Gen.Variant.Symmi.52543_83338f2f54
Susp_Dropper (Kaspersky), Gen:Variant.Symmi.52543 (B) (Emsisoft), Gen:Variant.Symmi.52543 (AdAware)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 83338f2f546765c8fa80fea2d0528394
SHA1: 774536c8d7ec8f144913af236a2efe6a212aa876
SHA256: e2e2ecad9cd0cd33216f3a9ca9e66404a0582450d49d930fbf806c28d23476cb
SSDeep: 12288:6EyEA kzIKiu4wAX npXzf7RpJ2CPGZuPDHzHN:4ViHspTwCPGZuPDHzH
Size: 571904 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-27 00:10:16
Analyzed on: Windows7 SP1 32-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
Wakwwrf.exe:2620
Wakwwrf.exe:2924
WerFault.exe:1916
%original file name%.exe:2920
wermgr.exe:2968
The Malware injects its code into the following process(es):
Wakwwrf.exe:2788
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Wakwwrf.exe:2788 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_E5B7C247DD374C9617609A1C278E5E26 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1856 bytes)
C:\Windows\Temp\Tar3F70.tmp (2712 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Windows\Temp\Cab3F60.tmp (48 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_E5B7C247DD374C9617609A1C278E5E26 (2016 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1464 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
The Malware deletes the following file(s):
C:\Windows\Temp\Tar3F70.tmp (0 bytes)
C:\%original file name%.exe (0 bytes)
C:\Windows\Temp\Cab3F60.tmp (0 bytes)
The process WerFault.exe:1916 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Windows\Temp\WERBD37.tmp.WERInternalMetadata.xml (51864 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBD38.tmp.hdmp (38249 bytes)
C:\Windows\Temp\WERBDF4.tmp.mdmp (153216 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\Report.wer (184144 bytes)
C:\Windows\Temp\WERBD17.tmp.appcompat.txt (3888 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBDF4.tmp.mdmp (4545 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBD37.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WERBD38.tmp.hdmp (633402 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBD17.tmp.appcompat.txt (3 bytes)
The Malware deletes the following file(s):
C:\Windows\Temp\WERBD17.tmp (0 bytes)
C:\Windows\Temp\WERBD37.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WERBD37.tmp (0 bytes)
C:\Windows\Temp\WERBDF4.tmp.mdmp (0 bytes)
C:\Windows\Temp\WERBDF4.tmp (0 bytes)
C:\Windows\Temp\WERBD38.tmp (0 bytes)
C:\Windows\Temp\WERBD17.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WERBD38.tmp.hdmp (0 bytes)
The process %original file name%.exe:2920 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\Microsoft Mqammw\Wakwwrf.exe (5175905 bytes)
The process wermgr.exe:2968 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\Report.wer.tmp (192696 bytes)
Registry activity
The process Wakwwrf.exe:2924 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\Wsvhwr pjwvimtd]
"ConnectGroup" = "ĬÈ÷Ö×é"
"Description" = "Windowes 服务主进程"
The process Wakwwrf.exe:2788 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASAPI32]
"FileTracingMask" = "4294901760"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASMANCS]
"MaxFileSize" = "1048576"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"
[HKLM\System\CurrentControlSet\services\Wsvhwr pjwvimtd]
"MarkTime" = "2017-10-02 06:03"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Wakwwrf_RASAPI32]
"EnableConsoleTracing" = "0"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\System\CurrentControlSet\services\Wsvhwr pjwvimtd]
"DeleteFiles"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process WerFault.exe:1916 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\ObjectTable\144]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\ObjectTable\144\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\ObjectTable\144]
"_Usn_" = "Type: REG_QWORD, Length: 8"
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\LruList\0000000000000570]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\ObjectTable\144]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d"
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\LruList\0000000000000570]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"144" = "Type: REG_QWORD, Length: 8"
The process %original file name%.exe:2920 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\System\CurrentControlSet\services\Wsvhwr pjwvimtd]
"DeleteFiles" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Malware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process wermgr.exe:2968 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d"
Dropped PE files
| MD5 | File path |
|---|---|
| 0bad5080bfe9a51b16420c1bf460315d | c:\Program Files\Microsoft Mqammw\Wakwwrf.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Borland ????
Product Name: ???
Product Version: 7.0
Legal Copyright: ???? ? 1996-2002 Borland ????
Legal Trademarks:
Original Filename: DELPHI32.EXE
Internal Name: DELPHI32
File Version: 7.0.4.453
File Description: Delphi-32 ????
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2566 | 3072 | 3.99625 | 60acd2f753d533121d5ba4fa89be15aa |
| .rdata | 8192 | 794 | 1024 | 2.79106 | 93ccb4bd49a8a3407137108501f0a393 |
| .data | 12288 | 245916 | 246272 | 5.54298 | 485f88e94e964acade17a5c9de28db83 |
| .rsrc | 262144 | 323584 | 320512 | 4.00957 | e294b277ca1efd74d0274f2d662ac41a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://nds.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536 | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFkLoIvOqXUlJdYHL2zDUkA= | |
| hxxp://nds.qzone.qq.com/?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536 | |
| hxxp://cdn.globalsigncdn.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
| hxxp://cdn.globalsigncdn.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBoUmNA06OTrFrDalw== | |
| hxxp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536 | |
| hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFkLoIvOqXUlJdYHL2zDUkA= | |
| hxxp://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBoUmNA06OTrFrDalw== | |
| hxxp://i.qq.com/?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536 | |
| hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
| hxxp://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH | |
| dns.msftncsi.com | |
| 520hack.f3322.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /fcg-bin/cgi_get_portrait.fcg?uins=10115536 HTTP/1.1
Host: users.qzone.qq.com
HTTP/1.1 301 Moved Permanently
Server: stgw/1.3.2.1_1.11.1
Date: Mon, 02 Oct 2017 03:04:07 GMT
Content-Type: text/html
Content-Length: 192
Connection: keep-alive
Location: hXXps://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>stgw/1.3.2.1_1.11.1</center>
</body>
</html>
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBoUmNA06OTrFrDalw== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 02 Oct 2017 03:04:32 GMT
Content-Type: application/ocsp-response
Content-Length: 1570
Connection: keep-alive
Set-Cookie: __cfduid=d18f2fbead3f4db8a6f8608cbbc0172391506913472; expires=Tue, 02-Oct-18 03:04:32 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Mon, 02 Oct 2017 03:04:32 GMT
Expires: Fri, 06 Oct 2017 03:04:32 GMT
ETag: "b257a7380ec1787524bb2ce7ca604f9eb2984ee8"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: EXPIRED
Server: cloudflare-nginx
CF-RAY: 3a746f5290848b70-KBP
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6+MgGqMQQUYHtmGkUNl8qJUC99BM00qP/8/UsCCwQAAAAAAURO8EJH HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com
HTTP/1.1 200 OK
Date: Mon, 02 Oct 2017 03:04:27 GMT
Content-Type: application/ocsp-response
Content-Length: 1518
Connection: keep-alive
Set-Cookie: __cfduid=dc73a32bf8d6323498439066b2aa1d1741506913467; expires=Tue, 02-Oct-18 03:04:27 GMT; path=/; domain=.globalsign.com; HttpOnly
Last-Modified: Mon, 02 Oct 2017 00:56:48 GMT
Expires: Fri, 06 Oct 2017 00:56:48 GMT
ETag: "8ad12c47864c432163466cf254b3822edeb8f8c8"
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 3a746f31259b8ae6-KBP
GET /?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536 HTTP/1.1
Connection: Keep-Alive
Host: i.qq.com
Cookie: uin=; skey=
HTTP/1.1 302 Found
Date: Mon, 02 Oct 2017 03:04:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: TSW/Node.js
Cache-Control: no-cache
Vary: Origin, Accept
Mod-Map: platform_loginQzone:hybrid/app/platform/loginQzone/sync/sync.js
location: hXXps://i.qq.com/?s_url=http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=10115536&rd=1
0
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFkLoIvOqXUlJdYHL2zDUkA= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=396554, public, no-transform, must-revalidate
Last-Modified: Fri, 29 Sep 2017 17:10:02 GMT
Expires: Fri, 6 Oct 2017 17:10:02 GMT
Date: Mon, 02 Oct 2017 03:04:19 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=382258, public, no-transform, must-revalidate
Last-Modified: Fri, 29 Sep 2017 13:14:27 GMT
Expires: Fri, 6 Oct 2017 13:14:27 GMT
Date: Mon, 02 Oct 2017 03:04:13 GMT
Connection: keep-alive
The Malware connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
MSVCRT.dll
_acmdln
GetProcessHeap
KERNEL32.dll
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
imagehlp.dll
iphlpapi.dll
MFC42.DLL
MPRAPI.dll
MSVCP60.dll
NETAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
USERENV.dll
VERSION.dll
WININET.dll
WINMM.dll
WS2_32.dll
WTSAPI32.dll
ShellExecuteA
NetSyst96.dll
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
HorzScrollBar.Increment
VertScrollBar.Increment
Constraints.MinHeight
Constraints.MinWidth
ColorMap.FontColor
ColorMap.HighlightColor
ColorMap.BtnSelectedColor
ColorMap.UnusedColor
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
PersistentHotKeys
OnKeyPress
cbDesktopKeyPress
AutoHotkeys
ProjectImportTypeLibraryItem
ProjectImportTypeLibraryCommand
ComponentImportAXCItem
ComponentImportAXCCommand
WindowsMenu
WindowsMenuClick
Items.AutoHotKeys
OnExecute
ViewCustomizeCommandExecute
ImportTypeLibraryItemClick
ComponentImportAXC
"ToolsDebuggerOptionsCommandExecute
HelpInprisePageCommandExecute
HelpCommunityPageCommandExecute
&Windows API
Windows API
RunUntilReturnCommandExecute
ViewSaveDesktopCommandExecute
ViewRuntimeDesktopCommandExecute
ViewDeleteDesktopCommandExecute
ViewNextWindowExecute
&Windows SDK
Windows SDK
RunRunNoDebugCommandExecute
ViewStandardCommandExecute
ViewViewCommandExecute
ViewDebugCommandExecute
ViewCustomCommandExecute
ViewPaletteCommandExecute
ViewDesktopCommandExecute
IsDesignMsg
htKeyword
Picture.Data
7,1,43,14654
kugou.com Inc.
Copyright(C) 2004-2012 KuGou-Inc.All Rights Reserved
KuGou.dll
Port:
Login name:
Password:
08040000
7.0.4.453
DELPHI32.EXE
Wakwwrf.exe_2788_rwx_10001000_00348000:
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
This software is derived from the GNU GPL XviD codec (1.3.0).
Software\Microsoft\Windows\CurrentVersion\run
\StringFileInfo\%s\CompanyName
000%x
Software\Microsoft\Windows\CurrentVersion\Run
%d * %d:
(%d-d-d d:d:d)
<%s> %s
%d.%d.%d.%d
Ourlog
%s\*.*
%s%s%s
%s%s*.*
%Y-%m-%d %H:%M
%s : %u
InternalGetUdpTableWithOwnerPid
AllocateAndGetUdpExTableFromStack
InternalGetTcpTable2
AllocateAndGetTcpExTableFromStack
%d-%d-%d %d:%d:%d
hXXp://
\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
\Local Settings\History\History.IE5\index.dat
%Y-%m-%d %H:%M:%S
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\*.url
%sDocuments and Settings\%s\Favorites
%sUsers\%s\Favorites
192.168.1.2
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
:] %s
:] %d-%d-%d %d:%d:%d
%s\dllcache\magnify.exe
%s\dllcache\osk.exe
%s\dllcache\sethc.exe
%s\magnify.exe
%s\osk.exe
%s\sethc.exe
\dllcache\termsrvhack.dll
\termsrvhack.dll
%SystemRoot%\system32\termsrvhack.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
TSDISCON %s
LOGOFF %s
taskkill /f /im cmd.exe
cmd.exe
taskkill /f /im taskmgr.exe
taskmgr.exe
taskkill /f /im regedit.exe
regedit.exe
taskkill /f /im mmc.exe
mmc.exe
taskkill /f /im mstsc.exe
mstsc.exe
taskkill /f /im QQ.exe
QQ.exe
taskkill /f /im Maxthon.exe
Maxthon.exe
taskkill /f /im Firefox.exe
Firefox.exe
taskkill /f /im Chrome.exe
Chrome.exe
taskkill /f /im sogouexplorer.exe
sogouexplorer.exe
taskkill /f /im 360SE.exe
360SE.exe
taskkill /f /im IEXPLORE.exe
IEXPLORE.exe
taskkill /f /im s.exe
s.exe
PortNumber
%d/%d
\cmd.exe
explorer.exe
All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk
Microsoft\Network\Connections\pbk\rasphone.pbk
Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
%s\%s
AppData\Roaming\Microsoft\Network\Connections\pbk\rasphone.pbk
%USERPROFILE%
RasDialParams!%s#0
Iphlpapi.dll
rasphone.pbk
\Application Data\Tencent\Users\*.*
\AppData\Roaming\Tencent\Users\*.*
/IP (%s)
Net123.dat
mgui.exe
mcagent.exe
Pavsrv50.exe
SHesvchost.exe
onlinent.exe
pasvc.exe
fsaa.exe
vba32ldr.exe
spider.exe
ccapp.exe
bdnagent.exe
MsMpEng.exe
v3lsvc.exe
AYAgent.aye
avgui.exe
baidusdSvc.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
pccmain.exe
knsdtray.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
%d %c %d
1.1.4
xvid-1.3.2
%d st:%lld if:%d
XviDd%c
%Program Files%\Microsoft Mqammw
10115536
520hack.f3322.net
%Program Files%\Microsoft Mqammw\Wakwwrf.exe
hXXp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=%s
hXXp://VVV.ip138.com/ips138.asp?ip=%s&action=2
hXXp://dns.aizhan.com/?q=%s
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="keywords" content="QQ??,qzone,??,??,??,??,??,??,??,??,qq??,qq??,????,????" />
<link rel="apple-touch-icon" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad-retina.png">
<link rel="apple-touch-icon" sizes="76x76" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad.png">
<link rel="apple-touch-icon" sizes="120x120" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-iphone-retina.png">
<link rel="apple-touch-icon" sizes="152x152" href="hXXps://qzonestyle.gtimg.cn/qzone/v8/index/touch-icon-ipad-retina.png">
<link rel="icon" sizes="any" mask href="hXXps://qzonestyle.gtimg.cn/qzone/v8/img/Qzone.svg">
data = JSON.parse(msg.data);
data = str2JSON(msg.data);
switch (data.action) {ptlogin2_onClose && ptlogin2_onClose();
ptlogin2_onResize(data.width, data.height);
<link href="//qzonestyle.gtimg.cn/qzone_v6/proj_qzonelogin/qzonelogin.css?20130306" rel="stylesheet" media="screen" />
<link rel="Shortcut Icon" href="//qzonestyle.gtimg.cn/aoi/img/logo/favicon.ico?max_age=31536000" type="image/x-icon"/>
.linwei-login .icon_adv_logo{background-image: url('hXXps://qzonestyle.gtimg.cn/qzone/space_item/boss_pic/2429_2017_6/1497234257200_724951.png');<div class="lay_wrap lay_wrap_v2 linwei-login" id="lay">
<div class="lay_main clearfix" id="login_div" >
<div class="login_head">
<a id="small_url" href="//i.qq.com/" tabindex="-1" onclick="TCISD.pv('ihome.qzone.qq.com','advertise');"></a><div class="login_img" style="display:none">
<!-- <a id="small_url" href="//i.qq.com/" tabindex="-1" onclick="TCISD.pv('ihome.qzone.qq.com','advertise');"><span class="img_slogan"></span></a> --><!--<a href="#" tabindex="-1"><span class="img_wrap" style="background-image: url('../img/operate/default.png')"></span></a>--><!--???-->
<!-- <a id="adImgHref" href="hXXps://VVV.oppo.com/cn/product/r11/index.html?utm_source=QQzone&utm_medium=banner" target="_blank"><img id="adImg" src="hXXps://qzonestyle.gtimg.cn/qzone/space_item/boss_pic/2429_2017_8/1502443248680_439842.jpg"></a> -->
<a id="adImgHref" href="javascript:void(0)" target="_blank"><img id="adImg" src="hXXps://qzonestyle.gtimg.cn/qzone/space_item/boss_pic/2429_2017_8/1502443248680_439842.jpg" /></a>
<div class="login_wrap" style="height: 320px; box-shadow: none; width: 422px; visibility: visible; top: 0px; background: transparent;">
var url = location.search,
key = '',
if(url) {url = url.substr(1);
queryArr =url.split('&');for(var i = 0, len = queryArr.length; i < len; i ) {kvArr = queryArr[i].split('=');if(kvArr.length >= 2) {key = kvArr[0];
if('s_url' == key) {if(value.search(/^https?:\/\/(.*)\.qzone\.qq\.com\//) == -1 && value.search(/^https?:\/\/(.*)\.qzone\.com\//) == -1 && value.search(/^https?:\/\/gameapp\.qq\.com\//) == -1 && value.search(/^https?:\/\/nextradio\.qq\.com\//) == -1) {//????,???qzone.qq.com?qzone.com??value = encodeURIComponent('hXXps://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq');value = encodeURIComponent('hXXps://qzs.qzone.qq.com/qzone/v5/loginsucc.html?para=izone&from=iqq&specifyurl=' encodeURIComponent(value));var pt_no_auth = location.href.indexOf('?fl=1')>-1 ? 1 : 0;var src = 'hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=' encodeURIComponent('https:') '//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=' value '&pt_qr_app=??QQ??&pt_qr_link=http://z.qzone.com/download.html&self_regurl=' encodeURIComponent('https:') '//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html&pt_no_auth=' pt_no_auth;document.write('<iframe id="login_frame" name="login_frame" height="100%" scrolling="no" width="100%" frameborder="0" src="' src '"></iframe>');<div class="login_mask"></div>
<!--????-->
<div class="login_device">
<li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.iphone');" target="_blank"><i class="ui_icon icon_iphone"></i><span>iPhone</span></a></li><li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.ipad');" target="_blank"><i class="ui_icon icon_ipad"></i><span>iPad</span></a></li><li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.android');" target="_blank"><i class="ui_icon icon_android"></i><span>Android</span></a></li><li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.windowsphone');" target="_blank"><i class="ui_icon icon_windowsphone"></i><span>Windows Phone</span></a></li><li><a href="hXXp://z.qzone.com/download.html" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.otherphone');" target="_blank"><i class="ui_icon icon_other"></i><span>????</span></a></li><a href="hXXp://support.qq.com/discuss/46_1.shtml" target="_blank" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.suggestion');">????</a> |<a href="//qzone.qzone.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.officialqzone');" target="_blank">????</a> |<a href="//act.qzone.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.actqzone');" target="_blank">????</a> |<a href="//my.qzone.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.app');" target="_blank">????</a> |<a href="//user.qzone.qq.com/949589999/main" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.original');" target="_blank">????????</a><a href="hXXp://connect.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.connect');" target="_blank">QQ??</a> |<a href="hXXp://connect.qq.com/intro/login/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.qqlogin');" target="_blank">QQ??</a> |<a href="hXXp://connect.qq.com/intro/share/" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.socialpackage');" target="_blank">????</a> |<a href="hXXp://wiki.open.qq.com/wiki/投诉指引" 
onclick="TCISD.pv('ihome.qzone.qq.com','bottom.complaint');" target="_blank">??????</a> |<a href="hXXp://wiki.open.qq.com/wiki/Tencent_Open_Platform_Complaint_Guidelines" onclick="TCISD.pv('ihome.qzone.qq.com','bottom.complaint_guildlines');" target="_blank">Complaint Guidelines</a>2005 - 2017 Tencent.<a target="_blank" href="hXXp://VVV.tencent.com/en-us/le/copyrightstatement.shtml">All Rights Reserved.</a></p>
<p class="copyright_cn">???? <a href="hXXp://VVV.tencent.com/law/mo_law.shtml?/law/copyright.htm" target="_blank">????</a> <a href="hXXp://VVV.qq.com/culture.shtml" target="_blank">???[2014]0633-233?</a></p>
<p id="j-author-message"><span class="author-title"></span><a target="_blank" href="hXXp://ycg.qq.com/" onclick="TCISD.pv('ihome.qzone.qq.com','name_ziyi2');">nihao?????????</a></p><script type="text/javascript" src="//tajs.qq.com/stats?sId=52955029" charset="UTF-8"></script>
styleList = params.list || [];
for(var i = 0; i < styleList.length; i ) {item.bg = item.bg && item.bg.replace(/^https?/, 'https');
<script type="text/javascript" src="//qzonestyle.gtimg.cn/qzone/qzactStatics/configSystem/data/179/config1.js"></script>
if(styleList.length === 0){styleList.push({bg : "//qzs.qq.com/qzone/v6/v/v6/v6_config/upload/upfile_1759896_1352170422.jpg",
bg : "//qzs.qq.com/qzone/v6/v6_config/upload/upfile_1998047_1352170438.jpg"
bg : "//qzs.qq.com/qzone/v6/v6_config/upload/upfile_2040396_1352170450.jpg"
var randomData = Math.floor(Math.random() * styleList.length);
window.QZFL = window.QZFL || {};QZFL.pingSender = function(url,t,opts){var _s = QZFL.pingSender,iid,img;
if(!url){img.iid = iid;
img.onload = img.onerror = img.ontimeout = (function(t){evt = evt || window.event || {type:'timeout'};void(typeof(opts[evt.type]) == 'function'?setTimeout((function(et,ti){opts[et]({'type':et,'duration':((new Date()).getTime() - ti)});})(evt.type,t._s_),0):0);
QZFL.pingSender._clearFn(evt,t);
(typeof(opts.timeout) == 'function') && setTimeout(function(){img.ontimeout && img.ontimeout({type:'timeout'});},(typeof(opts.timeoutValue) == 'number'?Math.max(100,opts.timeoutValue):5000));
img._s_ = (new Date()).getTime();
img.src = url;
},(t = Math.max(0,t))):(img.src = url));
QZFL.pingSender._sndPool = {};QZFL.pingSender._sndCount = 0;
QZFL.pingSender._clearFn = function(evt,ref){var _s = QZFL.pingSender;
_s._sndPool[ref.iid] = ref.onload = ref.onerror = ref.ontimeout = ref._s_ = null;
delete _s._sndPool[ref.iid];
if(typeof(window.TCISD) == "undefined"){window.TCISD = {};TCISD.pv = function(sDomain,path,opts){TCISD.pv.send(sDomain,path,opts);
var pvSender = {send:function(domain,url,rDomain,rUrl){items.push({dm:domain,url:url,rdm:rDomain || "",rurl:rUrl || ""});timer = setTimeout(pvSender.doSend,5000);
if(items.length){var url;
for(var i = 0;i < items.length;i ){url = pvSender.getUrl(items.slice(0,items.length - i));
if(url.length < 2000){items = items.slice(Math.max(items.length - i,1));
QZFL.pingSender(url);
},getUrl:function(list){var data = {dm:escape(item.dm),url:escape(item.url),rdm:escape(item.rdm),rurl:escape(item.rurl),pgv_pvid:pvSender.getId(),sds:Math.random()};for(var i = 1;i < list.length;i ){ext.push([escape(p.dm),escape(p.url),escape(p.rdm),escape(p.rurl)].join(":"));if(ext.length){data.ex_dm = ext.join(";")param.push(p "=" data[p]);
var url = [TCISD.pv.config.webServerInterfaceURL,"?cc=-&ct=-&java=1&lang=-&pf=-&scl=-&scr=-&tt=-&tz=-8&vs=3.3&flash=&",param.join("&")].join("");return url;
t = document.cookie.match(TCISD.pv._cookieP);
if(t && t.length && t.length > 1){d = (Math.round(Math.random() * 2147483647) * (new Date().getUTCMilliseconds())) % 10000000000;
document.cookie = "pgv_pvid=" d "; path=/; domain=qq.com; expires=Sun, 18 Jan 2038 00:00:00 GMT;";
h = document.cookie.match(TCISD.pv._cookieSSID);
f = (Math.round(Math.random() * 2147483647) * (new Date().getUTCMilliseconds())) % 10000000000;
document.cookie = "pgv_info=ssid=s" f "; path=/; domain=qq.com;";
TCISD.pv.send = function(sDomain,path,opts){sDomain = sDomain || location.hostname || "-";
path = path || location.pathname;
opts.referURL = opts.referURL || document.referrer;
t = opts.referURL.split(TCISD.pv._urlSpliter);
t = t.split("/")t("/");r = "/" t.slice(3).join("/");opts.referDomain = opts.referDomain || d;
opts.referPath = opts.referPath || r;
pvSender.send(sDomain,path,opts.referDomain,opts.referPath);
TCISD.pv._urlSpliter = /[\?\#]/;
TCISD.pv._cookieP = /(?:^|; |\s )pgv_pvid=([^;]*)/i;
TCISD.pv._cookieSSID = /(?:^|; |\s )pgv_info=([^;]*)/i;
TCISD.pv.config = {webServerInterfaceURL:"//pingfore.qq.com/pingd"};window.TCISD = window.TCISD || {};TCISD.createTimeStat = function(statName,flagArr,standardData){var _s = TCISD.TimeStat,t,instance;
flagArr = flagArr || _s.config.defaultFlagArray;
t = flagArr.join("_");TCISD.markTime = function(timeStampSeq,statName,flagArr,timeObj){var ins = TCISD.createTimeStat(statName,flagArr);
ins.mark(timeStampSeq,timeObj);
TCISD.TimeStat = function(statName,flags,standardData){var _s = TCISD.TimeStat;
this.sName = statName;
this.flagStr = flags;
this.timeStamps = [null];
this.zero = _s.config.zero;
this.standard = standardData;
TCISD.TimeStat.prototype.getData = function(seq){if(seq && (t = this.timeStamps[seq])){d.setTime(this.zero.getTime());
r.zero = d;
d.setTime(t.getTime());
r.time = d;
r.duration = t - this.zero;
if(this.standard && (d = this.standard.timeStamps[seq])){r.delayRate = (r.duration - d) / d;
r.timeStamps = TCISD.TimeStat._cloneData(this.timeStamps);
TCISD.TimeStat._cloneData = function(obj){var res = obj.sort?[]:{};res[i] = TCISD.TimeStat._cloneData(obj[i]);
TCISD.TimeStat.prototype.mark = function(seq,timeObj){seq = seq || this.timeStamps.length;
this.timeStamps[Math.min(Math.abs(seq),99)] = timeObj || (new Date());
TCISD.TimeStat.prototype.merge = function(baseTimeStat){if(baseTimeStat && (typeof(baseTimeStat.timeStamps) == "object") && baseTimeStat.timeStamps.length){this.timeStamps = baseTimeStat.timeStamps.concat(this.timeStamps.slice(1));
if(baseTimeStat.standard && (x = baseTimeStat.standard.timeStamps)){if(!this.standard){this.standard = {};if(!(y = this.standard.timeStamps)){y = this.standard.timeStamps = {};for(var key in x){if(!y[key]){y[key] = x[key];
TCISD.TimeStat.prototype.setZero = function(od){if(typeof(od) != "object" || typeof(od.getTime) != "function"){this.zer
TCISD.TimeStat.prototype.report = function(baseURL){var _s = TCISD.TimeStat,url = [],t,z;
if((t = this.timeStamps).length < 1){url.push((baseURL && baseURL.split("?")[0]) || _s.config.webServerInterfaceURL);url.push("?");z = this.zero;
for(var i = 1,len = t.length;i < len; i){url.push(i,"=",t[i].getTime?(t[i] - z):t[i],"&");
t = this.flagStr.split("_");for(var i = 0,len = _s.config.maxFlagArrayLength;i < len; i){url.push("flag",i 1,"=",t[i],"&");if(_s.pluginList && _s.pluginList.length){for(var i = 0,len = _s.pluginList.length;i < len; i){(typeof(_s.pluginList[i]) == 'function') && _s.pluginList[i](url);
url.push("sds=",Math.random());QZFL.pingSender && QZFL.pingSender(url.join(""));TCISD.TimeStat._instances = {};TCISD.TimeStat._count = 0;
TCISD.TimeStat.config = {webServerInterfaceURL:"//isdspeed.qq.com/cgi-bin/r.cgi",defaultFlagArray:[175,115,1],maxFlagArrayLength:6,zero:window._s_ || (new Date())};TCISD.valueStat = function(statId,resultType,returnValue,opts){TCISD.valueStat.send(statId,resultType,returnValue,opts);
TCISD.valueStat.send = function(statId,resultType,returnValue,opts){var _s = TCISD.valueStat,_c = _s.config,t = _c.defaultParams,p,url = [];
statId = statId || t.statId;
resultType = resultType || t.resultType;
returnValue = returnValue || t.returnValue;
if(typeof(opts.reportRate) != "number"){opts.reportRate = 1;
opts.reportRate = Math.round(Math.max(opts.reportRate,1));
if(!opts.fixReportRateOnly && !TCISD.valueStat.config.reportAll && (opts.reportRate > 1 && (Math.random() * opts.reportRate) > 1)){url.push((opts.reportURL || _c.webServerInterfaceURL),"?");
url.push("flag1=",statId,"&","flag2=",resultType,"&","flag3=",returnValue,"&","1=",(TCISD.valueStat.config.reportAll?1:opts.reportRate),"&","2=",opts.duration,"&");if(typeof opts.extendField != 'undefined'){url.push("4=",opts.extendField,"&");QZFL.pingSender(url.join(""));TCISD.valueStat.config = {webServerInterfaceURL:"//isdspeed.qq.com/cgi-bin/v.cgi",defaultParams:{statId:1,resultType:1,returnValue:11,reportRate:1,duration:1000},reportAll:false};TCISD.hotClick = TCISD.hotClick || function(tag,domain,url,opt){TCISD.hotClick.send(tag,domain,url,opt);
TCISD.hotClick.send = function(tag,domain,url,opt){var _s = TCISD.hotClick,x = opt.x || 9999,y = opt.y || 9999,doc = opt.doc || document,w = doc.parentWindow || doc.defaultView,p = w._hotClick_params || {};url = url || p.url || w.location.pathname || "-";
domain = domain || p.domain || w.location.hostname || "-";
if(!_s.isReport()){url = [_s.config.webServerInterfaceURL,"?dm=",domain ".hot","&url=",escape(url),"&tt=-","&hottag=",tag,"&hotx=",x,"&hoty=",y,"&rand=",Math.random()];
TCISD.hotClick._arrSend = function(arr,doc){for(var i = 0,len = arr.length;i < len;i ){TCISD.hotClick.send(arr[i].tag,arr[i].domain,arr[i].url,{doc:doc});TCISD.hotClick.click = function(event,doc){var _s = TCISD.hotClick,tags = _s.getTags(QZFL.event.getTarget(event),doc);
TCISD.hotClick.getTags = function(dom,doc){var _s = TCISD.hotClick,tags = [],w = doc.parentWindow || doc.defaultView,rules = w._hotClick_params.rules,t;
for(var i = 0,len = rules.length;i < len;i ){tags.push(t);
TCISD.hotClick.defaultRule = function(dom){tag = dom.getAttribute("hottag");if(tag && tag.intag.indexOf("|") > -1){t = tag.split("|");TCISD.hotClick.config = TCISD.hotClick.config || {webServerInterfaceURL:"//pinghot.qq.com/pingd",reportRate:1,domain:null,url:null};TCISD.hotClick._reportRate = typeof TCISD.hotClick._reportRate == 'undefined'?-1:TCISD.hotClick._reportRate;
TCISD.hotClick.isReport = function(){var _s = TCISD.hotClick,rate;
if(_s._reportRate != -1){return _s._reportRate;
rate = Math.round(_s.config.reportRate);
if(rate > 1 && (Math.random() * rate) > 1){return(_s._reportRate = 0);
return(_s._reportRate = 1);
TCISD.hotClick.setConfig = function(opt){var _sc = TCISD.hotClick.config,doc = opt.doc || document,w = doc.parentWindow || doc.defaultView;
if(opt.domain){w._hotClick_params.domain = opt.domain;
if(opt.url){w._hotClick_params.url = opt.url;
if(opt.reportRate){w._hotClick_params.reportRate = opt.reportRate;
TCISD.hotAddRule = function(handler,opt){var _s = TCISD.hotClick,doc = opt.doc || document,w = doc.parentWindow || doc.defaultView;
w._hotClick_params.rules.push(handler);
return w._hotClick_params.rules;
TCISD.hotClickWatch = function(opt){var _s = TCISD.hotClick,w,l,doc;
doc = opt.doc = opt.doc || document;
w = doc.parentWindow || doc.defaultView;
w._hotClick_params.rules = [_s.defaultRule];
_s.setConfig(opt);
w.QZFL.event.addEvent(doc,"click",_s.click,[doc]);
if(typeof(window.TCISD) == 'undefined'){TCISD.stringStat = function(dataId,hashValue,opts){TCISD.stringStat.send(dataId,hashValue,opts);
TCISD.stringStat.send = function(dataId,hashValue,opts){var _s = TCISD.stringStat,_c = _s.config,t = _c.defaultParams,url = [],isPost = false,htmlParam,sd;
dataId = dataId || t.dataId;
isPost = (opts.method && opts.method == 'post')?true:false;
if(hashValue[i].length && hashValue[i].length > 1024){hashValue[i] = hashValue[i].substring(0,1024);
if(typeof(opts.reportRate) != 'number'){if(opts.reportRate > 1 && (Math.random() * opts.reportRate) > 1){if(isPost && QZFL.FormSender){hashValue.dataId = dataId;
hashValue.sds = Math.random();
var sd = new QZFL.FormSender(_c.webServerInterfaceURL,'post',hashValue,'UTF-8');
sd.send();
htmlParam = TCISD.stringStat.genHttpParamString(hashValue);
url.push(_c.webServerInterfaceURL,'?');
url.push('dataId=',dataId);url.push('&',htmlParam,'&');url.push('ted=',Math.random());QZFL.pingSender(url.join(''));TCISD.stringStat.config = {webServerInterfaceURL:'//s.isdspeed.qq.com/cgi-bin/s.fcg',defaultParams:{dataId:1,reportRate:1,method:'get'}};TCISD.stringStat.genHttpParamString = function(o){res.push(k '=' window.encodeURIComponent(o[k]));
return res.join('&');window.QZFL = window.QZONE = window.QZFL || window.QZONE || {};QZFL.dom = {return _doc.compatMode == "CSS1Compat"?_doc.documentElement.clientHeight:_doc.body.clientHeight;
return _doc.compatMode == "CSS1Compat"?_doc.documentElement.clientWidth:_doc.body.clientWidth;
QZFL.css = {var _s = QZFL.css;
return names && ((elem && elem.classList && !_s._reClassToken.test(names))?elem.classList.add(names):_s.updateClassName(eName(elem,nu
return names && ((elem && elem.classList && !_s._reClassToken.test(names))?elem.classList.remove(names):_s.updateClassName(elem,names));
if(!elem || elem.nodeType != 1){var oriName = elem.className,_s = QZFL.css,ar,b;
ar = oriName.split(_s._reClassToken);
var i = 0,l = ar.length,n;
ar = addNames.split(_s._reClassToken);
l = ar.length;
ar = removeNames.split(_s._reClassToken);
ar.length = 0;
ar.push(k);
oriName = ar.join(' ');elem.className = oriName;
QZFL.event = {if(!obj.eventsListUID){obj.eventsListUID = "e" ( QZFL.event._objSeqUID);
if(!(l = QZFL.event._eventListDictionary[obj.eventsListUID])){l = QZFL.event._eventListDictionary[obj.eventsListUID] = {};fn.__elUID = "e" ( QZFL.event._fnSeqUID) obj.eventsListUID;
if(!l[eventType].handlers){l[eventType].handlers = {};handlers = l[eventType].handlers;
return fn.apply(obj,!argArray?[QZFL.event.getEvent(evt)]:([QZFL.event.getEvent(evt)]).concat(argArray));
if(obj.addEventListener){obj.addEventListener(eventType,cfn,false);
}else if(obj.attachEvent){res = obj.attachEvent("on" eventType,cfn);var evt = window.event || evt || null,c,_s = QZFL.event.getEvent,ct = 0;
c = arguments.callee;
while(c && ct < _s.MAX_LEVEL){if((evt = c.arguments[0]) && (typeof(evt.button) != "undefined" && typeof(evt.ctrlKey) != "undefined")){c = c.caller;
var $ = QZFL.dom.getById;
QZONE.LoginPage = {var lp = QZONE.LoginPage,sl_url = $('small_url');bg_img.src = '';
bg_img.src = styleList[randomData].bg;
if(styleList[randomData].logoColor){var logoColor = styleList[randomData].logoColor;
QZFL.css.addClassName(document.body, "mode_dark");
QZFL.css.addClassName(document.body,'mode_dark');
if(styleList[randomData].bottomColor){var bottomColor = styleList[randomData].bottomColor;
QZFL.css.addClassName(document.body, "mode_dark_footer");
QZFL.css.addClassName(document.body,'mode_dark_footer');
if(styleList[randomData].authorSign){if(!styleList[randomData].authorPrev){styleList[randomData].authorPrev = "";
if(styleList[randomData].authorHref){href = getUrl(styleList[randomData].authorHref);
document.getElementById("j-ad("j-author-message").innerHTML = '<span class="author-title">' styleList[randomData].authorPrev '</span><a target="_blank" href="' href '" onclick="TCISD.pv(\'ihome.qzone.qq.com\',\'' styleList[randomData].author_pv_key '\');">' styleList[randomData].authorSign '</a>';
document.getElementById("j-author-message").innerHTML = "???";function getUrl(url){var http = "";
if(url){if(url.toLowerCase().indexOf("hXXp://") == -1 && url.toLowerCase().indexOf("hXXps://") == -1){http = window.location.protocol "//";
return http url;
TCISD.pv('ihome.qzone.qq.com',styleList[randomData].pv_key);var sUrl = getParameter(location.href, 's_url');
sUrl = decodeURIComponent(sUrl).replace(/https?:\/\//g, '').replace(/\/\d /g, '').replace(/[\?\#](.?) |$/g, '');
TCISD.pv('user.qzone.qq.com', sUrl);bg_img.onload = function(){QZFL.css.addClassName(bg_img,'lay_background_img_fade_out');
lp.resizeBackground();
window.onload = function(){lp.setLoginDivTop();
sl_url.href = p_smallUrl || '//i.qq.com/';
p_smallPic = '//qzs.qq.com/qzone/v6/v6_config/upload/' p_smallPic;
if(window.ActiveXObject && (navigator.userAgent.indexOf('MSIE 6.0') > -1)){document.execCommand('BackgroundImageCache',false,true);sl_url.innerHTML = '<span class="img_wrap" style="background-image:url(\'' p_smallPic '\');_filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'' p_smallPic '\');_background-image:none;">';
sl_url.innerHTML = '<img id="small_pic" src="' p_smallPic '" alt="" />';
sl_url.innerHTML = '<span class="img_slogan"></span>';
window.onresize = function(){TCISD.pv('ihome.qzone.qq.com','login/i');cw = QZFL.dom.getClientWidth(),
ch = QZFL.dom.getClientHeight(),
iw = bg_img.width,
ih = bg_img.height;
bg.style.width = cw "px";
bg.style.height = ch "px";
bg_img.style.width = cw "px";
bg_img.style.height = new_h "px";
bg_img.style.top = imgTop "px";
bg_img.style.left = "";
bg_img.style.width = new_w "px";
bg_img.style.height = ch "px";
bg_img.style.left = imgLeft "px";
bg_img.style.top = "";
setLoginDivTop:function(){var dom_height = QZFL.dom.getClientHeight();
if(window.ActiveXObject && (navigator.userAgent.indexOf('MSIE 6.0') > -1) && dom_height < 600){$('lay').style.height = '600px';$('lay').style.height = '';$('login_div').style.top = change_top "px";$('login_div').style.top = "100px";QZONE.LoginPage.bootStrap();
var qq = getParameter(location.href, 'qzoneInIframe');
TCISD.stringStat(1000100, {reportRate: 1
var adImgHref = document.getElementById('adImgHref');var adImg = document.getElementById('adImg');var adH5Iframe = document.getElementById('adH5Iframe');adImg && adImg.addEventListener('load',function(e){img.src = '//h5.qzone.qq.com/proxy/domain/boss.qzone.qq.com/fcg-bin/fcg_rep_multiple_strategy?from=1&uin=' '1020869159' '&bosstrace=' '2429_185135_721_1_100162_73138' '&qboper=1';
adImg && adImg.addEventListener('click',function(e){img.src = '//h5.qzone.qq.com/proxy/domain/boss.qzone.qq.com/fcg-bin/fcg_rep_multiple_strategy?from=1&uin=' '1020869159' '&bosstrace=' '2429 '2429_185135_721_1_100162_73138' '&qboper=2';
window.open('hXXps://VVV.oppo.com/cn/product/r11/index.html?utm_source=QQzone&utm_medium=banner');adH5Iframe && adH5Iframe.addEventListener('load', function (e) {window.addEventListener('message', function (e) {if(e.origin !== ''){img.src = '//h5.qzone.qq.com/proxy/domain/boss.qzone.qq.com/fcg-bin/fcg_rep_multiple_strategy?from=1&uin=' '1020869159' '&bosstrace=' '2429_185135_721_1_100162_73138' '&qboper=2';
Wakwwrf.exe
2017-10-02 06:03
C:\Windows\Wakwwrf.dat
~~}}}~~}}}
PeekNamedPipe
DisconnectNamedPipe
CreatePipe
WinExec
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
MapVirtualKeyA
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
ExitWindowsEx
EnumWindows
InternetOpenUrlA
.text
`.rodata
`.rotext
`.rdata
@.data
.rsrc
@.reloc
""""$$$$&&&&((((****,,,,....00002222444466668888::::<<<<>>>>
#*1892 $
%,3:;4-&
'.5<=6/7>?
"#()01* $%&',-./2389:;4567<=>?
"*2:# 3;
$,4<%-5=
&.6>'/7?
iphlpapi.dll
lIngress.exe
arpguard.exe
zrclient.exe
zrupdate.exe
zreboot.exe
This user account is used by the Visual Studio .NET Debugger
ntdll.dll
svchost.exe_1768:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Wakwwrf.exe:2620
Wakwwrf.exe:2924
WerFault.exe:1916
%original file name%.exe:2920
wermgr.exe:2968
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_E5B7C247DD374C9617609A1C278E5E26 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1856 bytes)
C:\Windows\Temp\Tar3F70.tmp (2712 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
C:\Windows\Temp\Cab3F60.tmp (48 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_E5B7C247DD374C9617609A1C278E5E26 (2016 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_C37EB0A02CA707BDA9677EF4ED9290A5 (1464 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C (1 bytes)
C:\Windows\Temp\WERBD37.tmp.WERInternalMetadata.xml (51864 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBD38.tmp.hdmp (38249 bytes)
C:\Windows\Temp\WERBDF4.tmp.mdmp (153216 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\Report.wer (184144 bytes)
C:\Windows\Temp\WERBD17.tmp.appcompat.txt (3888 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBDF4.tmp.mdmp (4545 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBD37.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WERBD38.tmp.hdmp (633402 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\WERBD17.tmp.appcompat.txt (3 bytes)
%Program Files%\Microsoft Mqammw\Wakwwrf.exe (5175905 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wakwwrf.exe_12589fa445ed79ee1f24da8c301a19ca792ac2b2_cab_077bbe8d\Report.wer.tmp (192696 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
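The manual removal steps above, written out as a hunt-and-clean script. This is an added example and not part of the Lavasoft report: the drop path `%Program Files%\Microsoft Mqammw\Wakwwrf.exe`, the data file `C:\Windows\Wakwwrf.dat`, the process name `Wakwwrf.exe` and the hostname `520hack.f3322.net` are taken from the strings and file activity listed in this report; the `-Remove` switch, the empty-folder cleanup and the DNS-cache and hosts-file checks are the editor's own additions. It is meant to be run from an elevated PowerShell prompt on the suspect host.

```powershell
<#
  Added example (not part of the Lavasoft report): look for the artifacts this
  report names and, with -Remove, carry out the manual removal steps above.
  Only the file paths, process name and hostname come from the report; the
  script structure, the -Remove switch and the network checks are assumptions.
  Run from an elevated PowerShell prompt.
#>
param([switch]$Remove)

# Indicators taken from the report's string dump and file-activity list.
$iocFiles = @(
    (Join-Path $env:ProgramFiles 'Microsoft Mqammw\Wakwwrf.exe'),   # dropped copy
    (Join-Path $env:windir       'Wakwwrf.dat')                     # data file
)
$iocProcess = 'Wakwwrf'              # Get-Process takes the name without .exe
$iocHost    = '520hack.f3322.net'    # dynamic-DNS hostname found in the strings

$findings = New-Object System.Collections.Generic.List[string]

# 1. Running copies of the dropped executable (report: Wakwwrf.exe:2620, :2924, ...).
foreach ($p in Get-Process -Name $iocProcess -ErrorAction SilentlyContinue) {
    $findings.Add("process $($p.Name) pid $($p.Id) path $($p.Path)")
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Files on disk. Hash before deleting so the sample can be matched later.
foreach ($f in $iocFiles) {
    if (Test-Path -LiteralPath $f) {
        $sha256 = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("file $f sha256 $sha256")
        if ($Remove) {
            Remove-Item -LiteralPath $f -Force
            # Remove the look-alike "Microsoft Mqammw" folder once it is empty.
            $dir = Split-Path -Parent $f
            if ((Split-Path -Leaf $dir) -eq 'Microsoft Mqammw' -and
                -not (Get-ChildItem -LiteralPath $dir -Force)) {
                Remove-Item -LiteralPath $dir -Force
            }
        }
    }
}

# 3. Evidence of contact with the hostname: resolver cache and hosts file.
#    The name is deliberately not resolved here, so the check stays offline.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($e in Get-DnsClientCache |
                   Where-Object { $_.Entry -like "*$iocHost*" -or $_.RecordName -like "*$iocHost*" }) {
        $findings.Add("dnscache $($e.Entry) -> $($e.Data)")
    }
}
$hostsFile = Join-Path $env:windir 'System32\drivers\etc\hosts'
if ((Test-Path -LiteralPath $hostsFile) -and
    (Select-String -LiteralPath $hostsFile -Pattern ([regex]::Escape($iocHost)) -Quiet)) {
    $findings.Add("hosts-file entry for $iocHost")
}

# 4. Report.
if ($findings.Count -eq 0) {
    'No artifacts from this report were found.'
} else {
    $findings
    if ($Remove) { 'Removal attempted; reboot and re-run without -Remove to confirm.' }
}
```

Run it once without `-Remove` to record what is present (the SHA256 of any file found lets you compare the copy on disk with the hashes at the top of this report), then with `-Remove` to terminate the process and delete the files, and reboot as the final step above says. `Get-DnsClientCache` is not available on Windows 7, where the report's analysis ran; on such hosts the script skips that check and `ipconfig /displaydns` is the manual equivalent.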