Skip to main content

Gen.Variant.Strictor.56002_52ddeb2f6f


Gen:Variant.Strictor.56002 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.IEDummy.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 52ddeb2f6f10044b710a210078609a97

SHA1: 378d3435569f63cd05bc19870791ea7d8b658daf

SHA256: ece6ea8fc1c0431085bea0d8e444f96393e5843692416516cce3beddd50456fa

SSDeep: 12288:B1NcR8MGmg3eduPDAk9i 04lx2R0dzFldWG6txK x9j5oM1RbkkkqbvaaGqe9Xhf:qv1fdynjbldWG6txKooSzoZhb/L

Size: 782476 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MEW11SEv12, MEW11SEv11, UPolyXv05_v6, Mew11SEv12Eng

Company: no certificate found

Created at: 1970-01-01 03:00:00

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1856

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1856 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU9ALEH.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGBKRY7.htm (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[2].txt (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (619 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (6789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (19376 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[1].txt (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic1[1].gif (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (247 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (15394 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (668 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (7697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (619 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA5X76IW.htm (976 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\base_MIN_11.19[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pic1[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\LAB_0.1[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\base_MIN_11.19[2].css (0 bytes)

Registry activity

The process %original file name%.exe:1856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 83 F6 21 EF CD A9 37 7B 0C BA 11 C5 D6 FE 84"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\MediaPlayer\Health\{75451200-3571-4A62-9708-2C6998D2FB8F}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 1290 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.cfyuanji.com
127.0.0.1www.cfyuanji.net
127.0.0.1www.cfyuanji.cc
127.0.0.1cfyuanji.com
127.0.0.1cfyuanji.net
127.0.0.1cfyuanji.cc
127.0.0.1www.cfyalan.com
127.0.0.1www.cfyalan.net
127.0.0.1www.cfyalan.cc
127.0.0.1yy.cfyalan.com
127.0.0.1cc.cfyalan.com
127.0.0.1cfyalan.com
127.0.0.1cfyalan.net
127.0.0.1cfyalan.cc
127.0.0.1www.cftianyue.com
127.0.0.1www.cftianyue.net
127.0.0.1www.cftianyue.cc
127.0.0.1cftianyue.com
127.0.0.1cftianyue.net
127.0.0.1cftianyue.cc
127.0.0.1www.cfty.cc


Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\promimg[1].htm (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU9ALEH.htm (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AClick[1].aspx (372 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGBKRY7.htm (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AClick[1].aspx (372 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[2].txt (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[2] (619 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[1].txt (478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\novoice-270-200[1].swf (6789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (19376 bytes)
    %System%\drivers\etc\hosts (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@p.okm918[1].txt (288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pic1[1].gif (428 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[1].txt (247 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\novoice-270-200[1].swf (15394 bytes)
    %Documents and Settings%\%current user%\Application Data\E_UIEngine\90afea1eeb37be7a93471c36152ab43a\90afea1eeb37be7a93471c36152ab43a.jpg.data (28 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.myzwqwe12[2].txt (668 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\novoice-270-200[1].swf (7697 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\AClick[1].aspx (744 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\promimg[3] (619 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.cfmogu[2].txt (247 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA5X76IW.htm (976 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
MEW4096314572800d41d8cd98f00b204e9800998ecf8427e
31498248437767819645.43219c255c36dd687ac57990ac37ea1aebb46

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://115.236.16.240/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E93C28C20555F6D3950211B08CB2C4F57&Url=&referer=http://www.cfmogu.com/
hxxp://115.236.16.240/showcpm.htm?width=270&height=200&SCUrl=http://115.236.19.58/xm/novoice-270-200.swf&gourl=http://p.okm918.com/CPVClick.aspx?AID=1805&PID=9756&Auth=6848383803FF6A607F4996FA0E0A707E3EDC15C0529F3E2BF0D5AD113A674B7B&Url=http%3a%2f%2fv.6.cn%2fevent%2fpromimg%2f%3fsrc%3dpming393
hxxp://61.130.108.34/acpa/webgame/cy.html?from=tgly_14516
hxxp://115.236.16.240/AShow.aspx?AID=9756
hxxp://42.156.140.23/stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1570658577
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1222734529
hxxp://42.156.162.7/img/pic1.gif
hxxp://pcookie.split.cnzz.com/app.gif?&cna= RtlDGPZslwCAbhrJiZ/6hAT
hxxp://115.236.16.240/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3E7136586F99B9B7E73C90B1A205C1D7CF&Url=&referer=http://www.cfmogu.com/
hxxp://42.156.140.23/stat.htm?id=4693566&r=&lg=en-us&ntime=1407069686&cnzz_eid=402806039-1407069686-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1435798481
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=811241341
hxxp://115.236.16.240/AClick.aspx?AID=1805&WebID=14516&DomainID=7292&APID=9756&Auth=090A76F473308619192FEA7C7C1C6A3EEE93164D10FA9E02A75B0DFE9AC2B853&Url=&referer=http://www.cfmogu.com/
&ck&cl&ds&et&fl&ja&ln&lo&nv&rnd&si&st&v&lv&tt

&r&lg&ntime&cnzz_eid&showp&t&h&rnd

&<&><>><><><<<><&

<<<>>>

&height&SCUrl&gourl

&><<&<&&><>

<<<>>>

<><><><><><><><><><><><><><><><><><><><><><><><><><><

<<<>>>

<<<>>>

&F..><><&&>&&K..Lqkp.&&>>>&

<<<>>>

&>>>

<<<>>>

&&D.TdE..t6..U.e.....u..F&&&><><<&>

<<<>>>

&&a.nodeType&&a.type<<<&&

<<<>>>

<<<>>>

&F..><><&&>&&K..Lqkp.&&>>>&

<<<>>>

&&D.TdE..t6..U.e.....u..F&<>>&:wH

<<<>>>

&js_type&callback

&WebID&DomainID&APID&Auth&Url&referer

&>>

&WebID&DomainID&APID&Auth&Url&referer

&>>

&s

<&o2&<&<>&eX><>><><<&

<<<>>>

&><<<

<<<>>>

>>>&<><&<>

<<<>>>

>>>&<><&<>

<<<>>>

&<&><>><><><<<><&

<<<>>>

&<<<><&>>><>&><<>>&>><>>

<<<>>>

&Auth&referer&utz

<><><><><><><><><><><><>

<><><><><><><><><><><><><><<><><><><><><><><>

<<<>>>

<>>>>&T.....><>&>&><&&>&

<<<>>>

&<&><>><><><<<><&

<<<>>>

&r&lg&ntime&cnzz_eid&showp&t&h&rnd

&

&r&lg&ntime&cnzz_eid&showp&t&h&rnd

&s

&&vF...v6&ag..&R.v6.T....l.<><><&<&><><<

<<<>>>

&s

<&&FN.n&FF.....tS<&>>>>><<&

<<<>>>

>>>&<><&<>

<<<>>>

>><><&<&&&><&x-.K>&&<<

<<<>>>

&r

&&&&&f&&

&r

&r

&r

&&&&&f&<

&WebID&DomainID&APID&Auth&Url&referer

&>>

&WebID&DomainID&APID&Auth&Url&referer

&>>

&r&lg&ntime&cnzz_eid&showp&t&h&rnd

&Auth&referer&utz

<><><><><><><><><><><><>

&cna

&cna

&cssurl&jsurl&returntype

<><<<><>&&>>

<<<>>>

&cssurl&jsurl&returntype

<>&<&<<>><<<&&<>><<>&&&

<<<>>>

&cssurl&jsurl&returntype

<><<<><>&&>>

<<<>>>

&cssurl&jsurl&returntype

<<<>>>

<><><><><><><><><><><><><><><><><><><><><><><><><><><

<<<>>>

>&&OnwCc..........7<&>&&<>>>>&>&&O.....

<<<>>>

>>>&<><&<>

<<<>>>

&&>&&&>>&&AH.<<<&<

<<<>>>

&rnd

&cna

&rnd

&cna

&cna

&rnd

&cna

&rnd

&cna

&cna

&cna

&s

<<&<&&><&v...........n...C.e.Z.......V.l9....m...><<>>&<<<<

<<<>>>

&s

><>>&&N..&>><>>><<<&>&<>

<<<>>>

<>>>>&T.....><>&>&><&&>&

<<<>>>

&height&SCUrl&gourl

&><<&<&&><>

<<<>>>

&height&SCUrl&gourl

&><<&<&&><>

<<<>>>

&height&SCUrl&gourl

&><<&<&&><>

<<<>>>

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<<>>>

<>>>>&T.....><>&>&><&&>&

<<<>>>

&ntime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<<>>>

&ntime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<<>>>

&ntime

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>“”“”<><>“”“”“”“”<><><>&lt

<<<>>>

&ntime

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<<>>>

&height&SCUrl&gourl&PID&Auth&Url

&<<>&<&&<<>>&><>

<<<>>>

<<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"<><><><>><><><><><><><><><><><><><><><><><><><><><><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>Á<><>""<><><><>"<><>&<><><>>><><><><><><><><>"<><>>">&>>><><><><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>""<><><><><><><><><><><><><><>""""<><>""<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>>&<><>Ü<><><><><""""><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>û<><><><><><><><><><><><><><><><><><><><><><><><><><>"<><><><>"<><><><><><><><><><><><><><><><><><><><>&<><>&<><><><>&<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"<><>"<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>