   117my.exe:944
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Windows\twain_32\config\ESPI11.dll (244 bytes)
   C:\Windows\System32\addressoftext.inscan (1 bytes)
   C:\Windows\System32\ESPI11.dll (723 bytes)
   C:\Windows\svchost.exe (12649 bytes)
   C:\Windows\117my.exe (7296 bytes)
   C:\Windows\117my.com.bat (258 bytes)
   C:\Windows\Game.ico:Zone.Identifier (26 bytes)
   C:\Windows\svchosl.exe (8713 bytes)
   C:\Windows\117my.skn (2160 bytes)
   C:\Users\"%CurrentUserName%"\Desktop\117魔域7.1.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YBU4WGCW.txt (103 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\host[1].htm (775 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.exe (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\svchostlsp.exe (1948 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\JpHrc.txt (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Mag.dat (101 bytes)
   C:\Windows\System32\drivers\etc\hosts (39 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\Repairdata.txt (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\117my.skn (62 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\117my.ini (28 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temp\Data\iat.dll (89 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "xf1" = "C:\Windows\svchosl.exe /start"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.