Trojan.Win32.FlyStudio_0d9a0429ce

by malwarelabrobot on September 13th, 2017 in Malware Descriptions.

Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0d9a0429cec4833bedd47e57863863db
SHA1: 05d5bf5cafac959c0a236b4de9989caba54abd4e
SHA256: 33901ab2976275978067d25e68597c1e7615a3f39f24483c65eac8a5e67ac723
SSDeep: 24576:NQxhapwRy/9PluYQgQZtTRJ31kF6IN1XmbsGdq:/my9P8gKtTDFkF/1wseq
Size: 1330176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-21 21:01:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1672

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W12I9I1I.txt (116 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QSZVYOH5.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ARGXHHQO.txt (377 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pc[1].htm (327 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QSZVYOH5.txt (0 bytes)

Registry activity

The process %original file name%.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0d9a0429cec4833bedd47e57863863db_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: 123xpg
Product Name: ???????
Product Version: 1.2.1.0
Legal Copyright: 123xpg.com ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.2.1.0
File Description: ???????????!
?????:www.123xpg.com
Comments: ???????????!
Language: English (United States)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             3584000       661504    5.54488  2e1e51af4ecbcdd7f13244a43b2af43b
.rdata   3588096          684032        365056    5.5446   a915fdc9792feb3b65d5680977885c3d
.data    4272128          1024000       181760    5.54383  0d6f3bed1f8e30ac21f6cf0c39208691
.rsrc    5296128          126976        13824     4.90439  1d969dd6f0875391bc861530b9f7808d
.aspack  5423104          110592        107008    3.00202  47bb72b4755063958ba2370a0a05fe10
.adata   5533696          4096          0         0        d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://122.114.124.88/ver.css
hxxp://www.123xpg.com/pc.html 162.159.228.73
hxxp://122.114.124.88/cfxpg.css
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1261403577
hxxp://z.gds.cnzz.com/stat.htm?id=1261403577&r=&lg=en-us&ntime=none&cnzz_eid=1785653847-1505227000-&showp=1276x846&t=&umuuid=15e76c3b52f1f5-01f2faec2a35a98-44703d1f-1078c8-15e76c3b5302de&h=1&rnd=944880366
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1261403577&t=z
hxxp://z4.cnzz.com/stat.htm?id=1261403577&r=&lg=en-us&ntime=none&cnzz_eid=1785653847-1505227000-&showp=1276x846&t=&umuuid=15e76c3b52f1f5-01f2faec2a35a98-44703d1f-1078c8-15e76c3b5302de&h=1&rnd=944880366 1.122.192.15
hxxp://s95.cnzz.com/stat.php?id=1261403577 1.99.192.16
hxxp://c.cnzz.com/core.php?web_id=1261403577&t=z 122.227.164.215


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /ver.css HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xhtml xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 122.114.124.88


HTTP/1.1 200 OK
Content-Length: 15729
Content-Type: text/css
Last-Modified: Tue, 12 Sep 2017 13:22:09 GMT
Accept-Ranges: bytes
ETag: "b411423ca2bd31:afd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 12 Sep 2017 15:44:42 GMT

<<< skipped >>>

GET /stat.htm?id=1261403577&r=&lg=en-us&ntime=none&cnzz_eid=1785653847-1505227000-&showp=1276x846&t=&umuuid=15e76c3b52f1f5-01f2faec2a35a98-44703d1f-1078c8-15e76c3b5302de&h=1&rnd=944880366 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.123xpg.com/pc.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: z4.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Tue, 12 Sep 2017 15:44:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip


GET /pc.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.123xpg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 12 Sep 2017 15:44:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d64e73a4ef39144f8e907e59d1a0fd5241505231083; expires=Wed, 12-Sep-18 15:44:43 GMT; path=/; domain=.123xpg.com; HttpOnly
Last-Modified: Sun, 12 Mar 2017 05:59:02 GMT
Server: yunjiasu-nginx
CF-RAY: 39d3fd6220338ae6-KBP
Content-Encoding: gzip


GET /stat.php?id=1261403577 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.123xpg.com/pc.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s95.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10987
Connection: keep-alive
Date: Tue, 12 Sep 2017 14:36:40 GMT
Last-Modified: Tue, 12 Sep 2017 14:36:40 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache15.l2et15[50,200-0,M], cache17.l2et15[51,0], kunlun4.cn116[0,200-0,H], kunlun6.cn116[0,0]
Age: 4086
X-Cache: HIT TCP_MEM_HIT dirn:10:114795264
X-Swift-SaveTime: Tue, 12 Sep 2017 14:36:40 GMT
X-Swift-CacheTime: 5400
Timing-Allow-Origin: *
EagleId: 7793970615052310864067983e

<<< skipped >>>

GET /core.php?web_id=1261403577&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.123xpg.com/pc.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 763
Connection: keep-alive
Date: Tue, 12 Sep 2017 15:40:15 GMT
Last-Modified: Tue, 12 Sep 2017 15:40:15 GMT
Expires: Tue, 12 Sep 2017 15:55:15 GMT
Via: cache2.l2et15[0,200-0,H], cache19.l2et15[0,0], kunlun9.cn198[0,200-0,H], kunlun8.cn198[0,0]
Age: 272
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Tue, 12 Sep 2017 15:40:39 GMT
X-Swift-CacheTime: 876
Timing-Allow-Origin: *
EagleId: 7ae3a4a815052310876774452e

<<< skipped >>>

GET /cfxpg.css HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: text/html, application/xhtml xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 122.114.124.88


HTTP/1.1 200 OK
Content-Length: 64039
Content-Type: text/css
Last-Modified: Tue, 12 Sep 2017 13:48:36 GMT
Accept-Ranges: bytes
ETag: "26e6e9d4cd2bd31:afd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 12 Sep 2017 15:44:44 GMT

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1672:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
~%UVW
u.hdk
u$SShe
Winhttp.dll
ole32.dll
kernel32.dll
ntdll.dll
user32.dll
oleaut32.dll
psapi.dll
gdiplus.dll
Ole32.dll
GdiPlus.dll
shlwapi.dll
advapi32.dll
wininet.dll
OLEACC.DLL
gdi32.dll
Advapi32.dll
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
MsgWaitForMultipleObjects
GdiplusShutdown
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}
hXXp://court.gamesafe.qq.com/cgi-bin/commit_user_info
%22%2C%22s_role_id%22%3A0%7D%7D
%22%2C%22s_partition%22%3A%22
%22%2C%22role_level%22%3A%221%22%2C%22role_name%22%3A%22
%22%2C%22role_id%22%3A%22
%22%2C%22role_area_id%22%3A%22
*%22%2C%22md5_str%22%3A%22
%7C
%22%2C%22check_param%22%3A%22cf%7Cyes%7C
%22%2C%22area_name%22%3A%22
%22%2C%22area_id%22%3A%22
param=%7B%22game_id%22%3A3%2C%22op_type%22%3A1%2C%22ip%22%3A%220.0.0.0%22%2C%22data%22%3A%7B%22src_type%22%3A1%2C%22uin%22%3A%22
hXXp://court.gamesafe.qq.com/cgi-bin/get_one_judge_case?timestamp=
%22%7D%7D
%22%2C%22data%22%3A%7B%22src_type%22%3A1%2C%22uin%22%3A%22
param=%7B%22game_id%22%3A3%2C%22op_type%22%3A0%2C%22ip%22%3A%220.0.0.0_
video_url": "
hXXp://court.gamesafe.qq.com/cgi-bin/get_judge_info
param=%7B%22game_id%22%3A3%2C%22op_type%22%3A1%2C%22ip%22%3A%220.0.0.0_
@hXXp://court.gamesafe.qq.com/cgi-bin/commit_judge_result
%22%2C%22is_guilty%22%3A%220%22%7D%7D
%22%2C%22access_id%22%3A%22
%22%2C%22case_id%22%3A%22
msg": "
http=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Adodb.Stream
WinHttp
hXXps://chushou.tv/gamezone/cfm.htm
jq.qq.com
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=
User-Agent:t: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
X-Requested-With: XMLHttpRequest
_webplat_msg=
webplat_msg=
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
web200712/class/sclass_
hXXp://cf.qq.com/web201105/actions.shtml
hXXp://helper.qq.com/v2/tool-list.shtml?from=46&gid=cf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fcf.qq.com%2Fcp%2Fa20160919gwg%2Fpage01.htm&eas_refer=&sServiceDepartment=group_f&sServiceType=
hXXp://gamesafe.qq.com/json.php?mod=Interface&act=getAllPunishData&game_id=3&callback=gsInquiry.getAllPunishDataCallback&_=1500100331323
Referer: hXXp://gamesafe.qq.com/number_inquiry.shtml
1970-01-01 00:00:00
hXXp://court.gamesafe.qq.com/judge.htm
hXXp://VVV.zhanqi.tv/games/CrossFire
hXXp://VVV.quanmin.tv/game/cfpc
QQ.exe
@OPMiscDll.dll
@.reloc
QQBrowserUrl
RegOpenKeyTransactedW
SogouIMEUrl
%u86c4fd4c3310e823684a04ec667059e0
V%.8X%s
QQMusicUrl
{8CEFC9E6-A2B4-4c2a-823C-6903A31139FA}
R:\TempView\Output\BinFinal\MedalWall.pdb
?GetExeDir@Sys@Util@@YA?AVCTXStringW@@XZ
?IsInitAsyncMsgLoop@Misc@Util@@YAHXZ
Common.dll
GF.dll
RenderService.dll
AsyncTask.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
OLEAUT32.dll
ATL100.DLL
SHLWAPI.dll
MSVCP100.dll
MSVCR100.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
OPMiscDll.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
3 3$3(3,3034383<3
7 8%8,838~8
>4>:>@>~>
4$5(5,5054585
2,282@2`2
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0a
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://sv.symcb.com/sv.crl0a
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
&hXXps://VVV.globalsign.com/repository/0
5hXXp://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
<hXXp://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
&hXXps://VVV.globalsign.com/repository/06
%hXXp://crl.globalsign.net/root-r3.crl0
hXXp://VVV.huya.com/g/4
hXXp://cf.qq.com/web201105/cdkey.shtml
hXXp://bang.qq.com/actcenter/index/cf
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.59 QQ/8.1.17255.201 Safari/537.36
&appid=710032918&js_ver=10034&js_type=1&login_sig=&u1=http://codol.qq.com/cp/a20150910coddjs/&r=
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
hXXps://ssl.captcha.qq.com/getimage?uin=
$=window.$||{},pt=window.pt||{},RSA=pt.RSA=function(){
if(e<t.length 11)return uv_alert("Message too long for RSA"),null;
for(var i=new Array,n=t.length-1;
var o=t.charCodeAt(n--);
)p.nextBytes(s);
this.n=null,this.e=0,this.d=null,this.p=null,this.q=null,this.dmp1=null,this.dmq1=null,this.coeff=null
null!=e&&null!=i&&e.length>0&&i.length>0?(this.n=t(e,16),this.e=parseInt(i,16)):uv_alert("Invalid RSA public key")
return t.modPowInt(this.e,this.n)
var i=e(t,this.n.bitLength() 7>>3);
var n=this.doPublic(i);
var o=n.toString(16);
return 0==(1&o.length)?o:"0" o
null!=t&&("number"==typeof t?this.fromNumber(t,e,i):null==e&&"string"!=typeof t?this.fromString(t,256):this.fromString(t,e))
o=Math.floor(r/67108864),i[n  ]=67108863&r
return ut.charAt(t)
var i=gt[t.charCodeAt(e)];
return e.fromInt(t),e
if(4!=e)return void this.fromRadix(t,e);
for(var n=t.length,o=!1,p=0;
0>s?"-"==t.charAt(n)&&(o=!0):(o=!1,0==p?this[this.t  ]=s:p i>this.DB?(this[this.t-1]|=(s&(1<<this.DB-p)-1)<<p,this[this.t  ]=s>>this.DB-p):this[this.t-1]|=s<<p,p =i,p>=this.DB&&(p-=this.DB))
8==i&&0!=(128&t[0])&&(this.s=-1,p>0&&(this[this.t-1]|=(1<<this.DB-p)-1<<p)),this.clamp(),o&&r.ZERO.subTo(this,this)
for(var t=this.s&this.DM;
if(this.s<0)return"-" this.negate().toString(t);
if(4!=t)return this.toRadix(t);
var i,n=(1<<e)-1,o=!1,p="",r=this.t,s=this.DB-r*this.DB%e;
if(r-->0)for(s<this.DB&&(i=this[r]>>s)>0&&(o=!0,p=u(i));
)e>s?(i=(this[r]&(1<<s)-1)<<e-s,i|=this[--r]>>(s =this.DB-e)):(i=this[r]>>(s-=e)&n,0>=s&&(s =this.DB,--r)),i>0&&(o=!0),o&&(p =u(i));
return r.ZERO.subTo(this,t),t
return this.s<0?this.negate():this
return this.t<=0?0:this.DB*(this.t-1) k(this[this.t-1]^this.s&this.DM)
e.t=Math.max(this.t-t,0),e.s=this.s
var i,n=t%this.DB,o=this.DB-n,p=(1<<o)-1,r=Math.floor(t/this.DB),s=this.s<<n&this.DM;
e[r]=s,e.t=this.t r 1,e.s=this.s,e.clamp()
var i=Math.floor(t/this.DB);
var n=t%this.DB,o=this.DB-n,p=(1<<n)-1;
n>0&&(e[this.t-i-1]|=(this.s&p)<<o),e.t=this.t-i,e.clamp()
for(var i=0,n=0,o=Math.min(t.t,this.t);
)n =this[i]-t[i],e[i  ]=n&this.DM,n>>=this.DB;
)n =this[i],e[i  ]=n&this.DM,n>>=this.DB;
)n-=t[i],e[i  ]=n&this.DM,n>>=this.DB;
e.s=0>n?-1:0,-1>n?e[i  ]=this.DV n:n>0&&(e[i  ]=n),e.t=i,e.clamp()
var i=this.abs(),n=t.abs(),o=i.t;
  o)e[o i.t]=i.am(0,n[o],e,o,0,i.t);
e.s=0,e.clamp(),this.s!=t.s&&r.ZERO.subTo(e,e)
for(var e=this.abs(),i=t.t=2*e.t;
var n=e.am(i,e[i],t,2*i,0,1);
(t[i e.t] =e.am(i 1,2*e[i],t,2*i 1,n,e.t-i-1))>=e.DV&&(t[i e.t]-=e.DV,t[i e.t 1]=1)
t.t>0&&(t[t.t-1] =e.am(i,e[i],t,2*i,0,1)),t.s=0,t.clamp()
var n=t.abs();
var o=this.abs();
if(o.t<n.t)return null!=e&&e.fromInt(0),void(null!=i&&this.copyTo(i));
var p=s(),l=this.s,a=t.s,c=this.DB-k(n[n.t-1]);
c>0?(n.lShiftTo(c,p),o.lShiftTo(c,i)):(n.copyTo(p),o.copyTo(i));
var d=g*(1<<this.F1) (u>1?p[u-2]>>this.F2:0),h=this.FV/d,f=(1<<this.F1)/d,m=1<<this.F2,_=i.t,$=_-u,v=null==e?s():e;
for(p.dlShiftTo($,v),i.compareTo(v)>=0&&(i[i.t  ]=1,i.subTo(v,i)),r.ONE.dlShiftTo(u,v),v.subTo(p,p);
var w=i[--_]==g?this.DM:Math.floor(i[_]*h (i[_-1] m)*f);
if((i[_] =p.am(0,w,i,$,0,u))<w)for(p.dlShiftTo($,v),i.subTo(v,i);
)i.subTo(v,i)
null!=e&&(i.drShiftTo(u,e),l!=a&&r.ZERO.subTo(e,e)),i.t=u,i.clamp(),c>0&&i.rShiftTo(c,i),0>l&&r.ZERO.subTo(i,i)
return this.abs().divRemTo(t,null,e),this.s<0&&e.compareTo(r.ZERO)>0&&t.subTo(e,e),e
return t.s<0||t.compareTo(this.m)>=0?t.mod(this.m):t
t.divRemTo(this.m,null,t)
t.multiplyTo(e,i),this.reduce(i)
t.squareTo(e),this.reduce(e)
return e=e*(2-(15&t)*e)&15,e=e*(2-(255&t)*e)&255,e=e*(2-((65535&t)*e&65535))&65535,e=e*(2-t*e%this.DV)%this.DV,e>0?this.DV-e:-e
this.m=t,this.mp=t.invDigit(),this.mpl=32767&this.mp,this.mph=this.mp>>15,this.um=(1<<t.DB-15)-1,this.mt2=2*t.t
return t.abs().dlShiftTo(this.m.t,e),e.divRemTo(this.m,null,e),t.s<0&&e.compareTo(r.ZERO)>0&&this.m.subTo(e,e),e
return t.copyTo(e),this.reduce(e),e
t.t<=this.mt2;
var i=32767&t[e],n=i*this.mpl ((i*this.mph (t[e]>>15)*this.mpl&this.um)<<15)&t.DM;
for(i=e this.m.t,t[i] =this.m.am(0,n,t,e,0,this.m.t);
t[i]>=t.DV;
)t[i]-=t.DV,t[  i]  
t.clamp(),t.drShiftTo(this.m.t,t),t.compareTo(this.m)>=0&&t.subTo(this.m,t)
if(t>4294967295||1>t)return r.ONE;
var i=s(),n=s(),o=e.convert(this),p=k(t)-1;
for(o.copyTo(i);
)if(e.sqrTo(i,n),(t&1<<p)>0)e.mulTo(n,o,i);
return e.revert(i)
return i=256>t||e.isEven()?new P(e):new j(e),this.exp(t,i)
X((new Date).getTime())
for(Z(),dt=nt(),dt.init(ht),ft=0;
ft<ht.length;
return dt.next()
e<t.length;
  e)i=i this.S[e] t[e%t.length]&255,n=this.S[e],this.S[e]=this.S[i],this.S[i]=n;
return o.setPublic(e,n),o.encrypt(t)
i.prototype.doPublic=o,i.prototype.setPublic=n,i.prototype.encrypt=p;
st&&"Microsoft Internet Explorer"==navigator.appName?(r.prototype.am=a,pt=30):st&&"Netscape"!=navigator.appName?(r.prototype.am=l,pt=26):(r.prototype.am=c,pt=28),r.prototype.DB=pt,r.prototype.DM=(1<<pt)-1,r.prototype.DV=1<<pt;
r.prototype.FV=Math.pow(2,lt),r.prototype.F1=lt-pt,r.prototype.F2=2*pt-lt;
for(at="0".charCodeAt(0),ct=0;
for(at="a".charCodeAt(0),ct=10;
for(at="A".charCodeAt(0),ct=10;
P.prototype.convert=I,P.prototype.revert=H,P.prototype.reduce=M,P.prototype.mulTo=Q,P.prototype.sqrTo=D,j.prototype.convert=U,j.prototype.revert=O,j.prototype.reduce=B,j.prototype.mulTo=F,j.prototype.sqrTo=R,r.prototype.copyTo=d,r.prototype.fromInt=h,r.prototype.fromString=m,r.prototype.clamp=_,r.prototype.dlShiftTo=q,r.prototype.drShiftTo=S,r.prototype.lShiftTo=T,r.prototype.rShiftTo=C,r.prototype.subTo=x,r.prototype.multiplyTo=L,r.prototype.squareTo=N,r.prototype.divRemTo=E,r.prototype.invDigit=V,r.prototype.isEven=z,r.prototype.exp=G,r.prototype.toString=$,r.prototype.negate=v,r.prototype.abs=w,r.prototype.compareTo=y,r.prototype.bitLength=b,r.prototype.mod=A,r.prototype.modPowInt=W,r.ZERO=f(0),r.ONE=f(1);
if("Netscape"==navigator.appName&&navigator.appVersion<"5"&&window.crypto&&window.crypto.random){
var _t=window.crypto.random(32);
mt<_t.length;
  mt)ht[ft  ]=255&_t.charCodeAt(mt)
)mt=Math.floor(65536*Math.random()),ht[ft  ]=mt>>>8,ht[ft  ]=255&mt;
Y.prototype.nextBytes=J,tt.prototype.init=et,tt.prototype.next=it;
return Math.round(4294967295*Math.random())
i<t.length;
var n=Number(t[i]).toString(16);
1==n.length&&(n="0" n),e =n
i =2)e =String.fromCharCode(parseInt(t.substr(i,2),16));
n<t.length;
n  )i[n]=t.charCodeAt(n);
var e,i,n=[],o=t.length;
a&&(a=w.R(a));7.1i.1t(a);7.2R =a.J},1j:j(c){o b=7.1i,d=b.M,e=b.J,h=7.13,g=e/(4*h),g=c?a.2N(g):a.max((g|0)-7.20,0);c=g*h;e=a.min(4*c,e);K(c){D(o f=0;f<c;f =h)7.2S(d,f);f=d.2T(0,c);b.J-=e}B V m.H(f,e)},1h:j(){o a=l.1h.O(7);a.1i=7.1i.1h();B a},20:0});g.Hasher=r.E({I:l.E(),H:j(a){7.I=7.I.E(a);7.12()},12:j(){r.12.O(7);7.21()},update:j(a){7.1u(a);7.1j();B 7},1k:j(a){a&&7.1u(a);B 7.1I()},13:16,22:j(a){B j(c,d){B(V a.H(d)).1k(c)}},_createHmacHelper:j(a){B j(c,d){B(V v.HMAC.H(a,d)).1k(c)}}});o v=b.25={};B b}(1e);(j(){o a=X,k=a.1s.1Y;a.1f.2U={U:j(a){o b=a.M,k=a.J,l=7.26;a.1Z();a=[];D(o m=0;m<k;m =3)D(o f=(b[m>>>2]>>>24-m%4*8&C)<<16|(b[m 1>>>2]>>>24-(m 1)%4*8&C)<<8|b[m 2>>>2]>>>24-(m 2)%4*8&C,n=0;4>n&&m .75*n<k;n  )a.S(l.1v(f>>>6*(3-n)&63));K(b=l.1v(64))D(;a.Q%4;)a.S(b);B a.1b("")},R:j(a){o b=a.Q,q=7.26,l=q.1v(64);l&&(l=a.29(l),-1!=l&&(b=l));D(o l=[],m=0,f=0;f<b;f  )K(f%4){o n=q.29(a.1v(f-1))<<f%4*2,u=q.29(a.1v(f))>>>6-f%4*2;l[m>>>2]|=(n|u)<<24-m%4*8;m  }B k.P(l,m)},26:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /="}})();X.1s.2V||j(a){o k=X,b=k.1s,g=b.2K,q=b.1Y,l=b.2Q,m=k.1f.2U,f=k.25.EvpKDF,n=b.2V=l.E({I:g.E(),1J:j(d,a){B 7.P(7.1K,d,a)},1L:j(d,a){B 7.P(7.2W,d,a)},H:j(d,a,c){7.I=7.I.E(c);7.2a=d;7.2X=a;7.12()},12:j(){l.12.O(7);7.21()},process:j(d){7.1u(d);B 7.1j()},1k:j(d){d&&7.1u(d);B 7.1I()},1w:4,2b:4,1K:1,2W:2,22:j(d){B{1g:j(a,h,b){B("14"==G h?p:c).1g(d,a,h,b)},1x:j(a,b,g){B("14"==G b?p:c).1x(d,a,b,g)}}}});b.StreamCipher=n.E({1I:j(){B 7.1j(!0)},13:1});o u=k.1d={},w=j(d,e,c){o b=7.2c;b?7.2c=a:b=7.2d;D(o h=0;h<c;h  )d[e h]^=b[h]},r=(b.BlockCipherMode=g.E({1J:j(d,a){B 7.2Y.P(d,a)},1L:j(a,e){B 7.2Z.P(a,e)},H:j(a,e){7.2e=a;7.2c=e}})).E();r.2Y=r.E({2f:j(a,e){o d=7.2e,c=d.13;w.O(7,a,e,c);d.30(a,e);7.2d=a.18(e,e c)}});r.2Z=r.E({2f:j(a,e){o d=7.2e,c=d.13,b=a.18(e,e c);d.31(a,e);w.O(7,a,e,c);7.2d=b}});u=u.2I=r;r=(k.1G={}).2J={1G:j(a,e){e*=4;e-=a.J%e;D(o d=e<<24|e<<16|e<<8|e,c=[],b=0;b<e;b 
=4)c.S(d);e=q.P(c,e);a.1t(e)},33:j(a){a.J-=a.M[a.J-1>>>2]&C}};b.34=n.E({I:n.I.E({1d:u,1q:r}),12:j(){n.12.O(7);o a=7.I,e=a.iv,a=a.1d;K(7.2a==7.1K)o c=a.1J;1c c=a.1L,7.20=1;7.35=c.O(a,7,e&&e.M)},2S:j(a,e){7.35.2f(a,e)},1I:j(){o a=7.I.1q;K(7.2a==7.1K){a.1G(7.1i,7.13);o e=7.1j(!0)}1c e=7.1j(!0),a.33(e);B e},13:4});o v=b.CipherParams=g.E({H:j(a){7.1H(a)},N:j(a){B(a||7.36).U(7)}}),u=(k.1y={}).37={U:j(a){o d=a.1M;a=a.1l;B(a?q.P([38,39]).1t(a).1t(d):d).N(m)},R:j(a){a=m.R(a);o d=a.M;K(38==d[0]&&39==d[1]){o c=q.P(d.18(2,4));d.2T(0,4);a.J-=16}B v.P({1M:a,1l:c})}},c=b.SerializableCipher=g.E({I:g.E({1y:u}),1g:j(a,c,b,g){g=7.I.E(g);o d=a.1J(b,g);c=d.1k(c);d=d.I;B v.P({1M:c,1N:b,iv:d.iv,algorithm:a,1d:d.1d,1q:d.1q,13:a.13,36:g.1y})},1x:j(a,c,b,g){g=7.I.E(g);c=7.2g(c,g.1y);B a.1L(b,g).1k(c.1M)},2g:j(a,c){B"14"==G a?c.R(a,7):a}}),k=(k.1O={}).37={2h:j(a,c,b,g){g||(g=q.1F(8));a=f.P({1w:c b}).compute(a,g);b=q.P(a.M.18(c),4*b);a.J=4*c;B v.P({1N:a,iv:b,1l:g})}},p=b.PasswordBasedCipher=c.E({I:c.I.E({1O:k}),1g:j(a,b,g,f){f=7.I.E(f);g=f.1O.2h(g,a.1w,a.2b);f.iv=g.iv;a=c.1g.O(7,a,b,g.1N,f);a.1H(g);B a},1x:j(a,b,g,f){f=7.I.E(f);b=7.2g(b,f.1y);g=f.1O.2h(g,a.1w,a.2b,b.1l);f.iv=g.iv;B c.1x.O(7,a,b,g.1N,f)}})}();(j(){D(o a=X,k=a.1s.34,b=a.25,g=[],q=[],l=[],m=[],f=[],n=[],u=[],w=[],r=[],v=[],c=[],p=0;3a>p;p  )c[p]=3b>p?p<<1:p<<1^283;D(o d=0,e=0,p=0;3a>p;p  ){o h=e^e<<1^e<<2^e<<3^e<<4,h=h>>>8^h&C^99;g[d]=h;q[h]=d;o x=c[d],y=c[x],z=c[y],t=3c*c[h]^3d*h;l[d]=t<<24|t>>>8;m[d]=t<<16|t>>>16;f[d]=t<<8|t>>>24;n[d]=t;t=16843009*z^65537*y^3c*x^3d*d;u[h]=t<<24|t>>>8;w[h]=t<<16|t>>>16;r[h]=t<<8|t>>>24;v[h]=t;d?(d=x^c[c[c[z^x]]],e^=c[c[e]]):d=e=1}o A=[0,1,2,4,8,16,32,64,3b,27,54],b=b.1X=k.E({21:j(){D(o a=7.2X,c=a.M,b=a.J/4,a=4*((7.3e=b 6) 1),d=7.3f=[],e=0;e<a;e  )K(e<b)d[e]=c[e];1c{o f=d[e-1];e%b?6<b&&4==e%b&&(f=g[f>>>24]<<24|g[f>>>16&C]<<16|g[f>>>8&C]<<8|g[f&C]):(f=f<<8|f>>>24,f=g[f>>>24]<<24|g[f>>>16&C]<<16|g[f>>>8&C]<<8|g[f&C],f^=A[e/b|0]<<24);d[e]=d[e-b]^f}c=7.3g=[];D(b=0;b<a;b  
)e=a-b,f=b%4?d[e]:d[e-4],c[b]=4>b||4>=e?f:u[g[f>>>24]]^w[g[f>>>16&C]]^r[g[f>>>8&C]]^v[g[f&C]]},30:j(a,b){7.2i(a,b,7.3f,l,m,f,n,g)},31:j(a,b){o c=a[b 1];a[b 1]=a[b 3];a[b 3]=c;7.2i(a,b,7.3g,u,w,r,v,q);c=a[b 1];a[b 1]=a[b 3];a[b 3]=c},2i:j(a,b,c,d,e,f,g,h){D(o k=7.3e,l=a[b]^c[0],m=a[b 1]^c[1],n=a[b 2]^c[2],p=a[b 3]^c[3],q=4,r=1;r<k;r  )o t=d[l>>>24]^e[m>>>16&C]^f[n>>>8&C]^g[p&C]^c[q  ],u=d[m>>>24]^e[n>>>16&C]^f[p>>>8&C]^g[l&C]^c[q  ],v=d[n>>>24]^e[p>>>16&C]^f[l>>>8&C]^g[m&C]^c[q  ],p=d[p>>>24]^e[l>>>16&C]^f[m>>>8&C]^g[n&C]^c[q  ],l=t,m=u,n=v;t=(h[l>>>24]<<24|h[m>>>16&C]<<16|h[n>>>8&C]<<8|h[p&C])^c[q  ];u=(h[m>>>24]<<24|h[n>>>16&C]<<16|h[p>>>8&C]<<8|h[l&C])^c[q  ];v=(h[n>>>24]<<24|h[p>>>16&C]<<16|h[l>>>8&C]<<8|h[m&C])^c[q  ];p=(h[p>>>24]<<24|h[l>>>16&C]<<16|h[m>>>8&C]<<8|h[n&C])^c[q  ];a[b]=t;a[b 1]=u;a[b 2]=v;a[b 3]=p},1w:8});a.1X=k.22(b)})();o Hs=j(a,k,b,g){o q=1e.1B((V 1C).2l()),l=L(5,10),m=L(4,6),f=[[3h,600],[1P,2j],[1z,720],[1z,2j],[1z,3h],[1z,960],[1z,1P],[3i,2j],[3i,1P],[1Q,3j],[3k,1P],[3k,3l],[1800,1Q],[2k,1080],[2k,3l],[2k,1Q]],f=[1Q,3j],n=j(){o d=L(1,9).N();D(o x=0;x<9;x  )d =L(0,9).N();B 2O(d)},k=L(4,10);a={mousemove:1r(l),mouseclick:1r(0),keyvalue:1W(m),user_Agent:b?b:"chrome/53.0.2785.104;",resolutionx:f[0],resolutiony:f[1],winSize:[300,152],url:a?a:"3m://ssl.captcha.qq.3o/cap_union_new_show",refer:k?k:"3m://xui.ptlogin2.qq.3o/cgi-bin/xlogin",1A:1A,endtime:1e.1B(q/2m) L(5,10),platform:1,os:g?g:"Win7",keyboards:m,flash:1,pluginNum:L(1,50),index:1,ptcz:"",tokenid:n(),btokenid:1a,tokents:(1A)-L(631084,666666),ips:{},colorDepth:24,cookieEnabled:!0,timezone:8,wDelta:0,keyUpCnt:k,keyUpValue:1W(k),mouseUpValue:1r(1),mouseUpCnt:1,mouseDownValue:1r(1),mouseDownCnt:1,orientation:[],bSimutor:0,focusBlur:{"in":[q L(4,5)],out:[],t:[]},fVersion:23.9,charSet:"utf-8",resizeCnt:0,errors:[],screenInfo:f[0] "-" f[1] "-818-24-*-*-*",elapsed:0,ft:"qf_7P_n_H",clientType:"2",trycnt:1,refreshcnt:0};a=Y.U(a);o 1l=15-a["Q"];D(i=0;i<1l;i  ){a =" "};B 
2P(1f(a))};',[],211,'|||||||this||||||||||||function|||||var|||||||||||||return|255|for|extend||typeof|init|cfg|sigBytes|if|Rnd|words|toString|call|create|length|parse|push||stringify|new|prototype|CryptoJS|JSON||||reset|blockSize|string|||object|slice|toJSON|null|join|else|mode|Math|enc|encrypt|clone|_data|_process|finalize|salt|replace|case|String|hasOwnProperty|padding|GetMonseMove|lib|concat|_append|charAt|keySize|decrypt|format|1280|begintime|round|Date|apply||random|pad|mixIn|_doFinalize|createEncryptor|_ENC_XFORM_MODE|createDecryptor|ciphertext|key|kdf|1024|1440|test|charCodeAt|number|Object|throw|RndKey|AES|WordArray|clamp|_minBufferSize|_doReset|_createHelper|||algo|_map|||indexOf|_xformMode|ivSize|_iv|_prevBlock|_cipher|processBlock|_parse|execute|_doCryptBlock|768|1920|getTime|1000|lastIndex|0000|isFinite|valueOf|u00ad|u0600|u0604|u070f|u17b4|u17b5|u200c|u200f|u2028|u202f|u2060|u206f|ufeff|ufff0|uffff|Error|Utf8|CBC|Pkcs7|Base|super|arguments|ceil|parseInt|encodeURIComponent|BufferedBlockAlgorithm|_nDataBytes|_doProcessBlock|splice|Base64|Cipher|_DEC_XFORM_MODE|_key|Encryptor|Decryptor|encryptBlock|decryptBlock||unpad|BlockCipher|_mode|formatter|OpenSSL|1398893684|1701076831|256|128|257|16843008|_nRounds|_keySchedule|_invKeySchedule|800|1360|900|1600|1200|https||com'.split('|'),0,{}))

%original file name%.exe_1672_rwx_0092C000_00002000:


%original file name%.exe_1672_rwx_10000000_0003E000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (763 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\W12I9I1I.txt (116 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QSZVYOH5.txt (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ARGXHHQO.txt (377 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pc[1].htm (327 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
