Analysis Date: 2018-04-19 14:07:13
MD5: a206a9c3e933e47c7547ad06e0cf930c
SHA1: 73a5514063ed284ca1438a1b591a8c9b59df75f0

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV: Arcabit (arcavir) — Trojan.Generic.11739707
AV: Authentium — No Virus
AV: Grisoft (avg) — Dropper.Generic_c.ABKW
AV: Avira (antivir) — No Virus
AV: Alwil (avast) — Downloader-VRF [Trj]
AV: Alwil (avast) — Malware-gen
AV: Alwil (avast) — Win32:Malware-gen
AV: Ad-Aware — Trojan.Generic.11739707
AV: BitDefender — Trojan.Generic.11739707
AV: BullGuard — Error Scanning File
AV: ClamAV — No Virus
AV: Dr. Web — Trojan.DownLoader11.31360
AV: Emsisoft — Trojan.Generic.11739707
AV: MicroWorld (escan) — Trojan.Generic.11739707
AV: CA (E-Trust Ino) — Error Scanning File
AV: Fortinet — W32/Chindo.B!tr.dldr
AV: Frisk (f-prot) — No Virus
AV: F-Secure — Trojan.Generic.11739707
AV: Ikarus — Trojan.Downloader.Chindo
AV: K7 — No Virus
AV: Kaspersky — Error Scanning File
AV: MalwareBytes — No Virus
AV: Mcafee — Generic StartPage.at
AV: Microsoft Security Essentials — SoftwareBundler:Win32/Chindo
AV: NANO — Error Scanning File
AV: Eset (nod32) — NSIS/TrojanDownloader.Chindo.C
AV: Padvish — No Virus
AV: CAT (quickheal) — No Virus
AV: Rising — No Virus
AV: 360 Safe — No Virus
AV: SUPERAntiSpyware — No Virus
AV: Symantec — Trojan.Gen
AV: Trend Micro — No Virus
AV: Twister — No Virus
AV: VirusBlokAda (vba32) — No Virus
AV: Windows Defender — SoftwareBundler:Win32/Chindo
AV: Zillya! — Error Scanning File

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\73a5514063ed284ca1438a1b591a8c9b59df75f0.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\Phil
Creates File: C:\Users\Phil\AppData
Creates File: C:\Users\Phil\AppData\Local
Creates File: C:\Users\Phil\Desktop\desktop.ini

Process
↳ C:\Windows\explorer.exe

Creates File: C:\
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\Phil
Creates File: C:\Users\Phil\AppData
Creates File: C:\Users\Phil\AppData\Roaming
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowserSetup
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Creates File: C:\
Creates File: C:\
Creates File: C:\ProgramData
Creates File: C:\Users
Creates File: C:\Users\Phil
Creates File: C:\Users\Phil\Desktop\desktop.ini
Creates File: C:\ProgramData\Microsoft\desktop.ini
Creates File: C:\ProgramData\Microsoft
Creates File: C:\ProgramData\Microsoft\Windows
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
Creates File: C:\
Creates File: C:\Users
Creates File: C:\Users\Public\desktop.ini
Creates File: C:\Users\Public
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
Creates File: C:\Users\Public\Desktop\desktop.ini
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BrowserSetup
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BrowserSetup\uninst.lnk
Creates File: C:\
Creates File: C:\Program Files (x86)\desktop.ini
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7
Creates File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\BaiduPlayerNetSetup_461.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\setup_3386.exe

Process
↳ C:\Program Files (x86)\Internet Explorer\iexplore.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\System32\oleaccrc.dll
Creates File: \??\Nsi
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Cookies\Low
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\History\Low
Creates File: C:\Users\Phil\Favorites
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\IETldCache\Low
Creates File: C:\Users\Phil\AppData\Local\Temp\Low
Creates Mutex: Local\!BrowserEmulation!SharedMemory!Mutex
Creates Mutex:
Creates Mutex: RasPbFile
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VerCache ➝
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags ➝ 0

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\9377chiyue_Y_mgaz.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\2345Explorer_329242_silence.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\ins1256858.exe

Process
↳ C:\Program Files (x86)\Internet Explorer\iexplore.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\System32\oleaccrc.dll
Creates Mutex:

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\IQIYIsetup_l_spl004@kb010.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\nsu4467.tmp\WanDouJiaSetup_runk4_kb.exe

Network Details:

Raw Pcap (HTTP requests captured during execution). When extracting indicators, note that the `Microsoft NCSI` probes to www.msftncsi.com and the `WSDAPI` POSTs to LAN hosts on port 5357 are most likely Windows background traffic rather than sample activity; the requests carrying the `NSIS_Inetc (Mozilla)` user agent fetch the installers that appear as child processes under the nsu4467.tmp directory above.
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f69706c 6f6f6b75 702f6970   GET /iplookup/ip
0x00000010 (00016)   6c6f6f6b 75702e70 68702048 5454502f   lookup.php HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   204e5349 535f496e 65746320 284d6f7a    NSIS_Inetc (Moz
0x00000040 (00064)   696c6c61 290d0a48 6f73743a 20696e74   illa)..Host: int
0x00000050 (00080)   2e64706f 6f6c2e73 696e612e 636f6d2e   .dpool.sina.com.
0x00000060 (00096)   636e0d0a 436f6e6e 65637469 6f6e3a20   cn..Connection: 
0x00000070 (00112)   4b656570 2d416c69 76650d0a 43616368   Keep-Alive..Cach
0x00000080 (00128)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x00000090 (00144)   6368650d 0a0d0a                       che....

0x00000000 (00000)   47455420 2f676f2f 66756c6c 2f312f37   GET /go/full/1/7
0x00000010 (00016)   30383836 20485454 502f312e 310d0a55   0886 HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a204e 5349535f   ser-Agent: NSIS_
0x00000030 (00048)   496e6574 6320284d 6f7a696c 6c61290d   Inetc (Mozilla).
0x00000040 (00064)   0a486f73 743a2077 2e782e62 61696475   .Host: w.x.baidu
0x00000050 (00080)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x00000060 (00096)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x00000070 (00112)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000080 (00128)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   47455420 2f676f2f 6d696e69 2f322f33   GET /go/mini/2/3
0x00000010 (00016)   30383633 20485454 502f312e 310d0a55   0863 HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a204e 5349535f   ser-Agent: NSIS_
0x00000030 (00048)   496e6574 6320284d 6f7a696c 6c61290d   Inetc (Mozilla).
0x00000040 (00064)   0a486f73 743a2077 2e782e62 61696475   .Host: w.x.baidu
0x00000050 (00080)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x00000060 (00096)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x00000070 (00112)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000080 (00128)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f636c69 636b2f36 36393437   GET /click/66947
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204e 5349535f 496e6574   Agent: NSIS_Inet
0x00000030 (00048)   6320284d 6f7a696c 6c61290d 0a486f73   c (Mozilla)..Hos
0x00000040 (00064)   743a2073 2e6c6c6c 736f6f2e 636f6d0d   t: s.lllsoo.com.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000060 (00096)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000070 (00112)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f676f2f 6d696e69 2f382f33   GET /go/mini/8/3
0x00000010 (00016)   30303030 30343620 48545450 2f312e31   0000046 HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204e53   ..User-Agent: NS
0x00000030 (00048)   49535f49 6e657463 20284d6f 7a696c6c   IS_Inetc (Mozill
0x00000040 (00064)   61290d0a 486f7374 3a20772e 782e6261   a)..Host: w.x.ba
0x00000050 (00080)   6964752e 636f6d0d 0a436f6e 6e656374   idu.com..Connect
0x00000060 (00096)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f666176 69636f6e 2e69636f   GET /favicon.ico
0x00000010 (00016)   20485454 502f312e 310d0a41 63636570    HTTP/1.1..Accep
0x00000020 (00032)   743a202a 2f2a0d0a 41636365 70742d45   t: */*..Accept-E
0x00000030 (00048)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x00000040 (00064)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x00000050 (00080)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000060 (00096)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000070 (00112)   4520382e 303b2057 696e646f 7773204e   E 8.0; Windows N
0x00000080 (00128)   5420362e 313b2057 4f573634 3b205472   T 6.1; WOW64; Tr
0x00000090 (00144)   6964656e 742f342e 303b2053 4c434332   ident/4.0; SLCC2
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 3b202e4e 45542043 4c522033   0727; .NET CLR 3
0x000000c0 (00192)   2e352e33 30373239 3b202e4e 45542043   .5.30729; .NET C
0x000000d0 (00208)   4c522033 2e302e33 30373239 3b204d65   LR 3.0.30729; Me
0x000000e0 (00224)   64696120 43656e74 65722050 4320362e   dia Center PC 6.
0x000000f0 (00240)   30290d0a 486f7374 3a206b2e 64657969   0)..Host: k.deyi
0x00000100 (00256)   77656978 69752e63 6e0d0a43 6f6e6e65   weixiu.cn..Conne
0x00000110 (00272)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000120 (00288)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f687a2f 49514959 49736574   GET /hz/IQIYIset
0x00000010 (00016)   75705f6c 5f73706c 30303440 6b623031   up_l_spl004@kb01
0x00000020 (00032)   302e6578 65204854 54502f31 2e310d0a   0.exe HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4e534953   User-Agent: NSIS
0x00000040 (00064)   5f496e65 74632028 4d6f7a69 6c6c6129   _Inetc (Mozilla)
0x00000050 (00080)   0d0a486f 73743a20 646c2e73 74617469   ..Host: dl.stati
0x00000060 (00096)   632e6971 6979692e 636f6d0d 0a436f6e   c.iqiyi.com..Con
0x00000070 (00112)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000080 (00128)   6976650d 0a436163 68652d43 6f6e7472   ive..Cache-Contr
0x00000090 (00144)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x000000a0 (00160)                                         

0x00000000 (00000)   47455420 2f373361 35353134 30363365   GET /73a5514063e
0x00000010 (00016)   64323834 63613134 33386131 62353931   d284ca1438a1b591
0x00000020 (00032)   61386339 62353964 66373566 302e6578   a8c9b59df75f0.ex
0x00000030 (00048)   652f3430 2e6a7067 20485454 502f312e   e/40.jpg HTTP/1.
0x00000040 (00064)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000050 (00080)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000060 (00096)   20656e2d 75730d0a 55736572 2d416765    en-us..User-Age
0x00000070 (00112)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000080 (00128)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000090 (00144)   4520382e 303b2057 696e646f 7773204e   E 8.0; Windows N
0x000000a0 (00160)   5420362e 313b2057 4f573634 3b205472   T 6.1; WOW64; Tr
0x000000b0 (00176)   6964656e 742f342e 303b2053 4c434332   ident/4.0; SLCC2
0x000000c0 (00192)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000d0 (00208)   30373237 3b202e4e 45542043 4c522033   0727; .NET CLR 3
0x000000e0 (00224)   2e352e33 30373239 3b202e4e 45542043   .5.30729; .NET C
0x000000f0 (00240)   4c522033 2e302e33 30373239 3b204d65   LR 3.0.30729; Me
0x00000100 (00256)   64696120 43656e74 65722050 4320362e   dia Center PC 6.
0x00000110 (00272)   30290d0a 41636365 70742d45 6e636f64   0)..Accept-Encod
0x00000120 (00288)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000130 (00304)   74650d0a 486f7374 3a206b2e 64657969   te..Host: k.deyi
0x00000140 (00320)   77656978 69752e63 6e0d0a43 6f6e6e65   weixiu.cn..Conne
0x00000150 (00336)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000160 (00352)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f323031 34303430 312f3933   GET /20140401/93
0x00000010 (00016)   37376368 69797565 5f595f6d 67617a2e   77chiyue_Y_mgaz.
0x00000020 (00032)   65786520 48545450 2f312e31 0d0a5573   exe HTTP/1.1..Us
0x00000030 (00048)   65722d41 67656e74 3a204e53 49535f49   er-Agent: NSIS_I
0x00000040 (00064)   6e657463 20284d6f 7a696c6c 61290d0a   netc (Mozilla)..
0x00000050 (00080)   486f7374 3a207869 617a6169 2e393337   Host: xiazai.937
0x00000060 (00096)   372e636f 6d0d0a43 6f6e6e65 6374696f   7.com..Connectio
0x00000070 (00112)   6e3a204b 6565702d 416c6976 650d0a43   n: Keep-Alive..C
0x00000080 (00128)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000090 (00144)   2d636163 68650d0a 0d0a                -cache....

0x00000000 (00000)   47455420 2f426169 6475506c 61796572   GET /BaiduPlayer
0x00000010 (00016)   436f6e74 656e742f 42616964 75506c61   Content/BaiduPla
0x00000020 (00032)   7965724e 65745365 7475705f 3436312e   yerNetSetup_461.
0x00000030 (00048)   65786520 48545450 2f312e31 0d0a5573   exe HTTP/1.1..Us
0x00000040 (00064)   65722d41 67656e74 3a204e53 49535f49   er-Agent: NSIS_I
0x00000050 (00080)   6e657463 20284d6f 7a696c6c 61290d0a   netc (Mozilla)..
0x00000060 (00096)   486f7374 3a20646c 2e703273 702e6261   Host: dl.p2sp.ba
0x00000070 (00112)   6964752e 636f6d0d 0a436f6e 6e656374   idu.com..Connect
0x00000080 (00128)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000090 (00144)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000a0 (00160)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 33323a35 3335370d 0a0d0a3c   00.132:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a653937 39366231 352d6637 38632d34   :e9796b15-f78c-4
0x00000280 (00640)   3937612d 62666464 2d353663 32613961   97a-bfdd-56c2a9a
0x00000290 (00656)   39646164 663c2f77 73613a4d 65737361   9dadf</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3239 39336536   >urn:uuid:2993e6
0x00000340 (00832)   63372d38 3137332d 34623462 2d613233   c7-8173-4b4b-a23
0x00000350 (00848)   382d6139 31343564 62626131 32613c2f   8-a9145dbba12a</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   47455420 2f642f69 6e733132 35363835   GET /d/ins125685
0x00000010 (00016)   382e6578 65204854 54502f31 2e310d0a   8.exe HTTP/1.1..
0x00000020 (00032)   55736572 2d416765 6e743a20 4e534953   User-Agent: NSIS
0x00000030 (00048)   5f496e65 74632028 4d6f7a69 6c6c6129   _Inetc (Mozilla)
0x00000040 (00064)   0d0a486f 73743a20 672e7175 77656e33   ..Host: g.quwen3
0x00000050 (00080)   32302e63 6f6d0d0a 436f6e6e 65637469   20.com..Connecti
0x00000060 (00096)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000070 (00112)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000080 (00128)   6f2d6361 6368650d 0a0d0a              o-cache....

0x00000000 (00000)   47455420 2f66696c 65732f74 68697264   GET /files/third
0x00000010 (00016)   2f57616e 446f754a 69615365 7475705f   /WanDouJiaSetup_
0x00000020 (00032)   72756e6b 345f6b62 2e657865 20485454   runk4_kb.exe HTT
0x00000030 (00048)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000040 (00064)   743a204e 5349535f 496e6574 6320284d   t: NSIS_Inetc (M
0x00000050 (00080)   6f7a696c 6c61290d 0a486f73 743a2064   ozilla)..Host: d
0x00000060 (00096)   6c2e7761 6e646f75 6a69612e 636f6d0d   l.wandoujia.com.
0x00000070 (00112)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000080 (00128)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000090 (00144)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000a0 (00160)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f73696c 656e6365 2f323334   GET /silence/234
0x00000010 (00016)   35457870 6c6f7265 725f3332 39323432   5Explorer_329242
0x00000020 (00032)   5f73696c 656e6365 2e657865 20485454   _silence.exe HTT
0x00000030 (00048)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000040 (00064)   743a204e 5349535f 496e6574 6320284d   t: NSIS_Inetc (M
0x00000050 (00080)   6f7a696c 6c61290d 0a486f73 743a2064   ozilla)..Host: d
0x00000060 (00096)   6f776e6c 6f61642e 32333435 2e636e0d   ownload.2345.cn.
0x00000070 (00112)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000080 (00128)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x00000090 (00144)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000a0 (00160)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f536f48 7556415f 342e332e   GET /SoHuVA_4.3.
0x00000010 (00016)   302e312d 63323034 39303030 30332d6e   0.1-c204900003-n
0x00000020 (00032)   672d6e74 692d732d 782e6578 65204854   g-nti-s-x.exe HT
0x00000030 (00048)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000040 (00064)   6e743a20 4e534953 5f496e65 74632028   nt: NSIS_Inetc (
0x00000050 (00080)   4d6f7a69 6c6c6129 0d0a486f 73743a20   Mozilla)..Host: 
0x00000060 (00096)   736f6875 74762e7a 796a6b77 65616c74   sohutv.zyjkwealt
0x00000070 (00112)   682e636f 6d0d0a43 6f6e6e65 6374696f   h.com..Connectio
0x00000080 (00128)   6e3a204b 6565702d 416c6976 650d0a43   n: Keep-Alive..C
0x00000090 (00144)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x000000a0 (00160)   2d636163 68650d0a 0d0a                -cache....

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 33373a35 3335370d 0a0d0a3c   00.137:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a303132 31313066 372d6236 31632d34   :012110f7-b61c-4
0x00000280 (00640)   3866382d 62393862 2d663038 35613336   8f8-b98b-f085a36
0x00000290 (00656)   33356532 303c2f77 73613a4d 65737361   35e20</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6563 34663366   >urn:uuid:ec4f3f
0x00000340 (00832)   35662d65 6237612d 34313866 2d613233   5f-eb7a-418f-a23
0x00000350 (00848)   382d6533 65323262 66306234 65613c2f   8-e3e22bf0b4ea</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>

0x00000000 (00000)   47455420 2f6f7065 6e2f7365 7475705f   GET /open/setup_
0x00000010 (00016)   33333836 2e657865 20485454 502f312e   3386.exe HTTP/1.
0x00000020 (00032)   310d0a55 7365722d 4167656e 743a204e   1..User-Agent: N
0x00000030 (00048)   5349535f 496e6574 6320284d 6f7a696c   SIS_Inetc (Mozil
0x00000040 (00064)   6c61290d 0a486f73 743a2064 6f776e2e   la)..Host: down.
0x00000050 (00080)   79696e79 75652e66 6d0d0a43 6f6e6e65   yinyue.fm..Conne
0x00000060 (00096)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000070 (00112)   650d0a43 61636865 2d436f6e 74726f6c   e..Cache-Control
0x00000080 (00128)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....


Strings