Dropped.Trojan.GenericKD.3853499_1944119093

by malwarelabrobot on December 16th, 2016 in Malware Descriptions.

Dropped:Trojan.GenericKD.3853499 (B) (Emsisoft), Dropped:Trojan.GenericKD.3853499 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 194411909341b5ea2e2ddac82348a3b8
SHA1: 245b8977f82a04c7e8eb16a300db2a57fa50a949
SHA256: 9a59a429ccb9f503e96d82ae8a507f357137f8f102be749cc2e56ea88790d3ee
SSDeep: 12288:bg1rVgiwnxfTMOMb4iiTzXSJVkTRKgLcMl3 xqNGGyPebG0fNTuS:bkwVoOoISJSFflQqyPeCA6S
Size: 789661 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Application soft company
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The file-activity monitor recorded no created files; the PE files that were nevertheless present on disk after execution are listed under Dropped PE files below.

Registry activity

Dropped PE files

MD5 File path
102bb0ae405aec6784788b4f1a8843c3 c:\Program Files\Jammed\brogue.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\Reinvents\Microsoft.Win32.TaskScheduler.dll
448ee94bf242b103fde1c14e541bcc5b c:\Program Files\Reinvents\brogue.exe
4a899c6f21da2f4412d93a9dbff95f9a c:\Program Files\Reinvents\settings.dll
0fa5bade7984f098fc55e7716c0b25b3 c:\Program Files\manchester\thirsty.exe
8749f1c8fc54d4462dd3aca5d3df367a c:\Users\"%CurrentUserName%"\AppData\Local\22483.exe
1721d24802ee7a007fb74556ec6e1678 c:\Users\"%CurrentUserName%"\AppData\Local\37249.exe
b63fdb3f8bb5dfd5e9cd40dca879c2b8 c:\Users\"%CurrentUserName%"\AppData\Local\50958.exe
34b704ab9563fbfb5ac2a7cc6624dcb3 c:\Users\"%CurrentUserName%"\AppData\Local\73558.exe
e6af745e43bb3f2023e26ff0f240a186 c:\Users\"%CurrentUserName%"\AppData\Local\91461.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp5004.tmp\ExecCmd.dll
102bb0ae405aec6784788b4f1a8843c3 c:\Windows\glared.exe

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before any DNS query, so an entry here silently overrides DNS for that name on the victim machine.
The modified file is 1053 bytes in size. The following entries are added to the hosts file. Read together they do three things: validation.sls.microsoft.com, the Windows licensing validation host, is pointed at loopback, so validation lookups fail silently; www.virustotal.com and virustotal.com are pointed at 192.192.3.8, so the victim can no longer reach VirusTotal from this machine; and aoaomo.tremorhub.com, www.howcast.com and howcast.com are pointed at 162.222.193.86, in the same /24 as ww.worriedlyflacks.pw (162.222.193.17 in the URL table below), so the requests to those Host names in the traffic capture are answered by the operator's server rather than the legitimate one. Note that the responses for howcast.com, aoaomo.tremorhub.com and worriedlyflacks.pw in the capture all carry the same Server banner, Apache/2.2.22 (Win64) PHP/5.3.13.

127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com
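
A check that flags the kinds of hosts-file entries listed above, as an added example that is not part of the Lavasoft report. SAMPLE_HOSTS is constructed from the six entries the report lists plus a stock comment header; WATCHED_SUFFIXES is an assumed watch-list, not something the report defines. The script is generic rather than tied to this sample: it classifies any hosts file into names blackholed to loopback or 0.0.0.0, names hijacked to a public address, and a single public address standing in for several unrelated domains, which is what the 162.222.193.86 lines do here.

```python
"""Added example (not part of the Lavasoft report): parse a Windows hosts file and
flag the kinds of entries this sample writes.  SAMPLE_HOSTS is constructed from the
six lines the report lists plus the stock comment header."""
import ipaddress
from collections import defaultdict

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com
"""

# Names malware tends to sinkhole or hijack; an assumption, extend it for your estate.
WATCHED_SUFFIXES = ("microsoft.com", "virustotal.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments and junk lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                  # first field is not an address: not a mapping
        for name in fields[1:]:                       # one address may carry several names
            yield ip, name.lower()


def second_level(name):
    """howcast.com for www.howcast.com; good enough to group names by owner."""
    return ".".join(name.split(".")[-2:])


def analyse_hosts(text):
    """Return (kind, subject, ip) findings:
       sinkholed       - a real host name pointed at loopback/0.0.0.0 (name is blackholed)
       redirected      - a host name pointed at a public address (traffic is hijacked)
       shared_redirect - one public address standing in for several unrelated domains
       watched         - any mapping at all for a domain on WATCHED_SUFFIXES"""
    findings = []
    names_by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        names_by_ip[ip].add(name)
        if name == "localhost":                       # the one loopback mapping that is normal
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append(("sinkholed", name, str(ip)))
        elif ip.is_global:
            findings.append(("redirected", name, str(ip)))
        if name.endswith(WATCHED_SUFFIXES):
            findings.append(("watched", name, str(ip)))
    for ip, names in names_by_ip.items():
        domains = sorted({second_level(n) for n in names})
        if ip.is_global and len(domains) > 1:
            findings.append(("shared_redirect", ",".join(domains), str(ip)))
    return findings


if __name__ == "__main__":
    # On a live host: analyse_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())
    for kind, subject, ip in analyse_hosts(SAMPLE_HOSTS):
        print(f"{kind:16} {subject:32} -> {ip}")
```

On the constructed input the script reports one sinkholed name, five redirected names, three watched names and one shared redirect (howcast.com and tremorhub.com both answered by 162.222.193.86). A hosts file that maps any security-vendor or update domain to a public address is worth treating as an indicator on its own, independent of the sample that wrote it.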


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 253952 2536 2560 3.13983 5b5a2d9d119a78aca9bef9d54b647674
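
All five sections above have entropy between 3.1 and 4.5, so nothing in the table is packed in the usual sense; what the table does show is that the sections' raw data add up to only 32768 bytes of a 789661-byte file, leaving roughly 756 KB past the last section as overlay. That is where an NSIS installer keeps its compressed archive, which fits the Trojan.NSIS detection name, the zero-length .ndata section (its MD5, d41d8cd98f00b204e9800998ecf8427e, is the hash of empty input) and the nsp5004.tmp\ExecCmd.dll plugin drop listed above. The script below, an added example rather than the report's own tooling, recomputes those observations from the table; the 1024-byte header size is an assumption, since the table gives no raw offsets.

```python
"""Added example (not the report's own tooling): reproduce the checks behind the
PE Sections table from the numbers the report gives.  Assumptions are marked inline."""
import hashlib
import math

FILE_SIZE = 789661          # "Size" from the report header

# (name, virtual address, virtual size, raw size, entropy, section MD5) as listed in the table
SECTIONS = [
    (".text",  4096,   23628,  24064, 4.46394, "856b32eb77dfd6fb67f21d6543272da5"),
    (".rdata", 28672,  4764,   5120,  3.4982,  "dc77f8a1e6985a4361c55642680ddb4f"),
    (".data",  36864,  154712, 1024,  3.3278,  "7922d4ce117d7d5b3ac2cffe4b0b5e4f"),
    (".ndata", 192512, 61440,  0,     0.0,     "d41d8cd98f00b204e9800998ecf8427e"),
    (".rsrc",  253952, 2536,   2560,  3.13983, "5b5a2d9d119a78aca9bef9d54b647674"),
]

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # what a zero-byte section hashes to


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes.
    This is the quantity in the table's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_checks(sections):
    """Per-section flags an analyst would raise from the table alone."""
    flags = {}
    for name, _va, vsize, rsize, entropy, md5 in sections:
        f = []
        if rsize == 0 and md5 == EMPTY_MD5:
            f.append("empty_raw_data")      # uninitialised section; NSIS stubs name theirs .ndata
        if rsize == 0 or vsize > 4 * rsize:
            f.append("virtual_gt_raw")      # grows in memory: filled at runtime or unpacked there
        if entropy > 7.0:
            f.append("high_entropy")        # compressed or encrypted section content
        flags[name] = f
    return flags


def overlay_estimate(file_size, sections, header_bytes=1024):
    """Bytes beyond the last section's raw data.  Assumption: sections sit back to back
    after a 1024-byte header; the table gives no PointerToRawData to do better."""
    mapped = header_bytes + sum(s[3] for s in sections)
    overlay = file_size - mapped
    return overlay, overlay / file_size


if __name__ == "__main__":
    for name, f in section_checks(SECTIONS).items():
        print(f"{name:7} {', '.join(f) or 'ok'}")
    ov, frac = overlay_estimate(FILE_SIZE, SECTIONS)
    print(f"overlay ~{ov} bytes ({frac:.1%} of file)")
    print("entropy of constant bytes:", shannon_entropy(b"\x00" * 4096))
    print("entropy of uniform bytes:", shannon_entropy(bytes(range(256)) * 16))
```

With a real sample in hand, replace the hard-coded table with the section headers read from the file and compute the overlay from the last section's PointerToRawData plus SizeOfRawData; the 7.0 entropy threshold and the 4x virtual/raw ratio are the usual rules of thumb, not values the report states.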

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 525
87af60575e95350381303447cd2e0d96
3ed467c0bcda41c45704150aabac1780
3c29aa8e13fdffa69ada7e6932cc65db
62508b7bf1899a015b0f61fb7486a7e6
6a719482c6246092ff759896a8a952e6
4f11bdb380dafa2518053c6d20147a05
c9c0ecad3c7691c9fb77d3e12dca89ba
eb908e35f01c51fd6c3145626da78202
dc7fd4f3cfe333cb005ce5639899f0bf
739e7f76fb545c28ae4ce1d85e176484
d00d8a9daa2e2b19d952b1b10037467c
6e2c047259d3bc583dc140202340af7e
75182bfb4dd3d1ad7e0ef5e40b70550f
2a4240cfb6b249da0c5dcff5abf3a292
a746426f5bd2a7f239e0e1bc7529897d
0f2fa5e5c2ce26f0b744d19eff724c25
723325cfdc20c18e1ca96e88c9cca948
5cc9fd6672be1ca9538237031c1382c0
f1b56fd3f82b6a0668d00b9f0d6e991f
7f4ee0d326b67cc3e4a3fec3a25dfe3c
293bbf92195165383b202fa6cd4a2ba6
b33ccbf60d223d0df5c7b0c8b376386a
5c7aaa94fa1bbced13b76e9523bde956
da7eaa6230f54eb9da8f6986b5e53c89
0f5b04d97f3e3dc672c37106fbff0b45

URLs

URL IP
hxxp://d232tmx7gh8bfo.cloudfront.net/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
hxxp://d232tmx7gh8bfo.cloudfront.net/jquery.min.js
hxxp://aoaomo.tremorhub.com/wp-content/themes/howcast/images/icons/love.png
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://c.statcounter.com/10114910/0/757d7213/1/ 104.20.3.47
hxxp://aoaomo.tremorhub.com/itd.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
hxxp://ww.worriedlyflacks.pw/a.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053&rnd=1481819854000 162.222.193.17
hxxp://d232tmx7gh8bfo.cloudfront.net/amg.php
hxxp://8c715ae47b.site.internapcdn.net/page-2.html?lid=937115
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=628801802&t=pageview&_s=1&dl=http://www.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1916x902&vp=679x392&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1501963183&cid=506006047.1481819860&tid=UA-74694740-5&_r=1&z=1432791642
hxxp://aoaomo.tremorhub.com/o.php
hxxp://vi.govids.net/report3.php 109.201.148.40
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.94
hxxp://govids.net/jwplayer1.js 162.222.194.11
hxxp://govids.net/1.js 162.222.194.11
hxxp://widgets.amung.us/draw/?w=colored&n=1633&c=000000ffffff&p= 146.185.16.146
hxxp://vi.govids.net/bck.php?1481819872000 109.201.148.40
hxxp://8c715ae47b.site.internapcdn.net/page-2.htm?lid=937115
hxxp://vi.govids.net/bck.php?1481819882000 109.201.148.40
hxxp://govids.net/player1.swf 162.222.194.11
hxxp://www.statcounter.com.cdnga.net/counter/counter.js 174.35.61.220
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=761A21DFE1814F1FCA8A43388FCBAC36&sc_random=0.024991977743598625&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1916&h=902&camefrom=http://www.govids.net/page-2.html?lid=937115&u=http://www.govids.net/page-2.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 104.20.3.47
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=2080254541&t=pageview&_s=1&dl=http://www.govids.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1916x902&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=876319079&cid=1892378973.1481819896&tid=UA-74694740-2&_r=1&z=2048592887
hxxp://8c715ae47b.site.internapcdn.net/css1.css
hxxp://8c715ae47b.site.internapcdn.net/img/logo.png
hxxp://govids.net/ova-jw.swf 162.222.194.11
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://8c715ae47b.site.internapcdn.net/img/lbg.png
hxxp://www.howcast.com/wp-content/themes/howcast/images/icons/love.png
hxxp://www.worriedlyflacks.pw/jquery.min.js 52.222.149.120
hxxp://www.govids.net/page-2.htm?lid=937115 95.172.71.40
hxxp://109.201.148.40/bck.php?1481819872000
hxxp://www.govids.net/img/logo.png 95.172.71.40
hxxp://109.201.148.40/bck.php?1481819882000
hxxp://www.govids.net/page-2.html?lid=937115 95.172.71.40
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=2080254541&t=pageview&_s=1&dl=http://www.govids.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1916x902&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=876319079&cid=1892378973.1481819896&tid=UA-74694740-2&_r=1&z=2048592887 216.58.209.206
hxxp://www.govids.net/css1.css 95.172.71.40
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=628801802&t=pageview&_s=1&dl=http://www.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1916x902&vp=679x392&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1501963183&cid=506006047.1481819860&tid=UA-74694740-5&_r=1&z=1432791642 216.58.209.206
hxxp://www.govids.net/img/lbg.png 95.172.71.40
hxxp://www.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053 52.222.149.120
hxxp://www.google-analytics.com/analytics.js 216.58.209.206
hxxp://www.statcounter.com/counter/counter.js 174.35.61.220
hxxp://l.longtailvideo.com/5/10/logo.png 93.184.221.48
hxxp://www.worriedlyflacks.pw/amg.php 52.222.149.120


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /wp-content/themes/howcast/images/icons/love.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.howcast.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:13 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Thu, 17 Nov 2016 01:56:53 GMT
ETag: "5ac000000480130-7f-5417580ef28e0;5424c26f9d7dd"
Accept-Ranges: bytes
Content-Length: 127
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
<<< 127-byte PNG body skipped >>>


GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 16 Dec 2016 00:32:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Fri, 16 Dec 2016 00:32:21 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /o.php HTTP/1.1
Accept: */*
Referer: hXXp://aoaomo.tremorhub.com/itd.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: aoaomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:29 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<<< 3-byte body skipped >>>


GET /itd.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: aoaomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:13 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1325
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
    var nameEQ = name + "=";
    var ca = document.cookie.split(';');
    for(var i=0;i < ca.length;i++) {
        var c = ca[i];
        while (c.charAt(0)==' ') c = c.substring(1,c.length);
        if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
    }
    return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 50);
setInterval(function() {
uapcc();
}, 90);
//-->
setInterval( "onl()", 60000);function onl(){if(document.images){document.images['onlv'].src = 'o.php?' + Date.parse(new Date().toString());}}
</script>
<div style="visibility:hidden"><img name="onlv" src="o.php"></div>
<meta http-equiv="refresh" content="300">
</html>
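
The itd.php page above runs four timers that wipe a .tremorhub.com cookie every 50 to 90 ms, fires a hidden image request to o.php once a minute, and reloads itself every 300 s; the other pages in this capture show the same shape (meta refresh every 60 s on a.php, bck.php?<epoch-ms> pings from page-2.htm, statcounter hits with invisible=1). To follow what such a session is doing, an analyst wants the Referer chain, that is, which page loaded which resource, and a reading of the timestamp queries. The parser below is an added example, not part of the Lavasoft report. SAMPLE_CAPTURE is constructed from four of the request blocks in this Traffic section, keeping the page's hXXp/VVV defanging, which refang() undoes; it parses request blocks only and ignores response blocks and binary residue.

```python
"""Added example (not part of the Lavasoft report): rebuild the Referer chain and
decode epoch-millisecond beacon queries from request blocks in the report's
Traffic format.  SAMPLE_CAPTURE is constructed from four blocks of that section."""
import re
from datetime import datetime, timezone

SAMPLE_CAPTURE = """\
GET /home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053 HTTP/1.1
Accept: */*
Host: VVV.worriedlyflacks.pw
Connection: Keep-Alive


GET /itd.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053 HTTP/1.1
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Host: aoaomo.tremorhub.com


GET /o.php HTTP/1.1
Referer: hXXp://aoaomo.tremorhub.com/itd.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Host: aoaomo.tremorhub.com


GET /bck.php?1481819882000 HTTP/1.1
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Host: 109.201.148.40
"""

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")


def refang(s):
    """Undo the report's defanging so URLs from request lines and Referers compare equal."""
    return s.replace("hXXp://", "http://").replace("VVV.", "www.")


def parse_requests(capture):
    """One dict per request block: method, absolute url (refanged), referer (refanged or None).
    Blocks whose first line is not a request line (responses, dumps) are skipped."""
    reqs = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                k, v = line.split(":", 1)
                headers[k.strip().lower()] = v.strip()
        url = refang("http://" + headers.get("host", "") + m.group(2))
        referer = refang(headers["referer"]) if "referer" in headers else None
        reqs.append({"method": m.group(1), "url": url, "referer": referer})
    return reqs


def referer_chain(reqs, url):
    """Walk Referer links back to the page that started the load; root first."""
    parent = {r["url"]: r["referer"] for r in reqs}
    chain = [url]
    while parent.get(chain[-1]) and parent[chain[-1]] not in chain:  # stop at root or loop
        chain.append(parent[chain[-1]])
    return chain[::-1]


def beacon_time(url):
    """bck.php?1481819882000 style: the whole query is a bare epoch-millisecond stamp
    written by the client; returns it as UTC text, or None if the URL is not of that form."""
    m = re.search(r"\?(\d{13})$", url)
    if not m:
        return None
    t = datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    return t.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_CAPTURE)
    print(" -> ".join(referer_chain(reqs, "http://aoaomo.tremorhub.com/o.php")))
    for r in reqs:
        stamp = beacon_time(r["url"])
        if stamp:
            print(r["url"], "client clock:", stamp, "UTC")
```

On the constructed input the chain for o.php is home.php on worriedlyflacks.pw, then itd.php on the hosts-file-redirected aoaomo.tremorhub.com, then o.php. bck.php?1481819882000 decodes to 2016-12-15 16:38:02 UTC, which lines up with the 16:37:13 Date header and the 1481819833 cookie value in the Cloudflare-fronted statcounter exchange; the Date headers from the govids.net servers themselves are minutes to hours off (16:41:08 and Fri, 16 Dec 2016 00:32 for the same session), so the client-side stamps are the trustworthy timeline here.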

<<< skipped >>>

GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:13 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=d0680ba799d1c74f85eef7f5d754fbeb41481819833; expires=Fri, 15-Dec-17 16:37:13 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1481819833.0; expires=Tue, 14-Dec-2021 16:37:13 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1481819833273510971; expires=Sat, 15-Dec-2018 16:37:13 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 311b51a80598404a-SOF
<<< 49-byte GIF body skipped >>>



GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=761A21DFE1814F1FCA8A43388FCBAC36&sc_random=0.024991977743598625&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1916&h=902&camefrom=http://VVV.govids.net/page-2.html?lid=937115&u=http://VVV.govids.net/page-2.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d0680ba799d1c74f85eef7f5d754fbeb41481819833; is_unique=sc10114910.1481819833.0; is_visitor_unique=1481819833273510971


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:53 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1481819833.0-10675947.1481819873.0; expires=Tue, 14-Dec-2021 16:37:53 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1481819833273510971; expires=Sat, 15-Dec-2018 16:37:53 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 311b52a352b4404a-SOF
<<< 49-byte GIF body skipped >>>


GET /report3.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:40:57 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /a.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053&rnd=1481819854000 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww.worriedlyflacks.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:13 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 325
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" /><meta http-equiv="refresh" content="60">249161


GET /report3.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:41:06 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Thu, 15 Dec 2016 16:38:02 GMT
Etag: "3015243340"
Expires: Thu, 22 Dec 2016 16:38:02 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
<<< 1845-byte PNG body skipped >>>

<<< skipped >>>

GET /bck.php?1481819882000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:41:08 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1481819895.761A21DFE1814F1FCA8A43388FCBAC36.1.1.1.1.1.1.1.1.1; _ga=GA1.2.1892378973.1481819896; _gat=1


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:56 GMT
Content-Type: image/png
Content-Length: 3856
Connection: keep-alive
Last-Modified: Tue, 10 Jun 2014 14:29:28 GMT
ETag: "a1bf2-f10-4fb7c27bc2200"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-fra004-005.fra004.internap.com
Accept-Ranges: bytes
<<< 3856-byte PNG body skipped >>>

<<< skipped >>>

GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d0680ba799d1c74f85eef7f5d754fbeb41481819833; is_unique=sc10114910.1481819833.0; is_visitor_unique=1481819833273510971


HTTP/1.1 200 OK
Date: Thu, 15 Dec 2016 16:37:52 GMT
Server: PWS/8.2.0.5
X-Px: ht h0-s1211.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Thu, 15 Dec 2016 19:39:15 GMT
Age: 32317
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
<<< gzip-compressed JavaScript body (9529 bytes) skipped >>>

<<< skipped >>>

GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 16 Dec 2016 00:32:30 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Fri, 17 Nov 2017 00:32:30 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< compressed SWF body (CWS header, 113505 bytes) skipped >>>

<<< skipped >>>

GET /home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.worriedlyflacks.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 858
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Thu, 15 Dec 2016 16:37:00 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 44d7d28132a47c2b5760c4ec3dd7aa89.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Y217Ll24bTakBc-DHnZAoWAX7iY89itCQvMZ0rqzTicjnk00l6O_9Q==
<<< gzip-compressed HTML body (858 bytes) skipped >>>



GET /jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.worriedlyflacks.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 878
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Thu, 17 Nov 2016 14:39:55 GMT
ETag: "b0000003c0a95-1d65-5418029ba830a"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Wed, 23 Nov 2016 16:10:01 GMT
Vary: Accept-Encoding
Age: 2326
X-Cache: Hit from cloudfront
Via: 1.1 44d7d28132a47c2b5760c4ec3dd7aa89.cloudfront.net (CloudFront)
X-Amz-Cf-Id: aZUxsc8K7fJReYeBfR2Z5vUz3ADZHcYnKzzp8iyfigF686Orh48ELg==

<<< skipped >>>

GET /amg.php HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.worriedlyflacks.pw/home.php?id=21A4imXuW6oCrZRqKMR6&date=2016-11-21&p=none&t=&ca=84002053
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.worriedlyflacks.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 359
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Date: Thu, 15 Dec 2016 15:58:28 GMT
Age: 2328
X-Cache: Hit from cloudfront
Via: 1.1 44d7d28132a47c2b5760c4ec3dd7aa89.cloudfront.net (CloudFront)
X-Amz-Cf-Id: soEuP4wgkXHW-709juhnqliiKhWX7ctRmMwdpzy3aCuhR5HPFzb-Mw==
<script type="text/javascript">setInterval( "vwu()", 200000);
function vwu(){if(document.images){document.images['viewers'].src = 'hXXp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png?' + Date.parse(new Date().toString());}}</script><div style="visibility:hidden"><img name="viewers" src="hXXp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png"></div>


GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 16 Dec 2016 00:32:12 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Fri, 17 Nov 2017 00:32:12 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
taskeng.exe_3996:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
ieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514

thirsty.exe_4008:

.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsp5004.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp5004.tmp\ExecCmd.dll
"%Program Files%\Jammed\brogue.exe"
p\ExecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
$$\wininit.ini
e%uy%u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp5004.tmp
brogue.exe
rogram Files\Jammed\brogue.exe"
ecCmd.dll
gue.exe" | %SystemRoot%\System32\find /I "brogue.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp5004.tmp
"%Program Files%\manchester\thirsty.exe"
%Program Files%\manchester
thirsty.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsz35BF.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\manchester\thirsty.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
%Program Files%
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
hester\thirsty.exe"
ammed\brogue.exe"

svchost.exe_2416:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Delete the original Dropped file.
  2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
