Gen.Variant.Zusy.198704_c3a7e615f0

by malwarelabrobot on May 25th, 2017 in Malware Descriptions.

Gen:Variant.Zusy.198704 (BitDefender), Trojan:Win32/Tonmye (Microsoft), not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader23.29795 (DrWeb), Gen:Variant.Zusy.198704 (B) (Emsisoft), Artemis!C3A7E615F059 (McAfee), SMG.Heur!gen (Symantec), Trojan.Win32.Tonmye (Ikarus), Gen:Variant.Zusy.198704 (FSecure), Generic37.CEQS (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R02LC0EEA17 (TrendMicro), Gen:Variant.Zusy.198704 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Adware, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c3a7e615f0591bf2f2992cd4a8c84524
SHA1: 0ca8185005ded5bf72efe1ab3c10daff8fda468b
SHA256: e2f84324602b4e60cc964c8b65a9b320fe0a28e615825f5263e9395230be1f27
SSDeep: 24576:8GtDMcJWBnqvN541GjfBCZjJ2KldVMsnvivy5E26pl8s6dc:dtDZvc1AfBCui6sqlWdc
Size: 1009216 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2016-06-29 12:01:00
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

zg.exe:3960
%original file name%.exe:2372

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process zg.exe:3960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):


The process %original file name%.exe:2372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\zg\zg.exe (1186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7521309489.exe (9 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4553617409\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4553617409\TemporaryFile\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4553617409 (0 bytes)

Registry activity

The process zg.exe:3960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1467083507"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\zg_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "zg.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process %original file name%.exe:2372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c3a7e615f0591bf2f2992cd4a8c84524_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
939e5eebf7d75f8ae975773213795033 c:\Program Files\zg\zg.exe
a2e75df4044dfea2e5d8d2c0a6b15be8 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\7521309489.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description:
Comments: ??????????(http://www.dywt.com.cn)
Language: English (United States)

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text    4096              847872         321024     5.54466   5eab07d04b72cfe4b3b9a09bd7dade08
.rdata   851968            704512         631296     5.54431   6d2064b330fe417c42b564932199cbd8
.data    1556480           155648         21504      5.51417   ff59fa4ade7533bdb1a390c4bbd2e548
.rsrc    1712128           32768          2560       3.47168   d09bbdaea6a1fc1ea3573608b66b8068
.        1744896           32768          31744      3.21821   ccf2a40c0f5936d5d67d163a8f0a6ddc
.adata   1777664           4096           0          0         d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Wed, 24 May 2017 04:40:48 GMT
Etag: "200c0-f1d-550377b150dca"
Last-Modified: Tue, 23 May 2017 21:15:01 GMT
Server: ECS (fcn/418B)
X-Cache: HIT
Content-Length: 3869

<<< skipped >>>

GET /yxcom/;js;lib;jquery.cookie/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:11 GMT
Date: Thu, 18 May 2017 13:02:11 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 771
Last-Modified: Mon, 15 May 2017 08:10:44 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou190:5 (Cdn Cache Server V2.0), 1.1 db78:9 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /yxcom/;js;common;/vplan;vplan,jquery_slider,radialIndicator,jquery.pagination,winbox,copy-text,jquery.tinyscrollbar,zone,allneed,template,api,slider/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:12 GMT
Date: Thu, 18 May 2017 13:02:12 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 9983
Last-Modified: Mon, 15 May 2017 07:55:54 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou183:5 (Cdn Cache Server V2.0), 1.1 db77:4 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /ctnca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.crl.certum.pl


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:14 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 456
Connection: keep-alive
Last-Modified: Thu, 18 May 2017 10:51:46 GMT
ETag: "30009-1c8-30e73480"
X-Cached: HIT
Server: NetDNA-cache/2.2
X-Cache: HIT
Accept-Ranges: bytes


GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:09 GMT
Content-Type: application/ocsp-response
Content-Length: 1702
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: axlogin.passport.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.5
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Encoding: gzip

<<< skipped >>>

GET /d/inn/34f0612b/images/common/lab_span.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p9.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Mon, 09 Mar 2026 11:36:07 GMT
Date: Fri, 11 Mar 2016 11:36:07 GMT
Server: nginx
Content-Type: image/png
Content-Length: 1050
Last-Modified: Tue, 22 Dec 2015 04:13:20 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 3206646567 1870590287
Via: 1.1 varnish
X-Varnish-Hits: 1008
X-Varnish-Cache: HIT
Age: 1
X-Via: 1.1 db78:0 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /d/inn/34f0612b/images/login/login_other.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p9.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sat, 01 Nov 2025 09:42:59 GMT
Date: Wed, 04 Nov 2015 09:42:59 GMT
Server: nginx
Content-Type: image/png
Content-Length: 3583
X-Powered-By: PHP/5.4.25
Last-Modified: Fri, 21 Nov 2014 07:25:08 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 213768532 820362844
Via: 1.1 varnish
X-Varnish-Hits: 2618
X-Varnish-Cache: HIT
Age: 1
X-Via: 1.1 fuzhou190:88 (Cdn Cache Server V2.0), 1.1 db78:8 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /d/inn/34f0612b/images/login/login_ico.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p9.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:16 GMT
Date: Thu, 18 May 2017 13:02:16 GMT
Server: nginx
Content-Type: image/png
Content-Length: 3055
Last-Modified: Sat, 07 May 2016 17:57:45 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 3631332913 3607965127
Via: 1.1 varnish
X-Varnish-Hits: 14
X-Varnish-Cache: HIT
Age: 1
X-Via: 1.1 fuzhou185:2 (Cdn Cache Server V2.0), 1.1 db77:1 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /combine/Cookie.swf?Ver=1.0 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.youxi.com/swf/FCT.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.yx-g.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Thu, 25 May 2017 04:40:20 GMT
Date: Wed, 24 May 2017 04:40:20 GMT
Server: nginx
Content-Type: application/x-shockwave-flash
Content-Length: 15955
Last-Modified: Fri, 27 Jun 2014 10:44:30 GMT
ETag: "53ad4b0e-3e53"
Cache-Control: max-age=86400
Accept-Ranges: bytes
X-Via: 1.1 hdwt42:5 (Cdn Cache Server V2.0), 1.1 db78:8 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /0kee/a.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Wed, 24 May 2017 04:40:11 GMT
Content-Type: text/html
Last-Modified: Fri, 19 May 2017 03:04:17 GMT
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip

<<< skipped >>>

GET /yxcom/;js;/common;appendParamToUrl,lib;monitor_qdas,common;monitor_qdas.extend/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s8.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Thu, 13 May 2027 08:41:58 GMT
Date: Mon, 15 May 2017 08:41:58 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 4351
Last-Modified: Mon, 15 May 2017 07:55:53 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou188:5 (Cdn Cache Server V2.0), 1.1 db78:6 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:03 GMT
Content-Type: application/ocsp-response
Content-Length: 1657
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /static/950f1a12aa560f26.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:07 GMT
Date: Thu, 18 May 2017 13:02:07 GMT
Server: nginx
Content-Type: text/css
Content-Length: 2736
Last-Modified: Wed, 17 Aug 2016 17:06:41 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 jfzh181:10 (Cdn Cache Server V2.0), 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /static/382f2fd94eeeafb9.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:07 GMT
Date: Thu, 18 May 2017 13:02:07 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 17846
Last-Modified: Mon, 06 Mar 2017 11:03:38 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 jfzh181:8 (Cdn Cache Server V2.0), 1.1 db77:9 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /static/bac31a71bc48710d.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s5.qhres.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 16:06:36 GMT
Date: Thu, 18 May 2017 16:06:36 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 33949
Last-Modified: Thu, 06 Apr 2017 12:17:33 GMT
ETag: "58e631dd-849d"
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 iandianxin11:6 (Cdn Cache Server V2.0), 1.1 fuzhou185:1 (Cdn Cache Server V2.0), 1.1 db77:7 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /?callback=jQuery191041567470558817965_1495600794835&src=pcw_wan_youxi&from=pcw_wan_youxi&charset=utf-8&requestScema=http&o=sso&m=info&show_name_flag=1&head_type=b&_=1495600794836 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: login.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:11 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.5
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
8a..  jQuery191041567470558817965_1495600794835({"qid":"","username":"
","nickname":"","login_email":"","userName":"","crumb":"","img_url":""
})..0..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEGzcMzbY/Z/9R/IXXh6Z+8s= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign-ovca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:18 GMT
Content-Type: application/ocsp-response
Content-Length: 1539
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: HIT
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEFRHShYVXovG0R614xcEKoY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign-ovca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:21 GMT
Content-Type: application/ocsp-response
Content-Length: 1539
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: HIT
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /static/e2597d7a33637b4d.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.qhres.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Mon, 22 Mar 2027 03:21:24 GMT
Date: Fri, 24 Mar 2017 03:21:24 GMT
Server: nginx
Content-Type: text/css
Content-Length: 4498
Last-Modified: Thu, 23 Mar 2017 04:03:58 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 zhoudxin82:6 (Cdn Cache Server V2.0), 1.1 db78:8 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /static/js/index.js?r=1495600812 HTTP/1.1
Accept: */*
Referer: hXXp://axlogin.passport.360.cn/ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: axlogin.passport.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:13 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 16905
Last-Modified: Thu, 03 Nov 2016 03:10:18 GMT
Connection: close
Accept-Ranges: bytes
.../**.. * .......................... */..(function(){...var.domainLis
t = [],....time = 1,//................................................
...................timeoutHandler = null,....loginTimeoutHandler = nul
l,....flag_skip = true,....clk_flag = true,....tempDomainNum = 0,....r
d = "",....web_qid = '',....primaryStation = false,....oneUnit = 134,.
...number = 0,....tempN = 0,....acc_msg = "...........................
.....................",....acc_msg_web = "............................
......................................",....timerId, startTime, frameT
ime = 13, dur = 1 * 1000,....s_flag = false,....dire,mleft,src,obj = g
('loginUserList'),....iskeepalive = 1;...src = queryUrl(location.href)
.src ? queryUrl(location.href).src : 'pcw_i360';.../*******...........
.............*****/...if (displayType!="newpic") {....g('loginCheckBox
').onclick = function(e){.....var span = g('iskeepalive');.....var spa
nClassName = span.className;.....if(spanClassName.toString().indexOf("
checked")>-1){......span.className = "checkbox quick-login-common-b
g";......iskeepalive = 0;.....}else{......span.className = "checkbox c
hecked quick-login-common-bg";......iskeepalive = 1;.....}....}...}...
....../*********..................**********/......function queryUrl(u
rl){....var queryStr = location.search.substring(1).split('&'),oneQuer
yStr,args = {};....for(var i in queryStr){.....oneQueryStr = queryStr[
i].split('=');.....if(oneQueryStr[0]&&oneQueryStr[1]&&oneQueryStr[0]==
"src"){......args[oneQueryStr[0]] = (oneQueryStr[1]||'').replace(/

<<< skipped >>>

GET /static/css/index.css?r=1495600818 HTTP/1.1
Accept: */*
Referer: hXXp://axlogin.passport.360.cn/ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: axlogin.passport.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:22 GMT
Content-Type: text/css
Content-Length: 4826
Last-Modified: Thu, 03 Nov 2016 03:10:46 GMT
Connection: close
Accept-Ranges: bytes
a:hover,a {...text-decoration: none;..}..dl,dt,dd,ul,ol,li,h1,h2,h3,h4
,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td,body,div {.
..margin: 0;...padding: 0;..}..body {...color:#333;...font: 12px/1.5 T
ahoma,Helvetica,Arial,'\5b8b\4f53',sans-serif;..}..select,textarea,but
ton,input {...vertical-align: middle;..}..html{overflow-y: scroll;}..o
l,ul {...list-style: none;..}..h3,h4,h5,h6,h1,h2 {...font-size: 100%;.
.}..fieldset,img {...border: 0;...vertical-align: top;..}..table {...b
order-collapse: collapse;...border-spacing: 0;..}..cite,code,dfn,em,th
,var,address,caption {...font-style: normal;...font-weight: 400;..}..a
{...color: #333;...cursor: pointer;..}..a:hover {...color: #0069bd;..
}..#doc {...color: #999;...font:14px "Microsoft Yahei";..}..#mod-quick
-login {...padding: 14px 0 0;..}..#mod-quick-login .tips-text {...marg
in: 0 auto;...width: 100%;...text-align: center;...color: #767676;...f
ont-size: 16px;..}...mod-user-pic-list {...position: relative;...min-h
eight:90px;...height:auto !important;...height:90px;..}...mod-user-pic
-list .user-text-list{...margin-bottom:5px;...margin-left: 110px;..}..
.user-text-list label{...cursor:pointer;..}...quick-login-btn{...margi
n: 10px 0;..}...quick-login-btn a.qtlogin-btn{...height:50px;...width:
252px;...background-position:-5px -5px;...font-size:14px;...font-weigh
t:bold;...color:white;...border-radius:5px;...cursor:pointer;...text-a
lign:center;...line-height:35px;...display:inline-block;..}...quick-lo
gin-btn a.qtlogin-btn:hover{...background-position:-5px -61px;..}.

<<< skipped >>>

GET /5.0.3.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.passport.qihucdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 18 May 2017 10:18:51 GMT
Server: nginx/1.2.9
Content-Type: application/x-javascript; charset=utf-8
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.5
Last-Modified: Thu, 06 Apr 2017 12:22:15 GMT
Cache-Control: max-age=600
Age: 1
X-Via: 1.1 hdwt37:5 (Cdn Cache Server V2.0), 1.1 db77:1 (Cdn Cache Server V2.0)
Connection: keep-alive
c7..document.write('<link type="text/css" rel="stylesheet" href="ht
tp://s6.qhres.com/static/e2597d7a33637b4d.css"/><script charset=
"utf-8" src="hXXp://s5.qhres.com/static/bac31a71bc48710d.js"></s
cript>')..0..


GET /psp_jump_white_list.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/psp_jump.html?fun=QhpassUserData
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.passport.qihucdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 02 Jun 2016 11:15:14 GMT
Server: nginx/1.2.9
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 1088
Last-Modified: Thu, 02 Jun 2016 11:12:33 GMT
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 hdwt39:8104 (Cdn Cache Server V2.0), 1.1 db78:2 (Cdn Cache Server V2.0)
Connection: keep-alive
/**. * ............. */.(function() {..var i;..var reg;..//...........
.................................var filter = [...//.........'^parent.
parent.QHPass.getQuickLoginUserLength$',...'^parent.parent.QHPass.ptLo
gin$',...//v3.........'^window.opener.QHPass.thirdLoginSuccess$',...'^
parent.QHPass.mobileLoginUtils.mobileLoginSuccess$',...'^parent.QHPass
.regUtils.submitCallback$',...'^parent.QHPass.nicknameUtils.submitCall
back$',...'^parent.QHPass.userNameUtils.submitCallback$',...'^parent.Q
HPass.emailUtils.submitCallback$',...'^parent.QHPass.bindCallback$',..
.'^parent.QHPass.loginEmailUtils.sendCB$',...'^parent.QHPass.bindMobil
eUtils.bindMobileSuccess$',...//............'^parent.QHPass.regUtils.s
ubmitCB$',...'^parent.QHPass.setnameUtils.setnameCallback$',...//v5...
......'^QiUserJsonp\\d $'..];...//......true..........................
........................window.validateCallback = function(callback) {
...var flag = true;...for (i = 0; i < filter.length; i ) {....reg
= new RegExp(filter[i], "i");....if (reg.test(callback)) {.....flag =
false;....}...}...return flag;..};.})();

<<< skipped >>>

GET /!8bfa78bb/login.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s5.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:01:59 GMT
Date: Thu, 18 May 2017 13:01:59 GMT
Server: nginx
Content-Type: text/css
Content-Length: 987
Last-Modified: Sat, 06 Aug 2016 06:22:56 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou186:8 (Cdn Cache Server V2.0), 1.1 db77:9 (Cdn Cache Server V2.0)
Connection: keep-alive


GET /yxcom/;js;lib;swfobject/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s5.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:10 GMT
Date: Thu, 18 May 2017 13:02:10 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 3784
Last-Modified: Mon, 15 May 2017 08:10:44 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou183:7 (Cdn Cache Server V2.0), 1.1 db78:2 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /b/weiduan/s/svrlist?pkey=youxi&gkey=mir2&qid=&cid=&lancher=&upver=&_t=0.41104189699071414 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: r.yx-s.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:15 GMT
Content-Type: image/gif
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
2b..GIF89a.............!.......,...........L..;..0..


GET /t019b5c6daf1c645ef4.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p8.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:08 GMT
Server: nginx
Content-Type: image/jpeg
Content-Length: 57648
Last-Modified: Wed, 24 May 2017 04:30:14 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 3900168212 3899993384
Via: 1.1 varnish
X-Varnish-Hits: 1
X-Varnish-Cache: HIT
X-Via: 1.1 fzhdx81:5 (Cdn Cache Server V2.0), 1.1 db78:3 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /t01e6635e1fa0e06a46.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p2.qhimg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 7347
Connection: keep-alive
Server: nginx
Date: Tue, 09 May 2017 11:05:41 GMT
Last-Modified: Sat, 06 May 2017 19:59:52 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 590910359 539538501
Via: 1.1 varnish, 1.1 b4ee4db849dcb5fce83f0bc3d6a9d57f.cloudfront.net (CloudFront)
X-Varnish-Hits: 30
X-Varnish-Cache: HIT
Age: 1500023
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: vekZN8G_dzwuf-t8VUSFed6RpDejcmIuwuPRpgVWV_m9lIMJNe0ipw==

<<< skipped >>>

GET /t01b79193449c098c6f.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p2.qhimg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 31296
Connection: keep-alive
Server: nginx
Date: Wed, 22 Feb 2017 15:52:56 GMT
Last-Modified: Wed, 22 Feb 2017 15:52:56 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 1791388773
Via: 1.1 varnish, 1.1 b4ee4db849dcb5fce83f0bc3d6a9d57f.cloudfront.net (CloudFront)
X-Varnish-Hits: 0
X-Varnish-Cache: MISS
Age: 7822062
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: 6mnOdlNKoalgo3uCDJmezj-4MFlQsn7wb5aQw0KBB1lCuncyHYvAgA==

<<< skipped >>>

GET /i360/qhpass.htm?src=pcw_wan_youxi&version=5.0.3.21319&guid=87247646.52884733302422330.1495600803648.9416&action=init&resolution=1276x846&color=24&isCookieEnabled=true HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Wed, 24 May 2017 04:40:11 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Fri, 16 May 2014 06:46:24 GMT
Connection: close
Accept-Ranges: bytes


GET /yxcom/;;js;__config__/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s5.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:08 GMT
Date: Thu, 18 May 2017 13:02:08 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 1150
Last-Modified: Mon, 15 May 2017 07:55:53 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 jfzh181:7 (Cdn Cache Server V2.0), 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /yxcom/;js;mini;/prompt,enterzone,active,reg,login,minislide,zonelist/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s5.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:02:12 GMT
Date: Thu, 18 May 2017 13:02:12 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 3181
Last-Modified: Mon, 15 May 2017 08:08:09 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou185:9 (Cdn Cache Server V2.0), 1.1 db77:0 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /js/4.0.2.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: passport.youxi.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:02 GMT
Content-Type: application/x-javascript
Content-Length: 207
Last-Modified: Tue, 07 Mar 2017 06:29:34 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "58be534e-cf"
Expires: Wed, 24 May 2017 05:40:02 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes
document.write('<link rel="stylesheet" type="text/css" href="http://s6.yx-s.com/static/950f1a12aa560f26.css" /><script type="text/javascript" src="hXXp://s6.yx-s.com/static/382f2fd94eeeafb9.js"></script>');


GET /swf/FCT.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416; monitor_count=1; __sid=87247646.1754977220340360000.1495600808562.859; __gid=87247646.593124094.1495600808578.1495600808578.1


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:15 GMT
Content-Type: application/x-shockwave-flash
Last-Modified: Wed, 08 Mar 2017 08:10:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "58bfbc91-3fda"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Vary: Accept-Encoding

<<< skipped >>>

GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
Timing-Allow-Origin: *
Date: Wed, 24 May 2017 04:07:06 GMT
Expires: Wed, 24 May 2017 06:07:06 GMT
Last-Modified: Thu, 04 May 2017 01:31:56 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 12267
Cache-Control: public, max-age=7200
Age: 1982

<<< skipped >>>

GET /r/collect?v=1&_v=j54&a=1453265282&t=pageview&_s=1&dl=http://VVV.youxi.com/mini/mir2/login.php&ul=en-us&de=utf-8&dt=登录-热血战歌&sd=24-bit&sr=1276x846&vp=552x396&je=1&fl=23.0 r0&_u=IEBAAAAAI~&jid=1626280177&gjid=2074139498&cid=1442319705.1495600809&tid=UA-49486422-16&_gid=1546250211.1495600809&_r=1&z=1657285665 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 24 May 2017 04:40:08 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35


GET /i360/qhpass.htm?src=pcw_wan_youxi&version=5.0.3.21319&guid=87247646.52884733302422330.1495600803648.9416&action=changeSigninType&module=signin&type=normal HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Wed, 24 May 2017 04:40:35 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Thu, 08 Dec 2016 01:41:19 GMT
Connection: close
Accept-Ranges: bytes


GET /d/inn/34f0612b/images/common/lab_bg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p9.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Mon, 09 Mar 2026 09:58:47 GMT
Date: Fri, 11 Mar 2016 09:58:47 GMT
Server: nginx
Content-Type: image/png
Content-Length: 942
Last-Modified: Sun, 14 Feb 2016 14:14:54 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 3205031791 2743109708
Via: 1.1 varnish
X-Varnish-Hits: 341
X-Varnish-Cache: HIT
Age: 1
X-Via: 1.1 db78:10 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /yxcom/;js;lib;/jquery.min,sea.211/bd917a36.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s7.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 16 May 2027 13:01:59 GMT
Date: Thu, 18 May 2017 13:01:59 GMT
Server: nginx
Content-Type: application/x-javascript
Content-Length: 35314
Last-Modified: Mon, 15 May 2017 07:55:53 GMT
Cache-Control: max-age=315360000
Content-Encoding: gzip
X-QSTATIC-HIT: 1
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 zhdx182:3 (Cdn Cache Server V2.0), 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /t013e49a3dc1ae5334e.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p7.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:39:56 GMT
Server: nginx
Content-Type: image/jpeg
Content-Length: 89275
Last-Modified: Sun, 21 May 2017 14:29:58 GMT
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 3564335599 3518783054
Via: 1.1 varnish
X-Varnish-Hits: 45
X-Varnish-Cache: HIT
X-Via: 1.1 z185:1 (Cdn Cache Server V2.0), 1.1 db77:0 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /image.php?app=youxi HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: captcha.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:09 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
X-Powered-By: PHP/5.2.5
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: crypt_code=wWO2Lt4BcrSUG4gSJjF1hmyxj%2FNd4P4tlwYWtdtUSd6bcBX%2FjZzs%2BPQ5vUKoQ%2B3i; path=/; domain=youxi.com

<<< skipped >>>

GET /static/js/index.js?r=1495600818 HTTP/1.1
Accept: */*
Referer: hXXp://axlogin.passport.360.cn/ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: axlogin.passport.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:40 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 16905
Last-Modified: Thu, 03 Nov 2016 03:10:34 GMT
Connection: close
Accept-Ranges: bytes
/**
 * .......................... */
(function(){
    var domainList = [],
        time = 1,//...............................................................
        timeoutHandler = null,
        loginTimeoutHandler = null,
        flag_skip = true,
        clk_flag = true,
        tempDomainNum = 0,
        rd = "",
        web_qid = '',
        primaryStation = false,
        oneUnit = 134,
        number = 0,
        tempN = 0,
        acc_msg = "................................................",
        acc_msg_web = "..................................................................",
        timerId, startTime, frameTime = 13, dur = 1 * 1000,
        s_flag = false,
        dire,mleft,src,obj = g('loginUserList'),
        iskeepalive = 1;
    src = queryUrl(location.href).src ? queryUrl(location.href).src : 'pcw_i360';
    /*******........................*****/
    if (displayType!="newpic") {
        g('loginCheckBox').onclick = function(e){
            var span = g('iskeepalive');
            var spanClassName = span.className;
            if(spanClassName.toString().indexOf("checked")>-1){
                span.className = "checkbox quick-login-common-bg";
                iskeepalive = 0;
            }else{
                span.className = "checkbox checked quick-login-common-bg";
                iskeepalive = 1;
            }
        }
    }

    /*********..................**********/
    function queryUrl(url){
        var queryStr = location.search.substring(1).split('&'),oneQueryStr,args = {};
        for(var i in queryStr){
            oneQueryStr = queryStr[i].split('=');
            if(oneQueryStr[0]&&oneQueryStr[1]&&oneQueryStr[0]=="src"){
                args[oneQueryStr[0]] = (oneQueryStr[1]||'').replace(/

<<< skipped >>>

GET /i360/qhpass.htm?src=pcw_wan_youxi&version=5.0.3.21319&guid=87247646.52884733302422330.1495600803648.9416&action=show&module=signin HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Wed, 24 May 2017 04:40:38 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Fri, 16 May 2014 06:46:04 GMT
Connection: close
Accept-Ranges: bytes


GET /mini/mir2/login.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:39:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Content-Encoding: gzip

<<< skipped >>>

GET /d/inn/4f8be2af/btn-login.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: p6.yx-s.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Sun, 29 Nov 2026 01:01:54 GMT
Date: Thu, 01 Dec 2016 01:01:54 GMT
Server: nginx
Content-Type: image/png
Content-Length: 2959
Last-Modified: Tue, 16 Feb 2016 12:27:35 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
X-Varnish: 502635140 311449661
Via: 1.1 varnish
X-Varnish-Hits: 122
X-Varnish-Cache: HIT
Age: 1
X-Via: 1.1 fuzhou184:6 (Cdn Cache Server V2.0), 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: axlogin.passport.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:18 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.5
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Encoding: gzip

<<< skipped >>>

GET /static/css/index.css?r=1495600812 HTTP/1.1
Accept: */*
Referer: hXXp://axlogin.passport.360.cn/ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: axlogin.passport.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.9
Date: Wed, 24 May 2017 04:40:13 GMT
Content-Type: text/css
Content-Length: 4826
Last-Modified: Thu, 03 Nov 2016 03:09:42 GMT
Connection: close
Accept-Ranges: bytes

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEGzcMzbY/Z/9R/IXXh6Z+8s= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: wosign-ovca.ocsp-certum.com


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 04:40:18 GMT
Content-Type: application/ocsp-response
Content-Length: 1539
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: HIT
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /qdas/s.htm?p=QH_103_7#3_3&u=http://VVV.youxi.com/mini/mir2/login.php&gid=87247646.593124094.1495600808578.1495600808578.1&sid=87247646.1754977220340360000.1495600808562.859&title=登录-热血战歌&mid=&guid=87247646.52884733302422330.1495600803648.9416&gkey=mir2&b=msie 7.0&c=1&r=&fl=23&sd=24-bit&sr=1276x846&ul=en-us&ce=1&t=1495600808580 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.360.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Wed, 24 May 2017 04:40:11 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Fri, 08 Apr 2016 09:30:56 GMT
Connection: close
Accept-Ranges: bytes


GET /psp_jump.html?fun=QhpassUserData HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416; monitor_count=1; __sid=87247646.1754977220340360000.1495600808562.859; __gid=87247646.593124094.1495600808578.1495600808578.1


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:12 GMT
Content-Type: text/html
Last-Modified: Wed, 08 Mar 2017 08:10:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Expires: Wed, 24 May 2017 05:40:12 GMT
Cache-Control: max-age=3600
Content-Encoding: gzip


GET /js/mini/active.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416; monitor_count=1; __sid=87247646.1754977220340360000.1495600808562.859; __gid=87247646.593124094.1495600808578.1495600808578.1


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:12 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 08 Mar 2017 08:10:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Vary: Accept-Encoding
Content-Encoding: gzip


GET /js/lib/handlebars.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416; _ga=GA1.2.1442319705.1495600809; _gid=GA1.2.1546250211.1495600809; _gat=1; crypt_code=wWO2Lt4BcrSUG4gSJjF1hmyxj%2FNd4P4tlwYWtdtUSd6bcBX%2FjZzs%2BPQ5vUKoQ%2B3i; monitor_count=1; __sid=87247646.1754977220340360000.1495600808562.859; __gid=87247646.593124094.1495600808578.1495600808578.1


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:13 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 08 Mar 2017 08:10:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Vary: Accept-Encoding
Content-Encoding: gzip

<<< skipped >>>

GET /js/common/winbox.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.youxi.com/mini/mir2/login.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416; _ga=GA1.2.1442319705.1495600809; _gid=GA1.2.1546250211.1495600809; _gat=1; crypt_code=wWO2Lt4BcrSUG4gSJjF1hmyxj%2FNd4P4tlwYWtdtUSd6bcBX%2FjZzs%2BPQ5vUKoQ%2B3i; monitor_count=1; __sid=87247646.1754977220340360000.1495600808562.859; __gid=87247646.593124094.1495600808578.1495600808578.1


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:14 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 08 Mar 2017 08:10:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Vary: Accept-Encoding
Content-Encoding: gzip

<<< skipped >>>

GET /psp_jump.html?fun=parent.parent.QHPass.getQuickLoginUserLength&us=0 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://axlogin.passport.360.cn/ptlogin.php?nextUrl=hXXp://VVV.youxi.com/psp_jump.html&us=1&func=QHPass.getQuickLoginUserLength
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.youxi.com
Connection: Keep-Alive
Cookie: __guid=87247646.52884733302422330.1495600803648.9416; _ga=GA1.2.1442319705.1495600809; _gid=GA1.2.1546250211.1495600809; _gat=1; crypt_code=wWO2Lt4BcrSUG4gSJjF1hmyxj%2FNd4P4tlwYWtdtUSd6bcBX%2FjZzs%2BPQ5vUKoQ%2B3i; monitor_count=1; __sid=87247646.1754977220340360000.1495600808562.859; __gid=87247646.593124094.1495600808578.1495600808578.1


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 24 May 2017 04:40:14 GMT
Content-Type: text/html
Last-Modified: Wed, 08 Mar 2017 08:10:57 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Expires: Wed, 24 May 2017 05:40:14 GMT
Cache-Control: max-age=3600
Content-Encoding: gzip

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2372:

.text
`.rdata
@.data
.rsrc
.adata
t$(SSh
|$D.tm
~%UVW
u$SShe
shlwapi.dll
URLMON.DLL
shell32.dll
kernel32.dll
advapi32.dll
user32.dll
ole32.dll
WinINet.dll
wininet.dll
URLDownloadToFileA
ShellExecuteA
MsgWaitForMultipleObjects
RegCreateKeyA
RegEnumKeyA
RegCloseKey
GetProcessHeap
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
RegOpenKeyA
InternetOpenUrlA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
zg.exe
SHELL32.dll
MSVCRT.dll
KERNEL32.dll
USER32.dll
program internal error number is %d.
@http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
hXXps://
AHTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
Adodb.Stream
AA,C5,2C*.lnk
*.url
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
?#%X.y
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
USER32.DLL
operator
WinExec
GetKeyState
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
ADVAPI32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
GetCPInfo
GetConsoleOutputCP
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s%s%s
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
gdi32.dll
winmm.dll
winspool.drv
oleaut32.dll
comctl32.dll
ws2_32.dll
<assemblyIdentity type="win32" name="xxx" version="1.0.0.0" />
<!-- Windows XP style common controls -->
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- Windows feature settings -->
<windowsSettings xmlns:ws="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</windowsSettings>
<!-- Supported OS versions -->
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
1.0.0.0
(hXXp://VVV.dywt.com.cn)
mscoree.dll
KERNEL32.DLL
1.0.0.1

%original file name%.exe_2372_rwx_005AA000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
comdlg32.dll
RegCloseKey
ShellExecuteA
<assemblyIdentity type="win32" name="xxx" version="1.0.0.0" />
<!-- Windows XP style common controls -->
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- Windows feature settings -->
<windowsSettings xmlns:ws="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</windowsSettings>
<!-- Supported OS versions -->
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
1.0.0.1
(hXXp://VVV.dywt.com.cn)

zg.exe_3960:

`.rsrc
urlmon.dll
kernel32.dll
ole32.dll
oleaut32.dll
user32.dll
gdi32.dll
atl.dll
shell32.dll
User32.dll
ShellExecuteA
GetAsyncKeyState
GetProcessHeap
RegisterHotKey
UnregisterHotKey
,,,<,,4$$4$$4$$,
,$,=44,,,$$$,$,
$4$$4$$4$,<$$<
,$$4,,<,,<,,4,,<,$4
,$$,$$4$$,
$$$,4,444
,$$4$$,$$4$$,
$444=44=44,,,$$$
$,$,4<<444$$,$$,$$,$$,$$,$$,
$4$$4,$4$$4$$4,$4$$4$$4
$$$,,,<44<,$4$$,$
444<<<$,$$$$<<<444
$,)5:,,<
$4$$4$$4$,4$$4$$<$$4
$4$,4$$4$$4
$4$$<$$4$$4
,,,4,,4,,<$,4
$4$$,$$4$$4,,<,,<$$4
$,$$4,,<44<,,<$$4
,$,5  $$$
$4$,<,,<,,<$,<$$4$$4$$4$,<$$4
$4$,<,,<$,<
$4$$<$,<,,<
$,$$<44<,,<44<44<$$<$$4
$4$$4,,<
$4$$4,,<,,<
$4,,<$$<
$4$,4$$<,,<,,<$$4
$5  =44$$$
$4$$<,,<,,<$$<
$$$$,,,=44<<<5  
$,$,4$,<$,<$,4
7$$4$$<$$<
$<$$<$$<$$<
$4$$<$,<$$<$$<
$$$,$$,$,,,$,$$$,,,$$,
$$$,$$,,,4
$$,5  ,,,
ÝF7:G,,4$,<7>Y>Jz7>Y,,4,,,,$,$$,$$$
$,$$4$,4$,4$,4
$$$,$,$,,,$,$$,,$,$$,$$,
$,$$4$,4$,<,,<$,<
44<]\\<<<
$$$,$$<$,<$$<
$$$444$$$
,,,)5:$,4$,4
,,,84*444<<<,,,
$444$$,,$,,,,444
$,4<<$,4$,<
]\\<<<$$4
<4>,,<$$4
$$$,$$$$
$$,$,$$$
$,,,44<4<<44<$,<
,$,=44,$,
%$$,,$,,,4444<<<444
,$,,$,,$,5,6444
$$,$,,$$$$
)5:$,<$$<
,,4$$,$$$$
-$$<<<=44
84*$$$5  
44<$$$444
$$4<<444
$4$$4$,<
$4$,4$,4$,4
$$$$,$,,$,,$$,$$$
$,$,4$,4,,<
$$$,4$$,$$4
$,$$,$,4$,4$,4
$,$,4)5:$,4
$$$,,$,4
-$$5  -$$
$$$$,,4$,4,,44<4
$,<$,,$$,
$,$,4$$4
$,$,4$,4$,4$,4$$4$,4$,4$$4$$,$$,
,4$,<$,<$$4
$,$,,$$4
$,$$,$,4
$,$,4$,4)5:$,4
$$$$,$$,$,4
$$$$,$,4$$,$$4
$,$$,$$,$,,$,4$$,$,4$,4
$,$$,$$,$,,
$,$,4$,4$$,$$,
,,$,,$$4$,4$,,$,4$,4
$,$,,$$,
,4$,4$,4$,4$,,$,4$,4$,4$,<$,<$,4$,4$,4$,4$,4
$,$$,$,,
$,$$,$,,$,,$,4
$,$,4$,4$,4
-$$,,,5  =44$
$,$,4$$$
5  ,,,$$$5  ,,,,$,-$$-$$84*5  
-$$,,,5  -$$
44<,,4)5:$$,
$$$,$,5  84*
,,<$$,$$,$$,
$$$,4$$,
$$)5:$,,
$,$$4$,,
=4484*-,"
$$$,44<<)5:
YE#dI.wP3
hC!uG$pI!dG!dG#cH#cH#dI(kK.wP7
M.}N sM(kK(kK sM.wP4
%'.EED
{00000117-0000-0000-C000-000000000046}
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
LocationURL
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
?#%X.y
Operation not permitted
Inappropriate I/O control operation
Broken pipe
GetProcessWindowStation
operator
.text
.text$AFX_AUX
.text$AFX_CMNCTL
.text$AFX_COL1
.text$AFX_COL2
.text$AFX_CORE1
.text$AFX_CORE2
.text$AFX_CORE3
.text$AFX_CORE4
.text$AFX_INIT
.text$AFX_TERM
.text$mn
.text$x
.idata$5
.CRT$XCA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIY
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.rsrc$01
.rsrc$02
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
%Program Files%\zg\zg.exe
#include "l.chs\afxres.rc" // Standard components
WinExec
GetCPInfo
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
< 3)20,6
..../..LLLXLLV
`.rdata
@.data
.rsrc
@.reloc
<assemblyIdentity type="win32" name="xxx" version="1.0.0.0" />
<!-- Windows XP style common controls -->
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- Windows feature settings -->
<windowsSettings xmlns:ws="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</windowsSettings>
<!-- Supported OS versions -->
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
<!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
<!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />
<!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />
<!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
EUSER32.DLL
1.0.0.1
(hXXp://VVV.dywt.com.cn)

zg.exe_3960_rwx_00BE1000_002EF000:

t$(SSh
u.htd
~%UVW
u$SShe
urlmon.dll
kernel32.dll
ole32.dll
oleaut32.dll
user32.dll
gdi32.dll
atl.dll
shell32.dll
User32.dll
ShellExecuteA
GetAsyncKeyState
GetProcessHeap
RegisterHotKey
UnregisterHotKey


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\loading_s[1].gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bd917a36[1].js (51485 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\RWA1P9MV.txt (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_400BCCB616F4067E445EA2973A86C18D (2884 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FCT[1].swf (2037 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CE7BEA7675B51559AB228C6BB2F148E5 (456 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\t01b79193449c098c6f[1].png (1360 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bd917a36[1].js (4506 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\analytics[1].js (18074 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\btn-login[1].png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\login_ico[1].png (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\login_360_cn[1] (138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\psp_jump[1].htm (654 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bd917a36[2].js (6115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\950f1a12aa560f26[1].css (7473 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bac31a71bc48710d[1].js (86372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab76F.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\4.0.2[1].js (207 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\checkpage[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bd917a36[1].js (7289 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\lab_span[1].png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\winbox[1].js (3765 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\lab_bg[1].png (942 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\login_other[1].png (933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\5.0.3[1].js (199 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\index[1].css (241 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5IQMJ0LE.txt (78 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\login[1].css (145 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar770.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\www.youxi[1].xml (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\info_48[1] (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\index[1].js (3667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\382f2fd94eeeafb9[1].js (30512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PBG80YUR.txt (291 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\index[2].css (1169 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (696 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bd917a36[1].js (3975 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (540 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ptlogin[1].htm (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\t019b5c6daf1c645ef4[1].jpg (4282 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W56LR75C.txt (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bullet[1] (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\a[1].htm (624 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_735CD3DF3EFC3FD45285204A43CE4916 (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3ZYYV8Z0.txt (304 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\e2597d7a33637b4d[1].css (16825 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\active[1].js (997 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\t01e6635e1fa0e06a46[1].gif (256 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\t01b64da0a074800ab8[1].png (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4Z7HRL49.txt (538 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bd917a36[2].js (20139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\login[1].htm (511 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\t013e49a3dc1ae5334e[1].jpg (14816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_400BCCB616F4067E445EA2973A86C18D (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\Cookie[1].swf (2010 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1236 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\image[1].gif (713 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_735CD3DF3EFC3FD45285204A43CE4916 (4328 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\psp_jump[1].htm (654 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ptlogin[2].htm (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\NBXZ88BJ\img.yx-g.com\quyou_sn_21.sxx (123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\handlebars.min[1].js (34932 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\background_gradient[1] (453 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\errorPageStrings[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#img.yx-g.com\settings.sxx (704 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svrlist[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\8c48b57d397d07a5[1].css (10778 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\httpErrorPagesScripts[1] (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\navcancl[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\dnserrordiagoff_webOC[1] (6 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JR0NLLQ1.txt (473 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\MGZY5OG5.txt (108 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CE7BEA7675B51559AB228C6BB2F148E5 (352 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\536LMHX0.txt (603 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\index[1].js (3667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bd917a36[2].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\psp_jump_white_list[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\reset.0.0.1[1].css (588 bytes)
    %Program Files%\zg\zg.exe (1186 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7521309489.exe (9 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
