Sun, 03/19/2017 - 15:07

Gen.Variant.Strictor.30813_2f66caa17a

Susp_Dropper (Kaspersky), Gen:Variant.Strictor.30813 (B) (Emsisoft), Gen:Variant.Strictor.30813 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS) Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

Summary

MD5: 2f66caa17a0593efb1a256375a3498f0

SHA1: 43b4be4a346d7f36924c23169972461b16920310

SHA256: 45c78ff131caf4f7c3a314bf30682e0315a92d1b6445cc260c6378cef61d7c18

SSDeep: 24576:VcP21rCcC ePtSidsAMg1wiokaRa2Nd5mDHk/I0 JLu /fq x0 Q 2 Zib8y:VcE3wPcg1yk72NdqS

Size: 1150976 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: no certificate found

Created at: 2017-03-05 06:40:58

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es): No processes have been created. The Trojan injects its code into the following process(es):

%original file name%.exe:2948

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2948 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\json2[1].js (7098 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\TCapIframe[1].js (3389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53P3XZXY.txt (521 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\TCapIframeApi[1].js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pt_fetch_dev_uin[1].js (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ptlogin_report[1].bmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ptqrshow[1].png (443 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\TCapMsg[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ptui_ver[1].js (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\xlogin[1].htm (4057 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SWUMN0R8.txt (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\xver[1].htm (99 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SWUMN0R8.txt (0 bytes)

Registry activity

The process %original file name%.exe:2948 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1488688858"

[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\json2[1].js (7098 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\TCapIframe[1].js (3389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53P3XZXY.txt (521 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\TCapIframeApi[1].js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pt_fetch_dev_uin[1].js (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ptlogin_report[1].bmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ptqrshow[1].png (443 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\TCapMsg[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ptui_ver[1].js (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\xlogin[1].htm (4057 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SWUMN0R8.txt (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\xver[1].htm (99 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

Company Name: Product Name: ????? Product Version: 1.0.0.0 Legal Copyright: ?????? ???????? Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0 File Description: ????? Comments: ??????????(http://www.eyuyan.com) Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	795859	798720	4.51169	5761d83ff1599b96f8d3fa7eea1bc7b1
.rdata	802816	135718	139264	3.03499	aaa813473c8ebb85dd40208a7dc13a8d
.data	942080	332104	81920	3.74431	059f7ca78fb815ba1dc4769d0ed620e7
.rsrc	1277952	125404	126976	3.49971	0b2037f2a37a97501a893d4195a6d44c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=312326273372QQ277325274344&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
hxxp://p21.tcdn.qq.com/ptlogin/v4/style/40/images/icon_3_tiny.png
hxxp://p21.tcdn.qq.com/ptlogin/ver/10202/js/c_login_2.js?max_age=604800&ptui_identifier=000D23D5992EA4F87FE009A76A8597E442DFB25655F76190B41C7DFE
hxxp://p21.tcdn.qq.com/ptlogin/v4/style/0/images/load.gif
hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/xver?t=0.490436319051
hxxp://p21.tcdn.qq.com/ptlogin/v4/style/20/images/shouQ_v2/small_8.png
hxxp://a1574.b.akamai.net/ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t=0.6017620177549429&daid=5
hxxp://a1574.b.akamai.net/pt_fetch_dev_uin?r=0.1144178000241039&pt_guid_token=1251078382
hxxp://captcha.qq.com/template/TCapIframeApi.js?aid=549000912&rand=0.2165467144450235&clientype=2&lang=2052&apptype=2	112.90.83.73
hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/report?id=455847
hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/report?id=492804
hxxp://xui.ptlogin2.tencent-cloud.com/ptui_ver.js?v=0.3508854457222641&ptui_identifier=000E0129A00FE67B9531D473EAF1292E75EDCF49FD44439FCA2ADCB556
hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/report?id=358342&t=0.046202841897111435
hxxp://log.ptlogin2.tencent-cloud.com/cgi-bin/ptlogin_report?id=462348&msg=gzipæŽ¢æµ‹å¼‚å¸¸ï¼Œè¿”å›žå†…å®¹ï¼švar _gz=!0,img=new Image;img.src=location.protocol+"//ui.ptlogin2.qq.com/cgi-bin/report?id=455848";è¿”å›žç ï¼š200uin=\|_\|http://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http%3A//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http%3A%2F%2Fqzs.qq.com%2Fqzone%2Fv5%2Floginsucc.html%3Fpara%3Dizone&pt_qr_app=ÃŠÃ–Â»ÃºQQÂ¿Ã•Â¼Ã¤&pt_qr_link=http%3A//z.qzone.com/download.html&self_regurl=http%3A//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http%3A//z.qzone.com/download.html\|_\|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&v=0.35947195415446303
hxxp://p21.tcdn.qq.com/1/TCapMsg.js
hxxp://p21.tcdn.qq.com/1/json2.js
hxxp://p21.tcdn.qq.com/1/TCapIframe.js?v=1.0
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796263979&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796266990&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796270000&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796273012&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796276022&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796279035&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796282044&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796285054&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796288065&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796291076&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796294087&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&
hxxp://imgcache.qq.com/ptlogin/v4/style/40/images/icon_3_tiny.png	203.205.158.37
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796276022&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796285054&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=....QQ....&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html	203.205.142.186
hxxp://ptlogin2.qq.com/ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t=0.6017620177549429&daid=5	2.21.89.43
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796270000&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://imgcache.qq.com/ptlogin/ver/10202/js/c_login_2.js?max_age=604800&ptui_identifier=000D23D5992EA4F87FE009A76A8597E442DFB25655F76190B41C7DFE	203.205.158.37
hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=492804	203.205.142.186
hxxp://imgcache.qq.com/ptlogin/v4/style/20/images/shouQ_v2/small_8.png	203.205.158.37
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796273012&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/load.gif	203.205.158.37
hxxp://xui.ptlogin2.qq.com/cgi-bin/xver?t=0.490436319051	203.205.142.186
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796263979&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796282044&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796288065&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://captcha.gtimg.com/1/TCapIframe.js?v=1.0	203.205.158.38
hxxp://xui.ptlogin2.qq.com/ptui_ver.js?v=0.3508854457222641&ptui_identifier=000E0129A00FE67B9531D473EAF1292E75EDCF49FD44439FCA2ADCB556	203.205.142.186
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796266990&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=455847	203.205.142.186
hxxp://captcha.gtimg.com/1/json2.js	203.205.158.38
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796294087&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://ptlogin2.qq.com/pt_fetch_dev_uin?r=0.1144178000241039&pt_guid_token=1251078382	2.21.89.43
hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=358342&t=0.046202841897111435	203.205.142.186
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796291076&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
hxxp://captcha.gtimg.com/1/TCapMsg.js	203.205.158.38
hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796279035&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5&	2.21.89.43
www.xiaoqianyl.com	170.159.173.53
log.wtlogin.qq.com	183.61.38.241

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /template/TCapIframeApi.js?aid=549000912&rand=0.2165467144450235&clientype=2&lang=2052&apptype=2 HTTP/1.1

Accept: */*

Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: captcha.qq.com

Connection: Keep-Alive

Cookie: _qpsvr_localtk=0.3517042217588793

HTTP/1.1 200 OK

Server: tencent http server

Accept-Ranges: bytes

Pragma: No-cache

P3P: CP=CAO PSA OUR

Content-Length: 2743

Connection: close

Content-Type: application/x-javascript

<<< skipped >>>

GET /pt_fetch_dev_uin?r=0.1144178000241039&pt_guid_token=1251078382 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

P3P: CP="CAO PSA OUR"

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 53

Date: Sat, 18 Mar 2017 00:17:41 GMT

Connection: keep-alive

Set-Cookie: pt_recent_uins=e75ea3177331630f090d49f30908786aa22763ff34ebc51bb1364959fa5ed026a3f9102a1e6b288c0e7f1b7de6848b7b27b7add7f3c99c30; EXPIRES=Mon, 17-Apr-2017 00:17:40 GMT; PATH=/; DOMAIN=ptlogin2.qq.com; HttpOnly

ptui_fetch_dev_uin_CB({"errcode":22027,"data":[]});..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..P3P: CP="CAO PSA OUR"..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 53..Date: Sat, 18 Mar 2017 00:17:41 GMT..Connection: keep-alive..Set-Cookie: pt_recent_uins=e75ea3177331630f090d49f30908786aa22763ff34ebc51bb1364959fa5ed026a3f9102a1e6b288c0e7f1b7de6848b7b27b7add7f3c99c30; EXPIRES=Mon, 17-Apr-2017 00:17:40 GMT; PATH=/; DOMAIN=ptlogin2.qq.com; HttpOnly..ptui_fetch_dev_uin_CB({"errcode":22027,"data":[]});......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796266990&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:17:47 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(1758464724)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:17:47 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(1758464724)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796273012&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:17:53 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(2489323120)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:17:53 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(2489323120)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796279035&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:17:59 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(1045447828)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:17:59 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(1045447828)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796285054&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 65

Date: Sat, 18 Mar 2017 00:18:05 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(136340752)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 65..Date: Sat, 18 Mar 2017 00:18:05 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(136340752)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796291076&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:18:11 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(2356178916)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:18:11 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(2356178916)', '');....

GET /cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=....QQ....&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: xui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2017 00:17:15 GMT

Content-Type: text/html

Content-Length: 10177

Connection: keep-alive

Server: QZHTTP-2.38.41

P3P: CP="CAO PSA OUR"

Cache-Control: max-age=86400

Set-Cookie: pt_user_id=5155553559719578009; EXPIRES=Tue, 16-Mar-2027 00:17:15 GMT; PATH=/; DOMAIN=ui.ptlogin2.qq.com;

Set-Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; PATH=/; DOMAIN=ptlogin2.qq.com;

Set-Cookie: pt_clientip=9ca9c2f260dae245; PATH=/; DOMAIN=ptlogin2.qq.com;

Set-Cookie: pt_serverip=a80a0ab19b5d9f37; PATH=/; DOMAIN=ptlogin2.qq.com;

Set-Cookie: pt_local_token=-2070306734; PATH=/; DOMAIN=ptlogin2.qq.com;

Set-Cookie: uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; PATH=/; DOMAIN=ptlogin2.qq.com;

Set-Cookie: pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; EXPIRES=Mon, 17-Apr-2017 00:17:15 GMT; PATH=/; DOMAIN=ptlogin2.qq.com;

Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT

Content-Encoding: gzip

...........}y........wHRa.=..zoU..Z=..m023...".*.;...T...MGH.......`.{..f.. ./...>.{_`T.._...;..ys....v.QCw.w9........x.;....................|....S....U...;....r.d..;...=........-{3.{K....va.Z......-.P[e.,/..Q......q.o......V.....2.u......:.2.....o.f.......gw{.m5.].....H./[.M...am......u<h..^.b=..t.4....m.....~....~M.....;.....P..,..Z.o8T.........2............).....u.../......w{~?|.^RcF...(........~c...........KwS.....s^..6......9.wz...u.......... ..aw.-o...~a......2.\/..F-<f{.Zyq.2.x..l..c.1.(0..[N.Y.M.~gjz..jz...Qo4..g.z.......^X.._... ....~}.u......|........t..../.fx....O.r...C..v3.......EUh...U....zp..*.u.D..W?.}.>...._.....N..lP..^yu...Q...y.k...y}.....[...^.7......y........O.......>...._...OG.ra..o...&Uv..............?........v..7.~..]...7.....7..f......I.=W=.^..D..D.........}P...7...?.K..Xd;. d.....^P....y..TO.........$..;..]l..o.=.4...JT[.9}..W..P..A.vv...9j.D.A.....y;.....:.w)C.lHI.[w.z#...h.-g...G.j. .......=C.VB#.}..F.....x....R....~.8P.&D.Z....ct..Q}..xMj..N..6..[.......>.*....-x.....dkg........r.^k.:&j..>[..........}..qz=...b.TZ,W.i.........F......D|*...,..~........9...<.TJ....3...r._....._.....'.....:....1H<.....\.<q.iz._....}.)..... P.Y..(/L]T.Va......|.m.._...dX.z.m.[7..T...k(~"1_.".u[. .r.T--.K...(.....e.V.T)U.......%h...........Nc.UvN...."sHq.d.`Q.H[V.....V..<E<e.%..E.~.....Nb....vV1,J..72.UJ.4F.6..F..J.2.P......x..w. t..%P..:..h!.Kv.....!........v.=..Y....C..T...?.J.:....*..G....$ ...id. .v...o.G.z&..w..g...'v'....q.A....y..as].*....6.....R.4Xw.D..vzn...l..

<<< skipped >>>

GET /cgi-bin/xver?t=0.490436319051 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: xui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2017 00:17:40 GMT

Content-Type: text/html

Content-Length: 114

Connection: keep-alive

Server: QZHTTP-2.38.41

P3P: CP="CAO PSA OUR"

Content-Encoding: gzip

............Q..0.......TF.A...B...@..X7....{...N?...'r9|.-y...p*.(. K..R.%..1.C.Q.....P.A.....PD..og.i.s...3..c...HTTP/1.1 200 OK..Date: Sat, 18 Mar 2017 00:17:40 GMT..Content-Type: text/html..Content-Length: 114..Connection: keep-alive..Server: QZHTTP-2.38.41..P3P: CP="CAO PSA OUR"..Content-Encoding: gzip..............Q..0.......TF.A...B...@..X7....{...N?...'r9|.-y...p*.(. K..R.%..1.C.Q.....P.A.....PD..og.i.s...3..c.......

GET /ptui_ver.js?v=0.3508854457222641&ptui_identifier=000E0129A00FE67B9531D473EAF1292E75EDCF49FD44439FCA2ADCB556 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: xui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2017 00:17:41 GMT

Content-Type: application/x-javascript

Content-Length: 177

Connection: keep-alive

Server: QZHTTP-2.38.41

Last-Modified: Mon, 13 Mar 2017 08:20:18 GMT

Content-Encoding: gzip

Cache-Control: public; max-age=86400

Expires: Sun, 19 Mar 2017 00:17:41 GMT

..........U....0.._%v....,.ex.E....C...9.....aW....|...g.X....]e..7.W.{...WR."#.bX."..%...!....}7.|...i.K...0...<S..........D.. ...>.=.R.$N4J?...v ".~..N...b.D%....)Y....'V/....HTTP/1.1 200 OK..Date: Sat, 18 Mar 2017 00:17:41 GMT..Content-Type: application/x-javascript..Content-Length: 177..Connection: keep-alive..Server: QZHTTP-2.38.41..Last-Modified: Mon, 13 Mar 2017 08:20:18 GMT..Content-Encoding: gzip..Cache-Control: public; max-age=86400..Expires: Sun, 19 Mar 2017 00:17:41 GMT............U....0.._%v....,.ex.E....C...9.....aW....|...g.X....]e..7.W.{...WR."#.bX."..%...!....}7.|...i.K...0...<S..........D.. ...>.=.R.$N4J?...v ".~..N...b.D%....)Y....'V/......

GET /cgi-bin/report?id=492804 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2017 00:17:41 GMT

Content-Type: image/bmp;

Content-Length: 66

Connection: keep-alive

Server: QZHTTP-2.38.41

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

BMB.......>...(...................................................HTTP/1.1 200 OK..Date: Sat, 18 Mar 2017 00:17:41 GMT..Content-Type: image/bmp;..Content-Length: 66..Connection: keep-alive..Server: QZHTTP-2.38.41..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..BMB.......>...(.....................................................

GET /cgi-bin/report?id=455847 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2017 00:17:41 GMT

Content-Type: image/bmp;

Content-Length: 66

Connection: keep-alive

Server: QZHTTP-2.38.41

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

GET /cgi-bin/report?id=358342&t=0.046202841897111435 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2017 00:17:42 GMT

Content-Type: image/bmp;

Content-Length: 66

Connection: keep-alive

Server: QZHTTP-2.38.41

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

BMB.......>...(...................................................HTTP/1.1 200 OK..Date: Sat, 18 Mar 2017 00:17:42 GMT..Content-Type: image/bmp;..Content-Length: 66..Connection: keep-alive..Server: QZHTTP-2.38.41..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..BMB.......>...(.....................................................

GET /cgi-bin/ptlogin_report?id=462348&msg=gzipæŽ¢æµ‹å¼‚å¸¸ï¼Œè¿”å›žå†…å®¹ï¼švar _gz=!0,img=new Image;img.src=location.protocol+"//ui.ptlogin2.qq.com/cgi-bin/report?id=455848";è¿”å›žç ï¼š200uin=|_|http://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http%3A//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http%3A%2F%2Fqzs.qq.com%2Fqzone%2Fv5%2Floginsucc.html%3Fpara%3Dizone&pt_qr_app=ÃŠÃ–Â»ÃºQQÂ¿Ã•Â¼Ã¤&pt_qr_link=http%3A//z.qzone.com/download.html&self_regurl=http%3A//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http%3A//z.qzone.com/download.html|_|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&v=0.35947195415446303 HTTP/1.1

Accept: */*

HTTP/1.1 200 OK

Connection: close

Server: QZHTTP-2.38.20

Date: Sat, 18 Mar 2017 00:17:41 GMT

Content-Type: image/bmp;

Content-Length: 66

BMB.......>...(.....................................................

GET /ptlogin/v4/style/20/images/shouQ_v2/small_8.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

Cookie: _qpsvr_localtk=0.3517042217588793

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:40 GMT

Cache-Control: max-age=259200

Expires: Tue, 21 Mar 2017 00:17:40 GMT

Last-Modified: Mon, 06 Jun 2016 09:14:56 GMT

Content-Type: image/png

Content-Length: 8566

X-NWS-LOG-UUID: 55c232d7-04c3-4f94-82a3-6e2dfabdc148

Keep-Alive: timeout=60

Vary: Accept

X-Cache-Lookup: Hit From Disktank

.PNG........IHDR.............b.{X....gAMA......a.....sRGB.........PLTELiq....................................^^^............................................................zzzccc......................................................................................................................................................fff......7............................................................................................{yx...............ONP.........bba>>>&..$$(stsYXZ......mml...U..[.................ppp...v.....D.....z........k....K`>,......p[Q...Q. ...2........C.....Q..}..A........r....u.~...?......qr.l..=&......~eP>......=..,...ka....a@...[....q.......b.......<{...w.............~^...&m......O......,..O....`..H...ck{....|*.kZ......>...q9.PY.....B......*h~.Bq.J'yJC|...BY.kk...3....Gu.V...&...%.Y.....x...z...l[.&...8.......6....0tRNS..%....0.. I7U>..z.e....U.....\...xI.............?-.....IDATx...mL......1..(I.4.M.Vj.I~sv...g|G.........1..cc.Mx.v0.......b..4.....R..i...:.......)..-...E.v.....c'.a.ot._...>....p...m.J.r)..;.[..).y.HI^nV...G..wI.O..*."...Rp..e".......e...2..]Y;3.{..e...2,...rA..k.%..0. ..lr.r3Y...P.s /..de...d.).....%s...$..gg..........w.I..wd....-....Z...B.......-.....F..p......C....~..`(...B......;.......lW......q.b0......CC...p(..W...&..-...D<..`4..x...C.^......F.....p....c.cC..1...p.......#....b...P..k>|h...b...%...E{4@.P.....'h.D...#j.2R..t.5.{.6.....&. ..@`)...I. .D....]......x..uW,..J.~p.x=.$.^.D...U{=.E/.........]....I.......c5.......c$..=..v........v4

<<< skipped >>>

GET /ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t=0.6017620177549429&daid=5 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: tencent http server

Accept-Ranges: bytes

Pragma: No-cache

P3P: CP="CAO PSA OUR"

Content-Type: image/png

Content-Length: 443

Date: Sat, 18 Mar 2017 00:17:40 GMT

Connection: keep-alive

Set-Cookie: qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; PATH=/; DOMAIN=ptlogin2.qq.com;

.PNG........IHDR...o...o.............pHYs................mIDAT8...An. ...1,...@.5.y%.......q...Pw,&..^.&].y.....D...$.....D.,............`...{..........$.W......&..86......X.....)....Vd......`..k.....z`...5...............g........5......v.....FN.F.......T..h.*9e..W......z.c...K.[)....3.[.P8..g..s.;...X.'#.i.%.W.Q..4.,.(f.F.A.........zK....v ....7..0...#.......d.X.2..Km.T.J9...^. KIg...\.K...YFx6.-..Y..A..4.z.Hb......M|.....,Z>)....IEND.B`.HTTP/1.1 200 OK..Server: tencent http server..Accept-Ranges: bytes..Pragma: No-cache..P3P: CP="CAO PSA OUR"..Content-Type: image/png..Content-Length: 443..Date: Sat, 18 Mar 2017 00:17:40 GMT..Connection: keep-alive..Set-Cookie: qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; PATH=/; DOMAIN=ptlogin2.qq.com;...PNG........IHDR...o...o.............pHYs................mIDAT8...An. ...1,...@.5.y%.......q...Pw,&..^.&].y.....D...$.....D.,............`...{..........$.W......&..86......X.....)....Vd......`..k.....z`...5...............g........5......v.....FN.F.......T..h.*9e..W......z.c...K.[)....3.[.P8..g..s.;...X.'#.i.%.W.Q..4.,.(f.F.A.........zK....v ....7..0...#.......d.X.2..Km.T.J9...^. KIg...\.K...YFx6.-..Y..A..4.z.Hb......M|.....,Z>)....IEND.B`.....

<<< skipped >>>

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796263979&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:17:44 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(3484442688)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:17:44 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(3484442688)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796270000&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:17:50 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(3165664804)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:17:50 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(3165664804)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796276022&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:17:56 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(3046127756)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:17:56 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(3046127756)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796282044&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:18:02 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(4017122992)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:18:02 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(4017122992)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796288065&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 66

Date: Sat, 18 Mar 2017 00:18:08 GMT

Connection: keep-alive

ptuiCB('66','0','','0','.....................(1108371936)', '');..HTTP/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Expires: -1..Content-Type: application/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18 Mar 2017 00:18:08 GMT..Connection: keep-alive..ptuiCB('66','0','','0','.....................(1108371936)', '');......

GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796294087&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tencent Login Server/2.0.0

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Expires: -1

Content-Type: application/x-javascript; charset=utf-8

Content-Length: 65

Date: Sat, 18 Mar 2017 00:18:14 GMT

Connection: keep-alive

ptuiCB('66','0','','0','..........

GET /1/json2.js HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: captcha.gtimg.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:41 GMT

Cache-Control: max-age=600

Expires: Sat, 18 Mar 2017 00:27:41 GMT

Last-Modified: Tue, 28 Feb 2017 02:22:34 GMT

Content-Type: application/x-javascript

Content-Length: 5426

Content-Encoding: gzip

X-NWS-LOG-UUID: e2cfa8f9-83e0-41fc-b99b-8653572b7836

Keep-Alive: timeout=60

p3p: CP="CAO PSA OUR"

X-Cache-Lookup: Hit From Disktank Gz

...........<ks.8... 0..PJdY.e27..|.....$N........@..Ej...........l';u....D.h4...fv.o....$~9.....h............fQ..w.J.....t,.....~:.&.........;q|">|.....wC...H...o._N...O........J.E.......f.....a.^.^f.E...x..".......I...L.U..A..{..J..:JnV*..u...Jf~.....&.....~..U..^.. ..........3....uvr....o.....`.........zw$......G'.?:9..........tvr....I.FJ........Q2.....dv......@.0...&. ./.y6.Y..oapC.d<.k.fJ../......Q.."..H_......o..Ec.w.....\.D....Y!.......T.4.7..x.u..H.y...7.R.&.A..9.....a..d.aV.5..B.......E=3.6..`A....'(b..!.c._$.....B..T..J.V>.....a<...8...X.6...`....T.......#Y.9<...\].b.FQ'4.1 ..h......LI..,B.....[..X.@.:.......!.s.R..v.... .....\..TTA..-zY./...7.=d..,.e.}.. nZ/....X..'2.P @.-.|.....Pb.&..'%$.#r.i...jZP..u.bG.X.P..".....XUg\'Op..(F....~l.#V..}.>. .;B..)..<.Jm. CqX.7O`.q.B..PF...1.5U .L....*...U..j......k..E...B.Wy.\.....~...L.(.m3..'UE...Pf-3b=.^*0PY.....:....1..Cmd.!.P...*.....Z....h(..EX.cc...8..(x..!.]..7k5..|S...l./n[....zq...vw...0%..]......J.fDJf9..yx.27....!b..bo$..7......x.u.}s......B._.../....i..._.o..w...u.~.]Z...b...S...~......O.[R....S...p.. .<....*...r.?.&....D.....A..B..\.e.3k....&U..V.n.... ..R.F...>T4.._....!.6.#...YB......b.L`..9f.\.;..2kh.....#.t..yu.G.........k..!.fXS.....5#..C.n....T.......f..a.=.. =AV..zV"l.C.f`......B.>........N.R...9,...!.B&.,...D?......H..8c...S...6..0t4....n..i.^..>.....n...]k7..9.Z...T`..F...g...7.....3.U.Z..-..M.m. .._.IKqs...'_r..t.s.r F.......$$.....cq. .........1.F:.:.ZA..r...;j..o4.VA1....MCIK0.wp.>..........[. .V..q.[.

<<< skipped >>>

GET /ptlogin/v4/style/40/images/icon_3_tiny.png HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:38 GMT

Cache-Control: max-age=259200

Expires: Tue, 21 Mar 2017 00:17:38 GMT

Last-Modified: Wed, 18 May 2016 07:00:15 GMT

Content-Type: image/png

Content-Length: 10711

X-NWS-LOG-UUID: 6e820b82-af6e-42dc-b0d9-faf76fda3cb5

Keep-Alive: timeout=60

Vary: Accept

X-Cache-Lookup: Hit From Disktank

.PNG........IHDR.............D.Q.....PLTE.....................r..q..r....................342JOE.......-..*..*..&..$.....%..&.|.........Y........$..$.. .. .....%..%..'.................$......................................................W..........................e............../n.%...../l.$.......................}../..}../...<..u.)u.)......[..B...................................t.(...x.)}. ......!.(.................-.. ../..................r....#n.....k...........A.....Z....#..!u..w..{..~....%...................................}../........%.......*...B%"-........"z....0.....A.#..........**6....&....9:I......12AN....%.................................BDW.....b.....z.....Njlp..............3...= ....TV`..........;5......R3 .=...S.qri.....wP.z|........C,.tr.....9....J*....g..s.....:'.|..TH....i.sEJ..........ltRNS.n2I..,.2.....&.......)....}..C.'#..WA<l`6..iO.L..v.=RV.....^....3........3......SVX.dqT.~..........H.............&.IDATx....j"Q....0.h5..4..$w.:..$..I#.H!.$..n`....*..^Q..6{...h>.k....8.../........C.9...92.G..y.......3,.HB....$.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I.I...0k.0.}F.J..mA{.C0i....$i.I.<.A.E.fp..h.(.H......j..51W...Dps..X..^.........U..JZ..Kk.a.....d5IfY.$K.:IHB.....$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$b.I.S.....Nn.V..*Y.*.|..Z%....kR...4,.S`..A..'.'...........T.<7.sq.....K......gD...p......l..[......../Q.;..gf....b..}...>$.v..^mU.)2..[d.I..t.nw.8...$....?&I.#.I.GV%q.gc5..z......y..$."[$.....H....&....}dSw.sdSI..c#....$...M....z.A..N2...#...&..,$.j.$.w

<<< skipped >>>

GET /ptlogin/ver/10202/js/c_login_2.js?max_age=604800&ptui_identifier=000D23D5992EA4F87FE009A76A8597E442DFB25655F76190B41C7DFE HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:39 GMT

Cache-Control: max-age=604800

Expires: Sat, 25 Mar 2017 00:17:39 GMT

Last-Modified: Mon, 13 Mar 2017 08:35:13 GMT

Content-Type: application/x-javascript

Content-Length: 34017

Content-Encoding: gzip

X-NWS-LOG-UUID: 0676e8a0-3cd0-49ed-939a-3e2342a409cf

Keep-Alive: timeout=60

Vary: Origin

X-Cache-Lookup: Hit From Disktank Gz

...........}ks.Hr......... ..z...~.L...Z....8..,R.M.h..Z#.....].}..[......../..8G.............*...T..^.L.P.....|.C..7........{.....7|....G.......?.&,fF.^..........#j..........Y,7q.-.N=d......'.c.#.{.~.....h..M..i........U}..S>e.a.W...W..s.Y..$..j.......uk.X...4..t...._O|.x.......Mt.q0.....a.g..E.z...E...?xe.y@..;..!..(2p#.YZ....m..<d...-....4...........,kGm6.......K.N.......0...n%@.l..&..@.,p..{~.y'1..~D............e.&)G..W*....s...m....7..~..k.2.n.....L......O.7./.^.j.`-.a]....`.].7.....;e-..8..........8...._q...kA.....V..c>..../...@...kY&V.. !.Ak".)B.......]....c.e.....<.uN..E.3>.~...g.c..:..P.R...GO\>..Q.W...........Q6U.q5..|.3.^. ...).G.....CFld.3>...0.. N..'..9q...L.~........`...X.ZQ,.w......a..7b..:. .1..FH..)=..r...)..RD..>hb...........h.m...{.m........,b..1.........;8;..F......hnom#.~?.......Dm......n..... ......2.....@...RQ....b6.5....Z..!..H..7W.....Z.....N.G..)...'.......6.......7...&....]/.....v...;[..!cbX`.fA..M4.0.q.R...........;g......Z5kS..4.Md.,.......d....vQ.A...H..$.%.W.r.$.=.hf..r...#...>.....3.c_..G1..........._..Oy...y.....*0..&..r2...b..;A._. ..d.f6.~0Z..Q..............y..^In]G].....]yG...0.......P..(......:B......da.R..\...,.u.aE........8...d.<#....w.......Xmi=)S].A.i..h.n..K$a...`.[QX.&..ls|..c......I...V...F....AD.-_J....@..l.X.....).w. ...*.#4y..,.K...?SF.P.94.E.....V{f..V..f*.)........H....lJ.u.3}.1."].T<.O......t^u.J._O........V.B..u..N...I...G...|.2C=.f...#!..B6....0T1....x..d.....G3..Y....n..V.|.....3FVYZ!...#.p... .\..vQ*........D)q..A......4._X.'

<<< skipped >>>

GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

Cookie: _qpsvr_localtk=0.3517042217588793

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:39 GMT

Cache-Control: max-age=2592000

Expires: Mon, 17 Apr 2017 00:17:39 GMT

Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT

Content-Type: image/gif

Content-Length: 817

X-NWS-LOG-UUID: 083e3276-b515-49ca-8bb6-92d19b60fcbd

Keep-Alive: timeout=60

Vary: Origin

X-Cache-Lookup: Hit From Disktank

GIF89a.....................................wul..y............!..NETSCAPE2.0.....!.......,..........O.......{....Y..`....I.D8.. S.....(.......D..(.I~.. .H`....Z.f....k.N..q...;'.L..!.......,..........N.......{..@.1....Q]AiN.:..)S.T...,........b....$?...Q(0.).j.f....{....n.-~N....!.......,..........M.........,Eeu......%5..E...f3. ......g(..<...L...D".X`.RJ.J.N..........9...=..!.......,..........N...J..Z.'B. ..q`.....P)8./,S&.$.$.......y....D...."..`.R.ak.b.........m..^S....!.......,..........M......Z.gJ.....}.H..I...b$.(.t..}.......~9..@Y,2..........i00......|......t;..!.......,..........M...R..Z..R.. ..}.H..I.l....t.P0....B....v>.CG1.2...i.P....J.0.R-.....J....t;..!.......,..........M......Z..Z..$..}.H..I.l...at..0..........8..B d..L.I.B)...q80...&..t.......3..;/* |xGv00|a0977a7e1f04529fe4ad7ac9aebd6177 */..

GET /1/TCapMsg.js HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: captcha.gtimg.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:41 GMT

Cache-Control: max-age=600

Expires: Sat, 18 Mar 2017 00:27:41 GMT

Last-Modified: Tue, 28 Feb 2017 02:22:34 GMT

Content-Type: application/x-javascript

Content-Length: 636

Content-Encoding: gzip

X-NWS-LOG-UUID: 285d82b6-58a2-486a-b054-3462a4ebfc41

Keep-Alive: timeout=60

p3p: CP="CAO PSA OUR"

X-Cache-Lookup: Hit From Disktank Gz

..........}S]o.0.. ..*X......-.L..i.&MQ49`.7bg......^0.N.....s|.......!."..j#....*..*...nPF...>c...o.._ ..P........I..#.9B.]T$..s.1.u..f.......\s.1.....pH...z..%W.R| .7...k............B....F...z.G...A(..m..{..ZL...wN...:#..-...#.......=p.q....(q@l..V..iSO@.2......M...;...xR.HE.i..o...."..w8.}..3.~ ........N.ev5W."....#..`Q.xh..:..(T..v...h...Hi.*QK.3.Z....hO.....mr..J....F. .Q.....f.4.ZF.....2.d.J..#....2....G2k..w.....5....=.y^..g!...%^..l...[................y.tA?..:....D.. 0kp.,V.B...,.bh.=@.}.....t9.3.&_....v.z......91.;..f.......k.B5.`.y....S..3.......m........s..T.........Hr2.&..g..,m..?..F..q..:..2_.t..M.#.....8..3I.RL........

GET /1/TCapIframe.js?v=1.0 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: captcha.gtimg.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: X2S_Platform

Connection: keep-alive

Date: Sat, 18 Mar 2017 00:17:41 GMT

Cache-Control: max-age=600

Expires: Sat, 18 Mar 2017 00:27:41 GMT

Last-Modified: Tue, 28 Feb 2017 02:22:34 GMT

Content-Type: application/x-javascript

Content-Length: 3252

Content-Encoding: gzip

X-NWS-LOG-UUID: ac2ee52e-92be-4cf2-8065-93dfde8457da

Keep-Alive: timeout=60

p3p: CP="CAO PSA OUR"

X-Cache-Lookup: Hit From Disktank Gz

...........Zms.6.. 2.N% D'...RE=.....i<..z3..CQ..3M....H.....$..$..}.....b.,...e.V.4V\...v.....0..._.j..%{z...s/8./...C..$M...g...).=.._..Co.F^@....|..3E.X1.@....,K....x.:......yf....H6P....q.3....*..q..lm%r_.c...(.7..b......q......A....M..H...K.../..p.:.x..f..Sc.....b..E..w.Q.,.a..`............d...S....4.&I-9..T.P..H..6....NS..&..Q5.N..~....%.......m.WHx.{.&....a,..d.....V..7."_.4R8.8.51..].."....=......p........X..n.....E.......w.$..].....Y~)x.B.9..d.6.....C..y.Y...]=...o.J='..9......[E.D......)4..bK.."...`/HF]...T.zas.q..%.s..J\....q.%.0R...f.x#....(...W..^@...`e.x.:#..ph.. .v.....0T}N~C.Oi....K-..]5N...-....l..u....t)V ...6.z1F'...L...yL..u......d .._..D.I.p(.H.=y.7/.. K.h..d.RRW...J!)M...#BR#........3....~F.....G......M...O...`...u...qw.fS..=.0...MZ..[.\.9.A.s..u(.|.?:..=..Y.....<..MofpiN|..U .5..W/.*....SX....<........:Z...3..q.38.|rCdgN.3..vZ.LRP1.."...{.|.HN....[o..R..*....../.0.@....D...9.i,.q.....C......o.....*...pg.HEp.1}.c;.y......"..|Nc...A...a.......2`......p/q.:....O%..w...S#. y.;.{..B......W..1........dR..r]...Y.z...d....:d.DW....W. ........g.Y.....YALV(Y.g.Gdc).j.I5.dzx.g#rC!'/'...tw..7....._...P..-..N\.]Vt\..8..Wt.!.2.I4..XY.B,...B.yd.S...,^....u.M'/...T.....a.,].H.L.I...a.=.E...).&{E =..@.%&y.!..-).R.........\k...\...C!0j...1?.y......QA...#hVP....##.}.&.....*S.4....R..X.....N....{)...U.!.b.rW<..!.F..|... .oSh..@..3.v..QPi..|.*...L....H2k(.....X.....w3.....G.G...).$kwr...n..a......m.....s..8....0tA.I.....$..c b.....Z.....#./..QU...n.v..O..%.A5.<@...Xw..N...K............[.U......

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2948:

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

~%UVW

u$SShe

Bv.SCv=kAv

wininet.dll

ole32.dll

kernel32.dll

user32.dll

ShellExecuteA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

EnumWindows

CreateIoCompletionPort

{B6F7542F-B8FE-46a8-9605-98856A687097}

hXXp://VVV.xiaoqianyl.com/txzshc20170305.txt

hXXp://VVV.xiaoqianyl.com/

qzone.qq.com

hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=

&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html

hXXp://

hXXps://

user.qzone.qq.com/

p_skey=(.*?);

(*.txt)|*.txt|

(*.*)|*.*

social.show.qq.com/cgi-bin/qqshow_camera_noname?g_tk=

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

https

QQ.exe

hXXp://r.cnc.qzone.qq.com/cgi-bin/tfriend/friend_mngfrd_get.cgi?uin=

tencent://ContactInfo/?subcmd=ViewInfo&puin=0&uin=

VBScript.RegExp

z>wininet.dll

%d&&'

123456789

00003333

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

RASAPI32.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

EnumChildWindows

USER32.dll

GetViewportOrgEx

GDI32.dll

WINMM.dll

MSIMG32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WS2_32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

(*.htm;*.html)|*.htm;*.html

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

w7D666D666D888D

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)