Packed.Win32.Themida_b9b9e040be

by malwarelabrobot on June 30th, 2017 in Malware Descriptions.

Trojan.KillProc.42650 (DrWeb), SMG.Heur!gen (Symantec), PUA.VrBrothers (Ikarus), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), Trojan.Win32.Swrort.3.FD, PackedThemida.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan, Packed, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b9b9e040be7de744371d4159f0bf0e49
SHA1: ca7438af99466ce43e1450a97ebbfd3f21467a64
SHA256: 966349d3f53d951d49f853a5cb092fe21b8cd56ea5985a8c39feb732c0ebeff1
SSDeep: 196608:KyEa4qmi4YP1pTqebZQbLoLVUBYWoudLE8C1nxfjp0D1ly9b:Kuh4SHTaaVUBYWTU1n0/Ub
Size: 7880885 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ACProtect141, UPolyXv05_v6, MicrosoftWindowsShortcutfile
Company: no certificate found
Created at: 2016-04-28 12:52:02
Analyzed on: Windows7 SP1 32-bit


Summary:

Packed. A packed file can be compressed and/or encrypted in a manner that prevents matching the memory image of that file against the actual file on disk. Sometimes used for copy protection, packers are often used to make spyware harder to analyze and detect.

Payload

No specific payload has been found.

Process activity

The Packed creates the following process(es):
No processes have been created.
The Packed injects its code into the following process(es):

%original file name%.exe:3500
Runner.exe:4016

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3500 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\cefb4b2021321623b2ca2cde9d8d3eb1[1].swf (4251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\MSG.DLL (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\acookie[1].htm (291 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\WINDOW.DLL (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G7TSM4ZG.txt (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\MEMORY.DLL (1552 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\SYS.DLL (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Runner.zip (481172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adcon\mm\tmpad.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\COLOR.DLL (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plugin.zip (15548 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\PIC.DLL (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8DJNKVY8.txt (95 bytes)
C:\ProgramData\boost_interprocess\ZujmmPSdl68J (183 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\k[1].js (29209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\r[1].js (7678 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\k[2].js (8150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\MT.exe (8560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\FILE.DLL (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad-mymacro8-p[1].htm (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\go[1].htm (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\aad73199e7c8277dbf3bb6345a7b5390[1].jpg (692 bytes)
C:\ProgramData\boost_interprocess\x2LFJS9VwUSr (256416 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MT.zip (14764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YEV4251U.txt (74 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mac49CC.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\acookie[1].htm (133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\ad-mymacro[1].xml (815 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mymacro.zip (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\go[1].htm (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PSBQTTMX.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ab839707bb853d9ee2579a0e04062ff1[1].jpg (919 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad-mymacro8-b[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\hm[1].js (14686 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\app[1].gif (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CODV3XW8.txt (94 bytes)
C:\ProgramData\boost_interprocess\HU7DdW3HvIWv (440472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\mymacro_errinfo.exe (13584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\GETSYSINFO.DLL (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\RKey.dat (704 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\k[1].js (8150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ad-mymacro9.xml.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\k[2].js (29209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\mmcount[1].htm (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\67Z28ZCW.txt (93 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RKey.zip (849 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\ad.vrbrothers[1].xml (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ad-mymacro8-b[1].htm (351 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ad-mymacro9.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\Runner.exe (240729 bytes)

The Packed deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\app[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CODV3XW8.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MT.zip (0 bytes)
C:\ProgramData\boost_interprocess\HU7DdW3HvIWv (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\k[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mac49CC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad-mymacro8-b[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\mmcount[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mymacro.zip (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RKey.zip (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\k[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Runner.zip (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adcon\mm\tmpad.xml (0 bytes)
C:\ProgramData\boost_interprocess\ZujmmPSdl68J (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plugin.zip (0 bytes)

The process Runner.exe:4016 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

C:\ProgramData\boost_interprocess\P8v8PMFud9G (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\mmcount[1].htm (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\QMLog\20170629.log (484 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\cfgdll.dll (7393 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7A4BS0L5.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\h[1].js (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\qdisp.dll (39523 bytes)
C:\ProgramData\boost_interprocess\P8v8PMFud9GT (256416 bytes)

The Packed deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\mmcount[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:3500 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "10 9A 40 82 BE F0 D2 01"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91617"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1461837122"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "10 9A 40 82 BE F0 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com]
"(Default)" = "63"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\b9b9e040be7de744371d4159f0bf0e49_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Packed deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process Runner.exe:4016 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKCR\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}]
"(Default)" = "QMDispatch.QMRoutine"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}]
"(Default)" = "QMDispatch.QMLibrary"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID]
"(Default)" = "QMDispatch.QMVBSRoutine"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\QMDispatch.QMLibrary]
"(Default)" = "QMDispatch.QMLibrary"

[HKCR\QMDispatch.QMVBSRoutine\CLSID]
"(Default)" = "{241D7F03-9232-4024-8373-149860BE27C0}"

[HKCU\Software\Microsoft\DirectInput\RUNNER.EXE5791C019007344C0]
"UsesMapper" = "00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mymacro\qdisp.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\QMDispatch.QMVBSRoutine]
"(Default)" = "QMDispatch.QMVBSRoutine"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"Name" = "RUNNER.EXE"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"Version" = "00 08 00 00"

[HKCR\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mymacro\qdisp.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\QMDispatch.QMRoutine]
"(Default)" = "QMDispatch.QMRoutine"

[HKCR\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\mymacro\qdisp.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"MostRecentStart" = "5C 11 39 86 BE F0 D2 01"

[HKCR\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\QMDispatch.QMRoutine\CLSID]
"(Default)" = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "90 32 2C 83 BE F0 D2 01"

[HKCR\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}]
"(Default)" = "QMDispatch.QMVBSRoutine"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\DirectInput\RUNNER.EXE5791C019007344C0]
"Name" = "RUNNER.EXE"

[HKCR\QMDispatch.QMLibrary\CLSID]
"(Default)" = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"

[HKCU\Software\Microsoft\DirectInput\MostRecentApplication]
"ID" = "RUNNER.EXE5791C019007344C0"

[HKCR\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID]
"(Default)" = "QMDispatch.QMLibrary"

[HKCR\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0E0F&PID_0003\Calibration\0]
"Guid" = "10 4C 1D E9 CA 5C E7 11 80 01 44 45 53 54 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID]
"(Default)" = "QMDispatch.QMRoutine"

[HKLM\SOFTWARE\Microsoft\Internet Explorer]
"ver" = "f3be9300"

[HKLM\SOFTWARE\Microsoft\Tracing\Runner_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\QMRunner\ServName]
"3" = "P8v8PMFud9GT"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Packed deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
295f142c363d8c14a3f7c84622497cf6 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\MT.exe
5f77953abe1e7a3991ec6db053d2bd0f c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\Runner.exe
b35416c2b3e818894df95608b76934f7 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\cfgdll.dll
436579e5933399bb5bd1a70cf7804272 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\mymacro_errinfo.exe
31735a9a5811567db16a02b20b360583 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\COLOR.DLL
4723c8d438821f0b0bc7edfe9811a1dc c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\FILE.DLL
86fac926e4317612393f677b42bb10d1 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\GETSYSINFO.DLL
9745bcfd017304958270e20f4ccae3ab c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\MEMORY.DLL
67be71ef830b10f536c9fadfd0ff8689 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\MSG.DLL
8bcd66ebfedbc0cbd05475300c76160b c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\PIC.DLL
9e540d9b62d97b7ec9761ab519db6a5c c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\SYS.DLL
6b7a84d4bb513320b4b96bdc125f57f6 c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\WINDOW.DLL
014c01cd6522778e1e15be0e696dfe0c c:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\qdisp.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????????????(C)2001-2016
Product Name: ?????
Product Version: 2014.0.3.16480
Legal Copyright: Copyright (C) 2001 - 2016
Legal Trademarks:
Original Filename: MyMacro.exe
Internal Name: MyMacro.exe
File Version: 2014.0.3.16480
File Description: ?????
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 2273930 | 2274304 | 4.57777 | bf2ab76e61961072f4089362f56f62fe
.rdata | 2281472 | 499042 | 499200 | 3.57952 | a8eb3b9199d8a0eaddfe8431dd45800c
.data | 2781184 | 89732 | 50176 | 3.4866 | cf42bf54a39813cbcd018e69631f24d6
.tls | 2871296 | 2 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b
.rsrc | 2875392 | 236132 | 236544 | 4.37808 | 7be00b9989399aef33967f6784a31ace
.reloc | 3112960 | 272786 | 272896 | 3.53303 | 04717c2d1bbe06029cc36c13b637128e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 10

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE User-Agent (Mozilla/4.0 (compatible))

Traffic

GET /app.gif?&cna=yL3bEerekwMCAcLyYOLfMQOp HTTP/1.1
Accept: */*
Referer: hXXp://afpssp.alimama.com/acookie.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.alimama.com


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:41 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=yL3bEerekwMCAcLyYOLfMQOp; expires=Sun, 27-Jun-27 10:00:41 GMT; path=/; domain=.alimama.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache


GET /g/mm/afp-cdn/JS/k.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpmm.alicdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 13501
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:56:34 GMT
x-oss-request-id: 5954CED2823C8AE5134477F7
Accept-Ranges: bytes
ETag: "5E11B3FC376FC9C90A9A445C5F6ACF98"
Last-Modified: Wed, 31 May 2017 03:21:09 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 17676891865371297199
x-oss-storage-class: Standard
Cache-Control: max-age=3600,s-maxage=3600
Vary: Accept-Encoding
Content-MD5: XhGz/DdvyckKmkRcX2rPmA==
x-oss-server-time: 8
Content-Encoding: gzip
Via: cache37.l2de1[847,200-0,C], cache55.l2de1[847,0], cache2.de1[0,200-0,H], cache5.de1[0,0]
Age: 243
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Thu, 29 Jun 2017 09:56:35 GMT
X-Swift-CacheTime: 3599
Timing-Allow-Origin: *
EagleId: c31b1fcd14987304374271965e

<<< skipped >>>

GET /qmacro/ad-mymacro8-n.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ad.vrbrothers.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 29 Jun 2017 10:00:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Encoding: gzip



GET /qmacro/ad-mymacro8-b.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ad.vrbrothers.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Mon, 21 Dec 2015 09:24:12 GMT
ETag: W/"046525ad13bd11:0"
X-Powered-By: ASP.NET
Content-Encoding: gzip

<<< skipped >>>

GET /k.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 4853
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:28:39 GMT
x-oss-request-id: 5954C847A1542EE550B49CAA
Accept-Ranges: bytes
ETag: "3CBE574399794F264CA872690F6B4ECE"
Last-Modified: Tue, 13 Sep 2016 05:41:40 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2664518053344101812
x-oss-storage-class: Standard
Vary: Accept-Encoding
Content-MD5: PL5XQ5l5TyZMqHJpD2tOzg==
x-oss-server-time: 1
Via: cache6.l2hk1[0,304-0,H], cache25.l2hk1[1,0], cache10.uk1[0,200-0,H], cache9.uk1[1,0]
Content-Encoding: gzip
Age: 1914
X-Cache: HIT TCP_MEM_HIT dirn:3:822988064
X-Swift-SaveTime: Thu, 29 Jun 2017 09:43:06 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c33b46d114987304338454230e

<<< skipped >>>

POST /Include/BuildPage/ExitAdXJL.shtml HTTP/1.1
Accept: */*
Host: soft.anjian.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:18 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Last-Modified: Mon, 19 Dec 2016 09:25:33 GMT
ETag: "79a829d9d959d21:0"
X-Powered-By: ASP.NET
{"Plan":"0","URL":"hXXp://e.games.sina.com.cn/statistic/index/?url=1604b931ac54cf7408a1d0cf4f1fafed","Area":".........","Interval":""}



POST /Interface/GetIP.aspx HTTP/1.1
Accept: */*
Host: soft.anjian.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible)
Content-Length: 29
Cache-Control: no-cache

data=7241C11686D7B74E3C4A0002


HTTP/1.1 500 Internal Server Error
Server: nginx
Date: Thu, 29 Jun 2017 10:00:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 7965
Connection: keep-alive
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

<<< skipped >>>

GET /w.gif?logtype=1&pre=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&cache=401daa3&scr=1916x902&cna=&isbeta=7& HTTP/1.1
Accept: */*
Referer: hXXp://s.csbew.com/acookie.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: log.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 29 Jun 2017 10:00:40 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=yL3bEVvR1HMCAcLyYOJ8a70Y; expires=Sun, 27-Jun-27 10:00:40 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=70cb27f0; path=/; domain=.mmstat.com
Set-Cookie: atpsida=028159d8d8ac6244d713db90_1498730440_1; path=/; domain=.mmstat.com
Location: hXXp://pcookie.csbew.com/app.gif?&cna=yL3bEVvR1HMCAcLyYOJ8a70Y
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache


GET /a.htm?pv=1&sp=115779,1,0,0,0,1,1,23&ec=utf-8&re=1916,902&jsv=7&cb=8673242454&seq=1&fs=0 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afp.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 29 Jun 2017 10:00:36 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: close
Expires: Thu, 29 Jun 2017 10:00:35 GMT
Cache-Control: no-cache

<<< skipped >>>

GET /qmacro/up_mymacro/liveupdate8.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: down.vrbrothers.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 29 Jun 2017 10:00:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Encoding: gzip

<<< skipped >>>

GET /acookie.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpssp.alimama.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:39 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Vary: Accept-Encoding
ETag: W/"2025-1490926639000"
Last-Modified: Fri, 31 Mar 2017 02:17:19 GMT
Expires: Thu, 29 Jun 2017 10:00:39 GMT
Cache-Control: max-age=0
Content-Encoding: gzip
Timing-Allow-Origin: *


GET /opt?bid=0a67349c00005954cfc64cf2054fd348&pid=mm_115547070_13540502_55734872&cid=234769&mid=20288&oid=4107&productType=1&qytInfoMTime=1498672941&cb=604822609 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afptrack.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:42 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:41 GMT
Cache-Control: no-cache
Via: ad180246112.et2[web,200]
31..GIF89a...................!.......,...........T..;..0..


GET /afp-creative/creative/u115547070/aad73199e7c8277dbf3bb6345a7b5390.jpg HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afp.alicdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/jpeg
Content-Length: 15891
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:10:32 GMT
x-oss-request-id: 5954C4083E7198570AAEBE3C
Accept-Ranges: bytes
ETag: "81FA00D9049F0A05D95347519E19C080"
Last-Modified: Tue, 20 Jun 2017 05:28:37 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 13485450609441868681
x-oss-storage-class: Standard
Content-MD5: gfoA2QSfCgXZU0dRnhnAgA==
x-oss-server-time: 1
Via: cache15.l2de1[0,304-0,H], cache27.l2de1[0,0], cache3.by1[108,200-0,H], cache2.by1[110,0]
Age: 3008
X-Cache: HIT TCP_REFRESH_HIT dirn:4:815220150
X-Swift-SaveTime: Thu, 29 Jun 2017 10:00:40 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: d462b28414987304404272928e

<<< skipped >>>

GET /afp-creative/creative/u115547070/ab839707bb853d9ee2579a0e04062ff1.jpg HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afp.alicdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/jpeg
Content-Length: 22302
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:10:33 GMT
x-oss-request-id: 5954C4098498F21E1EB17212
Accept-Ranges: bytes
ETag: "524E9AA370FC590667CC07FC45F0DD59"
Last-Modified: Wed, 07 Jun 2017 08:05:42 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 86869966510510095
x-oss-storage-class: Standard
Content-MD5: Uk6ao3D8WQZnzAf8RfDdWQ==
x-oss-server-time: 1
Via: cache26.l2de1[0,304-0,H], cache24.l2de1[0,0], cache9.by1[109,200-0,H], cache2.by1[110,0]
Age: 3007
X-Cache: HIT TCP_REFRESH_HIT dirn:7:167232057
X-Swift-SaveTime: Thu, 29 Jun 2017 10:00:40 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: d462b28414987304406812953e

<<< skipped >>>

GET /go.asp?svid=2&id=321019&style=0&vpage=http://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm&64841.73.gif HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: web.users.51.la


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:03:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 846
Content-Type: text/html
Expires: Wed, 28 Jun 2017 17:23:50 GMT
Cache-control: private

<<< skipped >>>

GET /qmacro/ad-mymacro8-b.htm HTTP/1.1
User-Agent: b9b9e040be7de744371d4159f0bf0e49
Host: ad.vrbrothers.com


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:31 GMT
Content-Type: text/html
Content-Length: 1587
Connection: keep-alive
Last-Modified: Mon, 21 Dec 2015 09:24:12 GMT
Accept-Ranges: bytes
ETag: "046525ad13bd11:0"
X-Powered-By: ASP.NET

<<< skipped >>>

GET /qmacro/ad-mymacro8-p.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ad.vrbrothers.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 21 Dec 2016 06:01:35 GMT
ETag: W/"80c95faf4f5bd21:0"
X-Powered-By: ASP.NET
Content-Encoding: gzip

<<< skipped >>>

GET /ex?a=115775&sp=1&cb=_acM.r&u=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&ds=1916x902&_=1498730437538&fs=0&pvid=a0c73da328211a1b9241762137edb15f&cg=dd46ef18df69a228cc6b6ae47097af0c&from_csbew=1 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpeng.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:38 GMT
Content-Type: application/x-javascript;charset=GB2312
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:37 GMT
Cache-Control: no-cache
Via: ad251174237.et2[web,200]
Content-Encoding: gzip

<<< skipped >>>

GET /k.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 4853
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:28:39 GMT
x-oss-request-id: 5954C847A1542EE550B49CAA
Accept-Ranges: bytes
ETag: "3CBE574399794F264CA872690F6B4ECE"
Last-Modified: Tue, 13 Sep 2016 05:41:40 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2664518053344101812
x-oss-storage-class: Standard
Vary: Accept-Encoding
Content-MD5: PL5XQ5l5TyZMqHJpD2tOzg==
x-oss-server-time: 1
Via: cache6.l2hk1[0,304-0,H], cache25.l2hk1[1,0], cache10.uk1[0,200-0,H], cache8.uk1[0,0]
Content-Encoding: gzip
Age: 1914
X-Cache: HIT TCP_MEM_HIT dirn:3:822988064
X-Swift-SaveTime: Thu, 29 Jun 2017 09:43:06 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c33b46d014987304338408359e

<<< skipped >>>

GET /acookie.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: text/html
Content-Length: 1173
Connection: keep-alive
Date: Thu, 29 Jun 2017 08:38:57 GMT
x-oss-request-id: 5954BCA160BDDF6112AEF362
Accept-Ranges: bytes
ETag: "0E7E13AE4BB1DC1694EF3C313E029DAA"
Last-Modified: Mon, 12 Sep 2016 03:50:08 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 2017430581966946456
x-oss-storage-class: Standard
Vary: Accept-Encoding
Content-MD5: Dn4Trkux3BaU7zwxPgKdqg==
x-oss-server-time: 1
Via: cache17.l2hk1[0,304-0,H], cache32.l2hk1[0,0], cache9.uk1[0,200-0,H], cache8.uk1[0,0]
Content-Encoding: gzip
Age: 4902
X-Cache: HIT TCP_MEM_HIT dirn:4:15155205
X-Swift-SaveTime: Thu, 29 Jun 2017 09:16:43 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c33b46d014987304390831645e

<<< skipped >>>

GET /a.htm?pv=1&sp=115775,1,0,0,0,1,1,23&ec=utf-8&re=1916,902&jsv=7&cb=6812604787&seq=1&fs=0 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afp.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 29 Jun 2017 10:00:36 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: close
Expires: Thu, 29 Jun 2017 10:00:35 GMT
Cache-Control: no-cache
69e..window.__loadJs__ = function (url,callback){  var head = document
.getElementsByTagName('head')[0] || document.documentElement, script
= document.createElement('script'), done = false; script.onerror = s
cript.onload = script.onreadystatechange = function() { if (!done &
& (!this.readyState || this.readyState == "loaded" || this.readyState
== "complete")) { done = true; if (callback) { callba
ck(); } script.onerror = script.onload = script.onreadystate
change = null; } }; script.src = url; head.insertBefore(script,
head.firstChild);};(function(a){var b={a:0,c:function(){},w:0},c;for(c
in b)"undefined"==typeof a[c]&&(a[c]=b[c]);var d=a.a,e=window._acK||n
ull,b=a.c,h="width:"+a.w+"px";if(e){var f=ac_info_ware[d]&&ac_info_war
e[d].destid;b()}})({a:115775,c:function(){if(window.ac_info_ware && wi
ndow.ac_info_ware[115775] && window.ac_info_ware[115775].async){ __loa
dJs__("hXXp://afpmm.alicdn.com/g/mm/afp-cdn/JS/k.js",function(){_acM({
aid:115775,async:1,format:0,mode:1,gid:1,serverbaseurl:"afpeng.csbew.c
om/"})}) }else{document.write('<scr'+'ipt type=\"text/javascript\
">\r\n');document.write('ac_as_id = 115775;\r\n');document.write('w
indow.afp_cur_query="pv=1&sp=115775,1,0,0,0,1,1,23&ec=utf-8&re=1916,90
2&jsv=7&cb=6812604787&seq=1&fs=0";') ;document.write('ac_format = 0;\r
\n');document.write('ac_mode = 1;\r\n');document.write('window.__trans
__115775 = true;\r\n');document.write('ac_group_id = 1;\r\n');document
.write('ac_server_base_url = \"afpeng.csbew.com/\";\r\n');document

<<< skipped >>>

GET /a.htm?pv=1&sp=115777,1,0,0,0,1,1,23&ec=utf-8&re=1916,902&jsv=7&cb=3507284218&seq=2&fs=0 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afp.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 29 Jun 2017 10:00:39 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: close
Expires: Thu, 29 Jun 2017 10:00:38 GMT
Cache-Control: no-cache
69e..window.__loadJs__ = function (url,callback){  var head = document
.getElementsByTagName('head')[0] || document.documentElement, script
= document.createElement('script'), done = false; script.onerror = s
cript.onload = script.onreadystatechange = function() { if (!done &
& (!this.readyState || this.readyState == "loaded" || this.readyState
== "complete")) { done = true; if (callback) { callba
ck(); } script.onerror = script.onload = script.onreadystate
change = null; } }; script.src = url; head.insertBefore(script,
head.firstChild);};(function(a){var b={a:0,c:function(){},w:0},c;for(c
in b)"undefined"==typeof a[c]&&(a[c]=b[c]);var d=a.a,e=window._acK||n
ull,b=a.c,h="width:"+a.w+"px";if(e){var f=ac_info_ware[d]&&ac_info_war
e[d].destid;b()}})({a:115777,c:function(){if(window.ac_info_ware && wi
ndow.ac_info_ware[115777] && window.ac_info_ware[115777].async){ __loa
dJs__("hXXp://afpmm.alicdn.com/g/mm/afp-cdn/JS/k.js",function(){_acM({
aid:115777,async:1,format:0,mode:1,gid:1,serverbaseurl:"afpeng.csbew.c
om/"})}) }else{document.write('<scr'+'ipt type=\"text/javascript\
">\r\n');document.write('ac_as_id = 115777;\r\n');document.write('w
indow.afp_cur_query="pv=1&sp=115777,1,0,0,0,1,1,23&ec=utf-8&re=1916,90
2&jsv=7&cb=3507284218&seq=2&fs=0";') ;document.write('ac_format = 0;\r
\n');document.write('ac_mode = 1;\r\n');document.write('window.__trans
__115777 = true;\r\n');document.write('ac_group_id = 1;\r\n');document
.write('ac_server_base_url = \"afpeng.csbew.com/\";\r\n');document

<<< skipped >>>

GET /imp?bid=0a67349c00005954cfc84ceb0556f5d1&pid=mm_115547070_13540502_55734873&cid=233510&mid=20286&oid=4107&productType=1&qytInfoMTime=1498672941&e=U7XlpuWNEHmMpq0A4M5XO26eRFjZyoypS2e4T2otjKXodsbiHREsTA4uxciZmuRv&k=65&cb=191561710 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afptrack.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:43 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:42 GMT
Cache-Control: no-cache
Via: ad251175032.et2[web,200]
31..GIF89a...................!.......,...........T..;..0..


GET /w.gif?logtype=1&pre=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&cache=5e2e70&scr=1916x902&cna=&isbeta=7& HTTP/1.1
Accept: */*
Referer: hXXp://afpssp.alimama.com/acookie.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: log.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 29 Jun 2017 10:00:40 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=yL3bEerekwMCAcLyYOLfMQOp; expires=Sun, 27-Jun-27 10:00:40 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=f8ca2f2f; path=/; domain=.mmstat.com
Set-Cookie: atpsida=d5d2529511a3b7b701435dd7_1498730440_1; path=/; domain=.mmstat.com
Location: hXXp://pcookie.alimama.com/app.gif?&cna=yL3bEerekwMCAcLyYOLfMQOp
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;


GET /go.asp?svid=2&id=321019&style=0&vpage=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&64841.73.gif HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: web.users.51.la


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:03:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 846
Content-Type: text/html
Expires: Wed, 28 Jun 2017 17:23:50 GMT
Cache-control: private

<<< skipped >>>

GET /ex?a=115779&sp=1&cb=_acM.r&u=http://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm&ds=1916x902&_=1498730437508&fs=0&pvid=e38919f7160d2696c2987f65e42c77f7&cg=d7bcba6dbfbeb3ba34869c81841127cc&from_csbew=1 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpeng.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:38 GMT
Content-Type: application/x-javascript;charset=GB2312
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:37 GMT
Cache-Control: no-cache
Via: ad180246116.et2[web,200]
Content-Encoding: gzip

<<< skipped >>>

GET /321019.asp HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.users.51.la
Connection: Keep-Alive


HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 252
Content-Type: text/html
Location: //web.users.51.la/go.asp?svid=2&id=321019&style=0&vpage=http://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm&64841.73.gif
Server: Microsoft-IIS/8.5
Date: Thu, 29 Jun 2017 10:00:41 GMT
<head><title>..........</title></head>.<body><h1>..........</h1>......<a HREF="//web.users.51.la/go.asp?svid=2&id=321019&style=0&vpage=http://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm&64841.73.gif">....</a>.</body>


GET /afp-creative/creative/u115547070/cefb4b2021321623b2ca2cde9d8d3eb1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afp.alicdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/x-shockwave-flash
Content-Length: 51424
Connection: keep-alive
Date: Thu, 29 Jun 2017 10:00:41 GMT
x-oss-request-id: 5954CFC9A1542EE550B7C97F
Accept-Ranges: bytes
ETag: "E1FEB7B40E18754C6AB9622DA6878E94"
Last-Modified: Fri, 23 Jun 2017 03:09:29 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 3587291926836712537
x-oss-storage-class: Standard
Content-MD5: 4f63tA4YdUxquWItpoeOlA==
x-oss-server-time: 1
Via: cache13.l2de1[807,304-0,H], cache45.l2de1[808,0], cache8.by1[910,200-0,H], cache1.by1[912,0]
Age: 0
X-Cache: HIT TCP_REFRESH_HIT dirn:9:359564378
X-Swift-SaveTime: Thu, 29 Jun 2017 10:00:41 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: d462b28314987304404213929e

<<< skipped >>>

GET /hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&et=0&ja=1&ln=zh-CN&lo=0&lt=1498730432&nv=1&rnd=1403808374&si=82d5c049236934007371777578c30be1&st=1&v=1.2.14&lv=2 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?UT&P=mymacro&VP=2014.03.16480&VR=1.0.0.16533&MC=f3be9300
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: log.hm.baidu.com
Cookie: HMACCOUNT=32B4AC9076CFFEA0


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Thu, 29 Jun 2017 10:00:36 GMT
Pragma: no-cache
Server: apache
X-Content-Type-Options: nosniff
GIF89a.............!.......,...........L..;....



GET /hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&ep=2000,100&et=3&ja=1&ln=zh-CN&lo=0&lt=1498730432&nv=0&rnd=1384992487&si=82d5c049236934007371777578c30be1&st=4&v=1.2.14&lv=2 HTTP/1.1

Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?UT&P=mymacro&VP=2014.03.16480&VR=1.0.0.16533&MC=f3be9300
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
DNT: 1
Connection: Keep-Alive
Host: log.hm.baidu.com
Cookie: HMACCOUNT=32B4AC9076CFFEA0


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Thu, 29 Jun 2017 10:00:36 GMT
Pragma: no-cache
Server: apache
X-Content-Type-Options: nosniff
GIF89a.............!.......,...........L..;


GET /xjl/mmcount.aspx?mm=0002640090CE5F90555D81927F0FAF9790CD8DA902A732F446649CA6E316BF1393E706CA0EA394AEE23B7270&randcode=000219CFDA64417E6FA4E4FA54D6FD3A2A267270 HTTP/1.1
User-Agent: b9b9e040be7de744371d4159f0bf0e49
Host: hi.vrbrothers.com


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:30 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
c..Open..Open..0..


GET /V2014V2/Config/ad-mymacro.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: soft.anjian.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:19 GMT
Content-Type: text/xml
Content-Length: 4000
Connection: keep-alive
Last-Modified: Thu, 25 Sep 2014 10:03:32 GMT
Accept-Ranges: bytes
ETag: "0b246f6a7d8cf1:0"
X-Powered-By: ASP.NET

<<< skipped >>>

GET /321019.asp HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: img.users.51.la
Connection: Keep-Alive


HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 252
Content-Type: text/html
Location: //web.users.51.la/go.asp?svid=2&id=321019&style=0&vpage=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&64841.73.gif
Server: Microsoft-IIS/8.5
Date: Thu, 29 Jun 2017 10:00:41 GMT
<head><title>..........</title></head>.<body><h1>..........</h1>......<a HREF="//web.users.51.la/go.asp?svid=2&id=321019&style=0&vpage=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&64841.73.gif">....</a>.</body>


GET /ex?a=115777&sp=1&cb=_acM.r&u=http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm&ds=1916x902&_=1498730440063&fs=0&pvid=ab7a0393a09da94e4e9ea40b164b9351&cg=afb670ff70a137972abf2d9df5ceec17&from_csbew=1 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpeng.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:40 GMT
Content-Type: application/x-javascript;charset=GB2312
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:39 GMT
Cache-Control: no-cache
Via: ad052056.et2[web,200]
Content-Encoding: gzip

<<< skipped >>>

GET /imp?bid=0a67349c00005954cfc64cf2054fd348&pid=mm_115547070_13540502_55734872&cid=234769&mid=20288&oid=4107&productType=1&qytInfoMTime=1498672941&e=+HPe4ISqiWeMpq0A4M5XO26eRFjZyoypzemELSkJtejSUsZE06YCxcM2jkePM0lG&k=65&cb=132017663 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afptrack.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:42 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:41 GMT
Cache-Control: no-cache
Via: ad251175081.et2[web,200]
31..GIF89a...................!.......,...........T..;..0..


GET /hm.js?9f7c90c4f314eb12aa0ed7c4b4d9d002 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMACCOUNT=32B4AC9076CFFEA0


HTTP/1.1 200 OK
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 8644
Content-Type: application/javascript
Date: Thu, 29 Jun 2017 10:00:39 GMT
Etag: d5550c5f6541cf3a976af78e8a914a4f
Server: apache
(function(){var h={},mt={},c={id:"9f7c90c4f314eb12aa0ed7c4b4d9d002",dm:["ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm"],js:"tongji.baidu.com/hm-web/js/",etrk:[],icon:'',ctrk:false,align:-1,nv:-1,vdur:1800000,age:31536000000,rec:0,rp:[],trust:0,vcard:0,qiao:0,lxb:0,conv:0,med:0,cvcc:'',cvcf:[],apps:''};

<<< skipped >>>

GET /hm.gif?cc=0&ck=1&cl=32-bit&ds=1916x902&et=0&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=197592874&si=9f7c90c4f314eb12aa0ed7c4b4d9d002&st=1&v=1.2.14&lv=1&ct=!!&tt=vrbrothers-276*226&sn=10525 HTTP/1.1

Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMACCOUNT=32B4AC9076CFFEA0


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Thu, 29 Jun 2017 10:00:40 GMT
Pragma: no-cache
Server: apache
X-Content-Type-Options: nosniff
GIF89a.............!.......,...........L..;



GET /hm.gif?cc=0&ck=1&cl=32-bit&ds=1916x902&ep={"netAll":1367,"netDns":0,"netTcp":0,"srv":577,"dom":2982,"loadEvent":11403,"qid":"","bdDom":0,"bdRun":0,"bdDef":0}&et=87&fl=23.0&ja=1&ln=en-us&lo=0&nv=1&rnd=313009406&si=9f7c90c4f314eb12aa0ed7c4b4d9d002&st=1&v=1.2.14&lv=1 HTTP/1.1

Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMACCOUNT=32B4AC9076CFFEA0


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Thu, 29 Jun 2017 10:00:42 GMT
Pragma: no-cache
Server: apache
X-Content-Type-Options: nosniff
GIF89a.............!.......,...........L..;


GET /xjl/mmcount.aspx?mm=0002640090CE5F90555D81927F0FAF9790CD8DA902A732F446649CA6E316BF1393E706CA0EA394AEE23B7270&randcode=000219CFDA64417E6FA4E4FA54D6FD3A2A267270 HTTP/1.1
User-Agent: Runner
Host: hi.vrbrothers.com


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Jun 2017 10:00:50 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
c..Open..Open..0..


GET /imp?bid=0a67342400005954cfc6519f05508f54&pid=mm_115547070_13540502_55734874&cid=242900&mid=20290&oid=4107&productType=1&qytInfoMTime=1498672941&e=VKjcte5hJXOMpq0A4M5XO3cITZg/F8NJpwioiHF9xcOk1ZLglTopXZ67Wwdqcl1a&k=65&cb=230734364 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afptrack.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:42 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:41 GMT
Cache-Control: no-cache
Via: ad180246114.et2[web,200]
31..GIF89a...................!.......,...........T..;..0..


GET /opt?bid=0a67342400005954cfc6519f05508f54&pid=mm_115547070_13540502_55734874&cid=242900&mid=20290&oid=4107&productType=1&qytInfoMTime=1498672941&cb=793991707 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afptrack.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:42 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:41 GMT
Cache-Control: no-cache
Via: ad251174177.et2[web,200]
31..GIF89a...................!.......,...........T..;..0..


GET /g/mm/afp-cdn/JS/k.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-p.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpmm.alicdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 13501
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:56:34 GMT
x-oss-request-id: 5954CED2823C8AE5134477F7
Accept-Ranges: bytes
ETag: "5E11B3FC376FC9C90A9A445C5F6ACF98"
Last-Modified: Wed, 31 May 2017 03:21:09 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 17676891865371297199
x-oss-storage-class: Standard
Cache-Control: max-age=3600,s-maxage=3600
Vary: Accept-Encoding
Content-MD5: XhGz/DdvyckKmkRcX2rPmA==
x-oss-server-time: 8
Content-Encoding: gzip
Via: cache37.l2de1[847,200-0,C], cache55.l2de1[847,0], cache2.de1[0,200-0,H], cache6.de1[0,0]
Age: 243
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Thu, 29 Jun 2017 09:56:35 GMT
X-Swift-CacheTime: 3599
Timing-Allow-Origin: *
EagleId: c31b1fce14987304374303252e

<<< skipped >>>

GET /g/mm/afp-cdn/JS/r.js HTTP/1.1

Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afpmm.alicdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 5229
Connection: keep-alive
Date: Thu, 29 Jun 2017 09:44:01 GMT
x-oss-request-id: 5954CBE170375AE2FE27C403
Accept-Ranges: bytes
ETag: "19BE5BCE7A0A05A556835E18638F14ED"
Last-Modified: Wed, 31 May 2017 03:21:09 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 13727714711611258853
x-oss-storage-class: Standard
Cache-Control: max-age=3600,s-maxage=3600
x-oss-bucket-storage-type: standard
Vary: Accept-Encoding
x-oss-server-time: 1
Via: cache56.l2de1[790,304-0,H], cache58.l2de1[790,0], cache7.de1[0,200-0,H], cache6.de1[0,0]
Content-Encoding: gzip
Age: 998
X-Cache: HIT TCP_MEM_HIT dirn:4:565455739
X-Swift-SaveTime: Thu, 29 Jun 2017 09:44:01 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c31b1fce14987304390703849e

<<< skipped >>>

GET /opt?bid=0a67349c00005954cfc84ceb0556f5d1&pid=mm_115547070_13540502_55734873&cid=233510&mid=20286&oid=4107&productType=1&qytInfoMTime=1498672941&cb=154613844 HTTP/1.1
Accept: */*
Referer: hXXp://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: afptrack.csbew.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:43 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
Server: Tengine
Expires: Thu, 29 Jun 2017 10:00:42 GMT
Cache-Control: no-cache
Via: ad180246118.et2[web,200]
31..GIF89a...................!.......,...........T..;..0..


GET /h.js?82d5c049236934007371777578c30be1 HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://soft.anjian.com/V2014V2/UserExperience/SoftwareExperience.shtml?UT&P=mymacro&VP=2014.03.16480&VR=1.0.0.16533&MC=f3be9300
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-Alive
Host: hm.baidu.com


HTTP/1.1 200 OK
Cache-Control: max-age=0, must-revalidate
Content-Length: 23397
Content-Type: application/javascript
Date: Thu, 29 Jun 2017 10:00:33 GMT
Etag: 66067e503816104015f0598e6ebf3481
P3p: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: apache
Set-Cookie: HMACCOUNT=32B4AC9076CFFEA0; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT

<<< skipped >>>

GET /app.gif?&cna=yL3bEVvR1HMCAcLyYOJ8a70Y HTTP/1.1
Accept: */*
Referer: hXXp://s.csbew.com/acookie.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.csbew.com


HTTP/1.1 200 OK
Date: Thu, 29 Jun 2017 10:00:42 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=yL3bEVvR1HMCAcLyYOJ8a70Y; expires=Sun, 27-Jun-27 10:00:42 GMT; path=/; domain=.csbew.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;


The Packed connects to the servers at the following location(s):

%original file name%.exe_3500:

.text
`.rdata
@.data
.rsrc
@.reloc
CNotSupportedException
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
CHotKeyCtrl
msctls_hotkey32
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
CHttpFile
mfcm100.dll
Shell32.dll
%s:%x:%x:%x:%x
MFCLink_UrlPrefix
MFCLink_Url
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
&%d %s
RegDeleteKeyExA
lXXxXXXXXXXX
ole32.dll
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sBasePane-%d%x
%sBasePane-%d
%sPane-%d%x
%sPane-%d
ShowCmd
Hex={X,X,X}
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
ENABLE_KEYS
KEYS_MENU
KEYS
windows
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
GetProcessWindowStation
operator
portuguese-brazilian
F%D,3
PassWordEditBox
WebBrowser
Skin.xml
<%s> attribute has error
'<%s> ... </%s>' is not wel-formed.
it must be closed with </%s>
%s must be closed with </%s>
CWebBrowser2
USER32.DLL
CUIPassWordEdit
LeftPic
LinkUrl
CPassWordEditEx
HtmlWebFrame
NET_ERROR.HTM
monochrome
unsupported bit depth
Global\Event_%s
ntdll.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
CHECK failed: (from.GetDescriptor()) == (descriptor):
..\src\google\protobuf\message.cc
: Tried to copy from a message with a different type.to:
..\src\google\protobuf\descriptor.cc
". To use it here, please add the necessary import.
", which is not imported by "
.PLACEHOLDER_VALUE
.placeholder.proto
map key must name a scalar or string field.
map_key must not name a repeated field.
$0$1 = $2
.dummy
FieldDescriptorProto.extendee not set for extension field.
FieldDescriptorProto.extendee set for non-extension field.
$0$1 $2 $3 = $4
Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "
CHECK failed: dynamic.get() != NULL:
.foo = value".
CHECK failed: !out.HadError():
" is repeated. Repeated options are not supported.
Import "
Missing field: FileDescriptorProto.name.
File recursively imports itself:
[libprotobuf %s %s:%d] %s
%d.%d.%d
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\generated_message_reflection.cc
CHECK failed: (field->options().ctype()) == (ctype):
CHECK failed: value.size() <= kint32max:
..\src\google\protobuf\wire_format_lite.cc
..\src\google\protobuf\wire_format.cc
..\src\google\protobuf\reflection_ops.cc
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
..\src\google\protobuf\io\coded_stream.cc
?456789:;<=
!"#$%&'()* ,-./0123
\xx
..\src\google\protobuf\stubs\strutil.cc
..\src\google\protobuf\descriptor.pb.cc
google/protobuf/descriptor.proto
google/protobuf/descriptor.proto
google.protobuf"G
2$.google.protobuf.FileDescriptorProto"
2 .google.protobuf.DescriptorProto
2$.google.protobuf.EnumDescriptorProto
2'.google.protobuf.ServiceDescriptorProto
2%.google.protobuf.FieldDescriptorProto
.google.protobuf.FileOptions
.google.protobuf.SourceCodeInfo"
2/.google.protobuf.DescriptorProto.ExtensionRange
.google.protobuf.MessageOptions
2 .google.protobuf.FieldDescriptorProto.Label
2*.google.protobuf.FieldDescriptorProto.Type
.google.protobuf.FieldOptions"
2).google.protobuf.EnumValueDescriptorProto
.google.protobuf.EnumOptions"l
2!.google.protobuf.EnumValueOptions"
2&.google.protobuf.MethodDescriptorProto
.google.protobuf.ServiceOptions"
.google.protobuf.MethodOptions"
2).google.protobuf.FileOptions.OptimizeMode:
2$.google.protobuf.UninterpretedOption":
2$.google.protobuf.UninterpretedOption*
2#.google.protobuf.FieldOptions.CType:
experimental_map_key
2$.google.protobuf.UninterpretedOption"/
2-.google.protobuf.UninterpretedOption.NamePart
2(.google.protobuf.SourceCodeInfo.Location
com.google.protobufB
Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:
..\src\google\protobuf\io\tokenizer.cc
Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:
\Ux
Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:
..\src\google\protobuf\dynamic_message.cc
..\src\google\protobuf\text_format.cc
..\src\google\protobuf\stubs\substitute.cc
..\src\google\protobuf\descriptor_database.cc
Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
..\src\google\protobuf\extension_set.cc
CHECK failed: iter != extensions_.end():
..\src\google\protobuf\extension_set_heavy.cc
Webdings
Incorrect key length
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
password
{WindowsDir}\
VVV.baidu.com -n 2
ping.exe
D:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
%*[^-]-%[^*]*%[0-9]
\tmpad.xml
vrbrothers.ad
%s?param=%s
clickurl
newswndurl
downloadurl
pluginlist.txt
adurl
\tmpad-down.xml
curl
hXXp://VVV.anjian.com
%s,%s,%s,%s,%s -%s
hXXp://soft.anjian.com/Include/BuildPage/ExitAdXJL.shtml
hXXp://soft.anjian.com/Interface/GetIP.aspx
MT.exe
%s%s -"%s" -%s -%s
hXXp://
Content-Type: application/x-www-form-urlencoded
Mozilla/4.0 (compatible)
HTTP/1.0
Host: %s
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MyMacro\RKey.dat
MyMacro\Runner.exe
2014.03.16480
HotkeyMode
EndHotkey
Hotkey
EndHotkeyMod
macro%d_%d_[%d]_tmp
uservar.ini
SupportLogin
SupportFileCheck
plugin.zip
mymacro.zip
RKey.zip
Runner.zip
MT.zip
ad-mymacro9.xml
bro.mymacro
hXXp://soft.anjian.com/V2014V2/Config/ad-mymacro.xml
background.bmp
BackGround.png
MyMacro_logo.png
hi.vrbrothers.com
hXXp://hi.vrbrothers.com/xjl/mmcount.aspx
%s?mm=%s&randcode=%s
00109019
mymacro.htm
mmlog.txt
BeginHotkey
BeginHotkeyMod
PauseHotkey
PauseHotkeyMod
StopHotkey
StopHotkeyMod
CSetupHotkeyDlg
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
D:\boost\boost_1_49_0\boost/exception/detail/exception_ptr.hpp
%s.version=%d.hostid=%d
--host_id %d --verify_key %s --product "%s" --version %s
CreateProcess Fail[errno=%d]
RunnerCmd: %s
QMEngine.proto
..\protobuff\QMEngine.pb.cc
.QMProto._MacroDataType"
msg_name
private_key
begin_hotkey
begin_hotkey_mod
pause_hotkey
pause_hotkey_mod
stop_hotkey
stop_hotkey_mod
.QMProto._MacroRunData
.QMProto._MacroInfo"6
.QMProto._MacroInfo"
.QMProto._CompileResult"#
_EnableHotkey_R
hotkey_type
stop_all_hotkey
_DisableHotkey_R
.QMProto._VarInfo"E
_CurExecPos_R
.QMProto._MacroInfo"=
key_info
_MergeScriptKeyInfo_R
_CommonMsgExchange_R
msg_type
%s_%d_
GetSrcCodeByIdx offset: %x
pFileBuffer: %x, pAddr: %x, szCodeSize: %d
CreateFile Failed: %d
GetFileSize Failed: %d
ReadFile Failed: %d
CodeInfoProc dwFlag: %d
CodeInfoProc SetEvent Failed: %d
g_szDataPath: %s
g_hEventFlag: %x, g_hEvent_CodeInfo: %x
g_pCodeFlag: %x, g_pCodeInfo: %x
Copyright (c) J.S.A.Kapp 94-96.
GetWindowsDirectoryA
GetCPInfo
GetProcessHeap
KERNEL32.dll
GetKeyState
UnhookWindowsHookEx
GetKeyNameTextA
MapVirtualKeyA
SetWindowsHookExA
CreateDialogIndirectParamA
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
UrlUnescapeA
SHLWAPI.dll
OLEAUT32.dll
oledlg.dll
URLDownloadToFileA
urlmon.dll
GdiplusShutdown
gdiplus.dll
WS2_32.dll
dbghelp.dll
SensApi.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
HttpEndRequestA
InternetOpenUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
WINMM.dll
OLEACC.dll
IMM32.dll
UxTheme.dll
WinExec
.PAVCOleException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.?AVCHotKeyCtrl@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCFileException@@
.PAVCOleDispatchException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.?AV?$sp_counted_impl_p@VCUIPassWordEdit@@@detail@boost@@
.?AVCPassWordEditEx@@
.?AVCUIPassWordEdit@@
#*1892 $
%,3:;4-&
.?AV?$sp_counted_impl_p@VCMsgPack@Common@@@detail@boost@@
.?AVCHotKeyMouseCtrlFlat@@
.?AVCMFCHotKeyCtrlFlat@@
.?AVCReportHeaderCtrl@CReportCtrl@@
.?AVCCmdTarget@@
.?AVCReportCtrl@@
.PAVCException@@
.?AVCWebBrowser2Ex@@
.?AVCWebBrowser2@@
.PAVCInternetException@@
;3 #>6.&
'2, / 0&7!4-)1#
.?AVCHTTPHelp@@
.?AV?$sp_counted_impl_p@VCSetupHotkeyDlg@@@detail@boost@@
.?AVCSetupHotkeyDlg@@
.?AV?$bind_t@XV?$mf1@XVCQMClientBLL@QMClient@@PAVCMsgPack@Common@@@_mfi@boost@@V?$list2@V?$value@PAVCQMClientBLL@QMClient@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AV_EnableHotkey_R@QMProto@@
.?AV_DisableHotkey_R@QMProto@@
.?AV_CurExecPos_R@QMProto@@
.?AV_MergeScriptKeyInfo_R@QMProto@@
.?AV_CommonMsgExchange_R@QMProto@@
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\RKey.dat
AdDlg.xml
AutoRunDlg.xml
..gs<"
Caption_Icon.png
M.Bvi
_%s@.[
i\ghU34%F
CheckBox.png
CloseBtn_Disable.png
CloseBtn_Down.png
CloseBtn_Normal.png^
CloseBtn_Over.png
EulaDlg.xml
Eula_Logo.pnge
LeftMoveTableBtn_Disable.png['
LeftMoveTableBtn_Down.png{^
|{.NA
e$.tE
LeftMoveTableBtn_Normal.png
LeftMoveTableBtn_Over.png
MaxBtn_Disable.png=z
MinBtn_Disable.pngU
MinBtn_Down.png
MinBtn_Normal.png
MinBtn_Over.png
MyMacroDlg.xml
MyMacroInstructionDlg.xmlB
MyMacro_Free.png
RadioBox.png
RightMoveTableBtn_Disable.png
RightMoveTableBtn_Down.png
iob.vT
RightMoveTableBtn_Normal.png
RightMoveTableBtn_Over.png
ScriptContainerDlg.xml
SetupBg.png
SetupHotkeyDlg.xmln
SetupOptionDlg.xml
SliderCtrl_Left.pngI
SliderCtrl_Right.png)Iy
SliderCtrl_Thumb.png
TabCtrlBG_Check.png
TabCtrlBG_Hover.png
n.Beg,
TabCtrlBG_Noraml.pngm4
Z_BtnTrans38x22.png
Z_BtnTrans60x24.png
CloseBtn_Normal.png
Eula_Logo.png
LeftMoveTableBtn_Disable.png
LeftMoveTableBtn_Down.png
MaxBtn_Disable.png
MinBtn_Disable.png
MyMacroInstructionDlg.xml
SetupHotkeyDlg.xml
SliderCtrl_Left.png
SliderCtrl_Right.png
TabCtrlBG_Noraml.png
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>PAJ
accKeyboardShortcut
hhctrl.ocx
WININET.DLL
dwmapi.dll
SHELL32.DLL
RICHED20.DLL
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
{8856F961-340A-11D0-A96B-00C04FD705A2}
Windows
VVV.anjian.com
new.xiaojl.com
Ò"#1030
(*.*)
Your program raised an exception and should be closed. Please email hi@vrbrothers.com and report the error message. Thanks!
hi@vrbrothers.com
2001-2016
2014.0.3.16480
MyMacro.exe

Runner.exe_4016_rwx_00401000_0051F000:

CHECK failed: (from.GetDescriptor()) == (descriptor):
..\src\google\protobuf\message.cc
: Tried to copy from a message with a different type.to:
..\src\google\protobuf\descriptor.cc
". To use it here, please add the necessary import.
", which is not imported by "
.PLACEHOLDER_VALUE
.placeholder.proto
map key must name a scalar or string field.
map_key must not name a repeated field.
$0$1 = $2
.dummy
FieldDescriptorProto.extendee not set for extension field.
FieldDescriptorProto.extendee set for non-extension field.
$0$1 $2 $3 = $4
Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "
CHECK failed: dynamic.get() != NULL:
.foo = value".
CHECK failed: !out.HadError():
" is repeated. Repeated options are not supported.
Import "
Missing field: FileDescriptorProto.name.
File recursively imports itself:
[libprotobuf %s %s:%d] %s
%d.%d.%d
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\generated_message_reflection.cc
CHECK failed: (field->options().ctype()) == (ctype):
CHECK failed: value.size() <= kint32max:
..\src\google\protobuf\wire_format_lite.cc
..\src\google\protobuf\wire_format.cc
..\src\google\protobuf\reflection_ops.cc
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
..\src\google\protobuf\io\coded_stream.cc
\xx
..\src\google\protobuf\stubs\strutil.cc
..\src\google\protobuf\descriptor.pb.cc
google/protobuf/descriptor.proto
google.protobuf"G
2$.google.protobuf.FileDescriptorProto"
2 .google.protobuf.DescriptorProto
2$.google.protobuf.EnumDescriptorProto
2'.google.protobuf.ServiceDescriptorProto
2%.google.protobuf.FieldDescriptorProto
.google.protobuf.FileOptions
.google.protobuf.SourceCodeInfo"
2/.google.protobuf.DescriptorProto.ExtensionRange
.google.protobuf.MessageOptions
2 .google.protobuf.FieldDescriptorProto.Label
2*.google.protobuf.FieldDescriptorProto.Type
.google.protobuf.FieldOptions"
2).google.protobuf.EnumValueDescriptorProto
.google.protobuf.EnumOptions"l
2!.google.protobuf.EnumValueOptions"
2&.google.protobuf.MethodDescriptorProto
.google.protobuf.ServiceOptions"
.google.protobuf.MethodOptions"
2).google.protobuf.FileOptions.OptimizeMode:
2$.google.protobuf.UninterpretedOption":
2$.google.protobuf.UninterpretedOption*
2#.google.protobuf.FieldOptions.CType:
experimental_map_key
2$.google.protobuf.UninterpretedOption"/
2-.google.protobuf.UninterpretedOption.NamePart
2(.google.protobuf.SourceCodeInfo.Location
com.google.protobufB
Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:
..\src\google\protobuf\io\tokenizer.cc
Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:
\Ux
Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:
..\src\google\protobuf\dynamic_message.cc
..\src\google\protobuf\text_format.cc
..\src\google\protobuf\stubs\substitute.cc
..\src\google\protobuf\descriptor_database.cc
Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
..\src\google\protobuf\extension_set.cc
CHECK failed: iter != extensions_.end():
..\src\google\protobuf\extension_set_heavy.cc
CNotSupportedException
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
comctl32.dll
comdlg32.dll
shell32.dll
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
CHttpConnection
CHttpFile
hXXp://
HTTP/1.0
user32.dll
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
ShowCmd
Shell32.dll
%s:%x:%x:%x:%x
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
CHotKeyCtrl
msctls_hotkey32
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
CLSID\%s
mfcm100.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
RegDeleteKeyExA
lXXxXXXXXXXX
%sKeyboard-%d
KeyboardManager
%c%d%c%s
CMDIFrameWndEx
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
%s-Bar%d
%s-Summary
MRUDockLeftPos
Bar#%d
%s-%d
%sMFCToolBar-%d%x
%sMFCToolBar-%d
ShortcutKeys
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
%sDockingManager-%d
%sCommandManager
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp
CMDITabProxyWnd
CMDIChildWndEx
MSG_CHECKEMPTYMINIFRAME
ole32.dll
MFCLink_UrlPrefix
MFCLink_Url
%sPane-%d%x
%sPane-%d
&%d %s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
%sBasePane-%d%x
%sBasePane-%d
windows
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
Hex={X,X,X}
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
ENABLE_KEYS
KEYS_MENU
KEYS
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
RGB(%d, %d, %d)
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
portuguese-brazilian
GetProcessWindowStation
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
%s\%s%d%s
%s\%s%s
StopHotkeyMod
StopHotkey
PauseHotkeyMod
PauseHotkey
BeginHotkeyMod
BeginHotkey
Set %s = New CLASS_NAME_%s
%s = QMLibrary.PluginCall(CallCommand)
& CStr(Param%d)
CallCommand = "%s.%s("
Param%d,
Function %s(
Class CLASS_NAME_%s
If IsEmpty(%s) Then Set %s=CreateObject("%s")
If IsEmpty(%s) Then : Set %s = CreateObject("%s") : End If : %s %s.%s(%s)
"   QMLibrary.ProgIDFromCLSID("
KERNELBASE.dll
*.dll
qdisp.dll
VBScript.dll
MSScript.ocx
49]@],01
Kernel32.dll
On Error Resume Next: QMLibrary.SetRunTimeParam %u: QMVBSRoutine.SetRunTimeParam %u: On Error Goto 0: Dim %s
%sF2730835_2229_445E_97C7_13F761277lDA_I_%s
: '[number: %d]',
%sF2730835_2229_445E_97C7_13F761277lDA_S_%u
Set %s=Nothing
QMLibrary.SetGlobalVar "%s", %s, %d
%s=QMLibrary.GetGlobalVar("%s", %d)
QMLibrary.SetGlobalVar "%s", %s, 0
%s=QMLibrary.GetGlobalVar("%s", 0)
%s=%d
CLng(%s)
CoreLib\Log\ExecuteMacro
.qmle
IDispatch error #%d
(Script Error%x%x.
:%x%x.
%s=%s
KeyPress
KeyDown
KeyUp
KeyPressH
KeyDownH
KeyUpH
KeyPressS
KeyDownS
KeyUpS
WaitKey
GetLastKey
Import
CStr(%s)
On Error Resume Next:QMEngine.SetRunTimeParam %u:QMRoutine.SetRunTimeParam %u:On Error Goto 0
QMRoutine.VBSRoutine %u
CStr(%s.%s)
?456789:;<=
!"#$%&'()* ,-./0123
Error 8:%d:%d:%d:%d:
F2730835_2229_445E_97C7_l3F7612771DA.F2730835_2229_445E_97C7_l3F761277lDA(%u)
F2730835_2229_445E_97C7_l3F761277lDA(%u)
%s=%s.%s:Set %s=%s:Set %s=%s.%s:Set %s=Nothing
Dim %s:Dim %s,%s:Set %s=Nothing:Set %s=Nothing
QMVBSRoutine.VBSRoutine(%d):
Set %s.%s=%s:Set %s=%s
%s.%s=%s:
Set %s=New %s_%s:
Dim %s:
Class %s_%s:Dim %s,%s,%s:
%s__%u
%s.%s
QMLibrary.CompColor(
%s=%s %s
Sgn((%s-(%s))*Sgn(%s))
If (IsObject(%s)) Then Set %s=%s(%s) Else %s=%s(%s)
%s=0:
For Each %s In %s:
%s=%s 1:
%s=%s-1:
If (IsObject(%s)) Then:
ReDim %s(%s):
Set %s(%s)=%s:
%s = %s:
%s%s%u
%s=%s:%s=%s:%s=%s:For %s=0 To %u:If %s(%s)=%s Then Exit For:End If:Next
%s(%s)
Set %s=New %s_%s:Set %s.%s=%s:Set %s=%s
, $%d
QMLibrary.CallAPI%d(%s, %s
CoreLib\Compiler\KeyWordsDescription\
Error %d:%d:%d:%d:%d:%s
Hotkey
WebBrowser_HtmlWrite
WebBrowser_SetProxy
WebBrowser_CleanCookie
WebBrowser_SendString
WebBrowser_Save
WebBrowser_ScrollTo
WebBrowser_Refresh
WebBrowser_RunJS
WebBrowser_HtmlExists
WebBrowser_HtmlGet
WebBrowser_HtmlSelectEx
WebBrowser_HtmlSelect
WebBrowser_HtmlCheck
WebBrowser_HtmlInput
WebBrowser_HtmlClickEx
WebBrowser_HtmlClick
WebBrowser_Forward
WebBrowser_Back
Hotkey_Register
Password
GetURL
VirtualKey
%s|%d|%d|%d|%d
([^:\|\}"] )(:([^:\|\}] ))?\|?
]*(("[^"] ")|([^"\{\} ] ))
((((\([^\(\)]*\))|("[^"]*")|([^",])) ,)*((\([^\(\)]*\))|("[^"]*")|([^"\),]))*\))(@<([^<>] )>)?
]*(((\([^\(\)]*\))|("[^"]*")|([^"\),])) ))|\))
]*((((\([^\(\)]*\))|("[^"]*")|([^"\),])) )|\))
ScanKeyMouse
Thread:%d - %s
QMDispatch.QMFunction
GetExeDir
KeyGroup
\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\LocalServer32\
Dim %s
%s = QMEngine.PluginCall(CallCommand)
Param%d
%s = %s.%s(
If IsEmpty(%s) Then
Set %s = CreateObject("%s")
WebBrowser_Clear
WebBrowser_SetIEControlHwnd
WebBrowser_SetIEVersion
WebBrowser_GetStyle
WebBrowser_GetReadyState
WebBrowser_GetIEHwnd
WebBrowser_GetTitle
WebBrowser_GetDialogContent
WebBrowser_GetURL
WebBrowser_GetHtml
WebBrowser_Navigate
XXX
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Global\Event_%s
%d.%d.%d.%d
\hknm_tmp.sys
cfgdll.dll
NTDLL.DLL
SD000.dat
ShieldModule.dat
shield.ini
qmdispatch.dll
qmhelper.dll
winio.dll
%H:%M:%S
.text
\drivers\mouclass.sys
\drivers\kbdclass.sys
error.log
Your program raised an exception and should be closed. Please email hi@vrbrothers.com and report the error message. Thanks!
dbghelp.dll
[X] = X
Name = %s, Base = 0x%X, Top = 0x%X, Size = %d
ESI=X EDI=X ESP=X EBP=X
EAX=X EBX=X ECX=X EDX=X
Address = 0x%X
Type = 0x%X
Software\Microsoft\Windows NT\CurrentVersion
hi@vrbrothers.com
exit.exe
%s%s%X
LineNum = %d(%d)
Environment = %s|%d|%s
%s&Ex=%s
%*[^-]-%[^*]*%[0-9]
Incorrect key length
WebBrowser
OLEACC.DLL
Button.Click
CheckBox.CheckedChanged
ComboBox.SelectedIndexChanged
IpAddress.TextChanged
ListBox.SelectedIndexChanged
RadioButton.CheckedChanged
SpinButton.Click
TextBox.EnterKeyPress
TextBox.LostFocus
Slider.ValueChanged
WebBrowser.NavigateCompleted
CWebBrowser2
WM_XCOMBOLIST_KEYDOWN
UxTheme.dll
\\.\hkSymbolicLink
DeviceIoControl(JDY_HOTKEY_CLEAN) Error! code:%u
DeviceIoControl(JDY_GETLASTKEY) Error! code:%u
failure: CreateService! error code:%u
Invalid Parameter Expression[%s] Function[%s] File[%s:%d]
%s\dump\[d-d-d][dHdMdS][tidu][TickCount%lu].dmp
(%s %p:%i)
IGNORED_KEYWORD
OPERATOR_IS
OPERATOR_GET
OPERATOR_LET
OPERATOR_NE
OPERATOR_GT
OPERATOR_LT
OPERATOR_NOT
OPERATOR_AND
OPERATOR_OR
OPERATOR_XOR
OPERATOR_EQV
OPERATOR_IMP
OPERATOR_EXP
OPERATOR_INTDIV
OPERATOR_MOD
OPERATOR_EQU
OPERATOR_DIV
OPERATOR_MUL
OPERATOR_SUB
OPERATOR_ADD
STATEMENT_IMPORT
E:\SVN\trunk\CodeLib\ANTLR\QMScript\QMScript.g
token OPERATOR_EQU
1:1: Tokens : ( STATEMENT_SET | STATEMENT_CALL | STATEMENT_GOSUB | STATEMENT_CONST | STATEMENT_DIM | STATEMENT_REDIM | STATEMENT_ENV_VAR | STATEMENT_GLOBAL_VAR | STATEMENT_DO | STATEMENT_LOOP | STATEMENT_WHILE | STATEMENT_UNTIL | STATEMENT_EXIT | STATEMENT_FOR | STATEMENT_NEXT | STATEMENT_SUB | STATEMENT_FUNCTION | STATEMENT_EVENT | STATEMENT_REM | STATEMENT_GOTO | STATEMENT_ENDSCRIPT | STATEMENT_USERVAR | STATEMENT_IMPORT | STATEMENT_WEND | STATEMENT_ENDWHILE | STATEMENT_ERASE | STATEMENT_TO | STATEMENT_STEP | STATEMENT_EACH | STATEMENT_IN | STATEMENT_ENDFOR | STATEMENT_IF | STATEMENT_IFCOLOR | STATEMENT_THEN | STATEMENT_ELSEIF | STATEMENT_ELSE | STATEMENT_ENDIF | STATEMENT_SELECT | STATEMENT_CASE | STATEMENT_ON | STATEMENT_ERROR | STATEMENT_RESUME | STATEMENT_RANDOMIZE | STATEMENT_OPTION | STATEMENT_RETURN | STATEMENT_VBS_BEGIN | STATEMENT_VBS_END | STATEMENT_WITH | STATEMENT_DECLARE | CLAUSE_END | DECORATOR_PRIVATE | DECORATOR_PUBLIC | DECORATOR_BYVAL | DECORATOR_BYREF | DECORATOR_EXPLICIT | DECORATOR_PRESERVE | DECORATOR_NEW | DECORATOR_AS | CONST_NULL | CONST_EMPTY | CONST_NOTHING | CONST_TRUE | CONST_FALSE | OPERATOR_ADD | OPERATOR_SUB | OPERATOR_MUL | OPERATOR_DIV | OPERATOR_EQU | OPERATOR_MOD | OPERATOR_INTDIV | OPERATOR_EXP | OPERATOR_IMP | OPERATOR_EQV | OPERATOR_XOR | OPERATOR_OR | OPERATOR_AND | OPERATOR_NOT | OPERATOR_LT | OPERATOR_GT | OPERATOR_NE | OPERATOR_LET | OPERATOR_GET | OPERATOR_IS | AUX_SYMBOL_COMMA | AUX_SYMBOL_DOT | AUX_SYMBOL_LPARENTHESIS | AUX_SYMBOL_RPARENTHESIS | AUX_SYMBOL_AND | AUX_SYMBOL_COLON | T__140 | T__141 | T__142 | T__143 | T__144 | T__145 | T__146 | T__147 | T__148 | T__149 | STATEMENT_END | IGNORED_KEYWORD | ID | FLOAT | DATE | STRING | HEX_INT | OCT_INT | DEC_INT | IGNORED | COMMENT | COMMENT_BLOCK );
Can't terminate a sub-expression with an alternation operator |.
A regular expression can start with the alternation operator |.
Alternation operators are not allowed inside a DEFINE block.
More than one alternation operator | was encountered inside a conditional expression.
A repetition operator cannot be applied to a zero-width assertion.
Invalid alternation operators within (?...) block.
The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.
Found a closing repetition operator } with no corresponding {.
The repeat operator " " cannot start a regular expression.
The repeat operator "?" cannot start a regular expression.
The repeat operator "*" cannot start a regular expression.
right-curly-bracket
left-curly-bracket
0123456789
Unmatched quantified repeat operator { or \{.
Invalid preceding regular expression prior to repetition operator.
lexer->mTokens(): Error: No lexer rules were added to the lexer yet!
is also the end of the line, so you must check your lexer rules
The lexer was matching from line %d, offset %d, which
This indicates a poorly specified lexer RULE
near '%c' :
: lexer error %d :
%s at offset %d,
: expected %s ...
: Missing %s
: Missing token (%d)...
: Extraneous input - expected %s ...
near %s
, near %s
, at offset %d
: error %d : %s
replaceChildren call: Indexes are invalid; no children in list for %s
ANTLR3_EXCEPTION: %s
ANTLR3_EXCEPTION number %d (X).
{WindowsDir}\
\\.\PhysicalDrive0
iphlpapi.dll
ntdll.dll
%s%d%d
ping.exe
VVV.baidu.com -n 2
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
inflate 1.1.3 Copyright 1995-1998 Mark Adler
<%s> attribute has error
%s must be closed with </%s>
it must be closed with </%s>
'<%s> ... </%s>' is not wel-formed.
QMEngine.proto
..\protobuff\QMEngine.pb.cc
.QMProto._MacroDataType"
msg_name
private_key
begin_hotkey
begin_hotkey_mod
pause_hotkey
pause_hotkey_mod
stop_hotkey
stop_hotkey_mod
.QMProto._MacroRunData
.QMProto._MacroInfo"6
.QMProto._MacroInfo"
.QMProto._CompileResult"#
_EnableHotkey_R
hotkey_type
stop_all_hotkey
_DisableHotkey_R
.QMProto._VarInfo"E
_CurExecPos_R
.QMProto._MacroInfo"=
key_info
_MergeScriptKeyInfo_R
_CommonMsgExchange_R
msg_type
wHotkey: %d wHotkeyMod: %d
MacroListData: SourceID = %lu, MacroID = %s, ThreadID = %d, MacroStatus = %d
%Y-%m-%d %H:%M:%S
AlterFlag: %d Old Enable: %d New Enable: %d
begin_hotkey %d begin_hotkey_mod %d
FindKey: %s
&MI=%s_%s_%s_%lu
&MC=%x
P=%s&VP=%s&VR=%s
/UserExperience/SoftwareExperience.shtml?
hXXp://soft.anjian.com/V2014
Set MyMacro = CreateObject("MyMacro.MyGUIMacroControlServer")
hXXp://VVV.vrbrothers.com/cn/qmacro/qkbase/FAQ/Read/
hXXp://bug.vrbrothers.com/?SoftId=47ec9486-0f3c-4fcd-a564-fa0e0c0dd9ad&
.copy
MacroID: %s
Name: %s
Value: %s
VarName: %s
IsAdd: %d
LineNum: %u
IsRecordOrder: %d
MsgCode: %d
%s[%d]
%s = %s
HotkeyServer
ErrorCode: %d
MsgName: %s
FileName: %s
ShmName: %s
MergePart: %s
ScriptEntryLine: %d
Type: %d
IncludeQUIThreads: %d
FileMacro: %s
IsSave: %d
EncryptType %d
Scope: %d
SrcFileName: %s
DesShmName: %s
FilePath: %s
KeyInfo: %s
uservar.ini
MacroContent: %s
MacroName: %s
SavePath: %s
MsgType: %d
PluginName: %s
PluginData: %s
process start verify key
verify_key,k
verify_key
<PROTOCOL_VER>: d
<CORELIB_HOST_ID>: d
%s.version=%d.hostid=%d
ProductPath: %s
E:\BOOST\boost_1_49_0\boost_1_49_0\boost/exception/detail/exception_ptr.hpp
User-Agent: Mozilla/4.0 (MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
%dx%d
1.1.16
hXXp://hm.baidu.com/h.js?
%sReferer: %s
hXXp://log.hm.baidu.com/hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&et=0&ja=1&ln=zh-CN&lo=0<=%s&nv=1&rnd=%s&si=%s&st=1&v=%s&lv=2
hXXp://log.hm.baidu.com/hm.gif?cc=1&ck=1&cl=24-bit&ds=1440x900&ep=2000,100&et=3&ja=1&ln=zh-CN&lo=0<=%s&nv=0&rnd=%s&si=%s&st=4&v=%s&lv=2
%%%X%X
RCodeKey.dat
Copyright (c) J.S.A.Kapp 94-96.
Page %d of %d
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin2.inl
WEBBrowserCtrl
%d|%d
2014.exe
FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT
FEATURE_SCRIPTURL_MITIGATION
FEATURE_WEBOC_POPUPMANAGEMENT
There is an error (%d) when trying deleting temporary internet files.
CQUIHotkeyCtrl
CoreLib\QUI\Control\Hotkey\VKLeftDownText
CoreLib\QUI\Control\Hotkey\VKLeftUpText
CoreLib\QUI\Control\Hotkey\VKLeftDoubleClickText
CoreLib\QUI\Control\Hotkey\VKRightDownText
CoreLib\QUI\Control\Hotkey\VKRightUpText
CoreLib\QUI\Control\Hotkey\VKRightDoubleClickText
CoreLib\QUI\Control\Hotkey\VKMiddleDownText
CoreLib\QUI\Control\Hotkey\VKMiddleUpText
CoreLib\QUI\Control\Hotkey\VKMiddleDoubleClickText
CoreLib\QUI\Control\Hotkey\VKWheelMoveDownText
CoreLib\QUI\Control\Hotkey\VKWheelMoveUpText
CoreLib\QUI\Control\Hotkey\KeyboardHotkeyText
CoreLib\QUI\Control\Hotkey\MouseHotkeyText
CoreLib\QUI\Control\Hotkey\NoHotkeyText
d-d-d
CSCGridURLCell
https:
http:
|*.*|
password
function %s(){%s}
%s.get(0).click();
return %s.size();
Browserjq=jQuery.noConflict();
('#%s')
[name=%s]
[type=%s]
[innerText%c=%s]
[innerText=%s]
[value%c=%s]
[value=%s]
[src%c=%s]
[src=%s]
.eq(%d)
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.PAVCUserException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonCmdUI@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCCmdUsageCount@@
.PAVCOleDispatchException@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.?AVCMD5@@
.?AV?$CList@UHotkeyInfo@CQUIHotkeyManager@CCommonHotkeyManager@@U123@@@
.?AVCCommonHotkeyManager@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDUSQUIControlMemberInfo@CQVMCompiler@@AAU34@@@
.?AVCExecutingVirtualMachineList@CQMVirtualMachine@@
.?AV?$CList@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@AAV12@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDKK@@
.?AVCControlImageSupport@@
.?AVCWndHotkeyControlEx@@
.?AVCWndHotkeyControl@@
.?AVCWndWebBrowserEx@@
.?AVCWndWebBrowser@@
.?AV?$CSerializableMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDKK@@
.?AV?$bind_t@XV?$mf1@XVCMessageUnitServer@Common@@PAVCMsgPack@2@@_mfi@boost@@V?$list2@V?$value@PAVCMessageUnitServer@Common@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AV?$thread_data@V?$bind_t@XV?$function@$$A6AXPAVCMsgPack@Common@@@Z@boost@@V?$list1@V?$value@PAVCMsgPack@Common@@@_bi@boost@@@_bi@2@@_bi@boost@@@detail@boost@@
.?AVCHotkeyManager@@
.?AVCHotkeyBase@CHotkeyManager@@
.?AVCHookHotkey@CHotkeyManager@@
.?AVCRegisterHotkey@CHotkeyManager@@
.?AVCDriverHotkey@CHotkeyManager@@
.?AVCJournalHookHotkey@CHotkeyManager@@
.?AVCDInputHotkey@CHotkeyManager@@
.?AVCWebDialog@@
.?AVCWebBrowser2@@
.?AVCWebBrowser2Ex@@
crt_init
Unsupported Feature - check mirdef.h
Integer operation attempted on Flash number
.?AV?$bind_t@V?$vector@V?$basic_option@D@program_options@boost@@V?$allocator@V?$basic_option@D@program_options@boost@@@std@@@std@@V?$mf1@V?$vector@V?$basic_option@D@program_options@boost@@V?$allocator@V?$basic_option@D@program_options@boost@@@std@@@std@@Vcmdline@detail@program_options@boost@@AAV?$vector@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@2@@_mfi@boost@@V?$list2@V?$value@PAVcmdline@detail@program_options@boost@@@_bi@boost@@U?$arg@$00@3@@_bi@5@@_bi@boost@@
.PAVCException@@
.?AV_EnableHotkey_R@QMProto@@
.?AV_DisableHotkey_R@QMProto@@
.?AV_CurExecPos_R@QMProto@@
.?AV_MergeScriptKeyInfo_R@QMProto@@
.?AV_CommonMsgExchange_R@QMProto@@
.?AVCHotkeyObserver@QMServer@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDVCFunctionEntryInfo@CCodeMacro@@AAV34@@@
.?AV?$sp_counted_impl_p@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@@detail@boost@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDUQUIFormInfo@CQUIFormManager@@AAU34@@@
.?AVCCmdTarget@@
.?AV?$bind_t@XV?$mf1@XVCQMServerBLL@QMServer@@PAVCMsgPack@Common@@@_mfi@boost@@V?$list2@V?$value@PAVCQMDebugBLL@QMServer@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AV?$sp_counted_impl_p@VCMsgPack@Common@@@detail@boost@@
.?AV?$bind_t@XV?$mf1@XVCQMServerBLL@QMServer@@PAVCMsgPack@Common@@@_mfi@boost@@V?$list2@V?$value@PAVCQMServerBLL@QMServer@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.PAVCMemoryException@@
.PAVCFileException@@
.?AVCQUIWebBrowser@@
.?AVCStoreImageSupport@@
.?AVCHotKeyCtrl@@
.?AVCQUIHotkeyCtrl@@
.?AV?$CMap@IIV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@V12@@@
.?AVCQUIHotkeyMenu@@
.PAVCResourceException@@
.?AVCSCGridURLCell@@
C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\Runner.exe
Set QMLibrary_Stub = CreateObject("QMDispatch.QMLibrary")
Set QMLibrary = QMLibrary_Stub.GetQMLibraryObject()
Set QUIMethodObj = QMLibrary.GetQUIMethodObject()
Set QMVBSRoutine = CreateObject("QMDispatch.QMVBSRoutine")
Function KeyPress(KeyCode, Count)
QMLibrary.KeyPress KeyCode, g_iSimulateModeInVBSBlock, Count
Function KeyDown(KeyCode, Count)
QMLibrary.KeyDown KeyCode, g_iSimulateModeInVBSBlock, Count
Function KeyUp(KeyCode, Count)
QMLibrary.KeyUp KeyCode, g_iSimulateModeInVBSBlock, Count
Function KeyGroup(KeyCodes)
QMLibrary.KeyGroup KeyCodes, g_iSimulateModeInVBSBlock
QMLibrary.MouseClick 0, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 2, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 1, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 9, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 3, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 6, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 5, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseClick 8, g_iSimulateModeInVBSBlock, Count
QMLibrary.MouseMove MoveX, MoveY, g_iSimulateModeInVBSBlock, 0
QMLibrary.MouseMove MoveX, MoveY, g_iSimulateModeInVBSBlock, 1
QMLibrary.MouseWheel Movement, g_iSimulateModeInVBSBlock
Function KeyPressH(KeyCode, Count)
QMLibrary.KeyPress KeyCode, 1, Count
Function KeyDownH(KeyCode, Count)
QMLibrary.KeyDown KeyCode, 1, Count
Function KeyUpH(KeyCode, Count)
QMLibrary.KeyUp KeyCode, 1, Count
QMLibrary.MouseClick 0, 1, Count

Runner.exe_4016_rwx_00925000_0000B000:


Runner.exe_4016_rwx_00A5B000_00002000:

eHUSER32.dll
ADVAPI32.dll
NTDLL.dll

Runner.exe_4016_rwx_00A5E000_00027000:


Runner.exe_4016_rwx_00A98000_0004E000:


Runner.exe_4016_rwx_00B28000_00009000:

.jidf
.conj
1?.hk


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Packed file.
  3. Delete or disinfect the following files created/modified by the Packed:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\cefb4b2021321623b2ca2cde9d8d3eb1[1].swf (4251 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\MSG.DLL (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\acookie[1].htm (291 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\WINDOW.DLL (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G7TSM4ZG.txt (141 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\MEMORY.DLL (1552 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\SYS.DLL (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Runner.zip (481172 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\adcon\mm\tmpad.xml (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\COLOR.DLL (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plugin.zip (15548 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\PIC.DLL (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8DJNKVY8.txt (95 bytes)
    C:\ProgramData\boost_interprocess\ZujmmPSdl68J (183 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\k[1].js (29209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\r[1].js (7678 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\k[2].js (8150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\MT.exe (8560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\FILE.DLL (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad-mymacro8-p[1].htm (295 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\go[1].htm (846 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\aad73199e7c8277dbf3bb6345a7b5390[1].jpg (692 bytes)
    C:\ProgramData\boost_interprocess\x2LFJS9VwUSr (256416 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MT.zip (14764 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YEV4251U.txt (74 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mac49CC.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\acookie[1].htm (133 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\ad-mymacro[1].xml (815 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mymacro.zip (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\go[1].htm (846 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PSBQTTMX.txt (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ab839707bb853d9ee2579a0e04062ff1[1].jpg (919 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\ad-mymacro8-b[1].htm (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\hm[1].js (14686 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\app[1].gif (86 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CODV3XW8.txt (94 bytes)
    C:\ProgramData\boost_interprocess\HU7DdW3HvIWv (440472 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\mymacro_errinfo.exe (13584 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\plugin\GETSYSINFO.DLL (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\RKey.dat (704 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\k[1].js (8150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ad-mymacro9.xml.tmp (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\k[2].js (29209 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\mmcount[1].htm (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\67Z28ZCW.txt (93 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RKey.zip (849 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\ad.vrbrothers[1].xml (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\ad-mymacro8-b[1].htm (351 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\Runner.exe (240729 bytes)
    C:\ProgramData\boost_interprocess\P8v8PMFud9G (258 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\mmcount[1].htm (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\QMLog\20170629.log (484 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\cfgdll.dll (7393 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7A4BS0L5.txt (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\h[1].js (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\MyMacro\qdisp.dll (39523 bytes)
    C:\ProgramData\boost_interprocess\P8v8PMFud9GT (256416 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
