Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: eb0ca9362f4363e89a0d8d952a96c391
SHA1: 6d31178527baffcd96b338b5c80fdad9c774418e
SHA256: 7aef27978e9764d29fb889a2a559a4757d78ed46f1018a857e24dbedb46a4115
SSDeep: 12288:1sd5uSQbW3ofQ7ofAGw7nXglK/uyY6ZXBWJ W41deQTloS:Cd5uSOW4frAjD/s6ZXk WmEQT
Size: 537088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-24 15:22:13
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:800
Mutexes
The following mutexes were created/opened:
c:!documents and settings!adm!local settings!history!history.ie5!mshist012015060320150604!_!SHMSFTHISTORY!_CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003HGFSMUTEX00000000000240eeZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex
File activity
The process %original file name%.exe:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A9WRW5GJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\Ƥ·ô.she (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAOVI5A7.htm (10 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAR2KVN1 (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GBE3DABB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PW0KY8DE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ui.ptlogin2.qq[1].txt (180 bytes)
Registry activity
The process %original file name%.exe:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CachePrefix" = ":2015060320150604:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015060320150604\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 3A ED BD 98 07 43 B9 3A 80 14 FC 13 56 3C 9C"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k56330"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060320150604]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
114054313070472cd1a6d7d28f7c5002 | c:\jedata.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A9WRW5GJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
C:\Ƥ·ô.she (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAOVI5A7.htm (10 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OR5MZNZI\CAR2KVN1 (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GBE3DABB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PW0KY8DE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ui.ptlogin2.qq[1].txt (180 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ?????
Product Name: ??V8????1.5
Product Version: 1.3.0.0
Legal Copyright: ????? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.3.0.0
File Description: V8.0??????-????????
Comments: V8.0??????-????????
Language: Language Neutral
Company Name: ?????Product Name: ??V8????1.5Product Version: 1.3.0.0Legal Copyright: ????? ????Legal Trademarks: Original Filename: Internal Name: File Version: 1.3.0.0File Description: V8.0??????-????????Comments: V8.0??????-????????Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1224704 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1228800 | 466944 | 463872 | 5.54474 | bb5fb09f867f7ad0b3f8c9d88ed3304f |
.rsrc | 1695744 | 73728 | 72192 | 1.60111 | df070ca39aeed1d9da24c39021c5a6a8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44 | 112.90.83.106 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Tue, 02 Jun 2015 23:30:25 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=86400
Set-Cookie: pt_user_id=9571227474957132143; EXPIRES=Fri, 30-May-2025 23:30:25 GMT; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: pt_login_sig=1wwnglu-xtFLJACb1cmHXbTn*lznPQ3ojGXliU3-Otn*EI7GHzjCKv5jE98eRd0S; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_clientip=90b0c18af4e71c53; PATH=/; DOMAIN=qq.com;
Set-Cookie: pt_serverip=0a940a85030cbd2d; PATH=/; DOMAIN=qq.com;
Set-Cookie: login_param=link_target=blank&appid=15000101&s_url=http%3A//php.qzone.qq.com/index.php%3Fmod%3Dportal%26act%3Dlogin&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1%3Dhttp%3A//php.qzone.qq.com/index.php%3Fmod%3Dportal%26act%3Dlogin&r=2010-10-31%200:03:44; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: uikey=bfa7ba82c4f1036bc6ed4e7d3044e759c921a524698327a61990af015fccfea6; PATH=/; DOMAIN=ptlog
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_800:
`.rsrc
`.rsrc
t%SVh
t%SVh
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
wininet.dll
wininet.dll
kernel32.dll
kernel32.dll
shlwapi.dll
shlwapi.dll
jedata.dll
jedata.dll
user32.dll
user32.dll
gdiplus.dll
gdiplus.dll
ole32.dll
ole32.dll
GdiPlus.dll
GdiPlus.dll
Psapi.dll
Psapi.dll
advapi32.dll
advapi32.dll
ntdll.dll
ntdll.dll
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
GdiplusShutdown
GdiplusShutdown
EnumChildWindows
EnumChildWindows
WEBUI
WEBUI
WebUIControl
WebUIControl
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=
"nick":"
"nick":"
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
http=
https
https
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
hXXps://
hXXps://
hXXp://
hXXp://
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44
.qzone.qq.com/jjb
.qzone.qq.com/jjb
hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm
hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm
skey=
skey=
; skey=
; skey=
VVV.baidu.com
VVV.baidu.com
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://VVV.2345.com/?k56330
hXXp://VVV.2345.com/?k56330
pei.jjb
pei.jjb
\jedata.dll
\jedata.dll
.rsrc
.rsrc
%S4WD
%S4WD
hg%fpM
hg%fpM
S.Ac9SR
S.Ac9SR
0.I%3s
0.I%3s
,wAe.kI
,wAe.kI
aiUy'4xu
aiUy'4xu
%c*@j
%c*@j
.eH'y
.eH'y
{&%U)
{&%U)
lj%4U
lj%4U
xe%CNs
xe%CNs
9F.cLe
9F.cLe
hJK.ZH
hJK.ZH
O.qt0
O.qt0
KERNEL32.DLL
KERNEL32.DLL
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
MSVCRT.dll
MSVCRT.dll
MSVFW32.dll
MSVFW32.dll
USER32.dll
USER32.dll
SkinH_EL.dll
SkinH_EL.dll
_y.qzone.qq.com
_y.qzone.qq.com
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif
&curkey=http://user.qzone.qq.com/
&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
qzreferrer=http://user.qzone.qq.com/
qzreferrer=http://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
:hXXp://VVV.tmd.la
:hXXp://VVV.tmd.la
hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=
hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=
VVV.29523472.cn/
VVV.29523472.cn/
2000-4000
2000-4000
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
application/x-www-form-urlencoded
Adodb.Stream
Adodb.Stream
MSScriptControl.ScriptControl
MSScriptControl.ScriptControl
Scripting.Encoder
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0) i] = i
digits["A".charCodeAt(0) i] = i
digits["a".charCodeAt(0) i] = i 26
digits["a".charCodeAt(0) i] = i 26
for (var i=0; i
for (var i=0; i
if (char.charCodeAt(0) > 126) return char
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val = (digits[string.substr(0,1).charCodeAt(0)]
val = (digits[string.substr(0,1).charCodeAt(0)]
val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)
val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)
val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)
val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)
val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)
val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)
val = (digits[string.substr(3,1).charCodeAt(0)]
val = (digits[string.substr(3,1).charCodeAt(0)]
scriptIndex = encodingString.indexOf(marker, stringIndex)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString = encodingString.substring(stringIndex, scriptIndex)
unEncodingString = encodingString.substring(stringIndex, scriptIndex)
scriptIndex = marker.length
scriptIndex = marker.length
unEncodingString = encodingString.substr(stringIndex, encodingString.length)
unEncodingString = encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex = (6 "==".length)
scriptIndex = (6 "==".length)
stringIndex = scriptIndex "DQgAAA==^#~@".length
stringIndex = scriptIndex "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0)
if (char.charCodeAt(0)
unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString = unescape(encodingString.substr( scriptIndex, 1))
unEncodingString = unescape(encodingString.substr( scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext
strdec(AdodbStream.ReadText);
strdec(AdodbStream.ReadText);
0.0.0.0
0.0.0.0
0000000000
0000000000
function encrypt(str,pass){
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
return str.toString();
len = str.length;
len = str.length;
c = str.charCodeAt(i);
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i );
c = str.charCodeAt(i );
out[j ] = str.charAt(i - 1);
out[j ] = str.charAt(i - 1);
c2 = str.charCodeAt(i );
c2 = str.charCodeAt(i );
out[j ] = String.fromCharCode(((c & 0x1f)
out[j ] = String.fromCharCode(((c & 0x1f)
c3 = str.charCodeAt(i );
c3 = str.charCodeAt(i );
out[j ] = String.fromCharCode(((c & 0x0f)
out[j ] = String.fromCharCode(((c & 0x0f)
c4 = str.charCodeAt(i );
c4 = str.charCodeAt(i );
out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
len = str.length;
len = str.length;
c = str.charCodeAt(i )
c = str.charCodeAt(i )
str.charCodeAt(i )
str.charCodeAt(i )
str.charCodeAt(i );
str.charCodeAt(i );
c = str.charCodeAt(i );
c = str.charCodeAt(i );
c = str.charCodeAt(i )
c = str.charCodeAt(i )
return out.join('');
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i )];
c1 = base64DecodeChars[str.charCodeAt(i )];
c2 = base64DecodeChars[str.charCodeAt(i )];
c2 = base64DecodeChars[str.charCodeAt(i )];
out[j ] = String.fromCharCode((c1 > 4));
out[j ] = String.fromCharCode((c1 > 4));
c3 = base64DecodeChars[str.charCodeAt(i )];
c3 = base64DecodeChars[str.charCodeAt(i )];
out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));
out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));
c4 = base64DecodeChars[str.charCodeAt(i )];
c4 = base64DecodeChars[str.charCodeAt(i )];
out[j ] = String.fromCharCode(((c3 & 0x03)
out[j ] = String.fromCharCode(((c3 & 0x03)
var length = data.length;
var length = data.length;
data[i] = String.fromCharCode(
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('').substring(0, n);
return data.join('');
return data.join('');
var length = string.length;
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i 1)
string.charCodeAt(i 1)
string.charCodeAt(i 2)
string.charCodeAt(i 2)
string.charCodeAt(i 3)
string.charCodeAt(i 3)
result[result.length] = length;
result[result.length] = length;
this.encrypt = function(string, key) {
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
var k = stringToLongArray(key, false);
if (k.length
if (k.length
k.length = 4;
k.length = 4;
var n = v.length - 1;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;
this.decrypt = function(string, key) {
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;
* See hXXp://pajhome.org.uk/crypt/md5 for details.
* See hXXp://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i
for(var i = 0; i
* Calculate the HMAC-SHA1 of a key and some data
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);
var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);
return core_sha1(opad.concat(hash), 512 160);
return core_sha1(opad.concat(hash), 512 160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i
for(var i = 0; i
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)
for(var i = 0; i
for(var i = 0; i
str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
for(var i = 0; i
for(var i = 0; i
str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)
str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i
for(var i = 0; i
if(i * 8 j * 6 > binarray.length * 32) str = b64pad;
if(i * 8 j * 6 > binarray.length * 32) str = b64pad;
else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
TempObj=JSON.parse(str);
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
Lobj.push(obj);
return Lobj.length;
return Lobj.length;
function GetAllKey(){
function GetAllKey(){
Lobj = JSON.parse(str);
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
var str=JSON.stringify(Lobj);
return Lobj.str;
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
return isFinite(this.valueOf())
? this.getUTCFullYear() '-'
? this.getUTCFullYear() '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCDate()) 'T'
f(this.getUTCDate()) 'T'
f(this.getUTCHours()) ':'
f(this.getUTCHours()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCSeconds()) 'Z'
f(this.getUTCSeconds()) 'Z'
String.prototype.toJSON =
String.prototype.toJSON =
Number.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
return this.valueOf();
'"' : '\\"',
'"' : '\\"',
'\\': '\\\\'
'\\': '\\\\'
escapable.lastIndex = 0;
escapable.lastIndex = 0;
return escapable.test(string) ? '"' string.replace(escapable, function (a) {
return escapable.test(string) ? '"' string.replace(escapable, function (a) {
: '\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);
: '\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
function str(key, holder) {
k, // The member key.
k, // The member key.
value = holder[key];
value = holder[key];
typeof value.toJSON === 'function') {
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = value.toJSON(key);
value = rep.call(holder, key, value);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
length = value.length;
v = partial.length === 0
v = partial.length === 0
? '[\n' gap partial.join(',\n' gap) '\n' mind ']'
? '[\n' gap partial.join(',\n' gap) '\n' mind ']'
: '[' partial.join(',') ']';
: '[' partial.join(',') ']';
length = rep.length;
length = rep.length;
partial.push(quote(k) (gap ? ': ' : ':') v);
partial.push(quote(k) (gap ? ': ' : ':') v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
v = partial.length === 0
? '{\n' gap partial.join(',\n' gap) '\n' mind '}'
? '{\n' gap partial.join(',\n' gap) '\n' mind '}'
: '{' partial.join(',') '}';
: '{' partial.join(',') '}';
if (typeof JSON.stringify !== 'function') {
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
function walk(holder, key) {
var k, v, value = holder[key];
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
return reviver.call(holder, key, value);
cx.lastIndex = 0;
cx.lastIndex = 0;
if (cx.test(text)) {
if (cx.test(text)) {
text = text.replace(cx, function (a) {
text = text.replace(cx, function (a) {
('0000' a.charCodeAt(0).toString(16)).slice(-4);
('0000' a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
JSON.stringify(Lobj['
Lobj.push("
Lobj.push("
Lobj.push(
Lobj.push(
Lobj.push('
Lobj.push('
Lobj.length
Lobj.length
JSON.stringify(Lobj[
JSON.stringify(Lobj[
Lobj.splice(
Lobj.splice(
GetAllKey
GetAllKey
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
rundll32.exe url.dll,FileProtocolHandler
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_token() {output.push(token_text);}
function print_token() {output.push(token_text);}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function in_array(what, arr) {for (var i = 0; i
function in_array(what, arr) {for (var i = 0; i
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos = 1;if (c === "\n") {n_newlines = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i = input.length) {break;}}}parser_pos = 2;return ["/*" comment "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment = input.charAt(parser_pos);parser_pos = 1;if (parser_pos >= input.length) {break;}}parser_pos = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos = input.length) {break;}}}parser_pos = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep c sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos = input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos = 1;if (c === "\n") {n_newlines = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i = input.length) {break;}}}parser_pos = 2;return ["/*" comment "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment = input.charAt(parser_pos);parser_pos = 1;if (parser_pos >= input.length) {break;}}parser_pos = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos = input.length) {break;}}}parser_pos = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep c sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos = input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=
x =a.replace(/^\s /, '')
x =a.replace(/^\s /, '')
1970/01/01 00:00:00
1970/01/01 00:00:00
.htmlt
.htmlt
VVV.29523472.cn
VVV.29523472.cn
287306383
287306383
VVV.29523472.cn
VVV.29523472.cn
287306383
287306383
29523472
29523472
CCmdTarget
CCmdTarget
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CNotSupportedException
CNotSupportedException
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
GetKeyState
GetKeyState
CreateDialogIndirectParamA
CreateDialogIndirectParamA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
oledlg.dll
oledlg.dll
OLEPRO32.DLL
OLEPRO32.DLL
OLEAUT32.dll
OLEAUT32.dll
WEBUI.fne
WEBUI.fne
F%D,3
F%D,3
%*.*f
%*.*f
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
VERSION.dll
VERSION.dll
WSOCK32.dll
WSOCK32.dll
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
icmp.dll
icmp.dll
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
VVV.dywt.com.cn
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
window.event
window.event
its:%s::%s
its:%s::%s
:bywayboy@126.com
:bywayboy@126.com
:6225 8841 1439 1173
:6225 8841 1439 1173
:6222 0234 0000 1901908
:6222 0234 0000 1901908
:95599 8137 08198 36418
:95599 8137 08198 36418
hXXp://VVV.lifepj.cn
hXXp://VVV.lifepj.cn
bywayboy@126.com
bywayboy@126.com
(0730)6672620
(0730)6672620
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
zcÃ
zcÃ
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
WinExec
WinExec
GetProcessHeap
GetProcessHeap
RegCreateKeyA
RegCreateKeyA
GetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
ShellExecuteA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
.text
.text
`.rdata
`.rdata
@.data
@.data
RASAPI32.dll
RASAPI32.dll
WININET.dll
WININET.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
1, 0, 6, 6
1, 0, 6, 6
- Skin.dll
- Skin.dll
(*.*)
(*.*)
1.3.0.0
1.3.0.0
%original file name%.exe_800_rwx_00401000_0019B000:
t%SVh
t%SVh
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
wininet.dll
wininet.dll
kernel32.dll
kernel32.dll
shlwapi.dll
shlwapi.dll
jedata.dll
jedata.dll
user32.dll
user32.dll
gdiplus.dll
gdiplus.dll
ole32.dll
ole32.dll
GdiPlus.dll
GdiPlus.dll
Psapi.dll
Psapi.dll
advapi32.dll
advapi32.dll
ntdll.dll
ntdll.dll
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
GdiplusShutdown
GdiplusShutdown
EnumChildWindows
EnumChildWindows
WEBUI
WEBUI
WebUIControl
WebUIControl
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_member?uin=
"nick":"
"nick":"
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
http=
https
https
HTTP/1.1
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
hXXps://
hXXps://
hXXp://
hXXp://
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&s_url=http://php.qzone.qq.com/index.php?mod=portal&act=login&f_url=loginerroralert&target=top&qlogin_jumpname=jump&qlogin_param=u1=http://php.qzone.qq.com/index.php?mod=portal&act=login&r=2010-10-31 0:03:44
.qzone.qq.com/jjb
.qzone.qq.com/jjb
hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm
hXXp://wenwen.qq.com/z/QzoneAppQuestionAndAnswer.htm
skey=
skey=
; skey=
; skey=
VVV.baidu.com
VVV.baidu.com
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://VVV.2345.com/?k56330
hXXp://VVV.2345.com/?k56330
pei.jjb
pei.jjb
\jedata.dll
\jedata.dll
.rsrc
.rsrc
%S4WD
%S4WD
hg%fpM
hg%fpM
S.Ac9SR
S.Ac9SR
0.I%3s
0.I%3s
,wAe.kI
,wAe.kI
aiUy'4xu
aiUy'4xu
%c*@j
%c*@j
.eH'y
.eH'y
{&%U)
{&%U)
lj%4U
lj%4U
xe%CNs
xe%CNs
9F.cLe
9F.cLe
hJK.ZH
hJK.ZH
O.qt0
O.qt0
KERNEL32.DLL
KERNEL32.DLL
COMCTL32.dll
COMCTL32.dll
GDI32.dll
GDI32.dll
MSIMG32.dll
MSIMG32.dll
MSVCRT.dll
MSVCRT.dll
MSVFW32.dll
MSVFW32.dll
USER32.dll
USER32.dll
SkinH_EL.dll
SkinH_EL.dll
_y.qzone.qq.com
_y.qzone.qq.com
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
hXXp://w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif
&zb_url=http://i.gtimg.cn/qzone/space_item/pre/14/94110_1.gif
&curkey=http://user.qzone.qq.com/
&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
/main&appid=7030&face=0&fupdate=1&from=1&query_count=200&opuin=
qzreferrer=http://user.qzone.qq.com/
qzreferrer=http://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
hXXp://user.qzone.qq.com/
:hXXp://VVV.tmd.la
:hXXp://VVV.tmd.la
hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=
hXXp://users.qzone.qq.com/cgi-bin/likes/get_like_list_app?uin=
VVV.29523472.cn/
VVV.29523472.cn/
2000-4000
2000-4000
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
application/x-www-form-urlencoded
Adodb.Stream
Adodb.Stream
MSScriptControl.ScriptControl
MSScriptControl.ScriptControl
Scripting.Encoder
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0) i] = i
digits["A".charCodeAt(0) i] = i
digits["a".charCodeAt(0) i] = i 26
digits["a".charCodeAt(0) i] = i 26
for (var i=0; i
for (var i=0; i
if (char.charCodeAt(0) > 126) return char
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val = (digits[string.substr(0,1).charCodeAt(0)]
val = (digits[string.substr(0,1).charCodeAt(0)]
val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)
val = (digits[string.substr(1,1).charCodeAt(0)] & 0xf)
val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)
val = ((digits[string.substr(2,1).charCodeAt(0)] >> 2)
val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)
val = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3)
val = (digits[string.substr(3,1).charCodeAt(0)]
val = (digits[string.substr(3,1).charCodeAt(0)]
scriptIndex = encodingString.indexOf(marker, stringIndex)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString = encodingString.substring(stringIndex, scriptIndex)
unEncodingString = encodingString.substring(stringIndex, scriptIndex)
scriptIndex = marker.length
scriptIndex = marker.length
unEncodingString = encodingString.substr(stringIndex, encodingString.length)
unEncodingString = encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex = (6 "==".length)
scriptIndex = (6 "==".length)
stringIndex = scriptIndex "DQgAAA==^#~@".length
stringIndex = scriptIndex "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0)
if (char.charCodeAt(0)
unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString = unescape(encodingString.substr( scriptIndex, 1))
unEncodingString = unescape(encodingString.substr( scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext RegExp.$1 RegExp.rightContext
strdec(AdodbStream.ReadText);
strdec(AdodbStream.ReadText);
0.0.0.0
0.0.0.0
0000000000
0000000000
function encrypt(str,pass){
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
return str.toString();
len = str.length;
len = str.length;
c = str.charCodeAt(i);
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i );
c = str.charCodeAt(i );
out[j ] = str.charAt(i - 1);
out[j ] = str.charAt(i - 1);
c2 = str.charCodeAt(i );
c2 = str.charCodeAt(i );
out[j ] = String.fromCharCode(((c & 0x1f)
out[j ] = String.fromCharCode(((c & 0x1f)
c3 = str.charCodeAt(i );
c3 = str.charCodeAt(i );
out[j ] = String.fromCharCode(((c & 0x0f)
out[j ] = String.fromCharCode(((c & 0x0f)
c4 = str.charCodeAt(i );
c4 = str.charCodeAt(i );
out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
out[j ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
len = str.length;
len = str.length;
c = str.charCodeAt(i )
c = str.charCodeAt(i )
str.charCodeAt(i )
str.charCodeAt(i )
str.charCodeAt(i );
str.charCodeAt(i );
c = str.charCodeAt(i );
c = str.charCodeAt(i );
c = str.charCodeAt(i )
c = str.charCodeAt(i )
return out.join('');
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i )];
c1 = base64DecodeChars[str.charCodeAt(i )];
c2 = base64DecodeChars[str.charCodeAt(i )];
c2 = base64DecodeChars[str.charCodeAt(i )];
out[j ] = String.fromCharCode((c1 > 4));
out[j ] = String.fromCharCode((c1 > 4));
c3 = base64DecodeChars[str.charCodeAt(i )];
c3 = base64DecodeChars[str.charCodeAt(i )];
out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));
out[j ] = String.fromCharCode(((c2 & 0x0f) > 2));
c4 = base64DecodeChars[str.charCodeAt(i )];
c4 = base64DecodeChars[str.charCodeAt(i )];
out[j ] = String.fromCharCode(((c3 & 0x03)
out[j ] = String.fromCharCode(((c3 & 0x03)
var length = data.length;
var length = data.length;
data[i] = String.fromCharCode(
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('').substring(0, n);
return data.join('');
return data.join('');
var length = string.length;
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i 1)
string.charCodeAt(i 1)
string.charCodeAt(i 2)
string.charCodeAt(i 2)
string.charCodeAt(i 3)
string.charCodeAt(i 3)
result[result.length] = length;
result[result.length] = length;
this.encrypt = function(string, key) {
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
var k = stringToLongArray(key, false);
if (k.length
if (k.length
k.length = 4;
k.length = 4;
var n = v.length - 1;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = 0;
this.decrypt = function(string, key) {
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;
var mx, e, p, q = Math.floor(6 52 / (n 1)), sum = q * delta & 0xffffffff;
* See hXXp://pajhome.org.uk/crypt/md5 for details.
* See hXXp://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i
for(var i = 0; i
* Calculate the HMAC-SHA1 of a key and some data
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);
var hash = core_sha1(ipad.concat(str2binb(data)), 512 data.length * chrsz);
return core_sha1(opad.concat(hash), 512 160);
return core_sha1(opad.concat(hash), 512 160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i
for(var i = 0; i
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask)
for(var i = 0; i
for(var i = 0; i
str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
str = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
for(var i = 0; i
for(var i = 0; i
str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)
str = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i
for(var i = 0; i
if(i * 8 j * 6 > binarray.length * 32) str = b64pad;
if(i * 8 j * 6 > binarray.length * 32) str = b64pad;
else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
else str = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
TempObj=JSON.parse(str);
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
Lobj.push(obj);
return Lobj.length;
return Lobj.length;
function GetAllKey(){
function GetAllKey(){
Lobj = JSON.parse(str);
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
var str=JSON.stringify(Lobj);
return Lobj.str;
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
return isFinite(this.valueOf())
? this.getUTCFullYear() '-'
? this.getUTCFullYear() '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCMonth() 1) '-'
f(this.getUTCDate()) 'T'
f(this.getUTCDate()) 'T'
f(this.getUTCHours()) ':'
f(this.getUTCHours()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCMinutes()) ':'
f(this.getUTCSeconds()) 'Z'
f(this.getUTCSeconds()) 'Z'
String.prototype.toJSON =
String.prototype.toJSON =
Number.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
return this.valueOf();
'"' : '\\"',
'"' : '\\"',
'\\': '\\\\'
'\\': '\\\\'
escapable.lastIndex = 0;
escapable.lastIndex = 0;
return escapable.test(string) ? '"' string.replace(escapable, function (a) {
return escapable.test(string) ? '"' string.replace(escapable, function (a) {
: '\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);
: '\\u' ('0000' a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
function str(key, holder) {
k, // The member key.
k, // The member key.
value = holder[key];
value = holder[key];
typeof value.toJSON === 'function') {
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = value.toJSON(key);
value = rep.call(holder, key, value);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
length = value.length;
v = partial.length === 0
v = partial.length === 0
? '[\n' gap partial.join(',\n' gap) '\n' mind ']'
? '[\n' gap partial.join(',\n' gap) '\n' mind ']'
: '[' partial.join(',') ']';
: '[' partial.join(',') ']';
length = rep.length;
length = rep.length;
partial.push(quote(k) (gap ? ': ' : ':') v);
partial.push(quote(k) (gap ? ': ' : ':') v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
v = partial.length === 0
? '{\n' gap partial.join(',\n' gap) '\n' mind '}'
? '{\n' gap partial.join(',\n' gap) '\n' mind '}'
: '{' partial.join(',') '}';
: '{' partial.join(',') '}';
if (typeof JSON.stringify !== 'function') {
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
function walk(holder, key) {
var k, v, value = holder[key];
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
return reviver.call(holder, key, value);
cx.lastIndex = 0;
cx.lastIndex = 0;
if (cx.test(text)) {
if (cx.test(text)) {
text = text.replace(cx, function (a) {
text = text.replace(cx, function (a) {
('0000' a.charCodeAt(0).toString(16)).slice(-4);
('0000' a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
JSON.stringify(Lobj['
Lobj.push("
Lobj.push("
Lobj.push(
Lobj.push(
Lobj.push('
Lobj.push('
Lobj.length
Lobj.length
JSON.stringify(Lobj[
JSON.stringify(Lobj[
Lobj.splice(
Lobj.splice(
GetAllKey
GetAllKey
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
rundll32.exe url.dll,FileProtocolHandler
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_token() {output.push(token_text);}
function print_token() {output.push(token_text);}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function in_array(what, arr) {for (var i = 0; i
function in_array(what, arr) {for (var i = 0; i
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos = 1;if (c === "\n") {n_newlines = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i = input.length) {break;}}}parser_pos = 2;return ["/*" comment "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment = input.charAt(parser_pos);parser_pos = 1;if (parser_pos >= input.length) {break;}}parser_pos = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos = input.length) {break;}}}parser_pos = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep c sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos = input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos = 1;if (c === "\n") {n_newlines = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i = input.length) {break;}}}parser_pos = 2;return ["/*" comment "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment = input.charAt(parser_pos);parser_pos = 1;if (parser_pos >= input.length) {break;}}parser_pos = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos = input.length) {break;}}}parser_pos = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep c sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos = input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = " - * / % & -- = = -= *= /= $= == === != !== > = > >> >>>= >>=
x =a.replace(/^\s /, '')
x =a.replace(/^\s /, '')
1970/01/01 00:00:00
1970/01/01 00:00:00
.htmlt
.htmlt
VVV.29523472.cn
VVV.29523472.cn
287306383
287306383
VVV.29523472.cn
VVV.29523472.cn
287306383
287306383
29523472
29523472
CCmdTarget
CCmdTarget
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CNotSupportedException
CNotSupportedException
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
GetCPInfo
GetCPInfo
KERNEL32.dll
KERNEL32.dll
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
GetKeyState
GetKeyState
CreateDialogIndirectParamA
CreateDialogIndirectParamA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegCreateKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
oledlg.dll
oledlg.dll
OLEPRO32.DLL
OLEPRO32.DLL
OLEAUT32.dll
OLEAUT32.dll
WEBUI.fne
WEBUI.fne
F%D,3
F%D,3
%*.*f
%*.*f
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
VERSION.dll
VERSION.dll
WSOCK32.dll
WSOCK32.dll
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
icmp.dll
icmp.dll
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
VVV.dywt.com.cn
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
window.event
window.event
its:%s::%s
its:%s::%s
:bywayboy@126.com
:bywayboy@126.com
:6225 8841 1439 1173
:6225 8841 1439 1173
:6222 0234 0000 1901908
:6222 0234 0000 1901908
:95599 8137 08198 36418
:95599 8137 08198 36418
hXXp://VVV.lifepj.cn
hXXp://VVV.lifepj.cn
bywayboy@126.com
bywayboy@126.com
(0730)6672620
(0730)6672620
.?AVCCmdUI@@
.?AVCCmdUI@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
zcÃ
zcÃ
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
WinExec
WinExec
GetProcessHeap
GetProcessHeap
RegCreateKeyA
RegCreateKeyA
GetViewportOrgEx
GetViewportOrgEx
ShellExecuteA
ShellExecuteA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
.text
.text
`.rdata
`.rdata
@.data
@.data
1, 0, 6, 6
1, 0, 6, 6
- Skin.dll
- Skin.dll
(*.*)
(*.*)
%original file name%.exe_800_rwx_10001000_00039000:
L$(h%f
L$(h%f
SSh0j
SSh0j
msctls_hotkey32
msctls_hotkey32
TVCLHotKey
TVCLHotKey
THotKey
THotKey
\skinh.she
\skinh.she
}uo,x6l5k%x-l h
}uo,x6l5k%x-l h
9p%s m)t4`#b
9p%s m)t4`#b
e"m?c&y1`Ã
e"m?c&y1`Ã
SetViewportOrgEx
SetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
EnumThreadWindows
EnumThreadWindows
EnumChildWindows
EnumChildWindows
`c%US.4/
`c%US.4/
!#$
!#$
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.UPX0
@.UPX0
`.UPX1
`.UPX1
`.reloc
`.reloc