Fri, 03/24/2017 - 05:19

Gen.Trojan.Heur.RP.0EWaatcOWjj_d9fff224eb

Gen:[email protected] (B) (Emsisoft), Gen:[email protected] (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS) Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: d9fff224eb4fbccb053f2cd2f9870eb3

SHA1: 7df8aba596b625954d86de78ecc72842a697eecd

SHA256: 4619f0def72937d87cd814ef2b32701a140c72df2143e34d78d6c67d6d2f949e

SSDeep: 49152:ZXJe4uelwfgRMY8KuGAP 32y8KL3z5v8aRCPUk2qLr6k8:RJe4NCfgnAGMaXLVEaRaeq/6k8

Size: 2952704 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6

Company: no certificate found

Created at: 2017-02-19 11:39:03

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

winnet.exe:1780

The Trojan injects its code into the following process(es):

%original file name%.exe:1908
Reality.log:2932

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\winnet.exe (72 bytes)
C:\Windows\winnet.dll (125 bytes)
C:\tbbmalloc.exe (359 bytes)

The process winnet.exe:1780 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QIXNH8A0.txt (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H5UXBDU3.txt (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LGPBOI6P.txt (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (2712 bytes)
C:\Windows\LSP.dll (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ZSHEDCO8.txt (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1464 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\360_cn[1].htm (184 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (2674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\intl_aliyun_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FD1DA35A7CC73400775DD44892329357 (380 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\aliyun_com[1].htm (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_F4C066FA094BC754843DB99590B2CE02 (2032 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1480 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_507563B8F03B0B599FD6AB48BFCFB84A (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FD1DA35A7CC73400775DD44892329357 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1476 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C18B7A4A1C49A0D62FB269C7C94152C2_35B10F420FD9C1E2E7FF5E9724CF167D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1F4BA66CDBFEC85A20E11BF729AF23_AA85F8F9DAFF33153B5AEC2E983B94B6 (1236 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (278 bytes)
C:\Windows\winnet.dll (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FFF10234D401BC2B1190AF97E562D5D_F3D997279517A879744E962D7177C1F4 (1600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sogou_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_684FCCCFC824BF4B1A2F9D4C1AA422EA (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qq_com[1].htm (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\126_com[1].htm (10 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA63E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\126_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jingdong_com[1] (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\360_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA63D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KBEB05BG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XK3GIUWY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\jd_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\intl_aliyun_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\sina_com_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sina_com_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\jd_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\baidu_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\360_cn[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\sogou_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qq_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qq_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6S2AZLV9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\126_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\baidu_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\aliyun_com[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\D:\]
"login.exe" = "DisableNXShowUI"

The process winnet.exe:1780 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-101"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1124"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-103"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] SEQPACKET 2"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "21"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"ProtocolName" = "@%SystemRoot%\System32\wshqos.dll,-102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60102"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] DATAGRAM 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "43"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"ProtocolName" = "VMCI sockets DGRAM"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BDC8D276-A5D8-4E4C-8EB2-2752A8E55337}] DATAGRAM 2"
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] DATAGRAM 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip6_{FB1DE278-988C-428A-AF16-245107A1AA49}] SEQPACKET 3"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"ProtocolName" = "MSAFD NetBIOS [\Device\NetBT_Tcpip_{03967CDD-F8BD-4AC9-8369-0D2BD8F246F5}] SEQPACKET 0"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60101"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"PackedCatalogItem" = "43 3A 5C 57 69 6E 64 6F 77 73 5C 4C 53 50 2E 64"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"ProtocolName" = "@%SystemRoot%\System32\wshtcpip.dll,-60100"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"ProtocolName" = "@%SystemRoot%\System32\wship6.dll,-60102"

[HKLM\SOFTWARE\Microsoft\Tracing\winnet_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
"ProtocolName" = "LR_LSP"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
"ProtocolName" = "VMCI sockets STREAM"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002C]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002B]
[HKLM\System\CurrentControlSet\services\WinSock2\Parameters\Protocol_Catalog9\0000002A]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5                               File path
9e6bb4361ee32703cff0d82d4e5b2e34  c:\Windows\LSP.dll
74fd54dafeda3b2a8bd33129dcdd3087  c:\Windows\winnet.dll
9343169d6cf4ff200bf12a5b189efc4c  c:\Windows\winnet.exe
0ce89ea9135afb535e047fcd5af8f14f  c:\tbbmalloc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    winnet.exe:1780

  2. Delete the original Trojan file.
  3. Delete or disinfect the files created/modified by the Trojan (the same files listed under File activity above).

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             31159         0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata  36864            10056         0         0        d41d8cd98f00b204e9800998ecf8427e
.data   49152            12812         0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp0   65536            2982386       0         0        d41d8cd98f00b204e9800998ecf8427e
.vmp1   3051520          2664720       2664960   5.42596  1f086447083577b94a21f8755a4c7f50
.reloc  5718016          224           512       1.97216  8f958fd3e1adf85a0e51b7152ca3eb98
.rsrc   5722112          286205        286208    1.88602  a9bf22c4a148bad28e02ff4bea303059

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1

Cache-Control: max-age = 345600

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}. </style>. <a href=//VVV.google.com/><span id=logo aria-label=Google></span></a>. <p><b>404.</b> <ins>That's an error.</ins>. <p>The requested URL <code>/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon</code> was not found on this server. <ins>That's all we know.</ins>.

404. That's an error. The requested URL /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY was not found on this server. That's all we know.

GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf/JPbFze27kLzihDdGdfcCEQDvBRp0Gh2UCfyl5GQPjTyb HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: subca.ocsp-certum.com

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:33:00 GMT

Content-Type: application/ocsp-response

Content-Length: 1702

Connection: keep-alive

Content-transfer-encoding: binary

X-Cached: MISS

Server: NetDNA-cache/2.2

X-Cache: HIT

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: squid/3.5.20

Content-Type: text/html; charset=GB2312

Cache-Control: max-age=59

Expires: Thu, 23 Mar 2017 06:33:42 GMT

Date: Thu, 23 Mar 2017 06:32:43 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.aliyun.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: Tengine

Date: Thu, 23 Mar 2017 06:33:27 GMT

Content-Type: text/html

Content-Length: 278

Connection: keep-alive

Location: hXXps://intl.aliyun.com/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<h1>301 Moved Permanently</h1>..<p>The requested resource has been assigned a new permanent URI.</p>..<hr/>Powered by Tengine</body>..</html>....

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.taobao.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Server: Tengine

Date: Thu, 23 Mar 2017 06:32:43 GMT

Content-Type: text/html

Content-Length: 258

Connection: keep-alive

Location: hXXps://VVV.taobao.com/

Set-Cookie: thw=ua; Path=/; Domain=.taobao.com; Expires=Fri, 23-Mar-18 06:32:43 GMT;

Strict-Transport-Security: max-age=31536000

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<h1>302 Found</h1>..<p>The requested resource resides temporarily under a different URI.</p>..<hr/>Powered by Tengine</body>..</html>....

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.126.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 23 Mar 2017 06:33:45 GMT

Content-Type: text/html

Content-Length: 97571

Connection: keep-alive

Vary: Accept-Encoding

Vary: Accept-Encoding

Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT

Vary: Accept-Encoding

Expires: Thu, 23 Mar 2017 06:42:07 GMT

Cache-Control: max-age=3600

X-Cache: HIT from HKGM

Accept-Ranges: bytes

X-Cache: from ntes_hw

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.sina.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:33:13 GMT

Server: PWS/8.2.0.7

X-Px: ht h0-s2004.p0-mow.cdngp.net

Cache-Control: max-age=60

Expires: Thu, 23 Mar 2017 06:33:17 GMT

Age: 56

Accept-Ranges: bytes

Content-Length: 601537

Content-Type: text/html

Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT

X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218

Connection: keep-alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Cache-Control: max-age = 440358

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 18 Nov 2013 13:12:21 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1454

content-transfer-encoding: binary

Cache-Control: max-age=354606, public, no-transform, must-revalidate

Last-Modified: Mon, 20 Mar 2017 08:59:30 GMT

Expires: Mon, 27 Mar 2017 08:59:30 GMT

Date: Thu, 23 Mar 2017 06:33:40 GMT

Connection: keep-alive

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.jingdong.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-length: 0

Location: hXXps://VVV.jd.com/

Connection: close

GET /wosign-ovca.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: wosign.crl.certum.pl

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:33:10 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 3201

Connection: keep-alive

Last-Modified: Wed, 22 Mar 2017 18:07:06 GMT

ETag: "30032-c81-a0d26680"

X-Cached: EXPIRED

Server: NetDNA-cache/2.2

X-Cache: HIT

Accept-Ranges: bytes

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Tue, 01 Oct 2013 05:02:51 GMT

If-None-Match: "8071417b63bece1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 02 Dec 2015 18:30:06 GMT

Accept-Ranges: bytes

ETag: "0cb60772f2dd11:0"

Server: Microsoft-IIS/8.5

VTag: 279498805900000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 530

Cache-Control: max-age=900

Date: Thu, 23 Mar 2017 06:33:46 GMT

Connection: keep-alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSD6ko+A2xkatUMVJtLDHYP3ZqccAQUoRNU3FZzLCeCysiE7+6/AP1fq1YCEA2p36mqGmxaqpMIxrUTcxI= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: wosign-ovca.ocsp-certum.com

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:33:08 GMT

Content-Type: application/ocsp-response

Content-Length: 1539

Connection: keep-alive

Content-transfer-encoding: binary

X-Cached: HIT

Server: NetDNA-cache/2.2

X-Cache: HIT

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.126.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 23 Mar 2017 06:33:15 GMT

Content-Type: text/html

Content-Length: 97571

Connection: keep-alive

Vary: Accept-Encoding

Vary: Accept-Encoding

Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT

Vary: Accept-Encoding

Expires: Thu, 23 Mar 2017 06:42:07 GMT

Cache-Control: max-age=3600

X-Cache: HIT from HKGM

Accept-Ranges: bytes

X-Cache: from ntes_hw

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:32:45 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Set-Cookie: BAIDUID=1FE0E7E4BC8E601C299EA5EE14A6305E:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BIDUPSID=1FE0E7E4BC8E601C299EA5EE14A6305E; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: PSTM=1490250765; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BDSVRTM=0; path=/

Set-Cookie: BD_HOME=0; path=/

Set-Cookie: H_PS_PSSID=1430_21108_17001_20928; path=/; domain=.baidu.com

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Cache-Control: private

Cxy_all: baidu c8e00989edf39554a0508b60b12bc5b0

Expires: Thu, 23 Mar 2017 06:32:19 GMT

X-Powered-By: HPHP

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

BDPAGETYPE: 1

BDQID: 0xd0ec947b000102a5

BDUSERID: 0

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=409215, public, no-transform, must-revalidate

Last-Modified: Tue, 21 Mar 2017 00:09:19 GMT

Expires: Tue, 28 Mar 2017 00:09:19 GMT

Date: Thu, 23 Mar 2017 06:32:50 GMT

Connection: keep-alive

0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..20170321000919Z0s0q0I0... ...................B.>.I.$&[email protected]20170328000919Z0...*.H...............6..MW..f.x.....G.&5.g...A.......5uP......)...ME6.L..r5.r'....|m/.~....(..g$......52..x.l....%/....hcE.D..,f..R.DX.me.D..;.r.i^.....&I.F..F...b8.:i3s.........}.....6r..R}...(O.`.....:v~..v.*6....k~.^,R.[U..c.a ......T;.0..Q..k..\W.?\..../.DAl}.`~lU...}.......0...0...0..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...161122000000Z..171214235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 50.."0...*.H.............0.............................m..|........1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.)Z........ ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...#..H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4.....D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://www.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...r..7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..g...S.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s2.symcb.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=409215, public, no-transform, must-revalidate

Last-Modified: Tue, 21 Mar 2017 00:09:19 GMT

Expires: Tue, 28 Mar 2017 00:09:19 GMT

Date: Thu, 23 Mar 2017 06:32:50 GMT

Connection: keep-alive


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.360.cn

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: nginx/1.2.9

Date: Thu, 23 Mar 2017 06:32:44 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: hXXps://VVV.360.cn

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.2.9</center>..</body>..</html>....

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.sina.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:33:44 GMT

Server: PWS/8.2.0.7

X-Px: ht h0-s2004.p0-mow.cdngp.net

Cache-Control: max-age=60

Expires: Thu, 23 Mar 2017 06:34:17 GMT

Age: 27

Accept-Ranges: bytes

Content-Length: 601537

Content-Type: text/html

Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT

X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218

Connection: keep-alive


GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDEVLD4SzDqtMG/eBnw== HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp2.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:32:58 GMT

Content-Type: application/ocsp-response

Content-Length: 1570

Connection: keep-alive

Set-Cookie: __cfduid=d49fc2a38117f47ba398cc4839209165c1490250778; expires=Fri, 23-Mar-18 06:32:58 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Thu, 23 Mar 2017 03:29:27 GMT

Expires: Mon, 27 Mar 2017 03:29:27 GMT

ETag: "8884992b1de4c69d057ebd82700de9fc67bd5c87"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 343f5b4641a14f4a-DME


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.baidu.com

Cache-Control: no-cache

Cookie: BAIDUID=1FE0E7E4BC8E601C299EA5EE14A6305E:FG=1; BIDUPSID=1FE0E7E4BC8E601C299EA5EE14A6305E; PSTM=1490250765; H_PS_PSSID=1430_21108_17001_20928; BDSVRTM=0; BD_HOME=0

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:33:15 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Cache-Control: private

Cxy_all: baidu dda8f4b3a5e3bbe4dec65d42ded924a4

Expires: Thu, 23 Mar 2017 06:33:03 GMT

X-Powered-By: HPHP

Server: BWS/1.1

X-UA-Compatible: IE=Edge,chrome=1

BDPAGETYPE: 1

BDQID: 0xeaffe3270000f7ed

BDUSERID: 0

Set-Cookie: BDSVRTM=0; path=/

Set-Cookie: BD_HOME=0; path=/

Set-Cookie: H_PS_PSSID=1430_21108_17001_20928; path=/; domain=.baidu.com


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.360.cn

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: nginx/1.2.9

Date: Thu, 23 Mar 2017 06:33:07 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: hXXps://VVV.360.cn

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.2.9</center>..</body>..</html>....

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.126.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 23 Mar 2017 06:32:44 GMT

Content-Type: text/html

Content-Length: 97571

Connection: keep-alive

Vary: Accept-Encoding

Vary: Accept-Encoding

Last-Modified: Thu, 09 Mar 2017 06:51:57 GMT

Vary: Accept-Encoding

Expires: Thu, 23 Mar 2017 06:42:07 GMT

Cache-Control: max-age=3600

X-Cache: HIT from HKGM

Accept-Ranges: bytes

X-Cache: from ntes_hw


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: squid/3.5.20

Content-Type: text/html; charset=GB2312

Cache-Control: max-age=60

Expires: Thu, 23 Mar 2017 06:34:19 GMT

Date: Thu, 23 Mar 2017 06:33:19 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.163.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Expires: Thu, 23 Mar 2017 06:34:03 GMT

Date: Thu, 23 Mar 2017 06:32:43 GMT

Server: nginx

Content-Type: text/html; charset=GBK

Transfer-Encoding: chunked

Vary: Accept-Encoding,User-Agent,Accept

Cache-Control: max-age=80

X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)

Connection: keep-alive


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.jingdong.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Content-length: 0

Location: hXXps://VVV.jd.com/

Connection: close

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.sina.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:32:43 GMT

Server: PWS/8.2.0.7

X-Px: rf-ms h0-s2004.p0-mow ( h0-s2001.p0-mow), ht h0-s2001.p0-mow.cdngp.net

Cache-Control: max-age=60

Expires: Thu, 23 Mar 2017 06:33:17 GMT

Age: 26

Accept-Ranges: bytes

Content-Length: 601537

Content-Type: text/html

Last-Modified: Thu, 23 Mar 2017 06:31:20 GMT

X-Via-CDN: f=TXCDN,s=87.118.248.106,c=194.242.96.218

Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEBWsfo6gTWKBdqI6VatS5Uo= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1609

content-transfer-encoding: binary

Cache-Control: max-age=469987, public, no-transform, must-revalidate

Last-Modified: Tue, 21 Mar 2017 17:05:05 GMT

Expires: Tue, 28 Mar 2017 17:05:05 GMT

Date: Thu, 23 Mar 2017 06:32:55 GMT

Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CECQ1SvQ/t8C2OzukI4M8ERw= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ss.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1609

content-transfer-encoding: binary

Cache-Control: max-age=451642, public, no-transform, must-revalidate

Last-Modified: Tue, 21 Mar 2017 12:00:18 GMT

Expires: Tue, 28 Mar 2017 12:00:18 GMT

Date: Thu, 23 Mar 2017 06:32:56 GMT

Connection: keep-alive


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.360.cn

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: nginx/1.2.9

Date: Thu, 23 Mar 2017 06:33:44 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: hXXps://VVV.360.cn

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.2.9</center>..</body>..</html>....

GET / HTTP/1.1

User-Agent: winnet

Host: VVV.aliyun.com

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Server: Tengine

Date: Thu, 23 Mar 2017 06:32:44 GMT

Content-Type: text/html

Content-Length: 278

Connection: keep-alive

Location: hXXps://intl.aliyun.com/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<h1>301 Moved Permanently</h1>..<p>The requested resource has been assigned a new permanent URI.</p>..<hr/>Powered by Tengine</body>..</html>....

GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w/sCEQCTkoVAAWVxX5R/KI/vyZso HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: subca.ocsp-certum.com

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:32:54 GMT

Content-Type: application/ocsp-response

Content-Length: 1657

Connection: keep-alive

Content-transfer-encoding: binary

X-Cached: MISS

Server: NetDNA-cache/2.2

X-Cache: HIT


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.163.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Expires: Thu, 23 Mar 2017 06:34:03 GMT

Date: Thu, 23 Mar 2017 06:32:43 GMT

Server: nginx

Content-Type: text/html; charset=GBK

Transfer-Encoding: chunked

Vary: Accept-Encoding,User-Agent,Accept

Cache-Control: max-age=80

Age: 61

X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)

Connection: keep-alive


GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1

Cache-Control: max-age = 10800

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 11:51:19 GMT

If-None-Match: "8958b58603e19e9b46868d4300d201ea9ae7099b"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.globalsign.com

HTTP/1.1 200 OK

Date: Thu, 23 Mar 2017 06:32:53 GMT

Content-Type: application/ocsp-response

Content-Length: 1518

Connection: keep-alive

Set-Cookie: __cfduid=d8a8484918d128d1685e7c650bee36c2b1490250773; expires=Fri, 23-Mar-18 06:32:53 GMT; path=/; domain=.globalsign.com; HttpOnly

Last-Modified: Thu, 23 Mar 2017 05:09:59 GMT

Expires: Mon, 27 Mar 2017 05:09:59 GMT

ETag: "b3ee1471b72f0ced734a0acb26041b5d1b044a55"

Cache-Control: public, no-transform, must-revalidate

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 343f5b24d4454ede-DME


GET / HTTP/1.1

User-Agent: winnet

Host: VVV.163.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Expires: Thu, 23 Mar 2017 06:34:03 GMT

Date: Thu, 23 Mar 2017 06:32:43 GMT

Server: nginx

Content-Type: text/html; charset=GBK

Transfer-Encoding: chunked

Vary: Accept-Encoding,User-Agent,Accept

Cache-Control: max-age=80

Age: 30

X-Via: 1.1 czdx87:4 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)

Connection: keep-alive


Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1908:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

GetProcessWindowStation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Reality.log

D:\chengzhen\

\StartGame\Release\StartGame.pdb

C:\OneRun.txt

360tcpview

365tcpview

cports

tcpview

httpanalyzer

C:\tbbmalloc.exe

tbbmalloc.exe

c:\%original file name%.exe

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

USER32.DLL

operator

activation.php?code=

deactivation.php?hash=


user32.dll