Dropped.Trojan.Generic.17338822_9ee71cc1c0

by malwarelabrobot on September 15th, 2016 in Malware Descriptions.

Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 9ee71cc1c041d515cf6606b5a62b0fb4
SHA1: 90c054273458e1480ac628ecee2491015cdc9058
SHA256: d13281c433248a167b313ea76b61b210a1712f2ac734c61232dcdd33132222f6
SSDeep: 24576:NT4BV2FrWJUP6aKbXRlgdKcWO6ACa4KBOh:BGV2FrW06aKbsUcWOCyY
Size: 790481 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

taskkill.exe:1304
taskkill.exe:1980
%original file name%.exe:1188
antiviral.exe:268
tasklist.exe:868
tasklist.exe:776
tasklist.exe:1432
tasklist.exe:2040
tasklist.exe:1996
tasklist.exe:1780
tasklist.exe:1976
tasklist.exe:440
tasklist.exe:616
tasklist.exe:456
tasklist.exe:1492
tasklist.exe:1476
tasklist.exe:1532
tasklist.exe:1396
tasklist.exe:1516
tasklist.exe:528
tasklist.exe:1012
56942271.exe:1476
65344.exe:820
find.exe:964
find.exe:1532
find.exe:1488
find.exe:1772
find.exe:1340
find.exe:1940
find.exe:1044
find.exe:1660
find.exe:1992
find.exe:492
find.exe:1476
find.exe:240
find.exe:1032
find.exe:236
find.exe:1664
find.exe:1036
find.exe:1724
find.exe:816
find.exe:376

The Dropped injects its code into the following process(es):

shinjuku.exe:1184

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1188 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\ShellLink.dll (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\tamarisk.lnk (491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\System.dll (11 bytes)
%Program Files%\knowingly\shinjuku.exe (4524 bytes)
%WinDir%\settings.dll (10945 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\65344.exe (1082 bytes)
%Program Files%\knowingly\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\56942271.exe (3136 bytes)
%Program Files%\knowingly\settings.dll (10945 bytes)
%WinDir%\shinjuku.exe (4524 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\AccessControl.dll (13 bytes)
%Program Files%\lice\antiviral.exe (1040 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\System.dll (0 bytes)

The process shinjuku.exe:1184 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-2[1].htm (3942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA09CZSX.xml (813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAFHHU2T.xml (815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\player1[1].swf (13081 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CANB1RIB.xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (11257 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (608 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAIZCDMB.xml (814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\page-2[1].htm (3108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAEEF0LN.xml (777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[2].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAW2Z3B4.xml (815 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CABI33J0.xml (797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CASVEDCL.xml (777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAE705YB.xml (850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\analytics[1].js (353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CASRY3GD.xml (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOA0CTW.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ova-jw[1].swf (18153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAWZ016L.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA4V2H0P.xml (728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (628 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jwplayer1[1].js (77495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGDU349.xml (737 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAE6ADNN.xml (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6HF6BN.xml (823 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAJ6CJR9.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CASGMQ2Z.xml (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU0HYN7.xml (777 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\page-2[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sol (0 bytes)

The process antiviral.exe:268 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp\ExecCmd.dll (4 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz6.tmp (0 bytes)

The process 56942271.exe:1476 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (5289 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (0 bytes)

The process 65344.exe:820 makes changes in the file system.
The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp (0 bytes)

Registry activity

The process taskkill.exe:1304 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 B0 E9 6A 2B 4C AB B3 2A 01 CC 8A 2C C0 43 DD"

The process taskkill.exe:1980 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 D9 17 95 39 B7 B8 AA 6E 64 CE FA EC 1E 06 6B"

The process %original file name%.exe:1188 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 20 7C 89 0B 3D 7F 7C B2 18 14 28 0A 39 24 D0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"grown" = "%Program Files%\knowingly\shinjuku.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amelia" = "%Program Files%\knowingly\shinjuku.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"sachs" = "%Program Files%\knowingly\shinjuku.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"physiotherapy" = "%Program Files%\knowingly\shinjuku.exe"

The process shinjuku.exe:1184 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091420160915]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091420160915]
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091420160915]
"CacheLimit" = "8192"

"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016091420160915\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 69 D3 64 45 9E 54 04 AF AE 58 4D A9 0B 2A 35"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091420160915]
"CachePrefix" = ":2016091420160915:"

The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process antiviral.exe:268 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 A7 7B 4C A8 81 B3 6B 75 33 BE 75 5C 19 EF FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"reaps" = "%Program Files%\knowingly\shinjuku.exe"

"antiviral" = "%Program Files%\lice\antiviral.exe"

The process tasklist.exe:868 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 6C 24 30 55 DD 32 33 CB D9 B3 9E DE 6B 4D 91"

The process tasklist.exe:776 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 F3 CB A4 D9 5E 12 03 92 A2 C4 72 F5 C3 1E 67"

The process tasklist.exe:1432 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF A2 1F 59 A9 8A 73 6D B1 43 50 56 29 88 C8 AE"

The process tasklist.exe:2040 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 7C 79 CC 73 CC 0F 0A 21 15 37 13 37 25 65 B8"

The process tasklist.exe:1996 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 DF E8 D7 F2 93 9A EE B6 A9 65 E0 51 E9 26 55"

The process tasklist.exe:1780 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 3D F6 63 A4 1D B6 21 35 1D A9 FD 09 94 2A A3"

The process tasklist.exe:1976 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D2 94 54 F0 A3 1E 49 CA 50 33 F4 AF 8A FE FB"

The process tasklist.exe:440 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 9C 73 95 1C 0A 76 83 98 77 B8 F2 90 5E C2 B2"

The process tasklist.exe:616 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 41 04 EB 3F 5A C1 79 F0 84 29 74 56 C8 72 60"

The process tasklist.exe:456 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 8C 8B A2 EC 78 39 AE A8 A2 FC 4A 77 26 3B 2B"

The process tasklist.exe:1492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 76 3A 6A 4C E5 63 85 0C 39 E2 79 71 F7 A0 59"

The process tasklist.exe:1476 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 CA 9A D3 A9 8C 9A 0A 36 CB 2C 21 05 FE 74 75"

The process tasklist.exe:1532 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC F5 FE 2D ED 63 A5 68 89 AB B3 13 28 9B A0 FA"

The process tasklist.exe:1396 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 E3 5A C9 BA D4 38 64 63 24 38 F9 CE 40 B7 61"

The process tasklist.exe:1516 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 52 16 48 2A 84 77 86 B2 EC 9B 7D 2B 93 43 A6"

The process tasklist.exe:528 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF B3 91 CC 75 F0 93 44 4C C5 68 A8 2A F2 A0 19"

The process tasklist.exe:1012 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 18 7A E9 9C ED 3A 75 44 DC C5 83 D1 5B 47 BB"

The process 56942271.exe:1476 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 9C 91 EE 79 34 3C 56 74 31 F9 DC 06 BD E1 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process 65344.exe:820 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 F3 4D 02 B6 2B 9B 5C 0E 1A 20 65 01 8D ED 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process find.exe:964 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 01 26 FA 49 8B 35 3F F3 76 E1 67 40 C0 0B BB"

The process find.exe:1532 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 C1 E2 FB AA 99 54 54 27 42 5C 58 0A F0 BA 3A"

The process find.exe:1488 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE D8 18 06 7D 72 A1 97 F5 63 D8 26 3E 09 E7 B5"

The process find.exe:1772 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 E8 2F F5 F2 1F 8C BA 65 D8 99 A8 A2 8F 4A 21"

The process find.exe:1340 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 F4 5D D9 0A C4 C3 F2 B7 1E 80 1C B3 27 FD 7F"

The process find.exe:1940 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 D2 42 42 D4 8A 50 36 22 7A 2A 29 F4 5F D4 D0"

The process find.exe:1044 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 7B 62 D9 8D 6D DB 97 1A B2 0C 5B 5E 19 43 56"

The process find.exe:1660 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 ED C9 18 75 FF 3F 2F 69 FB 26 F7 1D 65 A7 9B"

The process find.exe:1992 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 8D 10 AE 59 E8 18 A9 2B A0 51 AB 75 F5 EB 99"

The process find.exe:492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 51 F4 A8 00 4E CE D4 E0 9C 6D AD 40 E0 36 48"

The process find.exe:1476 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 40 94 B0 CE 5A 87 D6 E7 6A 34 20 50 9B B1 F6"

The process find.exe:240 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B DD B7 C8 E6 56 B9 74 FD F3 BF 65 5C DE 5A A7"

The process find.exe:1032 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 9B 91 34 19 5E 55 66 99 A0 4E 35 09 30 7F 55"

The process find.exe:236 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 28 A6 7F 2C 35 EA 77 52 A5 05 EF BD 43 3B B4"

The process find.exe:1664 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 74 3B C5 13 1B 5A 4D 0C 9D 34 31 30 2D 2F 16"

The process find.exe:1036 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 89 D1 D1 B0 0B E8 BC D5 C3 33 06 C6 90 CD 91"

The process find.exe:1724 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 FC 9F E2 6C AE 45 8F E8 A0 F5 6A 92 0E 0F 29"

The process find.exe:816 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 28 2C 5E 98 83 2D CD 22 9D 88 47 4E 49 B0 58"

The process find.exe:376 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 86 6A 87 30 00 BC 65 6F 6E 3B 4C B2 0B 86 05"

Dropped PE files

MD5 File path
ff362ccb92acb79d377d7e8d9799c4fb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\56942271.exe
6351426f5922b23dd580621eee7b681c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\65344.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw7.tmp\ExecCmd.dll
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\knowingly\Microsoft.Win32.TaskScheduler.dll
e03799f0738d97bdae3fc689764fe7ff c:\Program Files\knowingly\settings.dll
ea7ec2acddb32056a3f4e2c20d9c05bf c:\Program Files\knowingly\shinjuku.exe
bb107330096cc9f7f1c82dd981e65ddc c:\Program Files\lice\antiviral.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll
ea7ec2acddb32056a3f4e2c20d9c05bf c:\WINDOWS\harmoniously.exe
e03799f0738d97bdae3fc689764fe7ff c:\WINDOWS\settings.dll

HOSTS file anomalies

The Dropped modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 857 bytes in size. The following strings are added to the hosts file listed below:

162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 86016 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 278528 2536 2560 3.13622 b9f20defc9dd650d8dcc7fc5d4708ad4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 108
7bcde813c50a0b0e20e5f9f233bc3040
ca004345bdd1cb292744ed711de04d19
2a9af6bcab5eb49d9a62a6ea72cdd286
e4e8ea421895b321bea9afa16d8a6fb5
851b5de8d1e586ba0301b1027800dea8
54c304cd37a8ae6ce5c21d5a5240d80c
f4ae937348a591e02f7ccb79f47cdc1f
c27730e88a7e5003ff846e8f0e578968
023529d5b4f5db6fc3e123bf47ac15d6
8e38be8c510a94c0a96ee39bc32ed333
14055969428fc76bc66b28491ff90d63
2b8b2136bdf153f722ecd721fabcf1aa
9dec231998f0f3d8301aa5c1a6e0119f
0affe53e87c71d2b7f9066427a5d71e5
3f92282b316430f68d847ff93565f264
1f4ab1b0f88d2b1805bcfbdaa2c461f1
3fadc54dc0f9a4e6af4b370749973ec3
2d43a582840285217ab6adaf45ff8c22
4ad98fe1fd6a020f491e31eb4aa16205
562254cc7ac0f92876c4964400fb6cd7
a261aa83665bed04243da16ecade0df0
bea91233ff3a67b260b02a18d7cb54c2
b1a5b5b97ab40559c62f27923a7322c1
830674c88d54f6aa3c6f1bcf72147f75
fb9b2e8e0616dc9aecab4078c571a0f8
f3636d03e448990429c0cd25a2f93345

URLs

URL IP
hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
hxxp://cocomo.tremorhub.com/itd.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=&rand=
hxxp://www.clangburkitt.info/count.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=&rand= 162.222.194.132
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.94
hxxp://c.statcounter.com/10114910/0/757d7213/1/ 216.59.38.123
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=1808993939&t=pageview&_s=1&dl=http://www.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1916x902&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1599001368&cid=249469312.1473801269&tid=UA-74694740-5&_r=1&z=1505709779
hxxp://widgets.amung.us/draw/?w=colored&n=1573&c=000000ffffff&p= 173.192.200.70
hxxp://8c715ae47b.site.internapcdn.net/page-2.html?lid=937115
hxxp://109.201.148.40/report1.php?url=/govids/page-2.html?lid=937115
hxxp://govids.net/jwplayer1.js 162.222.194.11
hxxp://109.201.148.40/bck.php?1473801270000
hxxp://govids.net/1.js 162.222.194.11
hxxp://8c715ae47b.site.internapcdn.net/page-2.htm?lid=937115
hxxp://109.201.148.40/report1.php?url=/govids/page-2.htm?lid=937115
hxxp://109.201.148.40/bck.php?1473801272000
hxxp://govids.net/player1.swf 162.222.194.11
hxxp://g1.panthercdn.com/counter/counter.js
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=752885944&t=pageview&_s=1&dl=http://www.govids.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1916x902&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1195345239&cid=262329171.1473801273&tid=UA-74694740-2&_r=1&z=1636700244
hxxp://8c715ae47b.site.internapcdn.net/css1.css
hxxp://8c715ae47b.site.internapcdn.net/img/logo.png
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=659D1AAC5EDE4F7778A89EBDB102E380&sc_random=0.20449616123269593&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1916&h=902&camefrom=http://www.govids.net/page-2.html?lid=937115&u=http://www.govids.net/page-2.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 216.59.38.123
hxxp://8c715ae47b.site.internapcdn.net/img/lbg.png
hxxp://govids.net/ova-jw.swf 162.222.194.11
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://www.google-analytics.com/analytics.js 216.58.214.238
hxxp://www.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t= 54.230.45.35
hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=1808993939&t=pageview&_s=1&dl=http://www.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1916x902&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1599001368&cid=249469312.1473801269&tid=UA-74694740-5&_r=1&z=1505709779 216.58.214.238
hxxp://www.govids.net/img/logo.png 69.88.149.137
hxxp://www.govids.net/css1.css 69.88.149.137
hxxp://www.govids.net/img/lbg.png 69.88.149.137
hxxp://www.bruindorsett.pw/func.js?r=5 54.230.45.35
hxxp://www.govids.net/page-2.html?lid=937115 69.88.149.137
hxxp://www.statcounter.com/counter/counter.js 151.249.89.12
hxxp://l.longtailvideo.com/5/10/logo.png 93.184.221.48
hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=752885944&t=pageview&_s=1&dl=http://www.govids.net/page-2.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1916x902&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1195345239&cid=262329171.1473801273&tid=UA-74694740-2&_r=1&z=1636700244 216.58.214.238
hxxp://www.govids.net/page-2.htm?lid=937115 69.88.149.137


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 05:20:09 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 14 Sep 2016 05:20:09 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.262329171.1473801273; _gat=1


HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 05:20:12 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Wed, 16 Aug 2017 05:20:12 GMT
Connection: close
Content-Type: application/x-shockwave-flash
CWS..A..x......U.8.!.o.{.l/[email protected]........!AQD.e.q
. ..(...?""..,2:.u.....t.....`....9w.[..u:q....}..~Uu.s.=..........b..
.k[R..l...;../K.........=...|..!O;.M..........3.m6K..[/....-...m."%...
BY..*Xk.....t W2.e.,..Y.3 .....V..h.X)..I-....).P...n.J..r=.fiJ-.T....
S.....k....Q.....jMn...B..Q..;3.9.......y..].K."PX...S....7....b..*92.
[email protected]..&...J.p...].o.L...e.Y....y.0QQ'......x.1.e}.e.|..-....l.F
..o.w.......Y......u.g......-% .#.[....:..../x.".....i..d...uuK.K.....
.tF.V.9]K.8.....9isZ/...4.KN.,.0...[...U)....i.,...o../S...,..S-]...&.
.......Q..RZ.....nm&.. ....'.ROz.J.0......_.C....~zG..... ....~C...t..
;=`...t^.....B...48.[3..Sd(.J..D4b.H.....U&&`.;..RE.../..i..X.......u@
..).......{..k.....`[email protected]...... i....rI....I]LgL/..z....H.... t...|..Nk
..`...U(..?..u.#w...X"...NK\u...7.\....7.\}...o...wvO....R.d3.&Im..f}V
.....e.T..%c|...:.pQ..j.`...l9=.Zi....q..#...5...0...iw..C..j...|..%.\
)...K..... .............u.`. E2...f.*@.6....NPmJ'......L....(m.c.r.Z.H
W....f.....Y......_...7......p1..a.zx.u...go....O......!.......GNE..J6
a........3.......Mg...........Z.>.*..s.....%..<iX.5ZKlt...0.V..F
.....Ex...Y2.5R...S....J.....q .N2..B.. ..M.Z..O....../..E............
..&`".%[email protected]..&.d....i....~....................&3p4OFb....T.
.O.J....M.....O?...jv..6.........0x.....#..;.....}..i....W....]....&.V
..a.pO...&.f:..V5}.yK.YM.e........4..:.`...].)......2.... ....uD......
p..g./.AC.....bh8.....L..'"...;;/q..-..>:Y2 ........\.D....=.......
...).0..W....69V.H.....O..N.....W.P....."hNdG"cA..........{3.;7.j&
<<< skipped >>>


GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 05:20:08 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 14 Sep 2016 05:20:08 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 905
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Tue, 13 Sep 2016 21:14:19 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 002c7dd628aeaafbb16627d6bb5046c9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: miHDYVi-8gJ3lK7XV_LxTHMYLr3uAHj5Uom1GHNk7-RIz66A6Zne4A==
...........UMo.8..... x.......7.. m.&.v...b..hi,1.H..Yk$..KRq>....`
.3.p..y.E.m.\..........6......N.d4....~.b....og....8.U...J"H{...AYA\.Z
..r...m.k..~q..(..I......"...t.k..-i`.-....f...^.......d...^K....9].}.
.k.[ F...dN.t...h..V..!..!.*-T/1...T.l..,.....]...G.|.Z..^...~..M..I6.
..T....i.KF. J...).AT5.....t..gl...F..Q.,.t..E.c.|.$.qE.W.....4j@.....
Yl...5.B..U.jh...Ub...........9...z.5....0.~...7...^.(..Elb.W..y.Fw.:.
.T......Ea..n........7.}..?...|<gM~......&J.......6...!.....$...E.F
s.LRh......PE...ZG..h5..W..l.Y.uv3..7[Y...\e.y..r.gU..%....Zi..0..!..!
K5..*|Vq0V)...! .}.w.=1..[cOV<.....T<......V.....t6.&...{T..x..,
....l...a..#U....v...Sz.7|......Vdz..........~.>.|G...;..w ....Mt..
.:pI.6.. !a$.I.V&.m/..7ia.`.H....l]......'.du...<.....3......2.(.?&
lt;<c-....6..F......I-...me.VDZ...'I_.....S.}r....J..A.~.....Y.O..,
.........i.R.m;N(.~..............#.q .8]...$C..]o...gJ........[....w..
a.|..k.......`K:...HTTP/1.1 200 OK..Content-Type: text/html..Content-L
ength: 905..Connection: keep-alive..Server: Apache/2.2.22 (Win64) PHP/
5.3.13..X-Powered-By: PHP/5.3.13..Content-Encoding: gzip..Date: Tue, 1
3 Sep 2016 21:14:19 GMT..Vary: Accept-Encoding..X-Cache: Miss from clo
udfront..Via: 1.1 002c7dd628aeaafbb16627d6bb5046c9.cloudfront.net (Clo
udFront)..X-Amz-Cf-Id: miHDYVi-8gJ3lK7XV_LxTHMYLr3uAHj5Uom1GHNk7-RIz66
A6Zne4A==.............UMo.8..... x.......7.. m.&.v...b..hi,1.H..Yk$..K
Rq>....`.3.p..y.E.m.\..........6......N.d4....~.b....og....8.U...J"
H{...AYA\.Z..r...m.k..~q..(..I......"...t.k..-i`.-....f...^.......
<<< skipped >>>

GET /func.js?r=5 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.bruindorsett.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Fri, 19 Aug 2016 01:35:05 GMT
Vary: Accept-Encoding
X-Cache: RefreshHit from cloudfront
Via: 1.1 002c7dd628aeaafbb16627d6bb5046c9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FpsYX1Nt2MG4IgqW6EXyAzj9AKBI18DbKG946FD5KgVgYAB310F_qg==
[email protected]/vJ.8....U U.R.q.z..N.......DU.{....-.G.>l&l
t;3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$........AU5^..{.]_M..:.]...
..Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.<......> .X.9...
...P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&]..~..Bz_."..:.]... o..
.T.B...q....pC..B..qM...J.<J.....c]..s>...V:.......[a=..|..x.z..
...=.9%}.t......T........'..t...g.....L.. *.V2..p...rv.....F..x?W..*..
..........3_.q.q....S.~....7_e.G..P..7w..h..R ..$.w....H.41.W.n...D...
.wZ..x.ZG....6..:a.5!....t:O..:.5MvM...([email protected].\.......SuY....:....
.....>...P..{|:.<.<...I...=........}..=...|.8.......{1z...HTT
P/1.1 200 OK..Content-Type: application/javascript..Content-Length: 59
7..Connection: keep-alive..Server: Apache/2.2.22 (Win64) PHP/5.3.13..L
ast-Modified: Mon, 18 Jul 2016 15:25:49 GMT..ETag: "90000001e1520-f7a-
537ea953f7333"..Accept-Ranges: bytes..Content-Encoding: gzip..Date: Fr
i, 19 Aug 2016 01:35:05 GMT..Vary: Accept-Encoding..X-Cache: RefreshHi
t from cloudfront..Via: 1.1 002c7dd628aeaafbb16627d6bb5046c9.cloudfron
t.net (CloudFront)..X-Amz-Cf-Id: FpsYX1Nt2MG4IgqW6EXyAzj9AKBI18DbKG946
[email protected]/vJ.8....U U.R.q.z..N.....
..DU.{....-.G.>l<3..wVyd.Dk.b.y..d..T.D...."W.<K.n4,X.$......
..AU5^..{.]_M..:.].....Z P9.p9.F?....'...d.|..o..[e...8E...{.4.U.BrB.&
lt;......> .X.9......P.B...i.J..L....V ..jr*n... ]v..g@.. .M.u.v&].
.~..Bz_."..:.]... o...T.B...q....pC..B..qM...J.<J.....c]..s>...V
:.......[a=..|..x.z.....=.9%}.t......T........'..t...g.....L.. *.V
<<< skipped >>>


GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.262329171.1473801273; _gat=1


HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 05:20:10 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Wed, 16 Aug 2017 05:20:10 GMT
Connection: close
Content-Type: application/x-shockwave-flash
CWS..`..x..}.\...x...@).....JCQJ...t.S.:.s..P.M.".."D.=.E."!.G.Q."....
y...~_..|>o.....u?o......."..>...Z}....u......X....^...8\.3..7,V
$.;[Y%%%[email protected]../[email protected]..
...8$.i.p... .Z.X.......<A.C4...s.L...*.B..c.'1...h.C.;.J.....E.d..
...... .........X...%[.x.m2@oK&/../...LtM..P..|.0._..a.c..x17..K.....6
L....z....z...#f. .=..:i...!B.O.s..:..`kmc.-............ xh6).UpWB.6..
..UC.SQ.1^..3.]3x4z.o..>...7F.`s..,.G.K.s.)........ $E..[O..O......
......w.....0.Jw....qCv.........&L..I...0.g...z%...k.s_....B.V....f- .
y>..6.e..v...O..R.4u...J?.q.........o?.........._.8i.........L'._s.
...ug......N..h..[....s/.[X>.G...9....k...O...L;.,X.p......... ....
r&.c..F.>._w.. {.2...b..ri..=.C.N#M..|..(&..8........9..,.S.....KhS
.}.......~..i....W...?....7.S\...eS..*&.S.z.\:....#!cng.}5...I.*I;....
'.M...U..3^s.l....^.7..sp.......Z_..wJ.....O.;0e... ..f\.t..{....5v}..
=..9...1..C..?..4.R.....[G7W..=h|...a..p../s..]......^...K.r..]T..... 
....j..V7.r.9l.........,zf..U.c..$b..n.}...^..B=.-.RP....Y.......aB.f.
...9...Vuzz.M\../b............8n...2..^Y..%u..n,...x.....,.;..s.r..]|8
...v......u.m........=.n..9.&{.B......D_JU.7.<.....>gz.<....O
.4..zQhiWf....aOL.-.bE..2yU.S..)g6Z...m...m..s....ly.....Q.us..ci....[
k?M.7p.e.....yG.'.8...R.....m_/z.>p.......=....B..w..zwQ\P..B...Bn.
2..>K..F....>.xLy..`...%..`.._......'5.9..V../z.....E..;....h)..
_..>...........{^.....p&x.Q....;YH..E.6.<m..8n... a...#U~.5S(wr2
V....h..Y^.'^.....y.8:........Q....^[..nK....hq...5..[...i94$.....
<<< skipped >>>


GET /report1.php?url=/govids/page-2.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:17:52 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
HTTP/1.1 200 OK..Date: Tue, 13 Sep 2016 21:17:52 GMT..Server: Apache/2
.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive
: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=
utf-8......


GET /bck.php?1473801270000 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.govids.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:17:53 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
HTTP/1.1 200 OK..Date: Tue, 13 Sep 2016 21:17:53 GMT..Server: Apache/2
.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive
: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=
utf-8......


GET /report1.php?url=/govids/page-2.htm?lid=937115 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:17:54 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
HTTP/1.1 200 OK..Date: Tue, 13 Sep 2016 21:17:54 GMT..Server: Apache/2
.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive
: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=
utf-8......


GET /bck.php?1473801272000 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:17:54 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
HTTP/1.1 200 OK..Date: Tue, 13 Sep 2016 21:17:54 GMT..Server: Apache/2
.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..Content-Length: 0..Keep-Alive
: timeout=5..Connection: Keep-Alive..Content-Type: text/html; charset=
utf-8..



GET /count.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.clangburkitt.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:14:21 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
......<meta http-equiv="refresh" content="300">HTTP/1.1 200 OK..
Date: Tue, 13 Sep 2016 21:14:21 GMT..Server: Apache/2.2.22 (Win64) PHP
/5.3.13..X-Powered-By: PHP/5.3.13..Content-Length: 47..Keep-Alive: tim
eout=5, max=100..Connection: Keep-Alive..Content-Type: text/html......
..<meta http-equiv="refresh" content="300">..



GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Tue, 13 Sep 2016 21:14:27 GMT
Etag: "3015243340"
Expires: Tue, 20 Sep 2016 21:14:27 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
.PNG........IHDR...].........9.".....IDATh..Zo..E...e...*!.......RP...
.0H.|).Y...).4C.#H..2....g{.....GO.....A...(.?H....B..wf.....{.......c
v..9sv...3g....A-.).8j......J..*[email protected] u(.....k.Nt.3..yR....~*]. 
...Y...v..........\.YO....0.....bZ.=...e..ji.g..S..Z.t.9?..N).]`.K !..
...Y..?..<.h.v.<.........%..6.O.......R..g.}.i.?.Vh.....?..[..C{
.h.-%......s.\..:.M.p.K..u.5....c...X.>..........m.........._.%.d9k
L....t..t..N...#...|..VV.2...w.....X.W:^.:.S...n6....E=...$.i......(.j
.}[email protected]./.....U.u.-.U\..../B......;[email protected]....=.'.~Jm0t<c.
]...-....D...~......<...X....&....Ky%..j...[...Nk.6.....7.._.e!h...
........T7(q..q..v.J=c.^..............--.>......=.....n."...("....0
.Z..<... .q!.`.....N...Z....b.....g.,..UjA.j..7{.H...Pa.. /...l(...
S.j.Q0.u`...LcthJ.. .BN..............P....e...BPZ...W.I...........Sc.j
.!..'..d>c.....xV..2.i#.Z...#j >wa.......[.Y.../.6.g.j'.m...y..O
.\..W.....ar.J~..B...0...........~1M....].......;f...>>$...h.{..
....>zpI/...!>........0...f..ez.....b..!.....X....R..H.l|.r9.#'.
...x..1.A.qy.......M......Y&}..I...-} ..X.....(..17(...EJ.l..T..(8;.`.
..8o.{..r@..]..Z.......^n...vy.3S....%^'....)..nDeg..'.1. $....C...x..
t...x.d#.......t...?...N.N.............%`..Kc....#4.x....#.....9.ps.a.
q........G..R..........B... .S.K$......]..2..-..Hn..t'....4UA9P..69Q.'
.......2..d.<b.....{m....).dd...d.(..G.1`*.....<..ql.zs.On......
j..$..Fnf.T.Y........}.z....N.ZS.]........U)..K...xJFf........S....&.b
i..Mv.F..r....Z...`.~_........._ y.......(.b..f..m....R..k......se
<<< skipped >>>


GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:14:20 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473801260.0; expires=Sun, 12-Sep-2021 21:14:20 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473801260149679279; expires=Thu, 13-Sep-2018 21:14:20 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
GIF89a...................!.......,...........T..;..



GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1473801273.659D1AAC5EDE4F7778A89EBDB102E380.1.1.1.1.1.1.1.1.1; _ga=GA1.2.262329171.1473801273; _gat=1


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:14:25 GMT
Content-Type: image/png
Content-Length: 3856
Connection: keep-alive
Last-Modified: Tue, 10 Jun 2014 14:29:28 GMT
ETag: "a1bf2-f10-4fb7c27bc2200"
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
.PNG........IHDR.......L.....3.......gAMA....7.......tEXtSoftware.Adob
e ImageReadyq.e<....IDATx..].O....V^.....rI........c..F..M.y0..-H..
..P.KH\.-.%-....J.[...5..S.... R...c....K/O.w...........93svY..i..e..w
...}..}gvy..E?.Q..%....J...(Q.V.DaZ....JN........(.fL...cM.....Z...'..
...A.....k.x....8....E..O..;.W...f.q.X..l..=.....k................%...
fd)........,..J..G...!...m.Q...J.../..................Y,0.......%...S6
R..=..t.0..%...|(..?T.V.DaZ...i%.b>..6:.~.=..7.-*.g....y<.,4>
....W..jv.(...}...8..YdF.l. .,,~5s..X<..h~.p...'......b...[6.0.D.Ci
........ Bo.C]....g..........y.i.........]N....p$.-~}8..... .....n.z..
.$~.9.).........P.....g....!.':.J..O...X.U.?:..#.g.{ .^......L..0..I..
"H<.5.u0...n^.3.ER.<......ZI......*f..... .fN.......q.n.........
.........Z.0.A.m|@.v. .uI......u........Y...u.t..........db...L.......
T.=21...8.(......i.$......y4...t:....(.`sG.H..Q...&...u.<..2L..Wl..
5...9...<. I....d...P.._h..n....MA7Y.....'..FsZ?....kH.l.s.<.QD.
...$q>lK...`1....x.Ha ^....L..W.#.C....._1...."^..6..WRz...4..z`.Ch
|R..H....:1..C..o. ........8..8.$...;..,..N.....S..O......W":.).}...IR
!.F8`=..lc..9n...O~a.....k7^[email protected].....
.............2..NmX...&.h.......f) ....;?...b8.~.>L..../.....C.l.Pf
g..............0..4k>.f.k-....X.9!a>.0.i.b.....$h.;.b.....`.32.T
r...bx.".:5K00..9..h...a........l....U..M..Z3..v..:....<:E........ 
#./...4p.y.....b....u.f.#[*e%.%p....|RO.dP\[email protected]......
....X.{.m0.k..T.O.?<&.M....C...6o.9..C..Pd.,.......O..`5.L.xP,.
<<< skipped >>>


GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1473801260.0; is_visitor_unique=1473801260149679279


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:14:24 GMT
Server: PWS/8.1.38
X-Px: ht h0-s1087.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Wed, 14 Sep 2016 04:00:03 GMT
Age: 18861
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
...........]{s....*....F.,.-..o..M6....$...eQ$%s,.Z..c-}..u7@..<3{u
[email protected]..............]...K.%.<L....f...U...\..i.
<..g.f.%.q........O.J.CH..v.....N.H.M..zQ-J..`.'f.*~0....sj....C...
.....l....di|..4t..H........-...;.P.f^...EM....4..I.=.~....e..e..W>
.]..Wt...v..I..Wym.;...y....'....W._;.}.f..#...'.4Lj.:...bv.....&Z.p.&
.&.5.n#sN....X'[..........5-h.n.x..G.5....h...mp.....5..[..G.}.~....&.
...d.%i..G..4....b..h......<.q..c... J....{bTZ\M.w.r.1.Bf...y.l....
v.gQ...v.e./O.....Fi..H..;.Z.Y.a{Os-.A..c.b.c.{.a.....bln|{..t.....:|.
....~......R.eEV..-:h.xwS...Zf..*cHC,...K....p..4i.9.k>..P6[.Q.....
.$|...._.;...Em..itPa......P..Gj.. .5.  G..1m.....Ee...F70..ZUU&.&.?.&
gt;..r.Opc.........MQ<....=9(.v..^.Z<.;C....{....v..v:..N..{8.V;
........a.......v'.......w:...y..... ..^v../.8....W..7...o..IBV..%e...
c.Qt...6M.k.".j.o.E[.;..(#.$...#..T*. .......K/M..S..X.;(`..v.Fx||4...
..............#_.y..]./.y...?.....U...... ..][email protected].?.H.ha8.b.*.
.EE.tx,j.....,.H..;.^...Ps....\.D.A...._..M...`.K...$k....^......j5t..
.......J.G,kt..6:}.I....v%..g.).([......Rlh.F.E..P(...h.U...:.@k>D.
..y.($V.P..B.u[n...[.@u2...;r^.E./..u....-k.......u....K....w...`U....
g^.l....*.1N.....8|.b..R.N.N..yq.s......?..m.m~..^...m.<cT. ....g.c
...E.-.?...O.|O. /Z*l...../46..;......h...8..p....m......&..MD.[.f\...
.'..e..C.*.n..#[email protected].,6<,.:..8,.OA...V.`.Pa
[..~v3.Qn...7W..^@[...../ m.t..%.......r$...>-k...{..U .h.r.._...UN
....3../....O..N.............p....5.<....2GM..C3|.q^w.....,....
<<< skipped >>>


GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=659D1AAC5EDE4F7778A89EBDB102E380&sc_random=0.20449616123269593&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1916&h=902&camefrom=http://VVV.govids.net/page-2.html?lid=937115&u=http://VVV.govids.net/page-2.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: is_unique=sc10114910.1473801260.0; is_visitor_unique=1473801260149679279


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:14:25 GMT
Server: Apache/2.2.3 (CentOS)
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1473801260.0-10675947.1473801265.0; expires=Sun, 12-Sep-2021 21:14:25 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1473801260149679279; expires=Thu, 13-Sep-2018 21:14:25 GMT; path=/; domain=.statcounter.com
Content-Length: 49
Connection: close
Content-Type: image/gif
GIF89a...................!.......,...........T..;..



GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive


HTTP/1.1 303 See Other
Date: Tue, 13 Sep 2016 21:14:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1573&c=000000ffffff&p=
Set-Cookie: uid=CgH9I1fYbCwfAxOxBJI3Ag==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..



GET /itd.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 21:14:21 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>..<head>..<title>a</title>..</head>
;..<body>..<script language="JavaScript" type="text/javascrip
t">..<!--..function reeadCookie(name) {..  var nameEQ = name   "
=";..  var ca = document.cookie.split(';');..  for(var i=0;i < ca.l
ength;i  ) {..    var c = ca[i];..    while (c.charAt(0)==' ') c = c.s
ubstring(1,c.length);..    if (c.indexOf(nameEQ) == 0) return c.substr
ing(nameEQ.length,c.length);..  }..  return null;..}..function uapcc()
 {..//var paathname = reeadCookie('tvrg_60409');..//if (paathname.subs
tring(0, 2) == '"4') {..//eraseCookie("tvrg_60409");..var date = new D
ate();..date.setTime(date.getTime()   (60 * 1000));..var times = Math.
floor(Date.now() / 1000);..//document.cookie = "tvrg_60409=1," times "
;domain=.tremorhub.com;path=/;expires=" date.toGMTString() "";..docume
nt.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";..//
}..}..setInterval(function() {..uapcc();..}, 90);..setInterval(functio
n() {..uapcc();..}, 90);..setInterval(function() {..uapcc();..}, 90);.
.setInterval(function() {..uapcc();..}, 90);..//-->..</script>
;..<meta http-equiv="refresh" content="300">..</html>HTTP/
1.1 200 OK..Date: Tue, 13 Sep 2016 21:14:21 GMT..Server: Apache/2.2.22
 (Win64) PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-Length: 1118..K
eep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: t
ext/html..<html>..<head>..<title>a</title>..&l
t;/head>..<body>..<script language="JavaScript" type="
<<< skipped >>>


GET /draw/?w=colored&n=1573&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.bruindorsett.pw/index5.php?id=23A02WlAAIZtj6PUScs4&date=2016-09-04&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9I1fYbCwfAxOxBJI3Ag==
Connection: Keep-Alive
Host: widgets.amung.us


HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Tue, 13 Sep 2016 21:14:21 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Thu, 13 Oct 2016 21:14:21 GMT
Cache-Control: max-age=2592000
629...PNG........IHDR...Q...........p.....PLTE...EEEYYY...???,,,...AAA
........................;<=CCC......$$$...abdWXZ.........444......G
GG............'((.........""".........uvyEFG.........kln...NNN>>
>.........~~.vwx...hhi.........OPQ......VVV...iii.........uvv...opp
......UVV...RRR...............WWW............bcc...ijj}~~......dee....
.....qqq~~~............QQQ...]^^PPP.........TTTaaa.........zzz...___..
....HHHrss.........kllJJJDDDBBB...III......eee...............LLLNOO...
......@@@tttkkkvvv:::......|||........................FFF.........?@@6
66ppprrr......uuu............888......111............000...lll......XY
Z(((&&&hhhfff   cdeZ[\788...dddccc.........nnn.........ZZZXXXVVV[[[mmm
^^^\\\]]]```gggxxxjjj..][email protected]...@IDATH....[.A........)R;@....
.2k:..J........$.,;(1Kk...",K4.,..2..A.c..]....G>?...w..3..,EQ....f
m.)../.N.....K....g..hCJ..../.v........fc./.f.c...M.......2...zD}.GB].
..4.....F....?`...K.Q....J.......5J.4.J..e.../..r....j.%..1..%...h9..B
.D...>.,,,@.Q!.!..........,u..J..{.p[u..*.!......T.\..<.Y.W..Fi.
%#..1W!O...d.._$...4...si..i...3....\=.O.*G...:.D.".>N..1.......4.&
lt;B.S....:.....I.....S.R.y......];.fG\<.....a.1m..m[...h.m..6....o
g...X....6r.i.j.*.."M<. M..V......].... X.....a).....d...D.b.l..yh 
...Q.Qt%..W#`..7..R.j..8.....p..D....O......\...zf....s..F..P .M....S3
..Z.;]...!.Q....(q*..4....m...J.$.Dg. [email protected] .........3^3.....u.
................qh...B?\...a.hn.....L...-.N.Hd....`t.........{.?.. .aC
-...C..:h..e p..`..}....e....A.Z...e`H.).../6..@*..ng.Bp...*.1...(
<<< skipped >>>


GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-2.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 05:20:06 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Wed, 16 Aug 2017 05:20:06 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'



antiviral.exe_268:




.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw7.tmp\ExecCmd.dll
"%Program Files%\knowingly\shinjuku.exe"
cCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw7.tmp
nsw7.tmp
rogram Files\knowingly\shinjuku.exe"
q shinjuku.exe" | %SystemRoot%\System32\find /I "shinjuku.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw7.tmp
"%Program Files%\lice\antiviral.exe"
%Program Files%\lice
antiviral.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\lice\antiviral.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ce\antiviral.exe"
ingly\shinjuku.exe"






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    taskkill.exe:1304
    taskkill.exe:1980
    %original file name%.exe:1188
    antiviral.exe:268
    tasklist.exe:868
    tasklist.exe:776
    tasklist.exe:1432
    tasklist.exe:2040
    tasklist.exe:1996
    tasklist.exe:1780
    tasklist.exe:1976
    tasklist.exe:440
    tasklist.exe:616
    tasklist.exe:456
    tasklist.exe:1492
    tasklist.exe:1476
    tasklist.exe:1532
    tasklist.exe:1396
    tasklist.exe:1516
    tasklist.exe:528
    tasklist.exe:1012
    56942271.exe:1476
    65344.exe:820
    find.exe:964
    find.exe:1532
    find.exe:1488
    find.exe:1772
    find.exe:1340
    find.exe:1940
    find.exe:1044
    find.exe:1660
    find.exe:1992
    find.exe:492
    find.exe:1476
    find.exe:240
    find.exe:1032
    find.exe:236
    find.exe:1664
    find.exe:1036
    find.exe:1724
    find.exe:816
    find.exe:376
    

    2. 

  2. Delete the original Dropped file.
    3. 

  3. Delete or disinfect the following files created/modified by the Dropped:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\ShellLink.dll (4 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\tamarisk.lnk (491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\System.dll (11 bytes)
    %Program Files%\knowingly\shinjuku.exe (4524 bytes)
    %WinDir%\settings.dll (10945 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\65344.exe (1082 bytes)
    %Program Files%\knowingly\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\56942271.exe (3136 bytes)
    %Program Files%\knowingly\settings.dll (10945 bytes)
    %WinDir%\shinjuku.exe (4524 bytes)
    %System%\drivers\etc\hosts (123 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl2.tmp\AccessControl.dll (13 bytes)
    %Program Files%\lice\antiviral.exe (1040 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\page-2[1].htm (3942 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\collect[1].gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CA09CZSX.xml (813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\counter[2].js (1353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[3].xml (575 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAFHHU2T.xml (815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\player1[1].swf (13081 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CANB1RIB.xml (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[2].xml (645 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\css1[1].css (659 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\player1[1].swf (11257 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (608 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (318 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAIZCDMB.xml (814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\page-2[1].htm (3108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAEEF0LN.xml (777 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[2].xml (607 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[5].xml (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\itd[1].htm (1118 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\css1[2].css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index5[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (295 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[2].xml (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[4].xml (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAW2Z3B4.xml (815 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\count[1].htm (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[1].xml (704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[1].xml (628 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lbg[1].png (200 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[4].xml (687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CABI33J0.xml (797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CASVEDCL.xml (777 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAE705YB.xml (850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\analytics[1].js (353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[2].xml (616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[4].xml (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\func[1].js (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[3].xml (648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v[1].xml (654 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wau-widget[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo[1].png (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CASRY3GD.xml (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAOA0CTW.xml (771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ova-jw[1].swf (18153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\counter[1].js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAWZ016L.xml (771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CA4V2H0P.xml (728 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[4].xml (628 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (290 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jwplayer1[1].js (77495 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\syncnoad[5].xml (704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[1].xml (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\noad[1].xml (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[1].xml (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAGDU349.xml (737 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\syncnoad[3].xml (599 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAE6ADNN.xml (762 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CA6HF6BN.xml (823 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (14552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAJ6CJR9.gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\syncnoad[3].xml (652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CASGMQ2Z.xml (822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\syncnoad[2].xml (719 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CAU0HYN7.xml (777 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp\ExecCmd.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (5289 bytes)
    

    4. 

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):
    

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "grown" = "%Program Files%\knowingly\shinjuku.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amelia" = "%Program Files%\knowingly\shinjuku.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "sachs" = "%Program Files%\knowingly\shinjuku.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "physiotherapy" = "%Program Files%\knowingly\shinjuku.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "reaps" = "%Program Files%\knowingly\shinjuku.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "antiviral" = "%Program Files%\lice\antiviral.exe"
    

    5. 

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    
    127.0.0.1       localhost
    6. 

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    7. 

  7. Reboot the computer.
    8. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now