Gen:Variant.Strictor.56002 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 52ddeb2f6f10044b710a210078609a97
SHA1: 378d3435569f63cd05bc19870791ea7d8b658daf
SHA256: ece6ea8fc1c0431085bea0d8e444f96393e5843692416516cce3beddd50456fa
SSDeep: 12288:B1NcR8MGmg3eduPDAk9i 04lx2R0dzFldWG6txK x9j5oM1RbkkkqbvaaGqe9Xhf:qv1fdynjbldWG6txKooSzoZhb/L
Size: 782476 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MEW11SEv12, MEW11SEv11, UPolyXv05_v6, Mew11SEv12Eng
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):
%original file name%.exe:1856
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU9ALEH.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGBKRY7.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[2].txt (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (619 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (6789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19376 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic1[1].gif (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (247 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (15394 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (668 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (7697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (619 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA5X76IW.htm (976 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.19[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pic1[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\base_MIN_11.19[2].css (0 bytes)
Registry activity
The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 83 F6 21 EF CD A9 37 7B 0C BA 11 C5 D6 FE 84"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\MediaPlayer\Health\{75451200-3571-4A62-9708-2C6998D2FB8F}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 1290 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.cfyuanji.com |
127.0.0.1 | www.cfyuanji.net |
127.0.0.1 | www.cfyuanji.cc |
127.0.0.1 | cfyuanji.com |
127.0.0.1 | cfyuanji.net |
127.0.0.1 | cfyuanji.cc |
127.0.0.1 | www.cfyalan.com |
127.0.0.1 | www.cfyalan.net |
127.0.0.1 | www.cfyalan.cc |
127.0.0.1 | yy.cfyalan.com |
127.0.0.1 | cc.cfyalan.com |
127.0.0.1 | cfyalan.com |
127.0.0.1 | cfyalan.net |
127.0.0.1 | cfyalan.cc |
127.0.0.1 | www.cftianyue.com |
127.0.0.1 | www.cftianyue.net |
127.0.0.1 | www.cftianyue.cc |
127.0.0.1 | cftianyue.com |
127.0.0.1 | cftianyue.net |
127.0.0.1 | cftianyue.cc |
127.0.0.1 | www.cfty.cc |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU9ALEH.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGBKRY7.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[2].txt (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (619 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (6789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19376 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic1[1].gif (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (247 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (15394 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (668 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (7697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (619 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA5X76IW.htm (976 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
MEW | 4096 | 3145728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://115.236.16.240/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E93C28C20555F6D3950211B08CB2C4F57&Url=&referer=http://www.cfmogu.com/ | |
hxxp://115.236.16.240/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A607F4996FA0E0A707E3EDC15C0529F3E2BF0D5AD113A674B7B&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393 | |
hxxp://61.130.108.34/acpa/webgame/cy.html?from=tgly_14516 | |
hxxp://115.236.16.240/AShow.aspx?AID=9756 | |
hxxp://42.156.140.23/stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1570658577 | |
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1222734529 | |
hxxp://42.156.162.7/img/pic1.gif | |
hxxp://pcookie.split.cnzz.com/app.gif?&cna= RtlDGPZslwCAbhrJiZ/6hAT | |
hxxp://115.236.16.240/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E7136586F99B9B7E73C90B1A205C1D7CF&Url=&referer=http://www.cfmogu.com/ | |
hxxp://42.156.140.23/stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1435798481 | |
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=811241341 | |
hxxp://115.236.16.240/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3EEE93164D10FA9E02A75B0DFE9AC2B853&Url=&referer=http://www.cfmogu.com/ | |
&ck&cl&ds&et&fl&ja&ln&lo&nv&rnd&si&st&v&lv&tt &r&lg&ntime&cnzz_eid&showp&t&h&rnd &<&><>><><><<<><& <<<>>> &height&SCUrl&gourl &><<&<&&><> <<<>>> <><><><><><><><><><><><><><><><><><><><><><><><><><>< <<<>>> <<<>>> &F..><><&&>&&K..Lqkp.&&>>>& <<<>>> &>>> <<<>>> &&D.TdE..t6..U.e.....u..F&&&><><<&> <<<>>> &&a.nodeType&&a.type<<<&& <<<>>> <<<>>> &F..><><&&>&&K..Lqkp.&&>>>& <<<>>> &&D.TdE..t6..U.e.....u..F&<>>&:wH <<<>>> &js_type&callback &WebID&DomainID&APID&Auth&Url&referer &>> &WebID&DomainID&APID&Auth&Url&referer &>> &s <&o2&<&<>&eX><>><><<& <<<>>> &><<< <<<>>> >>>&<><&<> <<<>>> >>>&<><&<> <<<>>> &<&><>><><><<<><& <<<>>> &<<<><&>>><>&><<>>&>><>> <<<>>> &Auth&referer&utz <><><><><><><><><><><><> <><><><><><><><><><><><><><<><><><><><><><><> <<<>>> <>>>>&T.....><>&>&><&&>& <<<>>> &<&><>><><><<<><& <<<>>> &r&lg&ntime&cnzz_eid&showp&t&h&rnd & &r&lg&ntime&cnzz_eid&showp&t&h&rnd &s &&vF...v6&ag..&R.v6.T....l.<><><&<&><><< <<<>>> &s <&&FN.n&FF.....tS<&>>>>><<& <<<>>> >>>&<><&<> <<<>>> >><><&<&&&><&x-.K>&&<< <<<>>> &r &&&&&f&& &r &r &r &&&&&f&< &WebID&DomainID&APID&Auth&Url&referer &>> &WebID&DomainID&APID&Auth&Url&referer &>> &r&lg&ntime&cnzz_eid&showp&t&h&rnd &Auth&referer&utz <><><><><><><><><><><><> &cna &cna &cssurl&jsurl&returntype <><<<><>&&>> <<<>>> &cssurl&jsurl&returntype <>&<&<<>><<<&&<>><<>&&& <<<>>> &cssurl&jsurl&returntype <><<<><>&&>> <<<>>> &cssurl&jsurl&returntype <<<>>> <><><><><><><><><><><><><><><><><><><><><><><><><><>< <<<>>> >&&OnwCc..........7<&>&&<>>>>&>&&O..... <<<>>> >>>&<><&<> <<<>>> &&>&&&>>&&AH.<<<&< <<<>>> &rnd &cna &rnd &cna &cna &rnd &cna &rnd &cna &cna &cna &s <<&<&&><&v...........n...C.e.Z.......V.l9....m...><<>>&<<<< <<<>>> &s ><>>&&N..&>><>>><<<&>&<> <<<>>> <>>>>&T.....><>&>&><&&>& <<<>>> &height&SCUrl&gourl &><<&<&&><> <<<>>> &height&SCUrl&gourl &><<&<&&><> <<<>>> &height&SCUrl&gourl &><<&<&&><> <<<>>> &height&SCUrl&gourl&PID&Auth&Url &<<>&<&&<<>>&><> <<<>>> <>>>>&T.....><>&>&><&&>& <<<>>> &ntime <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>< <<<>>> &ntime <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>< <<<>>> &ntime <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>< <<<>>> &ntime &height&SCUrl&gourl&PID&Auth&Url &<<>&<&&<<>>&><> <<<>>> &height&SCUrl&gourl&PID&Auth&Url &<<>&<&&<<>>&><> <<<>>> <<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"<><><><>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>Á<><>""<><><><>"<><>&<><><>>><><><><><><><><>"<><>>">&>>><><><><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>""<><><><><><><><><><><><><><>""""<><>""<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>>&<><>Ü<><><><><""""><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>û<><><><><><><><><><><><><><><><><><><><><><><><><><>"<><><><>"<><><><><><><><><><><><><><><><><><><><>&<><>&<><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"<><>"<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> |