Trojan.Win32.FlyStudio_8610d33899


by malwarelabrobot on March 20th, 2017 in Malware Descriptions.

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8610d3389910f888de0d0ebe1a3ce061
SHA1: c00bb493133dff19eb9abfd3578772635475c7c8
SHA256: a96ecede8c9e45e5ee537ef6bfe369cca50f73b089750755a12e9dc72a4b2bd7
SSDeep: 24576:hnaFZnMf5AJt57zCOrG/RN6RG 7ZzHD20WYyb60asfs uBYTO:henMaXra5N6Rv1cW/svjTO
Size: 1888256 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-05-22 09:11:00
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2928

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVU3JNLU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\id[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TCH2R76M.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QB2Y37I3.txt (0 bytes)

Registry activity

The process %original file name%.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "91293"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1463897460"
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\faxuan.net]
"(Default)" = "20"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\8610d3389910f888de0d0ebe1a3ce061_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             866263        868352    4.47758  16c6a569d59ac444f71f7ffd2453ab39
CODE    872448           338768        339968    4.57896  2acdb705e40e5832b663b1ab65dbe92c
.rdata  1212416          373196        376832    4.4531   badc389810e59620b12f03e6900a883d
.data   1589248          475147        69632     3.66069  924848d6abe71110bd3dcdf413b4a045
DATA    2068480          69260         69632     5.14555  fb3673f94b0b6aa3d257c6a5fb6cabba
BSS     2138112          25785         28672     0        cf845a781c107ec1346e849c9dd1b7e8
.rsrc   2166784          127432        131072    2.28929  0871a8f30e7e4e72f9412b5986185fd1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /da/i.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: bqq.gtimg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:57 GMT
Cache-Control: max-age=600
Expires: Sun, 19 Mar 2017 00:41:57 GMT
Last-Modified: Tue, 17 Jan 2017 07:54:50 GMT
Content-Type: application/x-javascript
Content-Length: 13195
Content-Encoding: gzip
X-NWS-LOG-UUID: b02c8cbd-b014-4a17-9697-ca12e767fa91
Keep-Alive: timeout=60 
X-Cache-Lookup: Hit From Disktank Gz

<<< skipped >>>

GET /wpadisplay/r.gif?version=3.3.7.20160126&wty=3&type=&nameAccount=4006570518&kfuin=&ws=xf.faxuan.net&aty=0&a=0&title=&wording=&wording2=&tencentSig=5898714112&1489883517376 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: prom.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 25 Jul 2016 09:54:54 GMT
Connection: close
ETag: "5795e1ee-0"
Accept-Ranges: bytes


GET /cgi/ta.php?na=4006570518&dm=faxuan.net&cb=JSONP_CALLBACK_2_28 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpl.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/javascript
Content-Length: 53
Connection: close
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
JSONP_CALLBACK_2_28({"r":0,"data":{"sid":"2385419"}})..


GET /c/=/crm/wpa/release/3.3.7/wpa/ta.js,/crm/wpa/release/3.3.7/wpa/kfuin.js,/crm/wpa/release/3.3.7/wpa/sid.js,/crm/wpa/release/3.3.7/util/titleFlash.js,/crm/wpa/release/3.3.7/util/className.js,/crm/wpa/release/3.3.7/util/Style.js,/crm/wpa/release/3.3.7/util/taskMgr.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:54 GMT
Last-Modified: Fri, 22 Jul 2016 19:07:42 GMT
Content-Type: application/x-javascript
Content-Length: 1695
Content-Encoding: gzip
X-NWS-LOG-UUID: fdd522da-a684-47ce-9e8a-845c391e5952
Keep-Alive: timeout=60 
Access-Control-Allow-Origin: * 
X-Cache-Lookup: Hit From Disktank Gz

<<< skipped >>>

GET /c/=/crm/wpa/release/3.3.7/util/localStorage.js,/crm/wpa/release/3.3.7/wpa/SelectPanel.js,/crm/wpa/release/3.3.7/util/css.js,/crm/wpa/release/3.3.7/util/contains.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:55 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:55 GMT
Last-Modified: Fri, 22 Jul 2016 19:07:15 GMT
Content-Type: application/x-javascript
Content-Length: 3583
Content-Encoding: gzip
X-NWS-LOG-UUID: 504e67e3-a4d4-46f6-9e81-f502c822746f
Keep-Alive: timeout=60 
Access-Control-Allow-Origin: * 
X-Cache-Lookup: Hit From Disktank Gz

<<< skipped >>>

GET /cgi-bin/r.cgi?flag1=7818&flag2=21&flag3=1&3=2067&&1489883516356 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: isdspeed.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Cache-Control: max-age=0
Expires: Sun, 19 Mar 2017 00:31:57 GMT
1.....0..


GET /jsonp/mta?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&t=j0fy6gev&callback=S3JSONPPREFIXyi7ym0 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 22
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
S3JSONPPREFIXyi7ym0();..


GET /ping/id?v=0.6.6&tid=4006570518&aid=&sid=1.1.sdyr8n.j0fy6get&qid=sjoq3o.t0e4l5.j0fy6ges&pid=i9b1v3.3fir2g.j0fy6ges&qqm=3&t=j0fy6ia5&cid=1940917248&src=12&z=ngke5u HTTP/1.1
Accept: */*
Referer: hXXp://combo.b.qq.com/da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive
Cookie: __qidianid=87af85c63adaa7058ecd29406314a27e0b85c26a


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:32:01 GMT
Content-Type: image/gif
Content-Length: 35
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
GIF87a.............,...........D..;..


GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Set-Cookie: rid=32a0cb241a97f8ecaba3339c887081d6;expires=31 GMT;path=/;domain=faxuan.net 
Location: hXXp://xf.faxuan.net/
Access-Control-Allow-Origin: *
a7..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>openresty/1.7.10.1</center>..</body>..</html>..0......



GET / HTTP/1.1

Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/vendor/easyui14/themes/easyui.css HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-9f0d"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/vendor/jquery/jquery.cookie.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-5e1"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/js/index/orhonmclib.min.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-3d44"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/js/index/orhon-U2M.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:39 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-361"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/vendor/jsrender.js HTTP/1.1

x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:42 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-4506"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/js/widget/comm_validatebox_rules.js?_=1489883499424 HTTP/1.1

x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:49 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1136"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/images/login/bg_login.jpg HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/jpeg
Content-Length: 126290
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-1ed52"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /ping/pv?v=0.6.6&tid=4006570518&aid=&pid=i9b1v3.3fir2g.j0fy6ges&qid=sjoq3o.t0e4l5.j0fy6ges&src=12&cid=1940917248&sid=1.1.sdyr8n.j0fy6get&r=&pt=国家工作人员学法用法及考试平台_登录&sw=1276&sh=846&dpr=1&saw=1276&sah=802&scd=32&so=&bw=390&bh=310&tz=-2&hasf=23.0.0&hasadb=1&hasc=1&hastc=0&hasls=1&hasss=1&hasid=0&t=j0fy6gfy&z=bsg424 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: da.qidian.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/gif
Content-Length: 35
Connection: close
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
P3P: IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT
Set-Cookie: __qidianid=87af85c63adaa7058ecd29406314a27e0b85c26a; expires=Mon, 19-Mar-2018 00:31:59 GMT; path=/; domain=.qidian.qq.com
GIF87a.............,...........D..;..


GET /cgi/conv.php?num=4006570518&cb=JSONP_CALLBACK_1_77 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpl.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: text/javascript
Content-Length: 93
Connection: close
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
JSONP_CALLBACK_1_77({"r":0,"data":{"kfuin":938032293,"nameAccount":"4006570518","envId":11}})..


GET /baseui/vendor/easyui14/themes/icon.css HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-8a6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/js/comm_cookies.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-7d4"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/style/common/tooltipster_style.css HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1e6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/style/common/popwin_style.css HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-555"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /bps/common/comm_resources.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Wed, 08 Mar 2017 04:56:52 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58bf8f14-906"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /bps/login/s/login_1_s.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-2e6"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /bps/login/v/login_1_v.js HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-1f13"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/style/orhonmatrixfont.css HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:41 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-554"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/vendor/easyui14/lib/form-validate.js HTTP/1.1

x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:46 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-11921"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/js/widget/comm_popwin.js?_=1489883499426 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-1715"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/images/login/map.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/png
Content-Length: 123144
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-1e108"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /crmReport/accesslog?FUID=&FKFUin=&FNa=4006570518&FRurl=&1489883516356 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: report.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip


GET /se/r.gif?na=4006570518&ref=&1489883516357 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: prom.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/gif
Content-Length: 0
Last-Modified: Mon, 25 Jul 2016 09:54:55 GMT
Connection: close
ETag: "5795e1ef-0"
Accept-Ranges: bytes


GET /baseui/vendor/json2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-d39"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/js/comm_util.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:36 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-95f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/js/comm_serv.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:37 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-726"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /bps/userpoint/s/userpoint_1_s.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: application/javascript
Last-Modified: Mon, 27 Feb 2017 02:03:59 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"58b3890f-40f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip



GET /baseui/style/newcss/login.css?v=20160911 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-11ea"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/images/up.png HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:42 GMT
Content-Type: image/png
Content-Length: 347
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-15b"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /baseui/js/widget/comm_validatebox_customtooltip.js?_=1489883499423 HTTP/1.1
x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:47 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-12ee"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/images/topnav_bg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/jpeg
Content-Length: 21507
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-5403"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /cgi/wpa.php HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: wpa.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Mar 2017 00:31:38 GMT
Content-Type: text/javascript
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.13
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Encoding: gzip

<<< skipped >>>

GET /c/=/crm/wpa/release/3.3.7/wpa/APIs/addCustom.js,/crm/wpa/release/3.3.7/lang/extend.js,/crm/wpa/release/3.3.7/util/domain.js,/crm/wpa/release/3.3.7/wpa/WPA.js,/crm/wpa/release/3.3.7/wpa/wpaMgr.js,/crm/wpa/release/3.3.7/lang/browser.js,/crm/wpa/release/3.3.7/util/proxy.js,/crm/wpa/release/3.3.7/util/pad.js,/crm/wpa/release/3.3.7/util/Bits.js,/crm/wpa/release/3.3.7/util/getJSONP.js,/crm/wpa/release/3.3.7/util/cookie.js,/crm/wpa/release/3.3.7/util/events.js,/crm/wpa/release/3.3.7/util/onLoad.js,/crm/wpa/release/3.3.7/util/offset.js,/crm/wpa/release/3.3.7/util/Panel.js,/crm/wpa/release/3.3.7/util/onIframeLoaded.js,/crm/wpa/release/3.3.7/util/GUID.js,/crm/wpa/release/3.3.7/wpa/getQQVersion.js,/crm/wpa/release/3.3.7/wpa/ViewHelper.js,/crm/wpa/release/3.3.7/wpa/views.js?v=3.3.7.20160126 HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:54 GMT
Cache-Control: max-age=300
Expires: Sun, 19 Mar 2017 00:36:54 GMT
Last-Modified: Fri, 12 Aug 2016 09:00:23 GMT
Content-Type: application/x-javascript
Content-Length: 48165
Content-Encoding: gzip
X-NWS-LOG-UUID: ac008d89-bb76-4556-9406-2036b987d4c8
Keep-Alive: timeout=60 
Access-Control-Allow-Origin: * 
X-Cache-Lookup: Hit From Disktank Gz

<<< skipped >>>

GET /da/id.html?q=sjoq3o.t0e4l5.j0fy6ges&p=i9b1v3.3fir2g.j0fy6ges&t=4006570518&a=&c=1940917248&s=1.1.sdyr8n.j0fy6get&src=12&pgv_pvi=&v=0.6.6&ts=http://da.qidian.qq.com/ping/id HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: combo.b.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sun, 19 Mar 2017 00:31:58 GMT
Cache-Control: max-age=600
Expires: Sun, 19 Mar 2017 00:41:58 GMT
Last-Modified: Tue, 17 Jan 2017 07:54:50 GMT
Content-Type: text/html
Content-Length: 5261
Content-Encoding: gzip
X-NWS-LOG-UUID: ee30b696-64af-4905-89b8-95cf831a9839
Keep-Alive: timeout=60 
Access-Control-Allow-Origin: * 
X-Cache-Lookup: Hit From Disktank Gz

<<< skipped >>>

GET /baseui/vendor/jquery/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:35 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-178cf"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/style/newcss/public.css?v=20160911 HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:40 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-14f1"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/style/popwin.css HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:41 GMT
Content-Type: text/css
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-41f"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/vendor/easyui14/lib/base.js HTTP/1.1

x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:44 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-4978"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/js/widget/comm_customFuncTip.js?_=1489883499425 HTTP/1.1

x-requested-with: XMLHttpRequest
Accept-Language: en-us
Referer: hXXp://xf.faxuan.net/
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:49 GMT
Content-Type: application/javascript
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
ETag: W/"57e33f09-5ee"
Access-Control-Allow-Origin: *
Content-Encoding: gzip

<<< skipped >>>

GET /baseui/images/login/logo.png HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:54 GMT
Content-Type: image/png
Content-Length: 29795
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-7463"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /baseui/images/login/switch.png HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:56 GMT
Content-Type: image/png
Content-Length: 363
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-16b"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /baseui/images/login/bg_user.png HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/png
Content-Length: 1006
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-3ee"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /baseui/images/login/bg_pwd.png HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:57 GMT
Content-Type: image/png
Content-Length: 737
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-2e1"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /baseui/images/login/icon_phone.png HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:58 GMT
Content-Type: image/png
Content-Length: 625
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-271"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes



GET /baseui/images/login/icon_qq.png HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/png
Content-Length: 1786
Last-Modified: Thu, 22 Sep 2016 02:16:41 GMT
Connection: keep-alive
Keep-Alive: timeout=60
ETag: "57e33f09-6fa"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

GET /service/gc.html?timestamp=1489883514000 HTTP/1.1

Accept: */*
Referer: hXXp://xf.faxuan.net/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xf.faxuan.net
Connection: Keep-Alive
Cookie: rid=32a0cb241a97f8ecaba3339c887081d6


HTTP/1.1 200 OK
Server: openresty/1.7.10.1
Date: Sun, 19 Mar 2017 00:31:59 GMT
Content-Type: image/jpeg
Content-Length: 1240
Connection: keep-alive
Keep-Alive: timeout=60
Last-Modified: Wed, 02 Dec 2015 10:19:41 GMT
ETag: "565ec5bd-4d8"
Accept-Ranges: bytes
Age: 26507
X-Cache: HIT from 192.168.1.51
X-Cache-Lookup: HIT from 192.168.1.51:80
Via: 1.0 192.168.1.51 (squid/3.1.10)
Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2928:


%original file name%.exe_2928_rwx_10000000_0003E000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\taskMgr[1].js (193 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\comm_util[1].js (73 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S99OLKTL.txt (91 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\xf.faxuan[1].xml (199 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\views[1].js (69642 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\login_1_s[1].js (742 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[2].js (54106 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
