Analysis Date: 2015-10-04 21:22:27
MD5: 3ff6433f99096ddefa1c293beb63254c
SHA1: f52674cce79d55a002e0d29b7ca986166a3b0d35

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 48d75b97ac85091a1e4ffeff62ccccc4 sha1: 6757551c11ae084e40ec0d634cc60abf32b95f39 size: 413696
Section .rdata: md5: 2217730a5b238b678e1e2e208dd15991 sha1: 9a18ddfdfcb8c7f2e01940500d0b0feafe4d79c4 size: 4206592
Section .data: md5: 833120d514c7ea40c08e27494d54ec2a sha1: 2aaba68ee1fd7c025042f3ec5859cd7c13a75060 size: 61440
Section .rsrc: md5: e258ae677000a86e595735203a3a4cee sha1: 6e08cf00ff53d9a73f50fbef9ccfe4aab36002c9 size: 159744
Timestamp: 2015-09-21 06:35:33
Packer: Microsoft Visual C++ v6.0
PEhash: 40ed59d7a57ac619f6741c0eb93066852b983a55
IMPhash: dac68328f6f655663cd04f19b3f19269
AV Symantec: no_virus
AV MicroWorld (escan): Gen:Variant.Graftor.243940
AV Avira (antivir): TR/Agent.4845568.10
AV Eset (nod32): no_virus
AV Microsoft Security Essentials: no_virus
AV Ikarus: PUA.RiskWare.BlueSoft
AV BitDefender: Gen:Variant.Graftor.243940
AV Twister: Trojan.33C0C390558BEC@24.mg
AV VirusBlokAda (vba32): no_virus
AV Alwil (avast): Malware-gen:GenMaliciousA-NGK [Trj]:Win32:Malware-gen
AV Fortinet: Riskware/FlyStudio
AV Padvish: no_virus
AV Trend Micro: no_virus
AV Emsisoft: Gen:Variant.Graftor.243940
AV MalwareBytes: Backdoor.Bot
AV K7: Adware ( 004b897b1 )
AV Grisoft (avg): Win32/DH{QQEAZzaBEzU}
AV Ad-Aware: Gen:Variant.Graftor.243940
AV Rising: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.243940
AV Mcafee: no_virus
AV CA (E-Trust Ino): no_virus
AV Frisk (f-prot): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.36982
AV BullGuard: Gen:Variant.Graftor.243940
AV CAT (quickheal): Trojan.Generic.01798
AV Kaspersky: Trojan.Win32.Jorik.Farfli.pyr
AV Zillya!: Trojan.Jorik.Win32.401360
AV F-Secure: Gen:Variant.Graftor.243940
AV Authentium: W32/A-b0178058!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\plk
Creates File: C:\Program Files\BLDBaseService\2.txt
Creates File: C:\Program Files\BLDBaseService\1.txt
Creates File: c:\js.bat
Creates File: c:\cy86.exe
Creates File: C:\Program Files\BLDBaseService\BLDService.sys
Creates File: C:\Program Files\BLDBaseService\BLDBaseService.exe
Deletes File: c:\js.bat
Deletes File: C:\Program Files\BLDBaseService\BLDService.sys
Creates Process: c:\js.bat
Creates Process: CMD /C c:\cy86.exe /S

Process
↳ c:\js.bat

Creates Process: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BLDBaseService /v DisplayName /f

Process
↳ reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BLDBaseService /v DisplayName /f

Process
↳ c:\cy86.exe /S

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\BLDBaseService\ ➝ C:\Program Files\BLDBaseService\BLDBaseService.dll\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BLDBaseService\DisplayName ➝ Mini Bld Base Service\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\setupplugins.dll
Creates File: C:\Program Files\BLDBaseService\BLDBaseService.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF949.tmp
Creates File: C:\Program Files\BLDBaseService\uninst.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu2.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Program Files\BLDBaseService\Configuration.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: Pipe\{FA6A5BDA-E027-4bb9-BFA3-932D4FF2C899}
Creates File: C:\Program Files\BLDBaseService\uninst.exe
Creates File: C:\Program Files\BLDBaseService\bldfixer.exe
Creates File: C:\Program Files\BLDBaseService\setupplugins.dll
Creates File: C:\Documents and Settings\All Users\Application Data\BLDBaseService\SoftUpdate.xml
Creates File: C:\Documents and Settings\All Users\Application Data\BLDBaseService\config_update.bak
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz3.tmp\System.dll
Creates File: C:\Program Files\BLDBaseService\BLDService.sys
Creates File: C:\Program Files\BLDBaseService\bbhelper.dll
Creates File: C:\Program Files\BLDBaseService\bbcomm.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\BLDInstall.log
Creates File: C:\Program Files\BLDBaseService\setting.ini
Creates File: C:\Program Files\BLDBaseService\Setting.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsp1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\setupplugins.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz3.tmp\System.dll
Creates Process: C:\Program Files\BLDBaseService\Configuration.exe "-act=ar" "-file=C:\Documents and Settings\All Users\Application Data\BLDBaseService"
Creates Process: C:\Program Files\BLDBaseService\Configuration.exe "-act=uninstall" "-proc=***all_processes***" "-dll=C:\Program Files\BLDBaseService\BLDBaseService.dll"
Creates Process: C:\Program Files\BLDBaseService\Configuration.exe "-act=install" "-proc=winlogon.exe" "-dll=C:\Program Files\BLDBaseService\BLDBaseService.dll"
Creates Process: C:\Program Files\BLDBaseService\Configuration.exe "-act=install" "-proc=explorer.exe" "-dll=C:\Program Files\BLDBaseService\BLDBaseService.dll"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: WebClientClass
Creates Mutex: DBWinMutex
Creates Mutex: BLD Base Service_Install_Mutex_{B92A5258-D4F1-4AB5-A21B-CAFD78FF001C}
Creates Service: BLDBaseService - C:\Program Files\BLDBaseService\BLDService.sys
Winsock DNS: 12306.iboluo.cc

Process
↳ CMD /C c:\cy86.exe /S

Creates Process: c:\cy86.exe /S

Process
↳ C:\Program Files\BLDBaseService\Configuration.exe "-act=uninstall" "-proc=***all_processes***" "-dll=C:\Program Files\BLDBaseService\BLDBaseService.dll"

Process
↳ C:\Program Files\BLDBaseService\Configuration.exe "-act=ar" "-file=C:\Documents and Settings\All Users\Application Data\BLDBaseService"

Creates File: PIPE\lsarpc

Process
↳ C:\Program Files\BLDBaseService\Configuration.exe "-act=install" "-proc=explorer.exe" "-dll=C:\Program Files\BLDBaseService\BLDBaseService.dll"

Process
↳ C:\Program Files\BLDBaseService\Configuration.exe "-act=install" "-proc=winlogon.exe" "-dll=C:\Program Files\BLDBaseService\BLDBaseService.dll"

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemcore.log
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\Documents and Settings\All Users\Application Data\BLDBaseService\soft_installed.xml
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Netbios
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Application Data\BLDBaseService\statconfig.ini
Creates File: Pipe\{FA6A5BDA-E027-4bb9-BFA3-932D4FF2C899}
Winsock DNS: www.baidu.com

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PhysicalDrive0
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Application Data\BLDBaseService\config_update.xml
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Winsock DNS: api.gsie.cn

Network Details:

DNS: 12306.iboluo.cc (Type: A) ➝ 117.79.226.247
DNS: api.gsie.cn (Type: A) ➝ 180.150.177.72
DNS: www.a.shifen.com (Type: A) ➝ 103.235.46.39
DNS: update.u.gsie.cn (Type: A) ➝ 117.79.226.242
DNS: www.baidu.com (Type: A)
HTTP GET: http://12306.iboluo.cc/bluebox.html?action=install&ver=4.0.3.281&mode=new&corp=cy86&osbit=32&safelist=&sys=success
User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; WOW32; C:\Documents and Settings\Administrator\Local Settings\Temp\nsz3.tmp\System.dll)Accept-Encoding: gzip, deflate
HTTP GET: http://api.gsie.cn/bldservice/upver?uid=cy86&hid=QM00001&mac=XX-XX-XX-XX-XX-XX&ip=192.168.41.1&ver=4.0.3.281&date=2015-10-04-19:27:49&sid=0&xmlver=2013/12/09_2039_1
User-Agent: IEhook
HTTP GET: http://api.gsie.cn/bldservice/checkupver?uid=cy86&hid=QM00001&mac=XX-XX-XX-XX-XX-XX&ip=192.168.41.1&ver=4.0.3.281&date=2015-10-04-19:27:49&sid=0&xmlver=
User-Agent: IEhook
HTTP GET: http://api.gsie.cn/bldservice/upver?uid=cy86&hid=QM00001&mac=XX-XX-XX-XX-XX-XX&ip=192.168.41.1&ver=4.0.3.281&date=2015-10-04-19:27:49&sid=0&xmlver=2013/12/09_2039_1
User-Agent: IEhook
HTTP GET: http://api.gsie.cn/bldservice/checkupver?uid=cy86&hid=QM00001&mac=XX-XX-XX-XX-XX-XX&ip=192.168.41.1&ver=4.0.3.281&date=2015-10-04-19:27:49&sid=0&xmlver=
User-Agent: IEhook
HTTP GET: http://api.gsie.cn/bldservice/upver?uid=cy86&hid=QM00001&mac=XX-XX-XX-XX-XX-XX&ip=192.168.41.1&ver=4.0.3.281&date=2015-10-04-19:27:49&sid=0&xmlver=2013/12/09_2039_1
User-Agent: IEhook
HTTP GET: http://api.gsie.cn/bldservice/checkupver?uid=cy86&hid=QM00001&mac=XX-XX-XX-XX-XX-XX&ip=192.168.41.1&ver=4.0.3.281&date=2015-10-04-19:27:49&sid=0&xmlver=
User-Agent: IEhook
HTTP GET: http://update.u.gsie.cn/?ver=4.0.3.281&corp=cy86&os=5.1&softid=0&hid=QM00001&macadd=&md5=B67B09C6EDC1D8D1A1CAAE10AFCD57E8&rand=119437&subid=000000
User-Agent: IEhook
HTTP GET: http://update.u.gsie.cn/install/?ver=4.0.3.281&corp=cy86&os=5.1&softid=0&hid=QM00001&macadd=&md5=B67B09C6EDC1D8D1A1CAAE10AFCD57E8&rand=103609&subid=000000&from%3D0%26from_ver%3D4.0.3.281%26from_ps_name%3DCMD.exe%26from_ps_path%3DC%3A%5CWINDOWS%5Csystem32%5CCMD.exe%3BC%3A%5Cmalware.exe%3BC%3A%5CWINDOWS%5Csystem32%5Cmonitor.exe%3BC%3A%5CWINDOWS%5Csystem32%5Csvchost.exe%3BC%3A%5CWINDOWS%5Csystem32%5Cservices.exe%3B%5C%3F%3F%5CC%3A%5CWINDOWS%5Csystem32%5Cwinlogon.exe%3B%5CSystemRoot%5CSystem32%5Csmss.exe
User-Agent: IEhook
Flows TCP: 192.168.1.1:1031 ➝ 117.79.226.247:80
Flows TCP: 192.168.1.1:1033 ➝ 117.79.226.247:80
Flows TCP: 192.168.1.1:1034 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1035 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1036 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1037 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1038 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1039 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1040 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1041 ➝ 180.150.177.72:80
Flows TCP: 192.168.1.1:1042 ➝ 103.235.46.39:80
Flows TCP: 192.168.1.1:1043 ➝ 103.235.46.39:80
Flows TCP: 192.168.1.1:1044 ➝ 117.79.226.242:80
Flows TCP: 192.168.1.1:1045 ➝ 117.79.226.242:80

Raw Pcap


Strings