Analysis Date: 2014-12-09 10:34:45
MD5: 2cc4dc5f0726f917a48e78008df0d4e2
SHA1: b949f6ec4dcb8dcf15313191c03f3873adefc429

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 4a4ca239b678bb1d0e5af2a31a2ee40c sha1: 099c452448fdc22753e54e5c7aeae673b35ead77 size: 20480
Section .rsrc md5: 43671f2c850324bb10a0c4d8013e2e40 sha1: 87c997cba88b578ffc099967752421cb970151ec size: 1536
Timestamp: 2009-02-07 06:33:08
Packer: UPX -> www.upx.sourceforge.net
PEhash: 8c945a2f530fe8a4583534d68886566aa3f7d09c
IMPhash: 26d3c4cf36a46cd980f89d55afb73146
AV 360 Safe: Trojan.GenericKD.1940578
AV Ad-Aware: Trojan.GenericKD.1940578
AV Alwil (avast): ADODB-BM [Expl]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.CCGO-0054
AV Avira (antivir): TR/Rogue.22528.32
AV BullGuard: Trojan.GenericKD.1940578
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1940578
AV Eset (nod32): no_virus
AV Fortinet: VBS/Agent.AHK!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1940578
AV Grisoft (avg): VBS/Psyme.dropper
AV Ikarus: Trojan-Downloader.VBS.Agent
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan-Downloader.VBS.Agent.ahk
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Downloader.x!lg
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1940578
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: 123.VBS
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp\setup.bat
Creates File: setup.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp

Process
↳ C:\WINDOWS\system32\cmd.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\123.VBS"
Creates Process: ping -n 3 127.0.0.1
Creates Process: 123.VBS

Process
↳ ping -n 3 127.0.0.1

Winsock DNS: 127.0.0.1

Process
↳ 123.VBS

Process
↳ "C:\WINDOWS\System32\WScript.exe" "C:\WINDOWS\system32\123.VBS"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\qqpcmgr_silent_52000.exe
Creates File: C:\2345explorer_k84520262.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\2345pcsafe_k84520262.exe
Creates File: C:\pps_silent_52000.exe
Creates File: C:\2144cycs_k84520262_147221.exe
Creates File: C:\QQBrowser_silent_52000.exe
Creates File: C:\2345pic_k84520262.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\2345haozip_k84520262.exe
Creates File: C:\2144game_k84520262_147221.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\2345pinyin_k84520262.exe
Creates File: C:\yuyuset_53_34648.exe
Creates File: C:\gm_5_34648_01.exe
Creates File: C:\2345wd_147221.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\kugou_k84520262_564722.exe
Creates File: C:\apples_9_34648.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: download.58611.net
Winsock DNS: down.2529.com
Winsock DNS: down.fridaycard.com
Winsock DNS: down.9vh.net
Winsock DNS: jifendownload.2345.cn

Network Details:

DNS: down.9vh.net
Type: A
222.186.60.3
DNS: down.2529.com
Type: A
61.164.183.253
DNS: c02ct01.zhdns.net
Type: A
122.225.96.132
DNS: c02ct01.zhdns.net
Type: A
122.225.98.220
DNS: c02ct01.zhdns.net
Type: A
122.226.102.76
DNS: c02ct01.zhdns.net
Type: A
122.226.181.102
DNS: c02ct01.zhdns.net
Type: A
58.218.211.249
DNS: c02ct01.zhdns.net
Type: A
115.238.246.235
DNS: c02ct01.zhdns.net
Type: A
117.21.225.17
DNS: download.2345.com
Type: A
60.191.223.2
DNS: download.2345.com
Type: A
60.191.223.4
DNS: download.2345.com
Type: A
60.191.223.15
DNS: download.2345.com
Type: A
61.147.127.202
DNS: download.2345.com
Type: A
61.147.127.203
DNS: download.2345.com
Type: A
61.160.245.8
DNS: download.2345.com
Type: A
61.160.245.11
DNS: download.2345.com
Type: A
61.160.245.14
DNS: download.2345.com
Type: A
122.228.248.3
DNS: download.2345.com
Type: A
218.75.155.244
DNS: download.2345.com
Type: A
60.191.187.15
DNS: download.58611.net
Type: A
218.241.29.215
DNS: down.fridaycard.com
Type: A
DNS: jifendownload.2345.cn
Type: A
HTTP GET: http://down.9vh.net/apples_9_34648.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://down.2529.com/gm_5_34648_01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://down.fridaycard.com/w3/yuyuset_53_34648.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2144cycs_k84520262_147221.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345wd_147221.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2144game_k84520262_147221.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345haozip_k84520262.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345explorer_k84520262.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345pic_k84520262.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345pcsafe_k84520262.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/kugou_k84520262_564722.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://jifendownload.2345.cn/jifen_2345/2345pinyin_k84520262.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/QQBrowser/QQBrowser_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/qqPCTray_silent/qqpcmgr_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.58611.net:8181/pps/pps_silent_52000.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.3:80
Flows TCP: 192.168.1.1:1033 ➝ 61.164.183.253:80
Flows TCP: 192.168.1.1:1034 ➝ 122.225.96.132:80
Flows TCP: 192.168.1.1:1035 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1036 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1037 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1038 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1039 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1040 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1041 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1042 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1043 ➝ 60.191.223.2:80
Flows TCP: 192.168.1.1:1044 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1045 ➝ 218.241.29.215:8181
Flows TCP: 192.168.1.1:1046 ➝ 218.241.29.215:8181

Raw Pcap
0x00000000 (00000)   47455420 2f617070 6c65735f 395f3334   GET /apples_9_34
0x00000010 (00016)   3634382e 65786520 48545450 2f312e31   648.exe HTTP/1.1
0x00000020 (00032)   0d0a4163 63657074 3a202a2f 2a0d0a41   ..Accept: */*..A
0x00000030 (00048)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000040 (00064)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000050 (00080)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000060 (00096)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000070 (00112)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000080 (00128)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000090 (00144)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000a0 (00160)   35303732 37290d0a 486f7374 3a20646f   50727)..Host: do
0x000000b0 (00176)   776e2e39 76682e6e 65740d0a 436f6e6e   wn.9vh.net..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f676d5f 355f3334 3634385f   GET /gm_5_34648_
0x00000010 (00016)   30312e65 78652048 5454502f 312e310d   01.exe HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 202a2f2a 0d0a4163   .Accept: */*..Ac
0x00000030 (00048)   63657074 2d456e63 6f64696e 673a2067   cept-Encoding: g
0x00000040 (00064)   7a69702c 20646566 6c617465 0d0a5573   zip, deflate..Us
0x00000050 (00080)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000060 (00096)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000070 (00112)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000080 (00128)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000090 (00144)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000a0 (00160)   30373237 290d0a48 6f73743a 20646f77   0727)..Host: dow
0x000000b0 (00176)   6e2e3235 32392e63 6f6d0d0a 436f6e6e   n.2529.com..Conn
0x000000c0 (00192)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000d0 (00208)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f77332f 79757975 7365745f   GET /w3/yuyuset_
0x00000010 (00016)   35335f33 34363438 2e657865 20485454   53_34648.exe HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a2064 6f776e2e 66726964 61796361   t: down.fridayca
0x000000c0 (00192)   72642e63 6f6d0d0a 436f6e6e 65637469   rd.com..Connecti
0x000000d0 (00208)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000e0 (00224)   0d0a                                  ..

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32313434 63796373 5f6b3834 35323032   2144cycs_k845202
0x00000020 (00032)   36325f31 34373232 312e6578 65204854   62_147221.exe HT
0x00000030 (00048)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000040 (00064)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000050 (00080)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000060 (00096)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000080 (00128)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000090 (00144)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000a0 (00160)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000b0 (00176)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000c0 (00192)   73743a20 6a696665 6e646f77 6e6c6f61   st: jifendownloa
0x000000d0 (00208)   642e3233 34352e63 6e0d0a43 6f6e6e65   d.2345.cn..Conne
0x000000e0 (00224)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32333435 77645f31 34373232 312e6578   2345wd_147221.ex
0x00000020 (00032)   65204854 54502f31 2e310d0a 41636365   e HTTP/1.1..Acce
0x00000030 (00048)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000040 (00064)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000050 (00080)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000060 (00096)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000070 (00112)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000080 (00128)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x00000090 (00144)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000a0 (00160)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000b0 (00176)   0d0a486f 73743a20 6a696665 6e646f77   ..Host: jifendow
0x000000c0 (00192)   6e6c6f61 642e3233 34352e63 6e0d0a43   nload.2345.cn..C
0x000000d0 (00208)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000e0 (00224)   416c6976 650d0a0d 0a65702d 416c6976   Alive....ep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32313434 67616d65 5f6b3834 35323032   2144game_k845202
0x00000020 (00032)   36325f31 34373232 312e6578 65204854   62_147221.exe HT
0x00000030 (00048)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000040 (00064)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000050 (00080)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000060 (00096)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000080 (00128)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000090 (00144)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000a0 (00160)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000b0 (00176)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000c0 (00192)   73743a20 6a696665 6e646f77 6e6c6f61   st: jifendownloa
0x000000d0 (00208)   642e3233 34352e63 6e0d0a43 6f6e6e65   d.2345.cn..Conne
0x000000e0 (00224)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32333435 68616f7a 69705f6b 38343532   2345haozip_k8452
0x00000020 (00032)   30323632 2e657865 20485454 502f312e   0262.exe HTTP/1.
0x00000030 (00048)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000040 (00064)   41636365 70742d45 6e636f64 696e673a   Accept-Encoding:
0x00000050 (00080)   20677a69 702c2064 65666c61 74650d0a    gzip, deflate..
0x00000060 (00096)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000070 (00112)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000080 (00128)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000090 (00144)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x000000a0 (00160)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x000000b0 (00176)   2e353037 3237290d 0a486f73 743a206a   .50727)..Host: j
0x000000c0 (00192)   6966656e 646f776e 6c6f6164 2e323334   ifendownload.234
0x000000d0 (00208)   352e636e 0d0a436f 6e6e6563 74696f6e   5.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32333435 6578706c 6f726572 5f6b3834   2345explorer_k84
0x00000020 (00032)   35323032 36322e65 78652048 5454502f   520262.exe HTTP/
0x00000030 (00048)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000040 (00064)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000050 (00080)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000060 (00096)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000070 (00112)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000080 (00128)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000090 (00144)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x000000a0 (00160)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000b0 (00176)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000c0 (00192)   206a6966 656e646f 776e6c6f 61642e32    jifendownload.2
0x000000d0 (00208)   3334352e 636e0d0a 436f6e6e 65637469   345.cn..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32333435 7069635f 6b383435 32303236   2345pic_k8452026
0x00000020 (00032)   322e6578 65204854 54502f31 2e310d0a   2.exe HTTP/1.1..
0x00000030 (00048)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000040 (00064)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000050 (00080)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000060 (00096)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000070 (00112)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000080 (00128)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000090 (00144)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x000000a0 (00160)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000b0 (00176)   37323729 0d0a486f 73743a20 6a696665   727)..Host: jife
0x000000c0 (00192)   6e646f77 6e6c6f61 642e3233 34352e63   ndownload.2345.c
0x000000d0 (00208)   6e0d0a43 6f6e6e65 6374696f 6e3a204b   n..Connection: K
0x000000e0 (00224)   6565702d 416c6976 650d0a0d 0a650d0a   eep-Alive....e..
0x000000f0 (00240)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32333435 70637361 66655f6b 38343532   2345pcsafe_k8452
0x00000020 (00032)   30323632 2e657865 20485454 502f312e   0262.exe HTTP/1.
0x00000030 (00048)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000040 (00064)   41636365 70742d45 6e636f64 696e673a   Accept-Encoding:
0x00000050 (00080)   20677a69 702c2064 65666c61 74650d0a    gzip, deflate..
0x00000060 (00096)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000070 (00112)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000080 (00128)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000090 (00144)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x000000a0 (00160)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x000000b0 (00176)   2e353037 3237290d 0a486f73 743a206a   .50727)..Host: j
0x000000c0 (00192)   6966656e 646f776e 6c6f6164 2e323334   ifendownload.234
0x000000d0 (00208)   352e636e 0d0a436f 6e6e6563 74696f6e   5.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   6b75676f 755f6b38 34353230 3236325f   kugou_k84520262_
0x00000020 (00032)   35363437 32322e65 78652048 5454502f   564722.exe HTTP/
0x00000030 (00048)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000040 (00064)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000050 (00080)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000060 (00096)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000070 (00112)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000080 (00128)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000090 (00144)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x000000a0 (00160)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000b0 (00176)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000c0 (00192)   206a6966 656e646f 776e6c6f 61642e32    jifendownload.2
0x000000d0 (00208)   3334352e 636e0d0a 436f6e6e 65637469   345.cn..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f6a6966 656e5f32 3334352f   GET /jifen_2345/
0x00000010 (00016)   32333435 70696e79 696e5f6b 38343532   2345pinyin_k8452
0x00000020 (00032)   30323632 2e657865 20485454 502f312e   0262.exe HTTP/1.
0x00000030 (00048)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000040 (00064)   41636365 70742d45 6e636f64 696e673a   Accept-Encoding:
0x00000050 (00080)   20677a69 702c2064 65666c61 74650d0a    gzip, deflate..
0x00000060 (00096)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000070 (00112)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000080 (00128)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000090 (00144)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x000000a0 (00160)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x000000b0 (00176)   2e353037 3237290d 0a486f73 743a206a   .50727)..Host: j
0x000000c0 (00192)   6966656e 646f776e 6c6f6164 2e323334   ifendownload.234
0x000000d0 (00208)   352e636e 0d0a436f 6e6e6563 74696f6e   5.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f515142 726f7773 65722f51   GET /QQBrowser/Q
0x00000010 (00016)   5142726f 77736572 5f73696c 656e745f   QBrowser_silent_
0x00000020 (00032)   35323030 302e6578 65204854 54502f31   52000.exe HTTP/1
0x00000030 (00048)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000040 (00064)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000050 (00080)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000080 (00128)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000090 (00144)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x000000a0 (00160)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000b0 (00176)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000c0 (00192)   646f776e 6c6f6164 2e353836 31312e6e   download.58611.n
0x000000d0 (00208)   65743a38 3138310d 0a436f6e 6e656374   et:8181..Connect
0x000000e0 (00224)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000f0 (00240)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f717150 43547261 795f7369   GET /qqPCTray_si
0x00000010 (00016)   6c656e74 2f717170 636d6772 5f73696c   lent/qqpcmgr_sil
0x00000020 (00032)   656e745f 35323030 302e6578 65204854   ent_52000.exe HT
0x00000030 (00048)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000040 (00064)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000050 (00080)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000060 (00096)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000080 (00128)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000090 (00144)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000a0 (00160)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000b0 (00176)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000c0 (00192)   73743a20 646f776e 6c6f6164 2e353836   st: download.586
0x000000d0 (00208)   31312e6e 65743a38 3138310d 0a436f6e   11.net:8181..Con
0x000000e0 (00224)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000f0 (00240)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   47455420 2f707073 2f707073 5f73696c   GET /pps/pps_sil
0x00000010 (00016)   656e745f 35323030 302e6578 65204854   ent_52000.exe HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 646f776e 6c6f6164 2e353836   st: download.586
0x000000c0 (00192)   31312e6e 65743a38 3138310d 0a436f6e   11.net:8181..Con
0x000000d0 (00208)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000e0 (00224)   6976650d 0a0d0a3a 204b6565 702d416c   ive....: Keep-Al
0x000000f0 (00240)   6976650d 0a0d0a                       ive....


Strings
&
.
&
.

>:0'd/F
22cyHrR
24m|9x
8c{/H?
9l$\w_
9{*T/rg.
  <assemblyIdentity
      <assemblyIdentity
</assembly>P
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
"b]JHV
~-#>b#N
?c1:aG
 c|_lf
CoInitialize
COMCTL32.dll
/cT4i1
dCl]o`
  </dependency>
  <dependency>
    </dependentAssembly>
    <dependentAssembly>
  <description></description>
.)D$H)
D$t+D$\
D$t#D$h
 EhWAl
%ew#l}
ExitProcess
GDI32.dll
GetProcAddress
$g&i0,
h*SphZ;	
InitCommonControls
IsChild
KERNEL32.DLL
(Kn(8B
kt#y7\
        language="*" />
LoadLibraryA
\LwLc\F
memset
MSVCRT.dll
    name="CompanyName.ProductName.YourApp"
        name="Microsoft.Windows.Common-Controls"
|O]"6|33
OLE32.dll
oRdl%^
        processorArchitecture="X86"
    processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
pUK&Vq^
,&->qY
r6/&K;hJ
SetBkColor
SHELL32.dll
ShellExecuteExA
s`)L$4
|smm #
.S.OZ>4
!This program cannot be run in DOS mode.
t$t#t$l
        type="win32"
    type="win32" />
=U'1V+
ug7$sw
USER32.dll
    version="1.0.0.0"
        version="6.0.0.0"
VEzQm6
V.^~F	
VirtualAlloc
VirtualFree
VirtualProtect
(vlr,kf|
^ wkxS
$Wn4Q.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XPTPSW
@*zU!2>M