Skip to main content

Gen.Variant.Strictor.70570_bce5185cd6


Susp_Dropper (Kaspersky), Gen:Variant.Strictor.70570 (B) (Emsisoft), Gen:Variant.Strictor.70570 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bce5185cd6bcfb15ea413b2870904564

SHA1: fe60dcb09257e2fbc85cc08508bef11e1536bab5

SHA256: 9739e06e111c6f213e67517a0d3cf14c40695b57073d5c01814c1bcce6670c74

SSDeep: 24576:23MMjuiZd4rfbCbg2acawU9txGoF6BhBsYSUNMuITpwTZaqdiXSp0c02uFG6dAk8:2Ng7txKBPeUzBTZaqdwk0c05HGi JJ7

Size: 2351104 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: no certificate found

Created at: 2016-09-02 15:15:09

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:3404

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (0 bytes)

Registry activity

The process %original file name%.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePrefix" = ":2017032220170323:"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912c:\SkinH_EL.dll
f803ad370a8649a143429f179af5f3abc:\dc.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
    C:\dc.dll (122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
    C:\SkinH_EL.dll (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ??????????????
Product Name: ??????????????
Product Version: 4.4.0.0
Legal Copyright: ??????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.4.0.0
File Description: ??????????????
Comments: ??????????????
Language: Chinese (Simplified, PRC)

Company Name: ??????????????Product Name: ??????????????Product Version: 4.4.0.0Legal Copyright: ??????????????Legal Trademarks: Original Filename: Internal Name: File Version: 4.4.0.0File Description: ??????????????Comments: ??????????????Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40969702299707524.52493882e1d6a4d0017a9879d47b74c0635e7
.rdata974848124921212492805.160125fcf6c33b35812e3412d866b620faa03
.data2224128365898901123.54456e90c0ce56c63695ac986b82f08626ee2
.rsrc259276832960368643.5510837ff9cd91594fbeb59b4863ab563a374

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://ad.51pc114.cn/setup/a.html122.228.204.12
hxxp://ad.51pc114.cn/setup/ssxczgg2269.txt122.228.204.12
hxxp://ad.51pc114.cn/ad/ssggd.htm122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxs11.htm122.228.204.12
hxxp://ad.51pc114.cn/ad/mcgg.htm122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxs12.htm122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxs13.htm122.228.204.12
hxxp://ad.51pc114.cn/ad/gjgg.htm122.228.204.12
hxxp://ad.51pc114.cn/ad/ssxszgg1.htm122.228.204.12
hxxp://ad.51pc114.cn/setup/ssxsz.htm122.228.204.12
hxxp://js.users.51.la/19059730.js42.236.74.247
hxxp://js.tongji.linezing.com.danuoyi.tbcache.com/1522895/tongji.js47.89.65.199
hxxp://ad.51pc114.cn/ad/mcgg456.htm122.228.204.12
hxxp://popup.jointreport-switch.com/close.php?uid=1130115.238.244.82
hxxp://js.tongji.linezing.com.danuoyi.tbcache.com/1435675/tongji.js47.89.65.199
hxxp://grp1.51.la/go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746
hxxp://js.users.51.la/4473463.js42.236.74.247
hxxp://web.users.51.la/go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=149014487874642.236.74.234
hxxp://123.51pc114.cn/ad/ssxszgg1.htm122.228.204.12
hxxp://123.51pc114.cn/ad/ssxs11.htm122.228.204.12
hxxp://123.51pc114.cn/ad/ssggd.htm122.228.204.12
hxxp://123.51pc114.cn/ad/gjgg.htm122.228.204.12
hxxp://123.51pc114.cn/ad/mcgg.htm122.228.204.12
hxxp://123.51pc114.cn/setup/ssxsz.htm122.228.204.12
hxxp://js.tongji.linezing.com/1435675/tongji.js47.89.65.199
hxxp://123.51pc114.cn/ad/ssxs12.htm122.228.204.12
hxxp://ad.7532.com/ad/mcgg456.htm122.228.204.12
hxxp://123.51pc114.cn/ad/ssxs13.htm122.228.204.12
hxxp://js.tongji.linezing.com/1522895/tongji.js47.89.65.199
u291014.778669.com122.225.96.73

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ad/ssxs13.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 508

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm

Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT

Accept-Ranges: bytes

ETag: "e0a720ef1c28d11:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>....<............................</body>..</html>..HTTP/1.1 200 OK..Content-Length: 508..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm..Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT..Accept-Ranges: bytes..ETag: "e0a720ef1c28d11:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:42 GMT..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>....<............................</body>..</html>....

<<< skipped >>>

GET /close.php?uid=1130 HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxs12.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: popup.jointreport-switch.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: tengine

Date: Wed, 22 Mar 2017 01:07:57 GMT

Content-Type: text/html; charset=gb2312

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.28

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Cache-Control: no-cache, must-revalidate

Set-Cookie: lgPTN20963270664410=0; expires=Wed, 22-Mar-2017 16:00:00 GMT; path=/; domain=.jointreport-switch.com

222f..(function() {.. var popUrl = 'hXXp://popup.jointreport-switch.com/jointreport_process.php?ap=MjE2Mnw1ODhlMWM3OTA4ZWQ1YzliM2FmZmY0MGQ4Zjg2YzAwZWZkNw==';.. var lgUnionPushUrl = CrazyInitUrl(popUrl);.. function CrazyInitUrl(urls){.. var sf=0,sc=0,ol='',sd=0;.. var ae = function(p) {.. v = false;.. document.write('<SCRIPT LANGUAGE=VBScript>\n on error resume next \n v = IsObject(CreateObject("' p '"))<\/SCRIPT>\n');.. if(v){.. return '1';.. }else{.. return '0';.. }.. };.. var af = function(p) {.. var m = '';.. for (var i=0; i < navigator.mimeTypes.length; i ){.. m = navigator.mimeTypes[i].type.toLowerCase();.. }.. v = '0';.. if (m.indexOf(p) != -1){.. if (navigator.mimeTypes[p].enabledPlugin != null) v = '1';.. }.. return v;.. };.. var __dm = (navigator.appName.indexOf("Netscape") != -1);.. var __di = (navigator.userAgent.toLowerCase().indexOf("msie") != -1);.. var __dw = ((navigator.userAgent.toLowerCase().indexOf("win")!=-1) || (navigator.userAgent.toLowerCase().indexOf("32bit")!=-1));.. if(__dw && __di) sf = ae("ShockwaveFlash.ShockwaveFlash.1");.. if(!__dw || __dm) fs = af("application/x-shockwave-flash");.. if(navigator.appName=="Netscape"){.. ol = navigator.language.substr(0,2);.. }else{..

<<< skipped >>>

GET /setup/ssxczgg2269.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: ad.51pc114.cn

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Content-Length: 4435

Content-Type: text/html

Server: IIS

Date: Wed, 22 Mar 2017 01:07:39 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>................</title>..<style type="text/css">..<!--..BODY {.PADDING-RIGHT: 0px; PADDING-LEFT: 35px; BACKGROUND: url(/images/photoback.gif) repeat-x left top; PADDING-BOTTOM: 0px; MARGIN: 0px; FONT: 12px Arial, Helvetica, sans-serif; COLOR: #333; PADDING-TOP: 35px}..A {.COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #de1d6a}...hidehr {DISPLAY: none}...show12 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show13 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show12 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2px; BORDER-BOTTOM: #bfdeed 1px solid; HEIGHT: 16px}...show13 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2p

<<< skipped >>>

GET /setup/a.html HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

Host: ad.51pc114.cn

HTTP/1.1 200 OK

Content-Length: 45

Content-Type: text/html

Content-Location: hXXp://ad.51pc114.cn/setup/a.html

Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT

Accept-Ranges: bytes

ETag: "3efdd9d93cadcf1:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:39 GMT

[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]HTTP/1.1 200 OK..Content-Length: 45..Content-Type: text/html..Content-Location: hXXp://ad.51pc114.cn/setup/a.html..Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT..Accept-Ranges: bytes..ETag: "3efdd9d93cadcf1:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:39 GMT..[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]..

GET /go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746 HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: web.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 22 Mar 2017 01:08:00 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 0

Content-Type: text/html

Expires: Tue, 21 Mar 2017 08:28:00 GMT

Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/

Cache-control: private

HTTP/1.1 200 OK..Date: Wed, 22 Mar 2017 01:08:00 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 0..Content-Type: text/html..Expires: Tue, 21 Mar 2017 08:28:00 GMT..Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/..Cache-control: private..

GET /19059730.js HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Encoding: gzip

Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT

Accept-Ranges: bytes

ETag: "c1c17cc13c97d21:0"

Vary: Accept-Encoding

Server: Microsoft-IIS/8.5

Date: Wed, 22 Mar 2017 01:07:58 GMT

Content-Length: 972

.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"f.t........<...q........m.zt...............w.?|po............Rf...w...g.Q..Y......g.w.....C....>..p...~>8}.?......N.=.....#......O~......]~|..7N..:..TK(..-....G..g....[4..........4k.j.}w..%..$...v.V...T.:.6..z..._....U.4k..;..iUV5.....2.,......j."[..}....m..*.../.^h.u./...]^>.W.....y..i.....~......Q..V..`...d:....b..j....../X...p.i...@E.vZUo.|... ......j.....g.;..._e.y....~..........nw>.s.....-..g.uY..=v..[.S..-...2g.n.fw....;w>..f..S....q..o.E.o.c.....'..|......s..3..>....G.._..'.G.....v.0..*j..|.V....u[......~Tj.3"F.J..b.*ut......e...X .;TR.>.w....WK.}d~.s.K..M4....o...........j.....=.$rt. .4D..m.Z....$. _...?.sK....JPX..H.hu~.KL.v.UK...R7.s.>..eV,.kR.....4k..x...~.1i.|2^7y..n...Y..=..b..._H..]..[a...p.....V.l>k....eN.l.l..33.....s...;w?.......1..?...u..@PeuU...'......... .5.m...p.s.....oV..%....3..M.o..v..Z.[.....".,...-..L5}8...............S..B...HTTP/1.1 200 OK..Content-Type: application/javascript..Content-Encoding: gzip..Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT..Accept-Ranges: bytes..ETag: "c1c17cc13c97d21:0"..Vary: Accept-Encoding..Server: Microsoft-IIS/8.5..Date: Wed, 22 Mar 2017 01:07:58 GMT..Content-Length: 972...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"f.t........<...q........m.zt...............w.?|po............Rf...w...g.Q..Y......g.w.....C....>..p...~>8}.?......N.=.....#......O~...

<<< skipped >>>

GET /ad/ssxs12.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 1283

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxs12.htm

Last-Modified: Fri, 09 Dec 2016 13:25:51 GMT

Accept-Ranges: bytes

ETag: "aa9133c31f52d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>......................<script language='javascript'>..// ..................html............var random = {...ad_num : 3,...init : function(){....n = (Math.floor(Math.random()*random.ad_num 1));....switch(n){.....case 1:......document.writeln('<script src=\"http:\/\/p.rhgw.net\/code\/popjs.asp?pid=258920\" charset=\"gb2312\"><\/script>');.....break;.....case 2:......document.writeln('<script type=\"text\/javascript\" src=\"http:\/\/popup.jointreport-switch.com\/close.php?uid=1130\"><\/script>');.....break;.....case 3:......document.writeln('<script language=\"javascript\" src=\"http:\/\/u291014.778669.com\/fclose.php?id=180495\"><\/script>');.....break;....}...}..}..random.init();..</script>....<script language="javascript" src="hXXp://u291014.778669.com/fclose.php?id=152695"></script>..........</body>..</html>..t>....

<<< skipped >>>

GET /setup/ssxsz.htm HTTP/1.1

Referer: hXXp://123.51pc114.cn/setup/ssxsz.htm

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: 123.51pc114.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 3

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm

Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT

Accept-Ranges: bytes

ETag: "e46a71be9b98d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

5.2HTTP/1.1 200 OK..Content-Length: 3..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm..Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT..Accept-Ranges: bytes..ETag: "e46a71be9b98d21:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:42 GMT..5.2..

GET /1522895/tongji.js HTTP/1.1

Accept: */*

Referer: hXXp://123.51pc114.cn/ad/ssxszgg1.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.tongji.linezing.com

Connection: Keep-Alive

HTTP/1.1 503 Service Temporarily Unavailable

Server: Tengine

Content-Length: 0

Connection: keep-alive

Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]

Age: 0

X-Cache: MISS TCP_MISS dirn:-2:-2

X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT

X-Swift-CacheTime: 1

Timing-Allow-Origin: *

EagleId: 2f59411814901448766361688e

HTTP/1.1 503 Service Temporarily Unavailable..Server: Tengine..Content-Length: 0..Connection: keep-alive..Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]..Age: 0..X-Cache: MISS TCP_MISS dirn:-2:-2..X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT..X-Swift-CacheTime: 1..Timing-Allow-Origin: *..EagleId: 2f59411814901448766361688e..

GET /ad/ssggd.htm HTTP/1.1

Referer: hXXp://123.51pc114.cn/ad/ssggd.htm

Accept: */*

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: 123.51pc114.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 106

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm

Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT

Accept-Ranges: bytes

ETag: "147f493a2f68d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:41 GMT

................................................4.9............................,..........................HTTP/1.1 200 OK..Content-Length: 106..Content-Type: text/html..Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm..Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT..Accept-Ranges: bytes..ETag: "147f493a2f68d21:948"..Server: IIS..Date: Wed, 22 Mar 2017 01:07:41 GMT..................................................4.9............................,..............................

GET /ad/ssxs11.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 825

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxs11.htm

Last-Modified: Mon, 16 Jan 2017 15:57:20 GMT

Accept-Ranges: bytes

ETag: "070cb371170d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:41 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>..............................<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/19059730.js"></script>..<noscript><a href="hXXp://VVV.51.la/?19059730" target="_blank"><img alt="我要啦免费统计" src="hXXp://img.users.51.la/19059730.asp" style="border:none" /></a></noscript>....</body>..</html>......

GET /ad/mcgg.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 75

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/mcgg.htm

Last-Modified: Thu, 28 Mar 2013 03:33:01 GMT

Accept-Ranges: bytes

ETag: "8222f3642bce1:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:41 GMT

<meta HTTP-EQUIV=REFRESH CONTENT="0;URL=hXXp://ad.7532.com/ad/mcgg456.htm">....

GET /ad/ssxszgg1.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 2915

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/ssxszgg1.htm

Last-Modified: Fri, 06 Jan 2017 15:12:34 GMT

Accept-Ranges: bytes

ETag: "8c63f64e2f68d21:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>.. <br />..<font size="2" color="red"><a href="hXXp://url.cn/OGLodN" target="_blank">................28..................:</a></font><font size="2" color="red">..<br />..<font size="2" color="blue"><a href="hXXp://km.7532.com" target="_blank">............1-3........1........10..4..................1-10......................7532......</a></font><font size="2" color="blue"><br />..<br />..<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#0000ff"><strong>..<br />........................................4.9............................,..........................</strong></a>..<br />..<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#ff0000"><strong>........<br />..<br />..1........................,....................<br />..2.................................................................</strong></a>....<br />....<br />..

<<< skipped >>>

GET /1435675/tongji.js HTTP/1.1

Accept: */*

Referer: hXXp://ad.7532.com/ad/mcgg456.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.tongji.linezing.com

Connection: Keep-Alive

HTTP/1.1 503 Service Temporarily Unavailable

Server: Tengine

Content-Length: 0

Connection: keep-alive

Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]

Age: 0

X-Cache: MISS TCP_MISS dirn:-2:-2

X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:38 GMT

X-Swift-CacheTime: 1

Timing-Allow-Origin: *

EagleId: 2f59410314901448775867203e

HTTP/1.1 503 Service Temporarily Unavailable..Server: Tengine..Content-Length: 0..Connection: keep-alive..Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]..Age: 0..

GET /4473463.js HTTP/1.1

Accept: */*

Referer: hXXp://ad.7532.com/ad/mcgg456.htm

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: js.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: max-age=300

Content-Length: 1872

Content-Type: application/x-javascript

Last-Modified: Tue, 07 Mar 2017 03:16:45 GMT

Accept-Ranges: bytes

ETag: "6cedff3ff196d21:5590"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 22 Mar 2017 01:07:36 GMT

Connection: close

document.write ('<a href="hXXp://VVV.51.la/?4473463" target="_blank" title="51.La 网站流量统计系统">网站统计</a>\n');..var a3463tf="51la";var a3463pu="";var a3463pf="51la";var a3463su=window.location;var a3463sf=document.referrer;var a3463of="";var a3463op="";var a3463ops=1;var a3463ot=1;var a3463d=new Date();var a3463color="";if (navigator.appName=="Netscape"){a3463color=screen.pixelDepth;} else {a3463color=screen.colorDepth;}..try{a3463tf=top.document.referrer;}catch(e){}..try{a3463pu =window.parent.location;}catch(e){}..try{a3463pf=window.parent.document.referrer;}catch(e){}..try{a3463ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3463ops=(a3463ops==null)?1: (parseInt(unescape((a3463ops)[2])) 1);var a3463oe =new Date();a3463oe.setTime(a3463oe.getTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a3463ops ";path=/;expires=" a3463oe.toGMTString();a3463ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3463ot==null){a3463ot=1;}else{a3463ot=parseInt(unescape((a3463ot)[2])); a3463ot=(a3463ops==1)?(a3463ot 1):(a3463ot);}a3463oe.setTime(a3463oe.getTime() 365*24*60*60*1000);document.cookie="AJSTAT_ok_times=" a3463ot ";path=/;expires=" a3463oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a3463ops=-1;a3463ot=-1;}}catch(e){}..a3463of=a3463sf;if(a3463pf!=="51la"){a3463of=a3463pf;}if(a3463tf!=="51la"){a3463of=a3463tf;}a3463op=a3463pu;try{lainframe}catch(e){a3463op=a3463

<<< skipped >>>

GET /ad/gjgg.htm HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: 123.51pc114.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 15198

Content-Type: text/html

Content-Location: hXXp://123.51pc114.cn/ad/gjgg.htm

Last-Modified: Tue, 21 Jun 2016 02:14:19 GMT

Accept-Ranges: bytes

ETag: "8228749e62cbd11:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:42 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<meta name="keywords" content="QQ...."/>..<meta name="description" content="QQ...."/>..<title>............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>QQ..............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {color: #FFFFFF}..-->..</style>..</head>..<html>..<body>..<body>......<table width="250" border="0">..<tr>..<tr>..<tr>..<tr>.. <td class="STYLE2"> <span class="STYLE1"><a href="hXXp://VVV.7532.com/" target="_blank" style="color:#FE0000;" onMouseOver="this.style.color='#FE0000';" onMouseOut="this.style.color='#FE0000';">......QQ......................</a></span></td>.. <td><span class="STYLE2">[<span class="STYLE1">........

<<< skipped >>>

GET /ad/mcgg456.htm HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ad.7532.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 4406

Content-Type: text/html

Content-Location: hXXp://ad.7532.com/ad/mcgg456.htm

Last-Modified: Wed, 02 Mar 2016 05:01:52 GMT

Accept-Ranges: bytes

ETag: "a8b4a0a24074d11:948"

Server: IIS

Date: Wed, 22 Mar 2017 01:07:44 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<meta name="keywords" content="QQ...."/>..<meta name="description" content="QQ...."/>..<title>............</title>..<style type="text/css">..<!--...STYLE1 {color: #0000FF}..body,td,th {...font-size: 12px;..}...STYLE2 {color: #FF0000}..-->..</style>..</head>..<html>..<body>........<table width="494" border="0" cellpadding="0" cellspacing="0">.. <!--DWLayoutTable-->.. <tr>.. <td width="494" height="708" align="left" valign="top"><table width="236" height="221">.. <tr> <tr>.... </tr>....<tr>.. <tr>.. <td height="14" align="left" valign="middle"><a href="http://shop107817006.taobao.com" target="_blank" style="color:#FF00FF;" onmouseover="this.style.color='#FF00FF';" onmouseout="this.style.color='#FF00FF';">........................</a></td>.. <td height="14"><span class="STYLE1">[........]</span></td>.. </tr>..<tr>.. <td height="14" align="left" valign="middle"><a href="hXXp://down.cncpa.net:9000/mmliao/MM-liao8869.exe" target="_blank" style="color:#2222f0;" onMouseOver="this.style.color='#2222f0F';" onMouseOut="this.style.co

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_3404:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

t%SVh

t%SVh

t$(SSh

t$(SSh

~%UVW

~%UVW

}?9\$0~9

}?9\$0~9

u$SShe

u$SShe

iu2.iu

iu2.iu

dc.dll

dc.dll

ole32.dll

ole32.dll

kernel32.dll

kernel32.dll

wininet.dll

wininet.dll

SkinH_EL.dll

SkinH_EL.dll

advapi32.dll

advapi32.dll

user32.dll

user32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

ReportError

ReportError

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

WebBrowser

WebBrowser

hXXp://VVV.7532.com/forum-49-1.html

hXXp://VVV.7532.com/forum-49-1.html

O;.lQ5"

O;.lQ5"

ytv%c]`

ytv%c]`

hXXp://VVV.7532.com

hXXp://VVV.7532.com

WinHttp.WinHttpRequest.5.1

WinHttp.WinHttpRequest.5.1

8926356713

8926356713

hXXp://api.t.qq.com/qzApp/appHomePage.php?index=1&home=1&apiType=5&g_tk=

hXXp://api.t.qq.com/qzApp/appHomePage.php?index=1&home=1&apiType=5&g_tk=

hXXp://z.t.qq.com/mb/qzone/index.html

hXXp://z.t.qq.com/mb/qzone/index.html

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

"loginedUser"

"loginedUser"

MSXML2.ServerXMLHTTP.6.0

MSXML2.ServerXMLHTTP.6.0

MSXML2.ServerXMLHTTP.5.0

MSXML2.ServerXMLHTTP.5.0

application/x-www-form-urlencoded

application/x-www-form-urlencoded

hXXp://api.t.qq.com/old/follow.php

hXXp://api.t.qq.com/old/follow.php

hXXp://api.t.qq.com/proxy.html

hXXp://api.t.qq.com/proxy.html

hXXp://z.t.qq.com/mb/qzone/index.html#

hXXp://z.t.qq.com/mb/qzone/index.html#

&veriCode=&lieuId=&apiType=5&apiHost=http://api.t.qq.com&g_tk=

&veriCode=&lieuId=&apiType=5&apiHost=http://api.t.qq.com&g_tk=

&apiType=5&apiHost=http://api.t.qq.com&_r=

&apiType=5&apiHost=http://api.t.qq.com&_r=

hXXp://api.t.qq.com/qzApp/appUserTweets.php?filter=0&uid=

hXXp://api.t.qq.com/qzApp/appUserTweets.php?filter=0&uid=

hXXp://api.t.qq.com/old/unfollow.php

hXXp://api.t.qq.com/old/unfollow.php

hXXp://ad.51pc114.cn/setup/yinyue.html

hXXp://ad.51pc114.cn/setup/yinyue.html

.html

.html

hXXp://y.qq.com/y/static/singer/

hXXp://y.qq.com/y/static/singer/

&loginUin=

&loginUin=

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_add.fcg?singermid=

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_add.fcg?singermid=

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=

hXXp://s.plcloud.music.qq.com/fcgi-bin/fcg_order_singer_getnum.fcg?singermid=

hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt

hXXp://ad.51pc114.cn/setup/ssxczgg2269.txt

hXXp://VVV.7532.com/thread-143613-1-1.html

hXXp://VVV.7532.com/thread-143613-1-1.html

122.228.204.12

122.228.204.12

hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html

hXXp://blog.sina.com.cn/s/blog_81b5163c0102vw7z.html

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

http=

https

https

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXps://

hXXp://

hXXp://

hXXp://123.51pc114.cn/ad/ssggd.htm

hXXp://123.51pc114.cn/ad/ssggd.htm

Adodb.Stream

Adodb.Stream

fJ.WM_

fJ.WM_

CX%xm

CX%xm

Õ6m*

Õ6m*

n.BjCw

n.BjCw

%s;7*

%s;7*

0%x@w

0%x@w

%C^L:

%C^L:

%s T5

%s T5

]E4%F(

]E4%F(

.Funr

.Funr

k%UPp

k%UPp

fg.VG

fg.VG

%C',@

%C',@

>Ùd

>Ùd

0'.Ll

0'.Ll

[I(3/#N0.bd

[I(3/#N0.bd

j"%u=w

j"%u=w

q%Xn`

q%Xn`

@|H.NI

@|H.NI

.wdd!

.wdd!

S|%u4

S|%u4

*.Ea]S

*.Ea]S

Q.CGo

Q.CGo

fTpe

fTpe

.LLbX

.LLbX

-.Mdl

-.Mdl

\-A}=3K

\-A}=3K

Y:.akpS

Y:.akpS

$.Zcqn

$.Zcqn

.WE= T!N

.WE= T!N

#?%s(C(

#?%s(C(

u.Jck~

u.Jck~

zx/%FN[

zx/%FN[

%s=\RI

%s=\RI

}j%c%Y)

}j%c%Y)

Rx.GR

Rx.GR

4o#.dM

4o#.dM

IeS`%C

IeS`%C

[n 4\.UY

[n 4\.UY

,4.qO,

,4.qO,

gQ'.Io

gQ'.Io

%cLur?

%cLur?

s%DHB

s%DHB

]I%%X

]I%%X

5r.US

5r.US

:mD].tB

:mD].tB

f%fUZ

f%fUZ

.fOuV12

.fOuV12

*_.dC

*_.dC

&-N}

&-N}

({?.cQm

({?.cQm

.Cqx~c

.Cqx~c

.`.Qw

.`.Qw

**.dU

**.dU

!n]%x

!n]%x

%X,Cr

%X,Cr

&.PFy{xh

&.PFy{xh

.um ZZE7L

.um ZZE7L

/^p%u$

/^p%u$

I.NoQY

I.NoQY

zu.ew

zu.ew

D/.nT

D/.nT

b\SkinH_EL.dll

b\SkinH_EL.dll

C$%cmb

C$%cmb

.ppM|

.ppM|

aZ.mO

aZ.mO

%-^

%-^

.hk;~

.hk;~

KERNEL32.DLL

KERNEL32.DLL

COMCTL32.dll

COMCTL32.dll

GDI32.dll

GDI32.dll

MSIMG32.dll

MSIMG32.dll

MSVCRT.dll

MSVCRT.dll

MSVFW32.dll

MSVFW32.dll

USER32.dll

USER32.dll

51pc114.cn

51pc114.cn

123.51pc114.cn

123.51pc114.cn

hXXp://123.51pc114.cn/setup/ssxsz.htm

hXXp://123.51pc114.cn/setup/ssxsz.htm

Www.7532.com

Www.7532.com

hXXp://km.7532.com

hXXp://km.7532.com

hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

/mood/

/mood/

.1&curkey=http://user.qzone.qq.com/

.1&curkey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

/&opuin=

/&opuin=

qzreferrer=http://user.qzone.qq.com/

qzreferrer=http://user.qzone.qq.com/

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

mailto:shenglin_yu@126.com

mailto:shenglin_yu@126.com

hXXp://qlogo2.store.qq.com/qzone/

hXXp://qlogo2.store.qq.com/qzone/

hXXp://ad.51pc114.cn/setup/ssxczgg9976.txt

hXXp://ad.51pc114.cn/setup/ssxczgg9976.txt

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=

hXXp://tjalist.photo.qzone.qq.com/fcgi-bin/fcg_list_album_v3?g_tk=

hXXp://tjalist.photo.qzone.qq.com/fcgi-bin/fcg_list_album_v3?g_tk=

hXXp://123.51pc114.cn/setup/QQssxs.html

hXXp://123.51pc114.cn/setup/QQssxs.html

&qzreferrer=http://ctc.qzs.qq.com/qzone/photo/v7/page/photo.html?init=photo.v7/module/photoList2/index&navBar=1&normal=1&aid=

&qzreferrer=http://ctc.qzs.qq.com/qzone/photo/v7/page/photo.html?init=photo.v7/module/photoList2/index&navBar=1&normal=1&aid=

/photo/

/photo/

&curkey=http://user.qzone.qq.com/

&curkey=http://user.qzone.qq.com/

unikey=http://user.qzone.qq.com/

unikey=http://user.qzone.qq.com/

\dc.dll

\dc.dll

@.reloc

@.reloc

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

inflate 1.1.3 Copyright 1995-1998 Mark Adler

MFC42.DLL

MFC42.DLL

KERNEL32.dll

KERNEL32.dll

GdiplusShutdown

GdiplusShutdown

gdiplus.dll

gdiplus.dll

WSOCK32.dll

WSOCK32.dll

MSVCP60.dll

MSVCP60.dll

ReportError_A

ReportError_A

VBYB_ReportError

VBYB_ReportError

VB_ReportError

VB_ReportError

uu_loginA

uu_loginA

uu_loginW

uu_loginW

uu_reportError

uu_reportError

debug.ini

debug.ini

ReportError:%s

ReportError:%s

Error:%s

Error:%s

%s|!|%s

%s|!|%s

\dms.pdb

\dms.pdb

%u%u,

%u%u,

dclog.txt

dclog.txt

config.ini

config.ini

port

port

settimeout:%d

settimeout:%d

[%d]%s

[%d]%s

reg2:%s

reg2:%s

checkok:%s %s

checkok:%s %s

check fail:%s %s %s

check fail:%s %s %s

check:%s %s

check:%s %s

getcjfail:%s %s

getcjfail:%s %s

getcj:%s %s

getcj:%s %s

%s%uout

%s%uout

%s%uin

%s%uin

put img ok:%s

put img ok:%s

put img fail:%s

put img fail:%s

put img:%s %s %d

put img:%s %s %d

get result ok:%s,%s

get result ok:%s,%s

get result fail:%s

get result fail:%s

get result:%s

get result:%s

notifyfail ok:%s

notifyfail ok:%s

%s\%d-%s.png

%s\%d-%s.png

notifyfail fail:%s,%s

notifyfail fail:%s,%s

notifyfail:%s

notifyfail:%s

getimgok:%s,%s

getimgok:%s,%s

getimg:%s

getimg:%s

getinfo fail:%s

getinfo fail:%s

getinfo:%s,%s

getinfo:%s,%s

setresult:%s,%s

setresult:%s,%s

HTTP/1.1 200 OK

HTTP/1.1 200 OK

recv:%d

recv:%d

send:%d

send:%d

GET /ip.txt HTTP/1.1

GET /ip.txt HTTP/1.1

Host: %s

Host: %s

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

select:%d

select:%d

ioctlsocket:%d

ioctlsocket:%d

socket:%d

socket:%d

api.qqchaoren.net

api.qqchaoren.net

14.17.65.24

14.17.65.24

14.17.65.23

14.17.65.23

dama2.qqchaoren.net

dama2.qqchaoren.net

dama1.qqchaoren.net

dama1.qqchaoren.net

connect total:%s %d

connect total:%s %d

:%s %d

:%s %d

connect discard:%s %d

connect discard:%s %d

[d-d-d d:d:d](u)

[d-d-d d:d:d](u)

recv timeout:

recv timeout:

recvfail:%d

recvfail:%d

server close:%d

server close:%d

recv:%d

recv:%d

send:%d

send:%d

sendfail:%d

sendfail:%d

connect timeout:

connect timeout:

connectok:%s %hu

connectok:%s %hu

127.0.0.1

127.0.0.1

1.1.3

1.1.3

hXXp://ad.51pc114.cn/setup/a.html

hXXp://ad.51pc114.cn/setup/a.html

regsvr32 /s winhttp.dll

regsvr32 /s winhttp.dll

WinHttp

WinHttp

&appid=549000912&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.25413458029055885

&appid=549000912&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.25413458029055885

hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=

hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=

hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=

hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=

hXXp://captcha.qq.com/getimgbysig?aid=549000912&uin=

hXXp://captcha.qq.com/getimgbysig?aid=549000912&uin=

&0.10107533859643092

&0.10107533859643092

hXXp://captcha.qq.com/cap_union_verify?aid=549000912&uin=

hXXp://captcha.qq.com/cap_union_verify?aid=549000912&uin=

&0.05596214901416252

&0.05596214901416252

hXXp://captcha.qq.com/getQueSig?aid=715030901&uin=

hXXp://captcha.qq.com/getQueSig?aid=715030901&uin=

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=8-30-1445255935887&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=8-30-1445255935887&js_ver=10136&js_type=1&login_sig=kfeUZrYNBwRRGcymoO5RMcqKXaknId-Z7Pju9ufQQM5CYzbfYStee8y5nnsqAJuP&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

hXXp://ptlogin2.qq.com/login?u=

hXXp://ptlogin2.qq.com/login?u=

hXXp://user.qzone.qq.com/

hXXp://user.qzone.qq.com/

.1^||^http://qzs.qq.com/qzone/client/&face=0&fupdate=1&g_tk=

.1^||^http://qzs.qq.com/qzone/client/&face=0&fupdate=1&g_tk=

hXXp://user.qzone.qq.com/p/r/cgi-bin/user/qz_opcnt2?_stp=

hXXp://user.qzone.qq.com/p/r/cgi-bin/user/qz_opcnt2?_stp=

function time(){return new Date().getTime()}

function time(){return new Date().getTime()}

<.>http://user.qzone.qq.com/

<.>http://user.qzone.qq.com/

&refer=qzone&plat=qzone&json_esc=1&output_type=json&unikey=http://user.qzone.qq.com/

&refer=qzone&plat=qzone&json_esc=1&output_type=json&unikey=http://user.qzone.qq.com/

hXXp://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?g_tk=

hXXp://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?g_tk=

skey

skey

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('Y 1O=X(){X r(){W.n=1d;W.e=0;W.4V=W.3h=W.4k=W.q=W.p=W.d=1d}X B(r,z,I){1d!=r&&("50"==2W r?W.3i(r,z,I):1d==z&&"3T"!=2W r?W.1S(r,1B):W.1S(r,z))}X z(){Z 1u B(1d)}X A(r){Y V=z();V.2c(r);Z V}X D(r){Y z=1,I;0!=(I=r>>>16)&&(r=I,z =16);0!=(I=r>>8)&&(r=I,z =8);0!=(I=r>>4)&&(r=I,z =4);0!=(I=r>>2)&&(r=I,z =2);0!=r>>1&&(z =1);Z z}X C(r){W.m=r}X E(r){W.m=r;W.2a=r.2V();W.2f=W.2a&1N;W.2U=W.2a>>15;W.2T=(1>8&1f;L[G ]^=r>>16&1f;L[G ]^=r>>24&1f;G>=U&&(G-=U)}X O(){}X N(){W.j=W.i=0;W.S=[]}r.1b.2R=X(r){Z r.2Q(W.e,W.n)};r.1b.2P=X(r,z){1d!=r&&1d!=z&&0>3;1a(z>=15;0>15,G=z*R F*E,R=E*R ((G&1N)>>30) (G>>>15) z*F (D>>>30);A[B ]=R&2L}Z D};H=30;B.1b.1e=H;B.1b.1s=(1=K; K)S[H ]=K;H=3n;19(K=10;36>K; K)S[H ]=K;H=3D;19(K=10;36>K; K)S[H ]=K;C.1b.2e=X(r){Z 0>r.s||0r.s&&0>15)*W.2f&W.2T)=r.1o;)r[A]-=r.1o,r[ A] }r.1q();r.2b(W.m.t,r);0r?-1:0;0r?W[0]=r 1o:W.t=0};B.1b.1S=X(r,z){Y A;1a(16==z)A=4;1h 1a(8==z)A=3;1h 1a(1B==z)A=8;1h 1a(2==z)A=1;1h 1a(32==z)A=5;1h 1a(4==z)A=2;1h{W.3I(r,z);Z}W.s=W.t=0;19(Y D=r.1c,C=!1,E=0;0J?"-"==r.1l(D)&&(C=!0):(C=!1,0==E?W[W.t ]=J:E A>W.1e?(W[W.t-1]|=(J&(1>W.1e-E):W[W.t-1]|=J=W.1e&&(E-=W.1e))}8==A&&0!=(r[0]&2I)&&(W.s=-1,0>B|E,E=(W[F]&D)=W.t)z.t=0;1h{Y B=r%W.1e,D=W.1e-B,C=(1>B;19(Y E=A 1;E>B;0>=W.1e;1a(r.t>=W.1e;B =W.s}1h{19(B =W.s;A>=W.1e;B-=r.s}z.s=0>B?-1:0;-1>B?z[A ]=W.1o B:0=z.1o&&(r[A z.t]-=z.1o,r[A z.t 1]=1)}0=E.t)){Y F=W.1w();1a(F.t>W.29:0),K=W.2K/H,H=(1J&&B.1x.1m(C,C)}}}};B.1b.2V=X(){1a(1>W.t)Z 0;Y r=W[0];1a(0==(r&1))Z 0;Y z=r&3,z=z*(2-(r&15)*z)&15,z=z*(2-(r&1f)*z)&1f,z=z*(2-((r&1G)*z&1G))&1G,z=z*(2-r*z%W.1o)%W.1o;Z 0r)Z B.1U;Y C=z(),E=z(),F=A.2e(W),G=D(r)-1;19(F.1I(C);0W.s)Z"-" W.1Z().1F(r);1a(16==r)r=4;1h 1a(8==r)r=3;1h 1a(2==r)r=1;1h 1a(32==r)r=5;1h 1a(4==r)r=2;1h Z W.3o(r);Y z=(1>E)&&(B=!0,C="2A".1l(A));0>(E =W.1e-r)):(A=W[D]>>(E-=r)&z,0>=E&&(E =W.1e,--D)),0W.s?W.1Z():W};B.1b.1H=X(r){Y z=W.s-r.s;1a(0!=z)Z z;Y A=W.t,z=A-r.t;1a(0!=z)Z z;19(;0=W.t?0:W.1e*(W.t-1) D(W[W.t-1]^W.s&W.1s)};B.1b.2J=X(r){Y A=z();W.1w().1Q(r,1d,A);0>W.s&&0r||z.2G()?1u C(z):1u E(z);Z W.2E(r,A)};B.1x=A(0);B.1U=A(1);Y T,L,G;1a(1d==L){L=[];19(G=0;G>>8,L[G ]=H&1f;G=0;F()}O.1b.2M=X(r){Y z;19(z=0;zz; z)W.S[z]=z;19(z=A=0;1B>z; z)A=A W.S[z] r[z%r.1c]&1f,B=W.S[z],W.S[z]=W.S[A],W.S[A]=B;W.j=W.i=0};N.1b.2x=X(){Y r;W.i=W.i 1&1f;W.j=W.j W.S[W.i]&1f;r=W.S[W.i];W.S[W.i]=W.S[W.j];W.S[W.j]=r;Z W.S[r W.S[W.i]&1f]};Y U=1B;Z{2r:X(z,A,B){A="41";B="3";Y C=1u r;C.2P(A,B);Z C.26(z)}}}(),s="",a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=!0;X e(){Z 1p.35(1r*1p.2z())}X j(r,B,z){1a(!z||4>>0}X b(r,B,z){r[B 3]=z>>0&1f;r[B 2]=z>>8&1f;r[B 1]=z>>16&1f;r[B 0]=z>>24&1f}X w(r){1a(!r)Z"";19(Y B="",z=0;zz;z )x[z]=0;19(z=1;2>=z;)8>a&&(g[a ]=e()&1f,z ),8==a&&p();19(z=0;0a&&(g[a ]=r[z ],B--),8==a&&p();19(z=1;7>=z;)8>a&&(g[a ]=0,z ),8==a&&p();Z m}X q(r){Y B=0,z=1t(8),B=r.1c;t=r;1a(0!=B%8||16>B)Z 1d;x=l(r);a=x[0]&7;B=B-a-10;1a(0>B)Z 1d;19(Y A=0;A=A;)1a(8>a&&(a ,A ),8==a&&(z=r,!f()))Z 1d;19(A=0;0!=B;)1a(8>a&&(m[A]=(z[u a]^x[a])&1f,A ,B--,a ),8==a&&(z=r,u=y-8,!f()))Z 1d;19(A=1;8>A;A ){1a(8>a){1a(0!=(z[u a]^x[a]))Z 1d;a }1a(8==a&&(z=r,u=y,!f()))Z 1d}Z m}X p(){19(Y r=0;8>r;r )g[r]=n?g[r]^x[r]:g[r]^m[u r];19(Y B=k(g),r=0;8>r;r )m[y r]=B[r]^x[r],x[r]=g[r];u=y;y =8;a=0;n=!1}X k(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=0;0>>0,z =(r>>5) D,z=(z&1r)>>>0,r =(z>>5) E,r=(r&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X l(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=3y;0>>5) E,r=(r&1r)>>>0,z-=(r>>5) D,z=(z&1r)>>>0,F-=2o,F=(F&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X f(){19(Y r=0;8>r;r )x[r]^=t[y r];x=l(x);y =8;a=0;Z!0}X o(r,B){Y z=[];1a(B)19(Y A=0;A>18)),E.1y(z.1l(C>>12&1J)),E.1y(z.1l(C>>6&1J)),E.1y(z.1l(C&1J));3e(r.1c-F){2B 1:C=A(r,D)>18) z.1l(C>>12&1J) B B);3g;2B 2:C=A(r,D)>18) z.1l(C>>12&1J) z.1l(C>>6&1J) B)}Z E.2C("")}},2D=1,3j="",1n=8,2F=32;X 1W(r){Z 2H(r)}X 2H(r){Z 2l(1E(1K(r),r.1c*1n))}X 3q(r){Z 2d(1E(1K(r),r.1c*1n))}X 3s(r,B){Z 2l(1R(r,B))}X 3u(r,B){Z 3v(1R(r,B))}X 3w(r,B){Z 2d(1R(r,B))}X 1E(r,B){r[B>>5]|=2I>>9C;C )A[C]=z[C]^4T,D[C]=z[C]^4U;z=1E(A.2Y(1K(B)),4W B.1c*1n);Z 1E(D.2Y(z),4X)}X 1v(r,B){Y z=(r&1G) (B&1G);Z(r>>16) (B>>16) (z>>16)>>32-B}X 1K(r){19(Y B=[],z=(1>5]|=(r.1C(A/1n)&z)>5]>>>A2&z);Z B}X 2l(r){19(Y B=2D?"4Y":"4Z",z="",A=0;A>2]>>A%4*8 4&15) B.1l(r[A>>2]>>A%4*8&15);Z z}X 2Z(r){19(Y B=[],z=0;zD.1c;)D="0" D;1D.2g(r);B=1D.2p(D A 1D.28(B) z C);1D.2g("");Z B.57(/[\\/\\ =]/g,X(r){Z{"/":"-"," ":"*","=":"58"}[r]})}X 4Q(r,B,z){Z 33(r,B,z,!1)};',62,320,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||this|function|var|return||||||||||for|if|prototype|length|null|DB|255|md5_gg|else|md5_hh|md5_ff|md5_ii|charAt|subTo|chrsz|DV|Math|clamp|4294967295|DM|Array|new|safe_add|abs|ZERO|push|am|reduce|256|charCodeAt|TEA|core_md5|toString|65535|compareTo|copyTo|63|str2binl|dlShiftTo|md5_cmn|32767|RSA|floor|divRemTo|core_hmac_md5|fromString|parseInt|ONE|mulTo|md5|multiplyTo|sqrTo|negate||||||squareTo|encrypt|F1|strToBytes|F2|mp|drShiftTo|fromInt|binl2str|convert|mpl|initkey|String|fromCharCode|substr|lShiftTo|binl2hex|revert|rShiftTo|2654435769|enAsBase64|encode|rsa_encrypt|PADCHAR|ALPHA|getbyte|throw|arguments|next|init|random|0123456789abcdefghijklmnopqrstuvwxyz|case|join|hexcase|exp|mode|isEven|hex_md5|128|mod|FV|1073741823|nextBytes|bitLength|uv_alert|setPublic|modPowInt|doPublic|mt2|um|mph|invDigit|typeof|bit_rol|concat|hexchar2bin||temp||getEncryption|Exception|round||SyntaxError|Not|enough|Message|min|too|pow|switch|long|break|dmq1|fromNumber|b64pad|Date|Invalid|248|97|toRadix|public|str_md5|key|hex_hmac_md5|65536|b64_hmac_md5|binl2b64|str_hmac_md5|64|3816266640|1732584193|271733879|1732584194|271733878|65|680876936|389564586|getTime|606105819|fromRadix|1044525330|176418897|1200080426|1473231341|45705983|1770035416|1958414417|42063|1990404162|1804603682|string|40341101|1502002290|1236535329|decrypt|165796510|1069501632|643717713|F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7|373897302|701558691|38016083|660478335|405537848|568446438||1019803690|187363961|1163531501|1444681467|51403784|1735328473|1926607734|bytesToStr|378558|2022574463|1839030562|dmp1|35309556|1530992060|1272893353|155497632|1094730640|681279174|358537222|722521979|76029189|640364487|421815835|530742520|995338651|bytesInStr|198630844|1126891415|1416354905|dataFromStr|57434055|1700485571|1894986606|1051523|2054922799|1873313359|30611744|1560198380|1309151649|145523070|1120210379|718787259|343485551|Hs|max|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|909522486|1549556828|coeff|512|640|0123456789ABCDEF|0123456789abcdef|number|eval||INVALID_CHARACTER_ERR|DOM|toUpperCase|000|replace|_|Number'.split('|'),0,{}))

eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c 29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('Y 1O=X(){X r(){W.n=1d;W.e=0;W.4V=W.3h=W.4k=W.q=W.p=W.d=1d}X B(r,z,I){1d!=r&&("50"==2W r?W.3i(r,z,I):1d==z&&"3T"!=2W r?W.1S(r,1B):W.1S(r,z))}X z(){Z 1u B(1d)}X A(r){Y V=z();V.2c(r);Z V}X D(r){Y z=1,I;0!=(I=r>>>16)&&(r=I,z =16);0!=(I=r>>8)&&(r=I,z =8);0!=(I=r>>4)&&(r=I,z =4);0!=(I=r>>2)&&(r=I,z =2);0!=r>>1&&(z =1);Z z}X C(r){W.m=r}X E(r){W.m=r;W.2a=r.2V();W.2f=W.2a&1N;W.2U=W.2a>>15;W.2T=(1>8&1f;L[G ]^=r>>16&1f;L[G ]^=r>>24&1f;G>=U&&(G-=U)}X O(){}X N(){W.j=W.i=0;W.S=[]}r.1b.2R=X(r){Z r.2Q(W.e,W.n)};r.1b.2P=X(r,z){1d!=r&&1d!=z&&0>3;1a(z>=15;0>15,G=z*R F*E,R=E*R ((G&1N)>>30) (G>>>15) z*F (D>>>30);A[B ]=R&2L}Z D};H=30;B.1b.1e=H;B.1b.1s=(1=K; K)S[H ]=K;H=3n;19(K=10;36>K; K)S[H ]=K;H=3D;19(K=10;36>K; K)S[H ]=K;C.1b.2e=X(r){Z 0>r.s||0r.s&&0>15)*W.2f&W.2T)=r.1o;)r[A]-=r.1o,r[ A] }r.1q();r.2b(W.m.t,r);0r?-1:0;0r?W[0]=r 1o:W.t=0};B.1b.1S=X(r,z){Y A;1a(16==z)A=4;1h 1a(8==z)A=3;1h 1a(1B==z)A=8;1h 1a(2==z)A=1;1h 1a(32==z)A=5;1h 1a(4==z)A=2;1h{W.3I(r,z);Z}W.s=W.t=0;19(Y D=r.1c,C=!1,E=0;0J?"-"==r.1l(D)&&(C=!0):(C=!1,0==E?W[W.t ]=J:E A>W.1e?(W[W.t-1]|=(J&(1>W.1e-E):W[W.t-1]|=J=W.1e&&(E-=W.1e))}8==A&&0!=(r[0]&2I)&&(W.s=-1,0>B|E,E=(W[F]&D)=W.t)z.t=0;1h{Y B=r%W.1e,D=W.1e-B,C=(1>B;19(Y E=A 1;E>B;0>=W.1e;1a(r.t>=W.1e;B =W.s}1h{19(B =W.s;A>=W.1e;B-=r.s}z.s=0>B?-1:0;-1>B?z[A ]=W.1o B:0=z.1o&&(r[A z.t]-=z.1o,r[A z.t 1]=1)}0=E.t)){Y F=W.1w();1a(F.t>W.29:0),K=W.2K/H,H=(1J&&B.1x.1m(C,C)}}}};B.1b.2V=X(){1a(1>W.t)Z 0;Y r=W[0];1a(0==(r&1))Z 0;Y z=r&3,z=z*(2-(r&15)*z)&15,z=z*(2-(r&1f)*z)&1f,z=z*(2-((r&1G)*z&1G))&1G,z=z*(2-r*z%W.1o)%W.1o;Z 0r)Z B.1U;Y C=z(),E=z(),F=A.2e(W),G=D(r)-1;19(F.1I(C);0W.s)Z"-" W.1Z().1F(r);1a(16==r)r=4;1h 1a(8==r)r=3;1h 1a(2==r)r=1;1h 1a(32==r)r=5;1h 1a(4==r)r=2;1h Z W.3o(r);Y z=(1>E)&&(B=!0,C="2A".1l(A));0>(E =W.1e-r)):(A=W[D]>>(E-=r)&z,0>=E&&(E =W.1e,--D)),0W.s?W.1Z():W};B.1b.1H=X(r){Y z=W.s-r.s;1a(0!=z)Z z;Y A=W.t,z=A-r.t;1a(0!=z)Z z;19(;0=W.t?0:W.1e*(W.t-1) D(W[W.t-1]^W.s&W.1s)};B.1b.2J=X(r){Y A=z();W.1w().1Q(r,1d,A);0>W.s&&0r||z.2G()?1u C(z):1u E(z);Z W.2E(r,A)};B.1x=A(0);B.1U=A(1);Y T,L,G;1a(1d==L){L=[];19(G=0;G>>8,L[G ]=H&1f;G=0;F()}O.1b.2M=X(r){Y z;19(z=0;zz; z)W.S[z]=z;19(z=A=0;1B>z; z)A=A W.S[z] r[z%r.1c]&1f,B=W.S[z],W.S[z]=W.S[A],W.S[A]=B;W.j=W.i=0};N.1b.2x=X(){Y r;W.i=W.i 1&1f;W.j=W.j W.S[W.i]&1f;r=W.S[W.i];W.S[W.i]=W.S[W.j];W.S[W.j]=r;Z W.S[r W.S[W.i]&1f]};Y U=1B;Z{2r:X(z,A,B){A="41";B="3";Y C=1u r;C.2P(A,B);Z C.26(z)}}}(),s="",a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=!0;X e(){Z 1p.35(1r*1p.2z())}X j(r,B,z){1a(!z||4>>0}X b(r,B,z){r[B 3]=z>>0&1f;r[B 2]=z>>8&1f;r[B 1]=z>>16&1f;r[B 0]=z>>24&1f}X w(r){1a(!r)Z"";19(Y B="",z=0;zz;z )x[z]=0;19(z=1;2>=z;)8>a&&(g[a ]=e()&1f,z ),8==a&&p();19(z=0;0a&&(g[a ]=r[z ],B--),8==a&&p();19(z=1;7>=z;)8>a&&(g[a ]=0,z ),8==a&&p();Z m}X q(r){Y B=0,z=1t(8),B=r.1c;t=r;1a(0!=B%8||16>B)Z 1d;x=l(r);a=x[0]&7;B=B-a-10;1a(0>B)Z 1d;19(Y A=0;A=A;)1a(8>a&&(a ,A ),8==a&&(z=r,!f()))Z 1d;19(A=0;0!=B;)1a(8>a&&(m[A]=(z[u a]^x[a])&1f,A ,B--,a ),8==a&&(z=r,u=y-8,!f()))Z 1d;19(A=1;8>A;A ){1a(8>a){1a(0!=(z[u a]^x[a]))Z 1d;a }1a(8==a&&(z=r,u=y,!f()))Z 1d}Z m}X p(){19(Y r=0;8>r;r )g[r]=n?g[r]^x[r]:g[r]^m[u r];19(Y B=k(g),r=0;8>r;r )m[y r]=B[r]^x[r],x[r]=g[r];u=y;y =8;a=0;n=!1}X k(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=0;0>>0,z =(r>>5) D,z=(z&1r)>>>0,r =(z>>5) E,r=(r&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X l(r){Y B=16,z=j(r,0,4);r=j(r,4,4);19(Y A=j(s,0,4),D=j(s,4,4),C=j(s,8,4),E=j(s,12,4),F=3y;0>>5) E,r=(r&1r)>>>0,z-=(r>>5) D,z=(z&1r)>>>0,F-=2o,F=(F&1r)>>>0;B=1t(8);b(B,0,z);b(B,4,r);Z B}X f(){19(Y r=0;8>r;r )x[r]^=t[y r];x=l(x);y =8;a=0;Z!0}X o(r,B){Y z=[];1a(B)19(Y A=0;A>18)),E.1y(z.1l(C>>12&1J)),E.1y(z.1l(C>>6&1J)),E.1y(z.1l(C&1J));3e(r.1c-F){2B 1:C=A(r,D)>18) z.1l(C>>12&1J) B B);3g;2B 2:C=A(r,D)>18) z.1l(C>>12&1J) z.1l(C>>6&1J) B)}Z E.2C("")}},2D=1,3j="",1n=8,2F=32;X 1W(r){Z 2H(r)}X 2H(r){Z 2l(1E(1K(r),r.1c*1n))}X 3q(r){Z 2d(1E(1K(r),r.1c*1n))}X 3s(r,B){Z 2l(1R(r,B))}X 3u(r,B){Z 3v(1R(r,B))}X 3w(r,B){Z 2d(1R(r,B))}X 1E(r,B){r[B>>5]|=2I>>9C;C )A[C]=z[C]^4T,D[C]=z[C]^4U;z=1E(A.2Y(1K(B)),4W B.1c*1n);Z 1E(D.2Y(z),4X)}X 1v(r,B){Y z=(r&1G) (B&1G);Z(r>>16) (B>>16) (z>>16)>>32-B}X 1K(r){19(Y B=[],z=(1>5]|=(r.1C(A/1n)&z)>5]>>>A2&z);Z B}X 2l(r){19(Y B=2D?"4Y":"4Z",z="",A=0;A>2]>>A%4*8 4&15) B.1l(r[A>>2]>>A%4*8&15);Z z}X 2Z(r){19(Y B=[],z=0;zD.1c;)D="0" D;1D.2g(r);B=1D.2p(D A 1D.28(B) z C);1D.2g("");Z B.57(/[\\/\\ =]/g,X(r){Z{"/":"-"," ":"*","=":"58"}[r]})}X 4Q(r,B,z){Z 33(r,B,z,!1)};',62,320,'||||||||||||||||||||||||||||||||||||||||||||||||||||||||||this|function|var|return||||||||||for|if|prototype|length|null|DB|255|md5_gg|else|md5_hh|md5_ff|md5_ii|charAt|subTo|chrsz|DV|Math|clamp|4294967295|DM|Array|new|safe_add|abs|ZERO|push|am|reduce|256|charCodeAt|TEA|core_md5|toString|65535|compareTo|copyTo|63|str2binl|dlShiftTo|md5_cmn|32767|RSA|floor|divRemTo|core_hmac_md5|fromString|parseInt|ONE|mulTo|md5|multiplyTo|sqrTo|negate||||||squareTo|encrypt|F1|strToBytes|F2|mp|drShiftTo|fromInt|binl2str|convert|mpl|initkey|String|fromCharCode|substr|lShiftTo|binl2hex|revert|rShiftTo|2654435769|enAsBase64|encode|rsa_encrypt|PADCHAR|ALPHA|getbyte|throw|arguments|next|init|random|0123456789abcdefghijklmnopqrstuvwxyz|case|join|hexcase|exp|mode|isEven|hex_md5|128|mod|FV|1073741823|nextBytes|bitLength|uv_alert|setPublic|modPowInt|doPublic|mt2|um|mph|invDigit|typeof|bit_rol|concat|hexchar2bin||temp||getEncryption|Exception|round||SyntaxError|Not|enough|Message|min|too|pow|switch|long|break|dmq1|fromNumber|b64pad|Date|Invalid|248|97|toRadix|public|str_md5|key|hex_hmac_md5|65536|b64_hmac_md5|binl2b64|str_hmac_md5|64|3816266640|1732584193|271733879|1732584194|271733878|65|680876936|389564586|getTime|606105819|fromRadix|1044525330|176418897|1200080426|1473231341|45705983|1770035416|1958414417|42063|1990404162|1804603682|string|40341101|1502002290|1236535329|decrypt|165796510|1069501632|643717713|F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7|373897302|701558691|38016083|660478335|405537848|568446438||1019803690|187363961|1163531501|1444681467|51403784|1735328473|1926607734|bytesToStr|378558|2022574463|1839030562|dmp1|35309556|1530992060|1272893353|155497632|1094730640|681279174|358537222|722521979|76029189|640364487|421815835|530742520|995338651|bytesInStr|198630844|1126891415|1416354905|dataFromStr|57434055|1700485571|1894986606|1051523|2054922799|1873313359|30611744|1560198380|1309151649|145523070|1120210379|718787259|343485551|Hs|max|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|909522486|1549556828|coeff|512|640|0123456789ABCDEF|0123456789abcdef|number|eval||INVALID_CHARACTER_ERR|DOM|toUpperCase|000|replace|_|Number'.split('|'),0,{}))

p_skey=;

p_skey=;

airkey=;

airkey=;

&appid=549000912&js_ver=10135&js_type=1&login_sig=&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.

&appid=549000912&js_ver=10135&js_type=1&login_sig=&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.

hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=

hXXp://captcha.qq.com/getimgbysig?clientype=2&uin=

var window=window||{};$=window.$||{};$pt=window.$pt||{};$pt.RSA=function(){function g(z,t){return new ar(z,t)}

var window=window||{};$=window.$||{};$pt=window.$pt||{};$pt.RSA=function(){function g(z,t){return new ar(z,t)}

function ah(aA,aB){var t='';var z=0;while(z aB

function ah(aA,aB){var t='';var z=0;while(z aB

return t aA.substring(z,aA.length)}

return t aA.substring(z,aA.length)}

function r(t){if(t

function r(t){if(t

function af(aB,aE){if(aE

function af(aB,aE){if(aE

var aD=new Array();var aA=aB.length-1;while(aA>=0&&aE>0){var aC=aB.charCodeAt(aA--);aD[--aE]=aC}

var aD=new Array();var aA=aB.length-1;while(aA>=0&&aE>0){var aC=aB.charCodeAt(aA--);aD[--aE]=aC}

aD[--aE]=0;var z=new ad();var t=new Array();while(aE>2){t[0]=0;while(t[0]==0){z.nextBytes(t)}

aD[--aE]=0;var z=new ad();var t=new Array();while(aE>2){t[0]=0;while(t[0]==0){z.nextBytes(t)}

function L(){this.n=null;this.e=0;this.d=null;this.p=null;this.q=null;this.dmp1=null;this.dmq1=null;this.coeff=null}

function L(){this.n=null;this.e=0;this.d=null;this.p=null;this.q=null;this.dmp1=null;this.dmq1=null;this.coeff=null}

function o(z,t){if(z!=null&&t!=null&&z.length>0&&t.length>0){this.n=g(z,16);this.e=parseInt(t,16)}else{uv_alert('Invalid RSA public key')}}

function o(z,t){if(z!=null&&t!=null&&z.length>0&&t.length>0){this.n=g(z,16);this.e=parseInt(t,16)}else{uv_alert('Invalid RSA public key')}}

function W(t){return t.modPowInt(this.e,this.n)}

function W(t){return t.modPowInt(this.e,this.n)}

function p(aA){var t=af(aA,(this.n.bitLength() 7)>>3);if(t==null){return null}

function p(aA){var t=af(aA,(this.n.bitLength() 7)>>3);if(t==null){return null}

var aB=this.doPublic(t);if(aB==null){return null}

var aB=this.doPublic(t);if(aB==null){return null}

var z=aB.toString(16);if((z.length&1)==0){return z}else{return'0' z}}

var z=aB.toString(16);if((z.length&1)==0){return z}else{return'0' z}}

L.prototype.doPublic=W;L.prototype.setPublic=o;L.prototype.encrypt=p;var aw;var ai=244837814094590;var Z=((ai&16777215)==15715070);function ar(z,t,aA){if(z!=null){if('number'==typeof z){this.fromNumber(z,t,aA)}else{if(t==null&&'string'!=typeof z){this.fromString(z,256)}else{this.fromString(z,t)}}}}

L.prototype.doPublic=W;L.prototype.setPublic=o;L.prototype.encrypt=p;var aw;var ai=244837814094590;var Z=((ai&16777215)==15715070);function ar(z,t,aA){if(z!=null){if('number'==typeof z){this.fromNumber(z,t,aA)}else{if(t==null&&'string'!=typeof z){this.fromString(z,256)}else{this.fromString(z,t)}}}}

function b(aC,t,z,aB,aE,aD){while(--aD>=0){var aA=t*this[aC ] z[aB] aE;aE=Math.floor(aA/67108864);z[aB ]=aA&67108863}

function b(aC,t,z,aB,aE,aD){while(--aD>=0){var aA=t*this[aC ] z[aB] aE;aE=Math.floor(aA/67108864);z[aB ]=aA&67108863}

var navigator=navigator||{};if(Z&&(navigator.appName=='Microsoft Internet Explorer')){ar.prototype.am=ay;aw=30}else{if(Z&&(navigator.appName!='Netscape')){ar.prototype.am=b;aw=26}else{ar.prototype.am=ax;aw=28}}

var navigator=navigator||{};if(Z&&(navigator.appName=='Microsoft Internet Explorer')){ar.prototype.am=ay;aw=30}else{if(Z&&(navigator.appName!='Netscape')){ar.prototype.am=b;aw=26}else{ar.prototype.am=ax;aw=28}}

ar.prototype.DB=aw;ar.prototype.DM=((1

ar.prototype.DB=aw;ar.prototype.DM=((1

ap='a'.charCodeAt(0);for(v=10;v

ap='a'.charCodeAt(0);for(v=10;v

ap='A'.charCodeAt(0);for(v=10;v

ap='A'.charCodeAt(0);for(v=10;v

function az(t){return ae.charAt(t)}

function az(t){return ae.charAt(t)}

function A(z,t){var aA=ag[z.charCodeAt(t)];return(aA==null)?-1:aA}

function A(z,t){var aA=ag[z.charCodeAt(t)];return(aA==null)?-1:aA}

function c(t){var z=h();z.fromInt(t);return z}

function c(t){var z=h();z.fromInt(t);return z}

function w(aE,z){var aB;if(z==16){aB=4}else{if(z==8){aB=3}else{if(z==256){aB=8}else{if(z==2){aB=1}else{if(z==32){aB=5}else{if(z==4){aB=2}else{this.fromRadix(aE,z);return}}}}}}

function w(aE,z){var aB;if(z==16){aB=4}else{if(z==8){aB=3}else{if(z==256){aB=8}else{if(z==2){aB=1}else{if(z==32){aB=5}else{if(z==4){aB=2}else{this.fromRadix(aE,z);return}}}}}}

this.t=0;this.s=0;var aD=aE.length,aA=false,aC=0;while(--aD>=0){var t=(aB==8)?aE[aD]&255:A(aE,aD);if(t

this.t=0;this.s=0;var aD=aE.length,aA=false,aC=0;while(--aD>=0){var t=(aB==8)?aE[aD]&255:A(aE,aD);if(t

aA=false;if(aC==0){this[this.t ]=t}else{if(aC aB>this.DB){this[this.t-1]|=(t&((1>(this.DB-aC))}else{this[this.t-1]|=t

aA=false;if(aC==0){this[this.t ]=t}else{if(aC aB>this.DB){this[this.t-1]|=(t&((1>(this.DB-aC))}else{this[this.t-1]|=t

aC =aB;if(aC>=this.DB){aC-=this.DB}}

aC =aB;if(aC>=this.DB){aC-=this.DB}}

if(aB==8&&(aE[0]&128)!=0){this.s=-1;if(aC>0){this[this.t-1]|=((1

if(aB==8&&(aE[0]&128)!=0){this.s=-1;if(aC>0){this[this.t-1]|=((1

this.clamp();if(aA){ar.ZERO.subTo(this,this)}}

this.clamp();if(aA){ar.ZERO.subTo(this,this)}}

function O(){var t=this.s&this.DM;while(this.t>0&&this[this.t-1]==t){--this.t}}

function O(){var t=this.s&this.DM;while(this.t>0&&this[this.t-1]==t){--this.t}}

function q(z){if(this.s

function q(z){if(this.s

var aA;if(z==16){aA=4}else{if(z==8){aA=3}else{if(z==2){aA=1}else{if(z==32){aA=5}else{if(z==4){aA=2}else{return this.toRadix(z)}}}}}

var aA;if(z==16){aA=4}else{if(z==8){aA=3}else{if(z==2){aA=1}else{if(z==32){aA=5}else{if(z==4){aA=2}else{return this.toRadix(z)}}}}}

var aC=(10){if(aE>aE)>0){t=true;aD=az(aF)}

var aC=(10){if(aE>aE)>0){t=true;aD=az(aF)}

while(aB>=0){if(aE>(aE =this.DB-aA)}else{aF=(this[aB]>>(aE-=aA))&aC;if(aE

while(aB>=0){if(aE>(aE =this.DB-aA)}else{aF=(this[aB]>>(aE-=aA))&aC;if(aE

function R(){var t=h();ar.ZERO.subTo(this,t);return t}

function R(){var t=h();ar.ZERO.subTo(this,t);return t}

function al(){return(this.s

function al(){return(this.s

return this.DB*(this.t-1) j(this[this.t-1]^(this.s&this.DM))}

return this.DB*(this.t-1) j(this[this.t-1]^(this.s&this.DM))}

z.t=Math.max(this.t-aA,0);z.s=this.s}

z.t=Math.max(this.t-aA,0);z.s=this.s}

function s(aF,aB){var z=aF%this.DB;var t=this.DB-z;var aD=(1=0;--aA){aB[aA aC 1]=(this[aA]>>t)|aE;aE=(this[aA]&aD)

function s(aF,aB){var z=aF%this.DB;var t=this.DB-z;var aD=(1=0;--aA){aB[aA aC 1]=(this[aA]>>t)|aE;aE=(this[aA]&aD)

aB[aC]=aE;aB.t=this.t aC 1;aB.s=this.s;aB.clamp()}

aB[aC]=aE;aB.t=this.t aC 1;aB.s=this.s;aB.clamp()}

function l(aE,aB){aB.s=this.s;var aC=Math.floor(aE/this.DB);if(aC>=this.t){aB.t=0;return}

function l(aE,aB){aB.s=this.s;var aC=Math.floor(aE/this.DB);if(aC>=this.t){aB.t=0;return}

var z=aE%this.DB;var t=this.DB-z;var aD=(1>z;for(var aA=aC 1;aA>z}

var z=aE%this.DB;var t=this.DB-z;var aD=(1>z;for(var aA=aC 1;aA>z}

aB.t=this.t-aC;aB.clamp()}

aB.t=this.t-aC;aB.clamp()}

function ab(z,aB){var aA=0,aC=0,t=Math.min(z.t,this.t);while(aA>=this.DB}

function ab(z,aB){var aA=0,aC=0,t=Math.min(z.t,this.t);while(aA>=this.DB}

if(z.t>=this.DB}

if(z.t>=this.DB}

aC =this.s}else{aC =this.s;while(aA>=this.DB}

aC =this.s}else{aC =this.s;while(aA>=this.DB}

aB.s=(aC0){aB[aA ]=aC}}

aB.s=(aC0){aB[aA ]=aC}}

aB.t=aA;aB.clamp()}

aB.t=aA;aB.clamp()}

function D(z,aB){var t=this.abs(),aC=z.abs();var aA=t.t;aB.t=aA aC.t;while(--aA>=0){aB[aA]=0}

function D(z,aB){var t=this.abs(),aC=z.abs();var aA=t.t;aB.t=aA aC.t;while(--aA>=0){aB[aA]=0}

for(aA=0;aA

for(aA=0;aA

aB.s=0;aB.clamp();if(this.s!=z.s){ar.ZERO.subTo(aB,aB)}}

aB.s=0;aB.clamp();if(this.s!=z.s){ar.ZERO.subTo(aB,aB)}}

function Q(aA){var t=this.abs();var z=aA.t=2*t.t;while(--z>=0){aA[z]=0}

function Q(aA){var t=this.abs();var z=aA.t=2*t.t;while(--z>=0){aA[z]=0}

for(z=0;z=t.DV){aA[z t.t]-=t.DV;aA[z t.t 1]=1}}

for(z=0;z=t.DV){aA[z t.t]-=t.DV;aA[z t.t 1]=1}}

if(aA.t>0){aA[aA.t-1] =t.am(z,t[z],aA,2*z,0,1)}

if(aA.t>0){aA[aA.t-1] =t.am(z,t[z],aA,2*z,0,1)}

aA.s=0;aA.clamp()}

aA.s=0;aA.clamp()}

function E(aI,aF,aE){var aO=aI.abs();if(aO.t

function E(aI,aF,aE){var aO=aI.abs();if(aO.t

var aG=this.abs();if(aG.t

var aG=this.abs();if(aG.t

if(aE!=null){this.copyTo(aE)}

if(aE!=null){this.copyTo(aE)}

var aC=h(),z=this.s,aH=aI.s;var aN=this.DB-j(aO[aO.t-1]);if(aN>0){aO.lShiftTo(aN,aC);aG.lShiftTo(aN,aE)}else{aO.copyTo(aC);aG.copyTo(aE)}

var aC=h(),z=this.s,aH=aI.s;var aN=this.DB-j(aO[aO.t-1]);if(aN>0){aO.lShiftTo(aN,aC);aG.lShiftTo(aN,aE)}else{aO.copyTo(aC);aG.copyTo(aE)}

var aJ=aA*(11)?aC[aK-2]>>this.F2:0);var aR=this.FV/aJ,aQ=(1=0){aE[aE.t ]=1;aE.subTo(aD,aE)}

var aJ=aA*(11)?aC[aK-2]>>this.F2:0);var aR=this.FV/aJ,aQ=(1=0){aE[aE.t ]=1;aE.subTo(aD,aE)}

ar.ONE.dlShiftTo(aK,aD);aD.subTo(aC,aC);while(aC.t

ar.ONE.dlShiftTo(aK,aD);aD.subTo(aC,aC);while(aC.t

while(--aL>=0){var aB=(aE[--aM]==aA)?this.DM:Math.floor(aE[aM]*aR (aE[aM-1] aP)*aQ);if((aE[aM] =aC.am(0,aB,aE,aL,0,aK))

while(--aL>=0){var aB=(aE[--aM]==aA)?this.DM:Math.floor(aE[aM]*aR (aE[aM-1] aP)*aQ);if((aE[aM] =aC.am(0,aB,aE,aL,0,aK))

if(aF!=null){aE.drShiftTo(aK,aF);if(z!=aH){ar.ZERO.subTo(aF,aF)}}

if(aF!=null){aE.drShiftTo(aK,aF);if(z!=aH){ar.ZERO.subTo(aF,aF)}}

aE.t=aK;aE.clamp();if(aN>0){aE.rShiftTo(aN,aE)}

aE.t=aK;aE.clamp();if(aN>0){aE.rShiftTo(aN,aE)}

if(z

if(z

function N(t){var z=h();this.abs().divRemTo(t,null,z);if(this.s0){t.subTo(z,z)}

function N(t){var z=h();this.abs().divRemTo(t,null,z);if(this.s0){t.subTo(z,z)}

function V(t){if(t.s=0){return t.mod(this.m)}else{return t}}

function V(t){if(t.s=0){return t.mod(this.m)}else{return t}}

function J(t){t.divRemTo(this.m,null,t)}

function J(t){t.divRemTo(this.m,null,t)}

function H(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}

function H(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}

function au(t,z){t.squareTo(z);this.reduce(z)}

function au(t,z){t.squareTo(z);this.reduce(z)}

K.prototype.convert=V;K.prototype.revert=ak;K.prototype.reduce=J;K.prototype.mulTo=H;K.prototype.sqrTo=au;function B(){if(this.t

K.prototype.convert=V;K.prototype.revert=ak;K.prototype.reduce=J;K.prototype.mulTo=H;K.prototype.sqrTo=au;function B(){if(this.t

var z=t&3;z=(z*(2-(t&15)*z))&15;z=(z*(2-(t&255)*z))&255;z=(z*(2-(((t&65535)*z)&65535)))&65535;z=(z*(2-t*z%this.DV))%this.DV;return(z>0)?this.DV-z:-z}

var z=t&3;z=(z*(2-(t&15)*z))&15;z=(z*(2-(t&255)*z))&255;z=(z*(2-(((t&65535)*z)&65535)))&65535;z=(z*(2-t*z%this.DV))%this.DV;return(z>0)?this.DV-z:-z}

function f(t){this.m=t;this.mp=t.invDigit();this.mpl=this.mp&32767;this.mph=this.mp>>15;this.um=(1

function f(t){this.m=t;this.mp=t.invDigit();this.mpl=this.mp&32767;this.mph=this.mp>>15;this.um=(1

function aj(t){var z=h();t.abs().dlShiftTo(this.m.t,z);z.divRemTo(this.m,null,z);if(t.s0){this.m.subTo(z,z)}

function aj(t){var z=h();t.abs().dlShiftTo(this.m.t,z);z.divRemTo(this.m,null,z);if(t.s0){this.m.subTo(z,z)}

function at(t){var z=h();t.copyTo(z);this.reduce(z);return z}

function at(t){var z=h();t.copyTo(z);this.reduce(z);return z}

function P(t){while(t.t

function P(t){while(t.t

for(var aA=0;aA>15)*this.mpl)&this.um)=t.DV){t[z]-=t.DV;t[ z] }}

for(var aA=0;aA>15)*this.mpl)&this.um)=t.DV){t[z]-=t.DV;t[ z] }}

t.clamp();t.drShiftTo(this.m.t,t);if(t.compareTo(this.m)>=0){t.subTo(this.m,t)}}

t.clamp();t.drShiftTo(this.m.t,t);if(t.compareTo(this.m)>=0){t.subTo(this.m,t)}}

function am(t,z){t.squareTo(z);this.reduce(z)}

function am(t,z){t.squareTo(z);this.reduce(z)}

function y(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}

function y(t,aA,z){t.multiplyTo(aA,z);this.reduce(z)}

f.prototype.convert=aj;f.prototype.revert=at;f.prototype.reduce=P;f.prototype.mulTo=y;f.prototype.sqrTo=am;function i(){return((this.t>0)?(this[0]&1):this.s)==0}

f.prototype.convert=aj;f.prototype.revert=at;f.prototype.reduce=P;f.prototype.mulTo=y;f.prototype.sqrTo=am;function i(){return((this.t>0)?(this[0]&1):this.s)==0}

function x(aF,aG){if(aF>4294967295||aF

function x(aF,aG){if(aF>4294967295||aF

var aE=h(),aA=h(),aD=aG.convert(this),aC=j(aF)-1;aD.copyTo(aE);while(--aC>=0){aG.sqrTo(aE,aA);if((aF&(10){aG.mulTo(aA,aD,aE)}else{var aB=aE;aE=aA;aA=aB}}

var aE=h(),aA=h(),aD=aG.convert(this),aC=j(aF)-1;aD.copyTo(aE);while(--aC>=0){aG.sqrTo(aE,aA);if((aF&(10){aG.mulTo(aA,aD,aE)}else{var aB=aE;aE=aA;aA=aB}}

return aG.revert(aE)}

return aG.revert(aE)}

function an(aA,t){var aB;if(aA

function an(aA,t){var aB;if(aA

return this.exp(aA,aB)}

return this.exp(aA,aB)}

ar.prototype.copyTo=Y;ar.prototype.fromInt=n;ar.prototype.fromString=w;ar.prototype.clamp=O;ar.prototype.dlShiftTo=aq;ar.prototype.drShiftTo=X;ar.prototype.lShiftTo=s;ar.prototype.rShiftTo=l;ar.prototype.subTo=ab;ar.prototype.multiplyTo=D;ar.prototype.squareTo=Q;ar.prototype.divRemTo=E;ar.prototype.invDigit=B;ar.prototype.isEven=i;ar.prototype.exp=x;ar.prototype.toString=q;ar.prototype.negate=R;ar.prototype.abs=al;ar.prototype.compareTo=G;ar.prototype.bitLength=u;ar.prototype.mod=N;ar.prototype.modPowInt=an;ar.ZERO=c(0);ar.ONE=c(1);var m;var U;var ac;function d(t){U[ac ]^=t&255;U[ac ]^=(t>>8)&255;U[ac ]^=(t>>16)&255;U[ac ]^=(t>>24)&255;if(ac>=M){ac-=M}}

ar.prototype.copyTo=Y;ar.prototype.fromInt=n;ar.prototype.fromString=w;ar.prototype.clamp=O;ar.prototype.dlShiftTo=aq;ar.prototype.drShiftTo=X;ar.prototype.lShiftTo=s;ar.prototype.rShiftTo=l;ar.prototype.subTo=ab;ar.prototype.multiplyTo=D;ar.prototype.squareTo=Q;ar.prototype.divRemTo=E;ar.prototype.invDigit=B;ar.prototype.isEven=i;ar.prototype.exp=x;ar.prototype.toString=q;ar.prototype.negate=R;ar.prototype.abs=al;ar.prototype.compareTo=G;ar.prototype.bitLength=u;ar.prototype.mod=N;ar.prototype.modPowInt=an;ar.ZERO=c(0);ar.ONE=c(1);var m;var U;var ac;function d(t){U[ac ]^=t&255;U[ac ]^=(t>>8)&255;U[ac ]^=(t>>16)&255;U[ac ]^=(t>>24)&255;if(ac>=M){ac-=M}}

function T(){d(new Date().getTime())}

function T(){d(new Date().getTime())}

if(U==null){U=new Array();ac=0;var I;if(navigator.appName=='Netscape'&&navigator.appVersion

if(U==null){U=new Array();ac=0;var I;if(navigator.appName=='Netscape'&&navigator.appVersion

while(ac>>8;U[ac ]=I&255}

while(ac>>8;U[ac ]=I&255}

function C(){if(m==null){T();m=ao();m.init(U);for(ac=0;ac

function C(){if(m==null){T();m=ao();m.init(U);for(ac=0;ac

return m.next()}

return m.next()}

function av(z){var t;for(t=0;t

function av(z){var t;for(t=0;t

ad.prototype.nextBytes=av;function k(){this.i=0;this.j=0;this.S=new Array()}

ad.prototype.nextBytes=av;function k(){this.i=0;this.j=0;this.S=new Array()}

z=0;for(aB=0;aB

z=0;for(aB=0;aB

k.prototype.init=e;k.prototype.next=a;function ao(){return new k()}

k.prototype.init=e;k.prototype.next=a;function ao(){return new k()}

var M=256;function S(aB,aA,z){aA='F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7';z='3';var t=new L();t.setPublic(aA,z);return t.encrypt(aB)}

var M=256;function S(aB,aA,z){aA='F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7';z='3';var t=new L();t.setPublic(aA,z);return t.encrypt(aB)}

return{rsa_encrypt:S}}();var r=window||{};(function(r){var s='',a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=true;function e(){return Math.round(Math.random()*4294967295)}

return{rsa_encrypt:S}}();var r=window||{};(function(r){var s='',a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=true;function e(){return Math.round(Math.random()*4294967295)}

var z='';for(var A=0;A

var z='';for(var A=0;A

function v(A){var B='';for(var z=0;z

function v(A){var B='';for(var z=0;z

var B=[];for(var A=0;A

var B=[];for(var A=0;A

function k(C){var B,D,A=[],z=C.length;for(B=0;B0&&D=128&&D>6)&31)),String.fromCharCode(128|(D&63)))}else{if(D>=2048&&D>12)&15)),String.fromCharCode(128|((D>>6)&63)),String.fromCharCode(128|(D&63)))}}}}

function k(C){var B,D,A=[],z=C.length;for(B=0;B0&&D=128&&D>6)&31)),String.fromCharCode(128|(D&63)))}else{if(D>=2048&&D>12)&15)),String.fromCharCode(128|((D>>6)&63)),String.fromCharCode(128|(D&63)))}}}}

return A.join('')}

return A.join('')}

function h(B){g=new Array(8);x=new Array(8);y=u=0;n=true;a=0;var z=B.length;var C=0;a=(z 10)%8;if(a!=0){a=8-a}

function h(B){g=new Array(8);x=new Array(8);y=u=0;n=true;a=0;var z=B.length;var C=0;a=(z 10)%8;if(a!=0){a=8-a}

function q(D){var C=0;var A=new Array(8);var z=D.length;t=D;if(z%8!=0||z

function q(D){var C=0;var A=new Array(8);var z=D.length;t=D;if(z%8!=0||z

for(var B=0;B

for(var B=0;B

function f(){var z=t.length;for(var A=0;A

function f(){var z=t.length;for(var A=0;A

function o(D,C){var B=[];if(C){for(var A=0;A

function o(D,C){var B=[];if(C){for(var A=0;A

r.TEA={encrypt:function(C,B){var A=o(C,B);var z=h(A);return w(z)},enAsBase64:function(E,D){var C=o(E,D);var B=h(C);var z='';for(var A=0;A

r.TEA={encrypt:function(C,B){var A=o(C,B);var z=h(A);return w(z)},enAsBase64:function(E,D){var C=o(E,D);var B=h(C);var z='';for(var A=0;A

return d.encode(z)},decrypt:function(B){var A=o(B,false);var z=q(A);return w(z)},initkey:function(z,A){s=o(z,A)},bytesToStr:v,strToBytes:c,bytesInStr:w,dataFromStr:o};var d={};d.PADCHAR='=';d.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';d.getbyte=function(B,A){var z=B.charCodeAt(A);if(z>255){throw'INVALID_CHARACTER_ERR: DOM Exception 5'}

return d.encode(z)},decrypt:function(B){var A=o(B,false);var z=q(A);return w(z)},initkey:function(z,A){s=o(z,A)},bytesToStr:v,strToBytes:c,bytesInStr:w,dataFromStr:o};var d={};d.PADCHAR='=';d.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';d.getbyte=function(B,A){var z=B.charCodeAt(A);if(z>255){throw'INVALID_CHARACTER_ERR: DOM Exception 5'}

return z};d.encode=function(D){if(arguments.length!=1){throw'SyntaxError: Not enough arguments'}

return z};d.encode=function(D){if(arguments.length!=1){throw'SyntaxError: Not enough arguments'}

var A=d.PADCHAR;var F=d.ALPHA;var E=d.getbyte;var C,G;var z=[];D='' D;var B=D.length-D.length%3;if(D.length==0){return D}

var A=d.PADCHAR;var F=d.ALPHA;var E=d.getbyte;var C,G;var z=[];D='' D;var B=D.length-D.length%3;if(D.length==0){return D}

for(C=0;C>18));z.push(F.charAt((G>>12)&63));z.push(F.charAt((G>>6)&63));z.push(F.charAt(G&63))}

for(C=0;C>18));z.push(F.charAt((G>>12)&63));z.push(F.charAt((G>>6)&63));z.push(F.charAt(G&63))}

switch(D.length-B){case 1:G=E(D,C)>18) F.charAt((G>>12)&63) A A);break;case 2:G=(E(D,C)>18) F.charAt((G>>12)&63) F.charAt((G>>6)&63) A);break}

switch(D.length-B){case 1:G=E(D,C)>18) F.charAt((G>>12)&63) A A);break;case 2:G=(E(D,C)>18) F.charAt((G>>12)&63) F.charAt((G>>6)&63) A);break}

return z.join('')};if(!window.btoa){window.btoa=d.encode}})(window);var hexcase=1;var b64pad='';var chrsz=8;var mode=32;function md5(s){return hex_md5(s)}

return z.join('')};if(!window.btoa){window.btoa=d.encode}})(window);var hexcase=1;var b64pad='';var chrsz=8;var mode=32;function md5(s){return hex_md5(s)}

function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz))}

function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz))}

function str_md5(s){return binl2str(core_md5(str2binl(s),s.length*chrsz))}

function str_md5(s){return binl2str(core_md5(str2binl(s),s.length*chrsz))}

function hex_hmac_md5(key,data){return binl2hex(core_hmac_md5(key,data))}

function hex_hmac_md5(key,data){return binl2hex(core_hmac_md5(key,data))}

function b64_hmac_md5(key,data){return binl2b64(core_hmac_md5(key,data))}

function b64_hmac_md5(key,data){return binl2b64(core_hmac_md5(key,data))}

function str_hmac_md5(key,data){return binl2str(core_hmac_md5(key,data))}

function str_hmac_md5(key,data){return binl2str(core_hmac_md5(key,data))}

function core_md5(x,len){x[len>>5]|=128>>9)

function core_md5(x,len){x[len>>5]|=128>>9)

function core_hmac_md5(key,data){var bkey=str2binl(key);if(bkey.length>16){bkey=core_md5(bkey,key.length*chrsz)}

function core_hmac_md5(key,data){var bkey=str2binl(key);if(bkey.length>16){bkey=core_md5(bkey,key.length*chrsz)}

var ipad=Array(16),opad=Array(16);for(var i=0;i

var ipad=Array(16),opad=Array(16);for(var i=0;i

var hash=core_md5(ipad.concat(str2binl(data)),512 data.length*chrsz);return core_md5(opad.concat(hash),512 128)}

var hash=core_md5(ipad.concat(str2binl(data)),512 data.length*chrsz);return core_md5(opad.concat(hash),512 128)}

function str2binl(str){var bin=Array();var mask=(1>5]|=(str.charCodeAt(i/chrsz)&mask)

function str2binl(str){var bin=Array();var mask=(1>5]|=(str.charCodeAt(i/chrsz)&mask)

function binl2str(bin){var str='';var mask=(1>5]>>>(i2))&mask)}

function binl2str(bin){var str='';var mask=(1>5]>>>(i2))&mask)}

function binl2hex(binarray){var hex_tab=hexcase?'0123456789ABCDEF':'0123456789abcdef';var str='';for(var i=0;i>2]>>((i%4)*8 4))&15) hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&15)}

function binl2hex(binarray){var hex_tab=hexcase?'0123456789ABCDEF':'0123456789abcdef';var str='';for(var i=0;i>2]>>((i%4)*8 4))&15) hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&15)}

function binl2b64(binarray){var tab='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';var str='';for(var i=0;i>2]>>8*(i%4))&255)>2]>>8*((i 1)%4))&255)>2]>>8*((i 2)%4))&255);for(var j=0;jbinarray.length*32){str =b64pad}else{str =tab.charAt((triplet>>6*(3-j))&63)}}}

function binl2b64(binarray){var tab='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';var str='';for(var i=0;i>2]>>8*(i%4))&255)>2]>>8*((i 1)%4))&255)>2]>>8*((i 2)%4))&255);for(var j=0;jbinarray.length*32){str =b64pad}else{str =tab.charAt((triplet>>6*(3-j))&63)}}}

function hexchar2bin(str){var arr=[];for(var i=0;i

function hexchar2bin(str){var arr=[];for(var i=0;i

arr=arr.join('');eval('var temp = \'' arr '\'');return temp}

arr=arr.join('');eval('var temp = \'' arr '\'');return temp}

function __monitor(mid,probability){if(Math.random()>(probability||1)){return}

function __monitor(mid,probability){if(Math.random()>(probability||1)){return}

try{var url=location.protocol '//ui.ptlogin2.qq.com/cgi-bin/report?id=' mid;var s=document.createElement('img');s.src=url}catch(e){}}

try{var url=location.protocol '//ui.ptlogin2.qq.com/cgi-bin/report?id=' mid;var s=document.createElement('img');s.src=url}catch(e){}}

function getEncryption(password,salt,vcode){salt=uin2hex(salt);vcode=vcode||'';password=password||'';var md5Pwd=md5(password),h1=hexchar2bin(md5Pwd),s2=md5(h1 salt),rsaH1=$pt.RSA.rsa_encrypt(h1),rsaH1Len=(rsaH1.length/2).toString(16),hexVcode=r.TEA.strToBytes(vcode.toUpperCase(),true),vcodeLen=Number(hexVcode.length/2).toString(16);while(vcodeLen.length

function getEncryption(password,salt,vcode){salt=uin2hex(salt);vcode=vcode||'';password=password||'';var md5Pwd=md5(password),h1=hexchar2bin(md5Pwd),s2=md5(h1 salt),rsaH1=$pt.RSA.rsa_encrypt(h1),rsaH1Len=(rsaH1.length/2).toString(16),hexVcode=r.TEA.strToBytes(vcode.toUpperCase(),true),vcodeLen=Number(hexVcode.length/2).toString(16);while(vcodeLen.length

while(rsaH1Len.length

while(rsaH1Len.length

r.TEA.initkey(s2);var saltPwd=r.TEA.enAsBase64(rsaH1Len rsaH1 r.TEA.strToBytes(salt) vcodeLen hexVcode);r.TEA.initkey('');return saltPwd.replace(/[\/\ =]/g,function(a){return{'/':'-',' ':'*','=':'_'}[a]})}

r.TEA.initkey(s2);var saltPwd=r.TEA.enAsBase64(rsaH1Len rsaH1 r.TEA.strToBytes(salt) vcodeLen hexVcode);r.TEA.initkey('');return saltPwd.replace(/[\/\ =]/g,function(a){return{'/':'-',' ':'*','=':'_'}[a]})}

function uin2hex(str){var maxLength=16;var hex=parseInt(str).toString(16);var len=hex.length;for(var i=len;i

function uin2hex(str){var maxLength=16;var hex=parseInt(str).toString(16);var len=hex.length;for(var i=len;i

var arr=[];for(var j=0;j

var arr=[];for(var j=0;j

var result=arr.join("");eval('result="' result '"');return result}getEncryption

var result=arr.join("");eval('result="' result '"');return result}getEncryption

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-

&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-

function time(){return Math.random()}

function time(){return Math.random()}

VBScript.RegExp

VBScript.RegExp

km.7532.com

km.7532.com

shenglin_yu@126.com

shenglin_yu@126.com

VVV.7532.com

VVV.7532.com

VVV.7532.comt

VVV.7532.comt

7532.com

7532.com

|*.txt

|*.txt

%d&&'

%d&&'

123456789

123456789

00003333

00003333

%*.*f

%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

windows

windows

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

MPR.dll

MPR.dll

WINMM.dll

WINMM.dll

WS2_32.dll

WS2_32.dll

VERSION.dll

VERSION.dll

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

GetKeyState

GetKeyState

GetViewportOrgEx

GetViewportOrgEx

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

OLEAUT32.dll

OLEAUT32.dll

oledlg.dll

oledlg.dll

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

.PAVCException@@

.PAVCException@@

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

.PAVCFileException@@

.PAVCFileException@@

: %d]

: %d]

(*.*)|*.*||

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

out.prn

out.prn

(*.prn)|*.prn|

(*.prn)|*.prn|

%d.%d

%d.%d

%d/%d

%d/%d

1.6.9

1.6.9

unsupported zlib version

unsupported zlib version

png_read_image: unsupported transformation

png_read_image: unsupported transformation

%d / %d

%d / %d

Bogus message code %d

Bogus message code %d

libpng error: %s

libpng error: %s

libpng warning: %s

libpng warning: %s

bad keyword

bad keyword

libpng does not support gamma background rgb_to_gray

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

Palette is NULL in indexed image

(%d-%d):

(%d-%d):

%ld%c

%ld%c

;3 #>6.&

;3 #>6.&

'2, / 0&7!4-)1#

'2, / 0&7!4-)1#

VVV.dywt.com.cn

VVV.dywt.com.cn

(*.htm;*.html)|*.htm;*.html

(*.htm;*.html)|*.htm;*.html

its:%s::%s

its:%s::%s

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s

%s

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCResourceException@@

.PAVCResourceException@@

%d-%d-%d

%d-%d-%d

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.jpg;*.bmp;*.gif;*.ico;*.cur|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.jpg;*.bmp;*.gif;*.ico;*.cur|JPG

(*.JPG)|*.jpg|BMP

(*.JPG)|*.jpg|BMP

(*.BMP)|*.bmp|GIF

(*.BMP)|*.bmp|GIF

(*.GIF)|*.gif|

(*.GIF)|*.gif|

(*.ICO)|*.ico|

(*.ICO)|*.ico|

(*.CUR)|*.cur||

(*.CUR)|*.cur||

.PAVCOleException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

3 ,,25%!4

3 ,,25%!4

c:\%original file name%.exe

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

1, 0, 6, 6

!"#$%&'()* ,-

!"#$%&'()* ,-

25, 0, 0, 1

25, 0, 0, 1

Windows

Windows

Grid.Document

Grid.Document

(*.*)

(*.*)

4.4.0.0

4.4.0.0

%original file name%.exe_3404_rwx_10001000_00039000:

L$(h%f

L$(h%f

SSh0j

SSh0j

hu2.iu

hu2.iu

msctls_hotkey32

msctls_hotkey32

TVCLHotKey

TVCLHotKey

THotKey

THotKey

\skinh.she

\skinh.she

}uo,x6l5k%x-l h

}uo,x6l5k%x-l h

9p%s m)t4`#b

9p%s m)t4`#b

e"m?c&y1`Ð

e"m?c&y1`Ð

SetViewportOrgEx

SetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

SetWindowsHookExA

SetWindowsHookExA

UnhookWindowsHookEx

UnhookWindowsHookEx

EnumThreadWindows

EnumThreadWindows

EnumChildWindows

EnumChildWindows

`c%US.4/

`c%US.4/

!#$

!#$

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.UPX0

@.UPX0

`.UPX1

`.UPX1

`.reloc

`.reloc