MD5: d8ee3f15f48d37992ae3099cb70ed925
SHA1: adba84e16a691482ca62592a5dd7b3578038b320
SHA256: f11d3778189be3023fc4fe81a86bd9037d3889553b4228fb7366d5e18aa92dc8
SSDeep: 12288:bv1rYcwfxfMMRinL94CXKaG0EBPdiYxlwH7OYDg55OLtN4glf07fZekVjjZ/:bNYNV3oeCaBBPnlwH7xDg5YLtdl879t/
Size: 675179 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

HOSTS file anomalies

The Dropped modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 987 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 574
87af60575e95350381303447cd2e0d96
20c8a6ad65741678811b2c237bb16945
65a13a31dbe7e56c2134cc493f259894
43c4d3919e3fe07d39c17c9ca03c641b
f6438182f74903501b9e811c42b99729
fea809d6716d998adfb34cfd6125612a
5cdb208da7db46ceceedfb679711121c
f435c6e5cb61cb1ac44324c583699b59
d3cbde328d39a2c1e2575b40ce55c760
6f506fb1b3a93309bcf93f568918f455
5bd3aa07499281f2411854c8ab627d98
9f6f9ebf66190eabc1feec9dbd368579
ae601d0db0bd6a842c2dedd8d8114f65
69b8edb9842897dc04b75d18aaf6811f
bee38720ccf33ea09185b0827a724a33
8a0876294e5f6e01011799b1a50412cc
4f2678eacecfe5cc36188561d2e7d705
65ca91af769e1c00d27b696740e70367
3f3659b621814b1f22516b525fae1374
88d3cf75c0afef5c3e0c98f11bf6bd1a
ddd2494a579aa1d1fa9de8f99e5449d4
c8e4ff75060b812799b290eb80987ab6
02bd31dbad87c333a479dd52b95432db
029b56fa6cbc32d68bc78c95027eddc1
4e34581286b9c11db85c0f15b565402d

URLs

URL	IP
hxxp://d232tmx7gh8bfo.cloudfront.net/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=
hxxp://d232tmx7gh8bfo.cloudfront.net/jquery.min.js
hxxp://c.statcounter.com/10114910/0/757d7213/1/	104.20.2.47
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png	67.202.94.86
hxxp://ww.kittensmanageability.pw/count.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=&rnd=1505868661000	162.222.193.17
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://cocomo.tremorhub.com/itd.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=
hxxp://widgets.amung.us/draw/?w=colored&n=2375&c=000000ffffff&p=	146.185.16.146
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j62&a=80748229&t=pageview&_s=1&dl=http://www.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1916x902&vp=695x408&je=1&fl=23.0 r0&_u=IEBAAEAAI~&jid=301837630&gjid=1726632960&cid=1540514881.1505868667&tid=UA-74694740-5&_gid=1020740853.1505868667&_r=1&z=1662035183
hxxp://cocomo.tremorhub.com/o.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27
hxxp://www.videojelly.com/watch-AiEKCBtBRZ.html	162.222.192.38
hxxp://www.videojelly.com/jquery.min.js	162.222.192.38
hxxp://www.videojelly.com/watch-A0PGihpySn.html	162.222.192.38
hxxp://www.videojelly.com/watch-A0PGihpySn.htm	162.222.192.38
hxxp://www.google-analytics.com/r/collect?v=1&_v=j62&a=80748229&t=pageview&_s=1&dl=http://www.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1916x902&vp=695x408&je=1&fl=23.0 r0&_u=IEBAAEAAI~&jid=301837630&gjid=1726632960&cid=1540514881.1505868667&tid=UA-74694740-5&_gid=1020740853.1505868667&_r=1&z=1662035183	172.217.20.174
hxxp://www.google-analytics.com/analytics.js	172.217.20.174
hxxp://www.kittensmanageability.pw/jquery.min.js	54.230.96.124
hxxp://www.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=	54.230.96.124
teredo.ipv6.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /count.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=&rnd=1505868661000 HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ww.kittensmanageability.pw

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:51:06 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Set-Cookie: sps=yes; expires=Thu, 20-Sep-2018 06:39:52 GMT; path=/

Set-Cookie: v_2017-09-19=yes; expires=Thu, 21-Sep-2017 00:51:06 GMT; path=/

Content-Length: 314

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html
...<meta http-equiv="cache-control" content="max-age=0" /><me
ta http-equiv="cache-control" content="no-cache" /><meta http-eq
uiv="expires" content="0" /><meta http-equiv="expires" content="
Tue, 01 Jan 1980 1:00:00 GMT" /><meta http-equiv="pragma" conten
t="no-cache" /><meta http-equiv="refresh" content="60">489380
HTTP/1.1 200 OK..Date: Wed, 20 Sep 2017 00:51:06 GMT..Server: Apache/2
.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By: 
PHP/5.3.13..Set-Cookie: sps=yes; expires=Thu, 20-Sep-2018 06:39:52 GMT
; path=/..Set-Cookie: v_2017-09-19=yes; expires=Thu, 21-Sep-2017 00:51
:06 GMT; path=/..Content-Length: 314..Keep-Alive: timeout=5, max=100..
Connection: Keep-Alive..Content-Type: text/html.....<meta http-equi
v="cache-control" content="max-age=0" /><meta http-equiv="cache-
control" content="no-cache" /><meta http-equiv="expires" content
="0" /><meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00
:00 GMT" /><meta http-equiv="pragma" content="no-cache" /><
;meta http-equiv="refresh" content="60">489380..

GET /default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t= HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.kittensmanageability.pw

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 917

Connection: keep-alive

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

Content-Encoding: gzip

Date: Wed, 20 Sep 2017 00:51:00 GMT

Vary: Accept-Encoding

X-Cache: Miss from cloudfront

Via: 1.1 13581d7aed721f7c03ffea74b6e6901c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: EWWajt2PPo_WghSVtIIBScI4oH-Zi4SPe4E3VLYOTqoOvzHcdwkp8g==
...........U[o.6.~/....a.fY.6...r.K.d..C3l...Z:..I.BR..$.}....E.t.. ..
.s...jQ..Y.j..r......6`s....W....vS...6..M.x;}...[.n..BI..]..s( ..Z...
.[..6.L.....4EK l.......^$c^kU.H...r].......';%}..l..wg.^K....9]>..
0...%..U. ..o|.?{!..u(q....G[...t....k.eIr..[.;.O a.. ...l..U.......Z.
B.j..U PJ....j4....5t./ .g4"...ke.7.8..-....}.A.a.]...P.*z......)[..Fw
bt.S...$a..c..B.h.....`j..3.....'.b...s.QR..j..>.Z...o."......T..d&
lt;p.....P....V.._..M.-......@.5.........`.......D*.".......}T.j......
........\..J_..u......xN......~u..]o..i..0.C..M..r....&.4....g..0r.[TT
`.R.nw..OX..W......d.g.r.V....M?..b!.h..6JC..s!..`dYthO.F...%.cT.k..C.
.'...A..{X]...l..!......~s2;I.....Vy....,........j..),.c....k...^oy...
.. D..H..... ^q'6.#.E..... ....@.v....b{^.8$1o{Y..I.$ .!...j@T....n..w
.:cd........Rl.... ..#...vwZ......mE..;.O.~19.9C7.x...\./.06.[.!.....,
;y..I..^.....e.%......?/?\].).8..xq..}..8.J%.s..c;..e.U........wq .#..
.5G.....L/X/....HTTP/1.1 200 OK..Content-Type: text/html..Content-Leng
th: 917..Connection: keep-alive..Server: Apache/2.2.22 (Win64) mod_ssl
/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..Content-Encoding: gzip..Date: Wed, 
20 Sep 2017 00:51:00 GMT..Vary: Accept-Encoding..X-Cache: Miss from cl
oudfront..Via: 1.1 13581d7aed721f7c03ffea74b6e6901c.cloudfront.net (Cl
oudFront)..X-Amz-Cf-Id: EWWajt2PPo_WghSVtIIBScI4oH-Zi4SPe4E3VLYOTqoOvz
Hcdwkp8g==.............U[o.6.~/....a.fY.6...r.K.d..C3l...Z:..I.BR..$.}
....E.t.. ...s...jQ..Y.j..r......6`s....W....vS...6..M.x;}...[.n..BI..
]..s( ..Z....[..6.L.....4EK l.......^$c^kU.H...r].......';%}..l..w
<<< skipped >>>

GET /jquery.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.kittensmanageability.pw

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Length: 3235

Connection: keep-alive

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

Last-Modified: Mon, 07 Aug 2017 21:44:13 GMT

ETag: "10000000a5fd9-1586-55630bf646540"

Accept-Ranges: bytes

Content-Encoding: gzip

Date: Sat, 16 Sep 2017 19:20:08 GMT

Age: 1989

Vary: Accept-Encoding

X-Cache: Hit from cloudfront

Via: 1.1 13581d7aed721f7c03ffea74b6e6901c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: lK5a0u81s4FnCYfIcIFIZ8TLxyR8AXD3Gymju41hNvYWozPPsy7ngw==
..........MX...H.}o..../..{lR"%..\.wI\DR\D...."n.N...G..;S0p..dFf,.Dd.
u0.Q......>.}.=...,..%..........K...2ea..v .f.w.eI..F..........?.~.
.....U.gu...Q..........^..._v..>....o_q...U.....>.....[..$<.U
....V..s"$a.....Hj.a. .I.............I..z.N-.F.4(m.................d..
...|.....3.U.6.d.....g.. o.v.{.?x.......'5.....mJ..=.$#|.E.L.....l&...
..S....S......=W..%}.EY.z..o.. o..FO.<....>c..:q3V...=V...P.....
::.N.......d..V.w.......z.c....X.h..t6`orw.. t`U7.ur( ...=Z..J..S..eja
@.>.,...N.8....yK.N\.............$..t..K....V.......a.j..-..v..<
..y.r"...<...]........5......|C. FF..Q2....5~v<.B~..r.....sjw.S.
.-.'..("o^.S..g...J.....b.2..*.w.|h5*.!"....._."....7..y..Zu.i..4...-/
-x.W._./>..F;. .6xb.v.,.q..T.(...Ef..iz.a?..[.c...3ay.....$.F......
s].U.....?Ez{.......:......d|.Q..f ......C.$......:.36...Y...X.u.`.D..
`....qn`........[."..-m.....N.e"h.2Cyl ...n.z.g."..T..|../T-....0}*.).
da[...^..b..5.n.}...&.o.'<h..o[8g......%...R<..3../......S.].A..
..i.*A~R#.i.V.|.*_.Kw...n,A.B....U.X..6..'K...q..."...E;..u.^.v%[..y.:
...>...|6S.b,.....ae...L..-W.F.v..d;OL.|}...n.(~......,d..~........
.. .....4.$...d.X.H....FT.C]A..#B1M'./.E...?...MoI..xHI......n...;.K..
@l.].........E...........tb..L.......j....o.X..sa..x..5.R.n..i../....l
s.....U....\w.].....n...yBT^0>6'nc......[.r..=..n..VLz...1...raMR.|
....T.~.\.........Ms...0.l*"....}..K.....I)2.d_Z.x&....-q]..8...z.H...
.l.tY"...k.....2..I..,..j..4..6Mpqf..C.o6..-..GxMPuw.LO....;8.v......O
;...........x...7o...s.!..C....C..-U=yT.....N....[3!O.l...n.;..y..
<<< skipped >>>

GET /analytics.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Timing-Allow-Origin: *

Date: Wed, 20 Sep 2017 00:23:31 GMT

Expires: Wed, 20 Sep 2017 02:23:31 GMT

Last-Modified: Tue, 12 Sep 2017 04:27:56 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 13799

Cache-Control: public, max-age=7200

Age: 1651
...........}iW....w~E..p.F8.P...fQJ)-C......%..2.I..y....%.r..s.[....y
k...=.....(.........D.Ax.8j'....OO..I}I...?....*.....M~.-V.....K.9]].S
...Q...Q..o..aG.Z.v=....b|..........N.j...............1..w.s..y[o.....
}...........'.g_.~.~.c!.U..\.t....g:..o...~U..k./6^..s....6O.F>6..T
.......3.^....yA..?....s ....I..w}....V.tAj....3q,../LM...rA]P.8.sJ.J&
..`.Nea.yD...V.z>..8.~..a'.....).0E......).#....9.k^.7..A`.....Nw..
.....p.<=......iQ.PMgz..E......g7s.6.....g[i......=;[l.?..I......:.
.q.~.k..m?..*.._^^.n.<...p......`M..'......v=|..e3MU"..[<.r..=..
.S5.pX.._....=.\....R......MX.......o...Q...J.Z.7*..0..M..6Q.m..T].4Ui
#Ob..9{T`[..p.....1*....R$VV...dV...~..>...ju..........e....O..-...
..i..MS^........8.......#O.T.......%]..z..%r....j....Qr....].O..0_....
Cr..=|v......=..Y...{.7.;S80-...s.._}.lm._..L0.X0}x.!.r..j.....L.,....
.2.A.h.E...........E...#..U...x.L&.*.mtw.R ..h..E.B......r_4|.y.......
."r.....,...........d."/..wi2R..9.i2.y%Y..3.{(......5Q......5_........
.Y........-7Y.....'...$.-.8.......d...g.i.0....3=..<...!......\2..x
.....p>....(8J...0.l.3....k...`X..s.v.0......w&,V......o.......yC.S
..`0.....>b..-..7j.O.y..h.^.#,P.1.f.... Z.-=N....yqyQ.....m\\,U."..
._...|.x...j....oV/......F .Wr.....z0..y......S.;z8.....u...&..km.E.u8
./.H<=m........ J..m..2....^....\.n..b..p.:a.|n.9.......6j0s.r.w...
C.V...L.ry..@.Eiv.E?.3..fKu.....z.B.B.........<F..bm.K.&.0...>tT
.";!...q...7u..!O_.0...Dx6.Hg4.......t.0....*.'[.e.6e].A...k^]..P.P...
....Gw.Oi..'..o!V...e.....,...f.:C.LeD...P............h...0...N...
<<< skipped >>>

GET /r/collect?v=1&_v=j62&a=80748229&t=pageview&_s=1&dl=http://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1916x902&vp=695x408&je=1&fl=23.0 r0&_u=IEBAAEAAI~&jid=301837630&gjid=1726632960&cid=1540514881.1505868667&tid=UA-74694740-5&_gid=1020740853.1505868667&_r=1&z=1662035183 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Wed, 20 Sep 2017 00:51:07 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Date: Wed, 20 Sep 2017 00:51:07 GMT..Pragma: no-cache..E
xpires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-sto
re, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-C
ontent-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2.
.Content-Length: 35..GIF89a.............,...........D..;..

GET /watch-AiEKCBtBRZ.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.videojelly.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:51:56 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: vjc=yes; expires=Thu, 20-Sep-2018 06:40:42 GMT; path=/

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Content-Length: 7676

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html
...<!doctype html><html class="no-js" lang="en"><head&g
t;<meta charset="utf-8"><meta http-equiv="X-UA-Compatible" co
ntent="ie=edge,chrome=1"><meta http-equiv="cache-control" conten
t="max-age=0" /><meta http-equiv="cache-control" content="no-cac
he" /><meta http-equiv="expires" content="0" /><meta http-
equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta h
ttp-equiv="pragma" content="no-cache" /><title>searchbox</
title>..<script language='javascript' type='text/javascript' src
='jquery.min.js'></script><script type="text/javascript"&g
t;if(window.location.protocol != 'http:') {  location.href = location.
href.replace("hXXps://", "hXXp://");}</script>..</head><
;body topmargin="0" leftmargin="0"><form action="watch-A0PGihpyS
n.html" method="get" name="redirect1"></form><div id="ab4j
8e7z5c1e7c1z5j8g7z5c1c1g7"></div>..<script language="JavaS
cript" type="text/javascript">if(location.href == top.location.href
){document.write('<p align="center"><a href="play.php?id=AiEK
CBtBRZ"> <font size="5" style="margin-left:auto;margin-right:aut
o;display:block;margin-top:22%;margin-bottom:0%">Continue to play&l
t;/font></a></p>');}</script>..<iframe framebo
rder='0' marginheight='0' marginwidth='0' scrolling='no' src='watch-Ai
EKCBtBRZ.htm' width='640' height='360'></iframe>..<script 
type="text/javascript">.. var rc = document.referrer.split('/')
<<< skipped >>>

GET /jquery.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.videojelly.com/watch-AiEKCBtBRZ.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.videojelly.com

Connection: Keep-Alive

Cookie: vjc=yes

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:51:57 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

Last-Modified: Mon, 01 May 2017 01:35:52 GMT

ETag: "300000001b19c-25c8b-54e6c718c2e00"

Accept-Ranges: bytes

Content-Length: 154763

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: application/javascript
if(typeof jwplayer=="undefined"){var jwplayer=function(a){if(jwplayer.
api){return jwplayer.api.selectPlayer(a)}};var $jw=jwplayer;jwplayer.v
ersion="5.9.2156";jwplayer.vid=document.createElement("video");jwplaye
r.audio=document.createElement("audio");jwplayer.source=document.creat
eElement("source");(function(b){b.utils=function(){};b.utils.typeOf=fu
nction(d){var c=typeof d;if(c==="object"){if(d){if(d instanceof Array)
{c="array"}}else{c="null"}}return c};b.utils.extend=function(){var c=b
.utils.extend["arguments"];if(c.length>1){for(var e=1;e<c.length
;e  ){for(var d in c[e]){c[0][d]=c[e][d]}}return c[0]}return null};b.u
tils.clone=function(f){var c;var d=b.utils.clone["arguments"];if(d.len
gth==1){switch(b.utils.typeOf(d[0])){case"object":c={};for(var e in d[
0]){c[e]=b.utils.clone(d[0][e])}break;case"array":c=[];for(var e in d[
0]){c[e]=b.utils.clone(d[0][e])}break;default:return d[0];break}}retur
n c};b.utils.extension=function(c){if(!c){return""}c=c.substring(c.las
tIndexOf("/") 1,c.length);c=c.split("?")[0];if(c.lastIndexOf(".")>-
1){return c.substr(c.lastIndexOf(".") 1,c.length).toLowerCase()}return
};b.utils.html=function(c,d){c.innerHTML=d};b.utils.wrap=function(c,d)
{if(c.parentNode){c.parentNode.replaceChild(d,c)}d.appendChild(c)};b.u
tils.ajax=function(g,f,c){var e;if(window.XMLHttpRequest){e=new XMLHtt
pRequest()}else{e=new ActiveXObject("Microsoft.XMLHTTP")}e.onreadystat
echange=function(){if(e.readyState===4){if(e.status===200){if(f){if(!b
.utils.exists(e.responseXML)){try{if(window.DOMParser){var h=(new 
<<< skipped >>>

GET /watch-A0PGihpySn.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://VVV.videojelly.com/watch-AiEKCBtBRZ.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.videojelly.com

Connection: Keep-Alive

Cookie: vjc=yes

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:52:00 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Content-Length: 7676

Keep-Alive: timeout=5, max=98

Connection: Keep-Alive

Content-Type: text/html
...<!doctype html><html class="no-js" lang="en"><head&g
t;<meta charset="utf-8"><meta http-equiv="X-UA-Compatible" co
ntent="ie=edge,chrome=1"><meta http-equiv="cache-control" conten
t="max-age=0" /><meta http-equiv="cache-control" content="no-cac
he" /><meta http-equiv="expires" content="0" /><meta http-
equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta h
ttp-equiv="pragma" content="no-cache" /><title>searchbox</
title>..<script language='javascript' type='text/javascript' src
='jquery.min.js'></script><script type="text/javascript"&g
t;if(window.location.protocol != 'http:') {  location.href = location.
href.replace("hXXps://", "hXXp://");}</script>..</head><
;body topmargin="0" leftmargin="0"><form action="watch-A3hg1GxCq
U.html" method="get" name="redirect1"></form><div id="ab2j
4e3z5c6e3c6z5j4g6z5c6c6g6"></div>..<script language="JavaS
cript" type="text/javascript">if(location.href == top.location.href
){document.write('<p align="center"><a href="play.php?id=A0PG
ihpySn"> <font size="5" style="margin-left:auto;margin-right:aut
o;display:block;margin-top:22%;margin-bottom:0%">Continue to play&l
t;/font></a></p>');}</script>..<iframe framebo
rder='0' marginheight='0' marginwidth='0' scrolling='no' src='watch-A0
PGihpySn.htm' width='640' height='360'></iframe>..<script 
type="text/javascript">.. var rc = document.referrer.split('/')
<<< skipped >>>

GET /watch-A0PGihpySn.htm HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://VVV.videojelly.com/watch-A0PGihpySn.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.videojelly.com

Connection: Keep-Alive

Cookie: vjc=yes

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:52:03 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Content-Length: 44

Keep-Alive: timeout=5, max=97

Connection: Keep-Alive

Content-Type: text/html
...3<meta http-equiv="refresh" content="10">HTTP/1.1 200 OK..Dat
e: Wed, 20 Sep 2017 00:52:03 GMT..Server: Apache/2.2.22 (Win64) mod_ss
l/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By: PHP/5.3.13..Cache-Co
ntrol: no-store, no-cache, must-revalidate, max-age=0..Cache-Control: 
post-check=0, pre-check=0..Pragma: no-cache..Access-Control-Allow-Orig
in: *..Access-Control-Allow-Credentials: true..Content-Length: 44..Kee
p-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text
/html.....3<meta http-equiv="refresh" content="10">..

GET /watch-A0PGihpySn.htm HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.videojelly.com

Connection: Keep-Alive

Cookie: vjc=yes

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:52:25 GMT

Server: Apache/2.2.22 (Win64) 

GET /itd.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t= HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cocomo.tremorhub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:51:07 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 706

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html
<html>..<head>..<title>a</title>..</head>
;..<body>..<script language="JavaScript" type="text/javascrip
t">..<!--..function uapcc() {..document.cookie = "tvrg_60953=;do
main=.tremorhub.com;path=/;expires=-1";..}..setInterval(function() {..
uapcc();..}, 90);..setInterval(function() {..uapcc();..}, 90);..setInt
erval(function() {..uapcc();..}, 50);..setInterval(function() {..uapcc
();..}, 90);..//-->..setInterval( "onl()", 120000);function onl(){i
f(document.images){document.images['onlv'].src = 'o.php?id=07A0pcr0r2G
SYF3E79DZ&date=2016-10-27&r='   Date.parse(new Date().toString());}}..
</script><div style="visibility:hidden"><img name="onlv
" src="o.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27"></div>.
.</html>HTTP/1.1 200 OK..Date: Wed, 20 Sep 2017 00:51:07 GMT..Se
rver: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..
X-Powered-By: PHP/5.3.13..Content-Length: 706..Keep-Alive: timeout=5, 
max=100..Connection: Keep-Alive..Content-Type: text/html..<html>
..<head>..<title>a</title>..</head>..<body&
gt;..<script language="JavaScript" type="text/javascript">..<
!--..function uapcc() {..document.cookie = "tvrg_60953=;domain=.tremor
hub.com;path=/;expires=-1";..}..setInterval(function() {..uapcc();..},
 90);..setInterval(function() {..uapcc();..}, 90);..setInterval(functi
on() {..uapcc();..}, 50);..setInterval(function() {..uapcc();..}, 90);
..//-->..setInterval( "onl()", 120000);function onl(){if(docume
<<< skipped >>>

GET /o.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27 HTTP/1.1

Accept: */*

Referer: hXXp://cocomo.tremorhub.com/itd.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cocomo.tremorhub.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:51:11 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Content-Length: 3

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: text/html
...HTTP/1.1 200 OK..Date: Wed, 20 Sep 2017 00:51:11 GMT..Server: Apach
e/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-B
y: PHP/5.3.13..Content-Length: 3..Keep-Alive: timeout=5, max=99..Conne
ction: Keep-Alive..Content-Type: text/html.......

GET /watch-A0PGihpySn.htm HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.videojelly.com

Connection: Keep-Alive

Cookie: vjc=yes

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:52:15 GMT

Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13

X-Powered-By: PHP/5.3.13

Cache-Control: no-store, no-cache, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

Content-Length: 44

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html
...3<meta http-equiv="refresh" content="10">HTTP/1.1 200 OK..Dat
e: Wed, 20 Sep 2017 00:52:15 GMT..Server: Apache/2.2.22 (Win64) mod_ss
l/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By: PHP/5.3.13..Cache-Co
ntrol: no-store, no-cache, must-revalidate, max-age=0..Cache-Control: 
post-check=0, pre-check=0..Pragma: no-cache..Access-Control-Allow-Orig
in: *..Access-Control-Allow-Credentials: true..Content-Length: 44..Kee
p-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: tex
t/html.....3<meta http-equiv="refresh" content="10">..

GET /draw/?w=colored&n=2375&c=000000ffffff&p= HTTP/1.1

Accept: */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Cookie: uid=CgH9H1nBu3az0zrDCmzUAg==

Connection: Keep-Alive

Host: widgets.amung.us

HTTP/1.1 200 OK

Server: nginx/1.9.6

Date: Wed, 20 Sep 2017 00:51:03 GMT

Content-Type: image/png

Transfer-Encoding: chunked

Connection: keep-alive

Content-Disposition: filename=wau-widget.png

Expires: Thu, 21 Sep 2017 00:51:03 GMT

Cache-Control: max-age=86400
651...PNG........IHDR...Q...........p.....PLTE...EEEYYY...???,,,...AAA
..................;<=$$$...............abdWXZ...444................
..GGG............'((..."""FFF......222.........uvyEFGLLL...<<<
;...kln...NNN>>>.........~~.vwx...hhi.........OPQ............
VVV...iii......uvv...opp......UVV...RRR......WWW.....................b
cc...ijj}~~......dee...~~~.........qqq............]^^PPP.........TTTaa
azzz.........{{{...HHHrss.........kllJJJDDDBBBeeeIII............CCC...
...NOO.........@@@tttkkkvvv:::...|||...........................;;;....
.....?@@666ppprrr......888...............uuu..................000...ll
l......XYZ(((&&&hhhfff   cdeZ[\788...dddccc.........nnn.........ZZZXXX
VVV[[[mmm^^^\\\]]]```gggxxxjjj).R.....tRNS.@..f...hIDATH....[.@....8.I
..E..=*....[A..h\u.B.`...B..B..(...U.....-H....i.R.}...!...K>.K..a.
...~...[...V.....5~.)J...~.. Egu.....tU...7~...7.W.../_.......>1v{i
I).........PR$0...6....[..7....&S....hk.......m.g....6>..'..y.#.>
;...G.....R........{w.m...-.....y>.j..&_....I.3...F..q..Q.rWh}....K
.w.jqq..ovx.....<LS..o.5...I..s....4%.I...N..Zx*........'$.A.26b.1{
..#.1...,.. ...V! ..z...S.^..e.`\.....r..9w.........mQ..\$S.u..f3...-.
....r....8!..-0...Y...r.r..e..$.Z..X......E..OK....V....p..l.......z.~
....4[? b&..g.$.D.75g:..u.....>3..T.l...:BX. I.%.p@..'..8a.........
`c(...Q..4..R...RE_B0v..RF...5*u..hD@.1j...2[5<V..}F..n1.:.2.......
c...P.F.V.L.....X..O8R....]4|...L. . ."6.F@..A.X..M;a.....W.s....Z.^.=
.K..A......!..b.....U3...."Uj2y9.<g...s...i..%....|q..N.....R..
<<< skipped >>>

GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: whos.amung.us

Connection: Keep-Alive

HTTP/1.1 303 See Other

Date: Wed, 20 Sep 2017 00:51:02 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: close

Set-Cookie: liebrowser1=2375; expires=Wed, 20-Sep-2017 00:56:02 GMT; Max-Age=300; path=/; domain=whos.amung.us

Location: hXXp://widgets.amung.us/draw/?w=colored&n=2375&c=000000ffffff&p=

Set-Cookie: uid=CgH9H1nBu3az0zrDCmzUAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..

GET /10114910/0/757d7213/1/ HTTP/1.1

Accept: */*

Referer: hXXp://VVV.kittensmanageability.pw/default1.php?id=07A0pcr0r2GSYF3E79DZ&date=2016-10-27&p=none&t=

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: c.statcounter.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Wed, 20 Sep 2017 00:51:02 GMT

Content-Type: image/gif

Content-Length: 49

Connection: keep-alive

Set-Cookie: __cfduid=d65f2373ce03230b62972396a8c7000411505868662; expires=Thu, 20-Sep-18 00:51:02 GMT; path=/; domain=.statcounter.com; HttpOnly

P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Set-Cookie: is_unique=sc10114910.1505868662.0; expires=Mon, 19-Sep-2022 00:51:02 GMT; path=/; domain=.statcounter.com

Set-Cookie: is_visitor_unique=1505868662281660803; expires=Fri, 20-Sep-2019 00:51:02 GMT; path=/; domain=.statcounter.com

Server: cloudflare-nginx

CF-RAY: 3a10cb42e3968af8-KBP
GIF89a...................!.......,...........T..;HTTP/1.1 200 OK..Date
: Wed, 20 Sep 2017 00:51:02 GMT..Content-Type: image/gif..Content-Leng
th: 49..Connection: keep-alive..Set-Cookie: __cfduid=d65f2373ce03230b6
2972396a8c7000411505868662; expires=Thu, 20-Sep-18 00:51:02 GMT; path=
/; domain=.statcounter.com; HttpOnly..P3P: policyref="hXXp://VVV.statc
ounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"..Expire
s: Mon, 26 Jul 1997 05:00:00 GMT..Set-Cookie: is_unique=sc10114910.150
5868662.0; expires=Mon, 19-Sep-2022 00:51:02 GMT; path=/; domain=.stat
counter.com..Set-Cookie: is_visitor_unique=1505868662281660803; expire
s=Fri, 20-Sep-2019 00:51:02 GMT; path=/; domain=.statcounter.com..Serv
er: cloudflare-nginx..CF-RAY: 3a10cb42e3968af8-KBP..GIF89a............
.......!.......,...........T..;..

The Dropped connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

Gw2.Hw

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

ers\"%CurrentUserName%"\AppData\Local\Temp\nsj6596.tmp\ExecCmd.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj6596.tmp\ExecCmd.dll

"%Program Files%\refurnished\nymphs.exe"

p\ExecCmd.dll

.reloc

EnumWindows

ExecCmd.dll

Kernel32.DLL

e%uy%u

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj6596.tmp

nsj6596.tmp

rogram Files\refurnished\nymphs.exe"

ecCmd.dll

phs.exe" | %SystemRoot%\System32\find /I "nymphs.exe"

\Users\"%CurrentUserName%"\AppData\Local\Temp\nsj6596.tmp

"%Program Files%\overflight\cottony.exe"

%Program Files%\overflight

cottony.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nso5198.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

%Program Files%\overflight\cottony.exe

Software\Microsoft\Windows\CurrentVersion\Run

Windows\

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

flight\cottony.exe"

rnished\nymphs.exe"

taskeng.exe_1804:

.text

`.data

.rsrc

@.reloc

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-Debug-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

API-MS-Win-Core-File-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-Interlocked-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Core-ThreadPool-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

ole32.dll

OLEAUT32.dll

RPCRT4.dll

KERNEL32.dll

d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp

Session::ChannelMsgReceived

d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp

d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp

d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp

StopJobMsg

StartJobMsg

ClientPipeName

Invalid parameter passed to C runtime function.

d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp

TaskScheduler.log

j%Xf;

d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp

API-MS-WIN-Service-Management-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

ADVAPI32.dll

SHELL32.dll

SHLWAPI.dll

SspiCli.dll

XmlLite.dll

MPR.dll

RegOpenKeyTransactedW

RegCloseKey

RegOpenKeyExW

RegNotifyChangeKeyValue

RegCreateKeyExW

FindExecutableW

MsgWaitForMultipleObjects

EnumThreadWindows

EnumWindows

GetProcessWindowStation

_wcmdln

_amsg_exit

GetProcessHeap

SetProcessShutdownParameters

TaskEng.pdb

version="5.1.0.0"

name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"

<requestedExecutionLevel

8 8$8(878

3=4Z4w4

=!=(=0=4=?=>>

5 5U5_5

5b6u6

-131J1X1o1}1

=$=<=\=|=

Password

hXXp://schemas.microsoft.com/windows/2004/02/mit/task

ieframe.dll

%SystemRoot%\SYSTEM32\cmd.exe

%SystemRoot%\System32\Tasks

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake

WindowSeconds

InitializeCmdlineProcessing()

pCrimson provider registration failed for taskeng, hr=0x%x

CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]

InteractiveTokenOrPassword

%d.%d

%s, (%d)

hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout

hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate

hXXp://schemas.microsoft.com/cdo/configuration/sendusing

hXXp://schemas.microsoft.com/cdo/configuration/smtpserver

201ef99a-7fa0-444c-9399-19ba84f12a1a

C:\Windows\SYSTEM32\cmd.exe

6.1.7601.17514 (win7sp1_rtm.101119-1850)

taskeng.exe

Windows

Operating System

6.1.7601.17514

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Delete the original Dropped file.
   
2. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.