Trojan.Win32.FlyStudio_8610d33899
Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8610d3389910f888de0d0ebe1a3ce061
SHA1: c00bb493133dff19eb9abfd3578772635475c7c8
SHA256: a96ecede8c9e45e5ee537ef6bfe369cca50f73b089750755a12e9dc72a4b2bd7
SSDeep: 24576:hnaFZnMf5AJt57zCOrG/RN6RG 7ZzHD20WYyb60asfs uBYTO:henMaXra5N6Rv1cW/svjTO
Size: 1888256 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-05-22 09:11:00
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2928
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVU3JNLU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\id[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TCH2R76M.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QB2Y37I3.txt (0 bytes)
Registry activity
The process %original file name%.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91293"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1463897460"
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\faxuan.net]
"(Default)" = "20"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 866263 | 868352 | 4.47758 | 16c6a569d59ac444f71f7ffd2453ab39 |
| CODE | 872448 | 338768 | 339968 | 4.57896 | 2acdb705e40e5832b663b1ab65dbe92c |
| .rdata | 1212416 | 373196 | 376832 | 4.4531 | badc389810e59620b12f03e6900a883d |
| .data | 1589248 | 475147 | 69632 | 3.66069 | 924848d6abe71110bd3dcdf413b4a045 |
| DATA | 2068480 | 69260 | 69632 | 5.14555 | fb3673f94b0b6aa3d257c6a5fb6cabba |
| BSS | 2138112 | 25785 | 28672 | 0 | cf845a781c107ec1346e849c9dd1b7e8 |
| .rsrc | 2166784 | 127432 | 131072 | 2.28929 | 0871a8f30e7e4e72f9412b5986185fd1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /da/i.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: bqq.gtimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:57 GMT
Cache-Control: max-age=600
Expires: Sun, 19 Mar 2017 00:41:57 GMT
Last-Modified: Tue, 17 Jan 2017 07:54:50 GMT
Content-Type: application/x-javascript
Content-Length: 13195
Content-Encoding: gzip
X-NWS-LOG-UUID: b02c8cbd-b014-4a17-9697-ca12e767fa91
Keep-Alive: timeout=60
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /wpadisplay/r.gif?version=3.3.7.20160126&wty=3&type=&nameAccount=4006570518&kfuin=&ws=xf.faxuan.net&aty=0&a=0&title=&wording=&wording2=&tencentSig=5898714112&1489883517376 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: prom.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 25 Jul 2016 09:54:54 GMT
Connection: close
ETag: "5795e1ee-0"
Accept-Ranges: bytes
GET /cgi/ta.php?na=4006570518&dm=faxuan.net&cb=JSONP_CALLBACK_2_28 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpl.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/javascript
Content-Length: 53
Connection: close
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
JSONP_CALLBACK_2_28({"r":0,"data":{"sid":"2385419"}})..
GET /c/=/crm/wpa/release/3.3.7/wpa/ta.js,/crm/wpa/release/3.3.7/wpa/kfuin.js,/crm/wpa/release/3.3.7/wpa/sid.js,/crm/wpa/release/3.3.7/util/titleFlash.js,/crm/wpa/release/3.3.7/util/className.js,/crm/wpa/release/3.3.7/util/Style.js,/crm/wpa/release/3.3.7/util/taskMgr.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:54 GMT
Last-Modified: Fri, 22 Jul 2016 19:07:42 GMT
Content-Type: application/x-javascript
Content-Length: 1695
Content-Encoding: gzip
X-NWS-LOG-UUID: fdd522da-a684-47ce-9e8a-845c391e5952
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /c/=/crm/wpa/release/3.3.7/util/localStorage.js,/crm/wpa/release/3.3.7/wpa/SelectPanel.js,/crm/wpa/release/3.3.7/util/css.js,/crm/wpa/release/3.3.7/util/contains.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:55 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:55 GMT
Last-Modified: Fri, 22 Jul 2016 19:07:15 GMT
Content-Type: application/x-javascript
Content-Length: 3583
Content-Encoding: gzip
X-NWS-LOG-UUID: 504e67e3-a4d4-46f6-9e81-f502c822746f
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /cgi-bin/r.cgi?flag1=7818&flag2=21&flag3=1&3=2067&&1489883516356 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: isdspeed.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Cache-Control: max-age=0
Expires: Sun, 19 Mar 2017 00:31:57 GMT
1.....0..
GET /jsonp/mta?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&t=j0fy6gev&callback=S3JSONPPREFIXyi7ym0 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 22
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
S3JSONPPREFIXyi7ym0();..
GET /ping/id?v=0.6.6&tid=4006570518&aid=&sid=1.1.sdyr8n.j0fy6get&qid=sjoq3o.t0e4l5.j0fy6ges&pid=i9b1v3.3fir2g.j0fy6ges&qqm=3&t=j0fy6ia5&cid=1940917248&src=12&z=ngke5u HTTP/1.1
Accept: */*
Referer: hXXp://combo.b.qq.com/da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
Cookie: __qidianid=87af85c63adaa7058ecd29406314a27e0b85c26a
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:32:01 GMT
Content-Type: image/gif
Content-Length: 35
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
GIF87a.............,...........D..;..
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Set-Cookie: rid=32a0cb241a97f8ecaba3339c887081d6;expires=31 GMT;path=/;domain=faxuan.net
Location: hXXp://xf.faxuan.net/
Access-Control-Allow-Origin: *
a7..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>openresty/1.7.10.1</center>..</body>..</html>..0......
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/vendor/easyui14/themes/easyui.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-9f0d"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/vendor/jquery/jquery.cookie.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-5e1"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/index/orhonmclib.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-3d44"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/index/orhon-U2M.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:39 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-361"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/vendor/jsrender.js HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:42 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-4506"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/widget/comm_validatebox_rules.js?_=1489883499424 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:49 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1136"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/images/login/bg_login.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/jpeg
Content-Length: 126290
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-1ed52"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /ping/pv?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&r=&pt=国家工作人员学法用法及考试平台_登录&sw=1276&sh=846&dpr=1&saw=1276&sah=802&scd=32&so=&bw=390&bh=310&tz=-2&hasf=23.0.0&hasadb=1&hasc=1&hastc=0&hasls=1&hasss=1&hasid=0&t=j0fy6gfy&z=bsg424 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/gif
Content-Length: 35
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Set-Cookie: __qidianid=87af85c63adaa7058ecd29406314a27e0b85c26a; expires=Mon, 19-Mar-2018 00:31:59 GMT; path=/; domain=.qidian.qq.com
GIF87a.............,...........D..;..
GET /cgi/conv.php?num=4006570518&cb=JSONP_CALLBACK_1_77 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpl.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/javascript
Content-Length: 93
Connection: close
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
JSONP_CALLBACK_1_77({"r":0,"data":{"kfuin":938032293,"nameAccount":"4006570518","envId":11}})..
GET /baseui/vendor/easyui14/themes/icon.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-8a6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/comm_cookies.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-7d4"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/common/tooltipster_style.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1e6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/common/popwin_style.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-555"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/common/comm_resources.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Wed, 08 Mar 2017 04:56:52 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58bf8f14-906"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/login/s/login_1_s.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-2e6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/login/v/login_1_v.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-1f13"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/orhonmatrixfont.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:41 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-554"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/vendor/easyui14/lib/form-validate.js HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:46 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-11921"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/widget/comm_popwin.js?_=1489883499426 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1715"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/login/map.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/png
Content-Length: 123144
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-1e108"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /crmReport/accesslog?FUID=&FKFUin=&FNa=4006570518&FRurl=&1489883516356 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: report.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
GET /se/r.gif?na=4006570518&ref=&1489883516357 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: prom.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 25 Jul 2016 09:54:55 GMT
Connection: close
ETag: "5795e1ef-0"
Accept-Ranges: bytes
GET /baseui/vendor/json2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-d39"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/comm_util.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-95f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/js/comm_serv.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-726"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /bps/userpoint/s/userpoint_1_s.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-40f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
GET /baseui/style/newcss/login.css?v=20160911 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-11ea"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/up.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:42 GMT
Content-Type: image/png
Content-Length: 347
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-15b"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/js/widget/comm_validatebox_customtooltip.js?_=1489883499423 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:47 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-12ee"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/topnav_bg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/jpeg
Content-Length: 21507
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-5403"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /cgi/wpa.php HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpa.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: text/javascript
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Encoding: gzip
<<< skipped >>>
GET /c/=/crm/wpa/release/3.3.7/wpa/APIs/addCustom.js,/crm/wpa/release/3.3.7/lang/extend.js,/crm/wpa/release/3.3.7/util/domain.js,/crm/wpa/release/3.3.7/wpa/WPA.js,/crm/wpa/release/3.3.7/wpa/wpaMgr.js,/crm/wpa/release/3.3.7/lang/browser.js,/crm/wpa/release/3.3.7/util/proxy.js,/crm/wpa/release/3.3.7/util/pad.js,/crm/wpa/release/3.3.7/util/Bits.js,/crm/wpa/release/3.3.7/util/getJSONP.js,/crm/wpa/release/3.3.7/util/cookie.js,/crm/wpa/release/3.3.7/util/events.js,/crm/wpa/release/3.3.7/util/onLoad.js,/crm/wpa/release/3.3.7/util/offset.js,/crm/wpa/release/3.3.7/util/Panel.js,/crm/wpa/release/3.3.7/util/onIframeLoaded.js,/crm/wpa/release/3.3.7/util/GUID.js,/crm/wpa/release/3.3.7/wpa/getQQVersion.js,/crm/wpa/release/3.3.7/wpa/ViewHelper.js,/crm/wpa/release/3.3.7/wpa/views.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:54 GMT
Last-Modified: Fri, 12 Aug 2016 09:00:23 GMT
Content-Type: application/x-javascript
Content-Length: 48165
Content-Encoding: gzip
X-NWS-LOG-UUID: ac008d89-bb76-4556-9406-2036b987d4c8
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:58 GMT
Cache-Control: max-age=600
Expires: Sun, 19 Mar 2017 00:41:58 GMT
Last-Modified: Tue, 17 Jan 2017 07:54:50 GMT
Content-Type: text/html
Content-Length: 5261
Content-Encoding: gzip
X-NWS-LOG-UUID: ee30b696-64af-4905-89b8-95cf831a9839
Keep-Alive: timeout=60
Access-Control-Allow-Origin: *
X-Cache-Lookup: Hit From Disktank Gz
<<< skipped >>>
GET /baseui/vendor/jquery/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-178cf"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/style/newcss/public.css?v=20160911 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-14f1"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/style/popwin.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:41 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-41f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/vendor/easyui14/lib/base.js HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:44 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-4978"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/js/widget/comm_customFuncTip.js?_=1489883499425 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:49 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-5ee"
Access-Control-Allow-Origin: *
Content-Encoding: gzip
<<< skipped >>>
GET /baseui/images/login/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/png
Content-Length: 29795
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-7463"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /baseui/images/login/switch.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:56 GMT
Content-Type: image/png
Content-Length: 363
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-16b"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/bg_user.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/png
Content-Length: 1006
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-3ee"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/bg_pwd.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/png
Content-Length: 737
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-2e1"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/icon_phone.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:58 GMT
Content-Type: image/png
Content-Length: 625
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-271"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
GET /baseui/images/login/icon_qq.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/png
Content-Length: 1786
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-6fa"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
<<< skipped >>>
GET /service/gc.html?timestamp=1489883514000 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6
HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/jpeg
Content-Length: 1240
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Wed, 02 Dec 2015 10:19:41 GMT
ETag: "565ec5bd-4d8"
Accept-Ranges: bytes
Age: 26507
X-Cache: HIT from 192.168.1.51
X-Cache-Lookup: HIT from 192.168.1.51:80
Via: 1.0 192.168.1.51 (squid/3.1.10)
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\taskMgr[1].js (193 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\comm_util[1].js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S99OLKTL.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\xf.faxuan[1].xml (199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\views[1].js (69642 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\login_1_s[1].js (742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[2].js (54106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QB2Y37I3.txt (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\comm_serv[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\public[1].css (3973 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\switch[1].png (363 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\orhon-U2M[1].js (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\comm_validatebox_customtooltip[1].js (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg_pwd[1].png (737 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\up[1].png (347 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.