Dropped.Trojan.Agent.37016_bd2c880c27

by malwarelabrobot on November 9th, 2016 in Malware Descriptions.

Trojan.MSIL.Inject.ablai (Kaspersky), Dropped:Trojan.Agent.37016 (B) (Emsisoft), Dropped:Trojan.Agent.37016 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bd2c880c2779ac15aad00ada1b04cd0b
SHA1: d91fce68dcea8dd22799d0de1a20da47998e2af7
SHA256: 99687c81810f823a5950d366931fbb584706e5b95d6ebfa6540b54c0f1f08605
SSDeep: 12288:bN1r4wwrxfRM1zHRKy9e aGjEUme0o i7X30skNNTl6TYGU0YG8GKH:bX4tVSJRK9 4lnox3lKN y0Yd9
Size: 649201 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):

natural.exe:260
natural.exe:3100

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
b55a422f81b798459f38d95346e2e6ef c:\Program Files\Mozilla Firefox\firefox334.exe
fa8555760bd65c55c25ff34945bbdad9 c:\Program Files\jesse\expensively.exe
8be6c20a688a00ae9301fca6e5229a73 c:\Program Files\sluttish\natural.exe
32d4bc53263835b0e4cf900714a57741 c:\Users\"%CurrentUserName%"\AppData\Local\100724.exe
8749f1c8fc54d4462dd3aca5d3df367a c:\Users\"%CurrentUserName%"\AppData\Local\13740.exe
7a5f1283b52628c3863f7964867782b8 c:\Users\"%CurrentUserName%"\AppData\Local\30714.exe
84b852f1a69ef29539ea473ec7eceb63 c:\Users\"%CurrentUserName%"\AppData\Local\61458.exe
c58c90999978ef3e7c02fac4bc4c736b c:\Users\"%CurrentUserName%"\AppData\Local\83382.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5A8F.tmp\ExecCmd.dll
8be6c20a688a00ae9301fca6e5229a73 c:\Windows\reno.exe

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before any DNS lookup. The modified file is 987 bytes in size. The following entries are added to the hosts file (note that both virustotal.com host names are redirected to 162.222.194.13, the same address used for cocomo.tremorhub.com, while validation.sls.microsoft.com is pointed at 127.0.0.1):

127.0.0.1 validation.sls.microsoft.com
162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 253952 2536 2560 3.13983 5b5a2d9d119a78aca9bef9d54b647674

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 477

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /bck.php?1478557142000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-5.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 07 Nov 2016 22:22:29 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-5.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1478557144.E5493D25C24B4F4A54DA27D7611DD4BD.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1900959323.1478557144; _gat=1


HTTP/1.1 200 OK
Date: Mon, 07 Nov 2016 22:19:02 GMT
Content-Type: image/png
Content-Length: 2536
Connection: keep-alive
Last-Modified: Thu, 10 Jul 2014 23:39:15 GMT
ETag: "a1c81-9e8-4fddf55270ec0"
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes

GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-5.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 08 Nov 2016 06:26:11 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Tue, 08 Nov 2016 06:26:11 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-5.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 08 Nov 2016 06:26:10 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Tue, 08 Nov 2016 06:26:10 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: thm.vidvib.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 07 Nov 2016 22:19:34 GMT
Content-Type: application/xml
Content-Length: 82
Connection: keep-alive
Last-Modified: Fri, 20 Jun 2014 22:54:54 GMT
ETag: "1000000015848-52-4fc4c61b7eb80"
Server: NetDNA-cache/2.2
Expires: Thu, 02 Nov 2017 22:19:34 GMT
Cache-Control: max-age=31104000
X-Cache: HIT
Accept-Ranges: bytes
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>



GET /abcd.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: thm.vidvib.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 07 Nov 2016 22:19:34 GMT
Content-Type: video/mp4
Content-Length: 5784
Connection: keep-alive
Last-Modified: Sun, 04 May 2014 13:45:24 GMT
ETag: "10000000157fb-1698-4f8933a030500"
Server: NetDNA-cache/2.2
Expires: Thu, 02 Nov 2017 22:19:34 GMT
Cache-Control: max-age=31104000
X-Cache: HIT
Accept-Ranges: bytes

GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.ivids.net/page-5.htm?lid=937115
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 08 Nov 2016 06:26:12 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Tue, 10 Oct 2017 06:26:12 GMT
Connection: close
Content-Type: application/x-shockwave-flash

GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chevallemma.pw/default1.php?id=14ASuOantM5EdWhenu8i&date=2016-10-28&p=none&t=
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 07 Nov 2016 22:18:55 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=d329072cef8e35c782d4df421c85c8f271478557134; expires=Tue, 07-Nov-17 22:18:54 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1478557135.0; expires=Sat, 06-Nov-2021 22:18:55 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1478557135348244617; expires=Wed, 07-Nov-2018 22:18:55 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 2fe429eda0f74ecc-DME



GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=E5493D25C24B4F4A54DA27D7611DD4BD&sc_random=0.6212423037842605&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.ivids.net/page-5.html?lid=937115&u=http://VVV.ivids.net/page-5.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-5.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d329072cef8e35c782d4df421c85c8f271478557134; is_unique=sc10114910.1478557135.0; is_visitor_unique=1478557135348244617


HTTP/1.1 200 OK
Date: Mon, 07 Nov 2016 22:19:02 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1478557135.0-10675947.1478557142.0; expires=Sat, 06-Nov-2021 22:19:02 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1478557135348244617; expires=Wed, 07-Nov-2018 22:19:02 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 2fe42a1be41c4ecc-DME


GET /draw/?w=colored&n=1558&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chevallemma.pw/default1.php?id=14ASuOantM5EdWhenu8i&date=2016-10-28&p=none&t=
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Cookie: uid=CgH9IFgg/c24DxxpE2TuAg==
Connection: Keep-Alive
Host: widgets.amung.us


HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Mon, 07 Nov 2016 22:18:55 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Wed, 07 Dec 2016 22:18:55 GMT
Cache-Control: max-age=2592000

GET /default1.php?id=14ASuOantM5EdWhenu8i&date=2016-10-28&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.chevallemma.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 915
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Mon, 07 Nov 2016 22:00:25 GMT
Vary: Accept-Encoding
Age: 1107
X-Cache: Hit from cloudfront
Via: 1.1 6fd049110ebc3ac6deddab8b0bf5d686.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4934D_E2Qd9ohKLYVZetiUJYqpECxhizeaD2Ek4xOVdsfrnjdkKezg==

GET /func.js?r=5 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.chevallemma.pw/default1.php?id=14ASuOantM5EdWhenu8i&date=2016-10-28&p=none&t=
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.chevallemma.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Thu, 13 Oct 2016 00:18:15 GMT
Vary: Accept-Encoding
Age: 1108
X-Cache: Hit from cloudfront
Via: 1.1 6fd049110ebc3ac6deddab8b0bf5d686.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pbEK__N-MxdjjNLf3A9d6NQwCZq5K70zm8z7zWz4BnM7slUptQapgQ==

GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-5.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 08 Nov 2016 06:26:10 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Tue, 10 Oct 2017 06:26:10 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape('
expensively.exe_3740:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsy5A8F.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5A8F.tmp\ExecCmd.dll
"%Program Files%\sluttish\natural.exe"
mp\ExecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5A8F.tmp
nsy5A8F.tmp
rogram Files\sluttish\natural.exe"
ecCmd.dll
ural.exe" | %SystemRoot%\System32\find /I "natural.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5A8F.tmp
"%Program Files%\jesse\expensively.exe"
%Program Files%\jesse
expensively.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsn46CF.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\jesse\expensively.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
se\expensively.exe"
ttish\natural.exe"

taskeng.exe_644:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
8 8$8(878
3=4Z4w4
=!=(=0=4=?=>>
5 5U5_5
5b6u6
-131J1X1o1}1
=$=<=\=|=
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
ieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514

natural.exe_3100_rwx_00402000_00009000:

.hP9)h

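The dump sections above are raw extracted strings, and the useful indicators (the dropped-file paths, the Run key, the NSIS installer traces in expensively.exe, the "| find /I "natural.exe"" process check) sit next to noise and next to strings from a legitimate Windows binary. The following triage helper is an added example written for this page; it is not output of the Lavasoft system and not code from the sample. It assumes the dump layout shown here (a header of the form image_pid or image_pid_rwx_base_size, then one string per line) and the report's own defanging convention (hXXp:// and VVV. for www., taken from the Referer line in the capture above). The embedded sample dump is constructed from lines on this page, and the classification heuristics, including the rule that flags a section full of Win7 build-tree paths and a .pdb name as the genuine OS image rather than an indicator, are the example's own assumptions.

```python
import re
import sys
from collections import defaultdict

# Section header as the report prints it: image_pid or image_pid_rwx_base_size
HEADER_RE = re.compile(
    r"^(?P<image>[\w.\-]+?)_(?P<pid>\d+)(?:_rwx_[0-9A-Fa-f]{8}_[0-9A-Fa-f]{8})?:$")
# The report writes the user name as "%CurrentUserName%" inside paths, so a
# path token may contain double quotes; it ends at whitespace or a pipe.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%[A-Za-z ]+%)\\[^\s|]+')
REG_RE = re.compile(r"^(?:HK(?:LM|CU)|HKEY_[A-Z_]+|\.DEFAULT|Software|SOFTWARE)\\[\w\\ ]+$")
URL_RE = re.compile(r"h[xX]{2}ps?://\S+")        # the report defangs http as hXXp
NSIS_RE = re.compile(
    r"nsis\.sf\.net|Nullsoft Install System|~nsu\.tmp|ExecCmd\.dll|\\ns\w{4,}\.tmp")
MS_BUILD_RE = re.compile(r"^d:\\w7rtm\\|\.pdb$")  # Win7 RTM source tree / symbol file
FIND_PIPE_RE = re.compile(r'\|\s*\S*find /I "', re.IGNORECASE)  # "... | find /I" check

# Constructed sample (assumed input) in the shape of the dump sections above.
SAMPLE_DUMP = r"""expensively.exe_3740:

hXXp://nsis.sf.net/NSIS_Error
"%Program Files%\sluttish\natural.exe"
ural.exe" | %SystemRoot%\System32\find /I "natural.exe"
"%Program Files%\jesse\expensively.exe"
Software\Microsoft\Windows\CurrentVersion\Run
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5A8F.tmp\ExecCmd.dll
<description>Nullsoft Install System v2.46</description>

taskeng.exe_644:
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
TaskEng.pdb
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

natural.exe_260_rwx_00332000_00009000:
.hP9)h
"""


def refang(url):
    """Undo the report's defanging: hXXp -> http, VVV. -> www."""
    url = re.sub(r"^h[xX]{2}p", "http", url)
    return re.sub(r"://VVV\.", "://www.", url)


def parse_dump(text):
    """Map each section header (without the trailing colon) to its strings."""
    sections, current = {}, None
    for line in text.splitlines():
        if HEADER_RE.match(line):
            current = line[:-1]
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def classify(s):
    """Return the (kind, value) indicators found in one extracted string."""
    found = [("url", refang(m.group(0))) for m in URL_RE.finditer(s)]
    if REG_RE.match(s):
        run = s.lower().endswith("\\currentversion\\run")
        found.append(("run_key" if run else "registry", s))
    if NSIS_RE.search(s):
        found.append(("installer_marker", s))
    if MS_BUILD_RE.search(s):
        # Build-tree paths and a .pdb name are what the genuine Microsoft
        # binary carries; record them so the section can be recognised as such.
        found.append(("ms_build_artifact", s))
    if FIND_PIPE_RE.search(s):
        found.append(("process_check_cmdline", s))
    found += [("path", m.group(0).rstrip('"')) for m in PATH_RE.finditer(s)]
    return found


def triage(text):
    """Per dump section: indicators grouped by kind, deduplicated and sorted."""
    report = {}
    for header, strings in parse_dump(text).items():
        buckets = defaultdict(set)
        for s in strings:
            for kind, value in classify(s):
                buckets[kind].add(value)
        report[header] = {k: sorted(v) for k, v in buckets.items()}
    return report


def looks_like_microsoft_image(section):
    """Heuristic: build artifacts without installer markers suggests the dump
    is the real OS binary (here taskeng.exe), not something to act on."""
    return bool(section.get("ms_build_artifact")) and not section.get("installer_marker")


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for header, kinds in triage(text).items():
        note = "  [likely genuine Microsoft image]" if looks_like_microsoft_image(kinds) else ""
        print(header + note)
        for kind, values in sorted(kinds.items()):
            for v in values:
                print(f"  {kind:22} {v}")
```

Run it with the path of a saved "Strings from Dumps" text as the only argument, or with no argument to process the embedded sample. Paths are kept with the report's "%CurrentUserName%" placeholder so they can be matched against the dropped-file table directly; truncated fragments such as the "ers\"%CurrentUserName%"..." lines are ignored because they have no drive letter or environment variable in front of them.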

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): no new processes were recorded during analysis, but the dumps above show injected code in natural.exe (PIDs 260 and 3100), so end those instances first.
  2. Delete the original Dropped file and the dropped PE files listed above (including %Program Files%\sluttish\natural.exe and %Program Files%\jesse\expensively.exe).
  3. Check the Run key referenced in the expensively.exe strings (Software\Microsoft\Windows\CurrentVersion\Run) for values pointing at the dropped files and remove them.
  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
