Gen.Variant.Kazy.13028_ee7e30b265

by malwarelabrobot on September 29th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.13028 (B) (Emsisoft), Gen:Variant.Kazy.13028 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ee7e30b265ac501ac0631223000817b0
SHA1: 9b6be88c4df15423b8ca43c95e63af6e80f688bf
SHA256: 95b831e6a3d20e18ae04bfba93e293aa3aee120861acc31f2ee1fc90c77b6fba
SSDeep: 6144:d56Ulpb1FKg0PqQBOr5ENq/9QoT6ieTOtaNOb3vMQ4EoWgy:d56WF30P19CzrUObf0zW5
Size: 290816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1999-06-09 06:23:57
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3676

The Trojan injects its code into the following process(es):

taskhost.exe:252
Explorer.EXE:284
Dwm.exe:528
TPAutoConnect.exe:2068
conhost.exe:2076
conhost.exe:3440

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\SOFTWARE.LOG1 (13239 bytes)
C:\Windows\AppPatch\vmbtrl.exe (2005 bytes)
C:\Windows\System32\config\SOFTWARE (15561 bytes)
C:\Windows (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\463.tmp (0 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"10f5f7ed" = "YM3&}=—ZîÚ¹ªáZfhÆi?—[üþ{ò:Ã’ 㬓š²©#ú;³³Ñšqr{¬´3A#jÆ’2r Ù9².²Ãt‚¾súžÂ2¡D’*ŒÛDö¶¬ƒj~ž2›©š’ ’î#nN¬dLRÛ«j¢avÜd~›Å Cò6ÂË‹S±ãR«9±iù,©ÖŠÉŠÁV‚B‚Žž¹êÊ~Ê|[뺛AC‹ùéì>aÆâ‘¤Ù{²âƒi ™ÒRKf‹¾ûÌúB™Š‚cN¾;ğÁÑDZ©4Fd1“[ŒËʱù«i A’ãƒjË ‰†üÓásñQÆ¡"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Windows\apppatch\vmbtrl.exe_, \??\C:\Windows\apppatch\vmbtrl.exe"

Dropped PE files

MD5 File path
51268d47dda811475b9e498813a5ad42 c:\Windows\AppPatch\vmbtrl.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in USER32.dll:

SendInput
GetClipboardData
GetMessageW
TranslateMessage
GetMessageA
GetWindowTextA

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExW
InternetReadFileExA
InternetReadFileExW
InternetQueryDataAvailable
InternetReadFile
InternetCloseHandle

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
WSARecv
send
recv
WSASend

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 21693 22016 4.47534 3ccce39e1d85c1ff3cd3394fb84b55fc
.rdata 28672 4066 4096 3.5399 d9a6c3c2a833f92cbec00164b7f4e3c7
.data 32768 739487 260608 5.46245 32d24c7752327eb5c30d0b762bc0a800
.rsrc 774144 3032 3072 0 d2a70550489de356a2cd6bfc40711204

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://fodakyhijyv.eu/login.php 23.253.126.58
hxxp://mamixikusah.eu/login.php 104.27.137.34
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEBaH1oht4jAGhSM9vxG/ZZc=
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc=
hxxp://cs9.wpc.v0cdn.net/pki/mscorp/crl/MSIT Machine Auth CA 2(1).crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://crl.comodoca.com.cdn.cloudflare.net/AddTrustExternalCARoot.crl 104.16.91.188
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBEqAG035RBv1sp8w++6zBg=
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= 23.43.139.27
hxxp://foxivusozuc.eu/login.php 23.253.126.58
hxxp://ryqecolijet.eu/login.php 23.253.126.58
hxxp://xuqohyxeqak.eu/login.php 23.253.126.58
hxxp://kefuwidijyp.eu/login.php 23.253.126.58
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 2.20.254.201
hxxp://nopegymozow.eu/login.php 23.253.126.58
hxxp://crl.comodoca.com/AddTrustExternalCARoot.crl 104.16.91.188
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 2.20.254.201
hxxp://cihunemyror.eu/login.php 23.253.126.58
hxxp://lyvejujolec.eu/login.php 23.253.126.58
hxxp://t2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEBaH1oht4jAGhSM9vxG/ZZc= 23.43.139.27
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl 93.184.220.20
hxxp://rynazuqihoj.eu/login.php 23.253.126.58
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= 23.43.139.27
hxxp://ciliqikytec.eu/login.php 23.253.126.58
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 2.20.254.201
hxxp://jewuqyjywyv.eu/login.php 23.253.126.58
hxxp://tucyguqaciq.eu/login.php 23.253.126.58
hxxp://jefapexytar.eu/login.php 23.253.126.58
hxxp://evsecure-ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBEqAG035RBv1sp8w++6zBg= 23.46.123.27
hxxp://qeqinuqypoq.eu/login.php 23.253.126.58
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 2.20.254.201
hxxp://gadufiwabim.eu/login.php 23.253.126.58
hxxp://fokyxazolar.eu/login.php 23.253.126.58
hxxp://lyruxyxaxaw.eu/login.php 23.253.126.58
hxxp://mscrl.microsoft.com/pki/mscorp/crl/MSIT Machine Auth CA 2(1).crl 93.184.221.200
hxxp://xukovoruput.eu/login.php 23.253.126.58
hxxp://nojejecebuw.eu/login.php 23.253.126.58
hxxp://marytymenok.eu/login.php 23.253.126.58
hxxp://kemocujufys.eu/login.php 23.253.126.58
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 96.17.196.83
hxxp://gatedyhavyd.eu/login.php 23.253.126.58
www.betitall.com 104.20.32.171
puzutuqeqij.eu 95.211.174.92
www.bing.com 204.79.197.200
citapytakic.eu
nojycutalop.eu
foqotihalun.eu
nofagoteveg.eu
pumugoviwod.eu
nomocykyqiq.eu
rynovaqidef.eu
kefobojexyl.eu
tupycegubej.eu
makolacynyd.eu
xugokixofen.eu
qexeholagav.eu
disojawogaw.eu
nomedefajys.eu
xubysaxywil.eu
puvomegagep.eu
tucipipumig.eu
kevedorozup.eu
jenokirifux.eu
kericoxojil.eu
tufecagemyl.eu
masawocipel.eu
gadinubidyp.eu
cidyrecavok.eu
fobuvohevor.eu
disovyhityp.eu
novacofebyz.eu
pumawuqahun.eu
fodutazenaf.eu
cihakotihuz.eu
digumihurit.eu
xubehuxunag.eu
qetohiqyvoz.eu
novewecoliv.eu
vocuzikubal.eu
ganudasajov.eu
tuporupajun.eu
vowuqykecij.eu
nofemumodoz.eu
gacucuhumeg.eu
cihaqokiwel.eu
lysygyjytad.eu
vonokutuwah.eu
lyxesyrecoj.eu
kejepujajeg.eu
tuwyjyvymuq.eu
rydurevohed.eu
qebifopalaz.eu
masisokemep.eu
lyxonadituw.eu
lysenenyxis.eu
rylodoqakal.eu
xudevunymex.eu
nozubacezyb.eu
nofexekakuk.eu
ryqanylofuq.eu
nopolomojen.eu
nofyjikoxex.eu
nopuputyboh.eu
jefejurenyp.eu
vocoqafajyw.eu
tunyzylazuj.eu
nofoletezup.eu
pujibylityp.eu
digusebyvad.eu
galupehudev.eu
norowetunuj.eu
dimevuwevuj.eu
pumocelexec.eu
puzecypigyw.eu
gatequsiryg.eu
xudutoxakur.eu
dirutewaled.eu
pupatololoz.eu
xuxanexusov.eu
ryteqipogoz.eu
rylunupumit.eu
xubifaremin.eu
dikofuhybym.eu
fobirybakes.eu
tulojigakit.eu
voniqofolyt.eu
rynudepebur.eu
galerywogej.eu
ryqyqequsud.eu
foqinywenec.eu
jecumenunoq.eu
cicafykemaj.eu
qeguhapyrer.eu
dikatahyqar.eu
qedixogazen.eu
cicynefogic.eu
qeqekepokul.eu
pupodylahej.eu
puvugulynum.eu
gaturuzuqyx.eu
gaqyqewymow.eu
dixesywyruc.eu
rynikulokop.eu
maganomojer.eu
maravatudur.eu
pujepigeviz.eu
lykujedofod.eu
marugofazez.eu
qederepuduf.eu
qetityluruj.eu
digijusekyg.eu
divejezumes.eu
divulewybek.eu
tulyrylynyc.eu
xudiherodos.eu
tucumyvipys.eu
kepatixidyg.eu
jejedudupuc.eu
novugukupap.eu
jejecyxyvex.eu
volebatijub.eu
dimulisuqun.eu
vofozymufok.eu
pumytugofup.eu
qedefulywoh.eu
lyrefanyril.eu
keraborigin.eu
pupucuvymup.eu
pujejavakav.eu
fotoxysupyd.eu
disugezejac.eu
gadoposuwif.eu
kejywajazok.eu
galokusemus.eu
vocebufazap.eu
vofubimipeg.eu
mamitumyvig.eu
citonocebyl.eu
kezapyjolek.eu
ryqepiqiror.eu
lykonurymex.eu
rynyhipexon.eu
rynoryguwuh.eu
fodylowahif.eu
jelojujopen.eu
masafytunux.eu
nozulufynax.eu
maxemocexar.eu
qeqyvulidox.eu
norebituwez.eu
nopiwatyqul.eu
puvopalywet.eu
fobexawumov.eu
xutufojisyl.eu
mamunekuryd.eu
makanytezih.eu
pupymavyvow.eu
nopodykecoc.eu
maxyvycebid.eu
xugelurisep.eu
xuderadezuv.eu
volocecaluk.eu
divywysigud.eu
gadedozymiz.eu
jewokedokaw.eu
qedutivosob.eu
foqaqehacew.eu
xukuqyruwoq.eu
qeqeqalitek.eu
jefogixuqyn.eu
xuxorixurez.eu
fobyqyhezem.eu
ciqivutevam.eu
qedevuqelug.eu
jewemurutyj.eu
mavaxokitad.eu
divesosisor.eu
norygumekon.eu
xuquranifir.eu
marefomecef.eu
rytuvepokuv.eu
lykiwaryvuk.eu
kemimojitir.eu
dixilibaxop.eu
gahunawahik.eu
fokikebyvaj.eu
novomyfexij.eu
tujomalumav.eu
nopujokelek.eu
lygumujycen.eu
qetunopifef.eu
pufyjulogih.eu
magusecutuk.eu
rylefogohan.eu
foxofewuteq.eu
tufamugevih.eu
cicokokyvyf.eu
ryturilidom.eu
vofirefumuj.eu
gatifowyciv.eu
rycypolavag.eu
volyrukupoq.eu
jenegodelur.eu
gatykibojig.eu
kefyjuxiwap.eu
qedylaqecel.eu
marosokubew.eu
kemipynunap.eu
qekuxovuqal.eu
masovufohoh.eu
tujaculurim.eu
xukyhudokex.eu
qeqohevazud.eu
fodavibusim.eu
fotitezycas.eu
qekusagigyz.eu
lyvesiduneb.eu
fogeliwokih.eu
fokafobeqix.eu
rynucalagew.eu
lykegynahom.eu
gacokahurol.eu
foqyvyzuqeh.eu
kevutodybuk.eu
xubolyjazaq.eu
tuwiqelages.eu
lyruterodiq.eu
foxehehywef.eu
cilakyfaloq.eu
puvacigakog.eu
fogokozazit.eu
lymoxuxelam.eu
qekikyvutic.eu
ganycyhywek.eu
rynepevymuc.eu
ryciqavuqav.eu
maxyjofytyt.eu
tuwobiloloh.eu
gaqaneziwoc.eu
gacypizohut.eu
cinazetybiq.eu
jewujenezac.eu
vofukykojos.eu
marynicosol.eu
nozydemutik.eu
makexotevyl.eu
vowokafopyv.eu
vowypikelaf.eu
pumadypyruv.eu
jeluganusog.eu
xudoxijiwef.eu
kemybarodiv.eu
makiwemihiw.eu
noveditifan.eu
makymykakic.eu
lyvularekud.eu
kemadedevak.eu
puzulugelyh.eu
fodyfuzexyp.eu
cilupakuquk.eu
qegynolyzow.eu
dixyjohevon.eu
digenowipib.eu
kepabydokas.eu
purumulazux.eu
tucebygodym.eu
gatonazytab.eu
lyvoxajohul.eu
cihipifebep.eu
lymyfenumij.eu
ryqudigyqog.eu
lyrosajupid.eu
qebequgyqip.eu
tuwypagupeb.eu
makagucyraj.eu
vowidimajaz.eu
rylyzevipyw.eu
gatecebofas.eu
tuwiduqotug.eu
divoxehaceb.eu
qedoqyvoguq.eu
digalyzohyx.eu
jeloperajov.eu
fodihywalyj.eu
cicezomaxyz.eu
marylefajuj.eu
lygegoxidul.eu
xubeqidudyh.eu
fotyriwavix.eu
cileretirus.eu
pupiwopexof.eu
tufozequwyd.eu
purodogidot.eu
fotekuhagyx.eu
cihevykupoc.eu
tucakaqalav.eu
kemawonywig.eu
jecocinywut.eu
jeceraxaxol.eu
xugosedaloc.eu
direfiwahur.eu
lyxilunogem.eu
jewezexigaf.eu
nojudymiwuh.eu
lysowaxojib.eu
qetaseqyquv.eu
lyrojunynah.eu
gahocuwalyc.eu
dixagowunol.eu
foxalihynut.eu
mavasatokyf.eu
dimoxuzynup.eu
jelybodybuf.eu
jecuzojitub.eu
tupazivenom.eu
lymajaxecir.eu
xutohonutyn.eu
citahikodab.eu
norupamaxur.eu
kevajerajoq.eu
ciqycicunaz.eu
cidufitojex.eu
pumumagojef.eu
rytecyvaxuj.eu
kepyxujycaz.eu
xuxukanoluf.eu
xudosorihug.eu
cinenikekar.eu
direwyzexem.eu
xutaquxelat.eu
vocijekyqiv.eu
lyvamynipox.eu
cinorufifac.eu
kefilyrymaj.eu
galyzabunoc.eu
tufigolidat.eu
nofuwufutom.eu
tupamapazer.eu
masytoturen.eu
vocumucokaj.eu
ryhyruqeliz.eu
cilynitiseg.eu
puzydaqybad.eu
ciqofymosip.eu
qegefavipev.eu
kepymexihak.eu
qexanevymyk.eu
cidacomutur.eu
tufapovakak.eu
maxifakofyk.eu
jecoqedevod.eu
cilyzycojod.eu
jefozaryciw.eu
dimyfebidec.eu
citifemifif.eu
ryqukavecek.eu
citykimipat.eu
lykuvuxureg.eu
puzoxyvojyc.eu
cidinymuqom.eu
xuxuqodopef.eu
qegelupumum.eu
xutityjigac.eu
qetyrypopup.eu
tunupegirec.eu
dixemazufel.eu
noretekyvuv.eu
citydekohiw.eu
disisizazim.eu
keralanyxiq.eu
vopogakakud.eu
gaqozosodul.eu
novixamymyf.eu
ciqirokajyr.eu
digivehusyd.eu
tujizipipiz.eu
puvewevodek.eu
dirosehijel.eu
tuwezovyvov.eu
citizufurah.eu
qeqaxupogog.eu
dixuwusodut.eu
lygananavof.eu
jenoqujumez.eu
xutevexecif.eu
pufexalopas.eu
xuguxujytej.eu
lyselojumyr.eu
magowymafum.eu
nozapekidis.eu
dikiwewutav.eu
vojopumuqot.eu
ciqukecywiv.eu
qegovyqaxuk.eu
qebolelofyc.eu
jejajaduwok.eu
vonabakyvyk.eu
tucijalexaj.eu
qedosiputot.eu
tuwaguguwux.eu
vofogucyxoz.eu
kefidaxupif.eu
divinuheluz.eu
xuqonerekij.eu
cilodamenub.eu
qegytuvufoq.eu
jepazunalyx.eu
pumebeqalew.eu
qebysovexaf.eu
vojomekisuw.eu
volaqutodox.eu
pupegeqifev.eu
vonujicitat.eu
qexusulakiq.eu
xutyrurojah.eu
nofotycywos.eu
cihyfafexuw.eu
marixecoguv.eu
vofapacebuv.eu
dimomawezod.eu
puzomipipin.eu
nomojatudyn.eu
jepycudijyq.eu
lyvevonifun.eu
tulekuvigij.eu
rydohyluruc.eu
vonerymekix.eu
lymevyrajas.eu
qekafuqafit.eu
xuqiloxyvyf.eu
tulugiqezib.eu
gaduzehokar.eu
cinidofopyk.eu
puzapelumaq.eu
kemuxurohym.eu
tufydopogab.eu
vopuqicyneb.eu
ryhadyvigis.eu
vococumecan.eu
dikuvizigiz.eu
fokalesaxav.eu
foxyxubecuh.eu
puralevuqes.eu
jewararuqid.eu
ryhoqagoxyr.eu
ryqofuvenoc.eu
ryhuzilywax.eu
gacarisekub.eu
nozejimuqag.eu
kepypirutyx.eu
foxusyzosex.eu
jewucidafyb.eu
jefamyjejat.eu
pumojopymol.eu
gaqirahebof.eu
gatahohalir.eu
novubymyvip.eu
rydufupipug.eu
mavogutogip.eu
xudakejupok.eu
disytisycil.eu
lykatojexub.eu
vonodecidid.eu
tulimolywan.eu
lyxemoxyquf.eu
puvixoqezor.eu
nozomotokyt.eu
vofecokoder.eu
digyxywifyq.eu
tulyboputal.eu
jewidonevin.eu
fogisysemyq.eu
gahekisybyr.eu
xuboninogyt.eu
teredo.ipv6.microsoft.com
masenucifoc.eu
mavulymupiv.eu
tunodavuqew.eu
jefyqynofaj.eu
rydeqegekeq.eu
tufyquvaxic.eu
qekorelelyq.eu
keretejuraw.eu
rytozygyvup.eu
lyrynixakyn.eu
jepuderymas.eu
pufobogyqan.eu
citeqotacyn.eu
xubuvojajyb.eu
fodoqebirac.eu
lyvoguraxeh.eu
xugiqonenuz.eu
qebukypahyh.eu
vojeqamutuf.eu
fokuquwifys.eu
qebonuqirin.eu
kevacijopet.eu
dixonesohed.eu
xuqufyduras.eu
kezituraxep.eu
nomimokubab.eu
ryqozapaleb.eu
jepemadodiv.eu
nozecafycyk.eu
mamajocahab.eu
ryhohovosar.eu
lygyxeruqoc.eu
vocakemenir.eu
qexofyqihid.eu
purupoqogob.eu
nojepofyren.eu
magygicumof.eu
divotabofov.eu
ciqapomogyg.eu
kejilodirub.eu
qekyhugisih.eu
ryhevelynyj.eu
lyxyjijajel.eu
magivakelev.eu
lyrimirohyp.eu
divyviwyxuf.eu
pufepepazyd.eu
rylakegodyc.eu
tupepulofup.eu
fotinosuwir.eu
gahihezenal.eu
puregivytoh.eu
dimasyhageh.eu
dixexehyzex.eu
cilavocofer.eu
rycaropynar.eu
jenabejurov.eu
cinycekecid.eu
vojacikigep.eu
fodixohofiz.eu
cihuzucagot.eu
dirojubusux.eu
kepiwodagyr.eu
volekymyvum.eu
puzewilurip.eu
ryloqulebih.eu
nozoxucavaq.eu
qekenilacap.eu
masygekevuq.eu
dirixabirok.eu
jeluzydyqej.eu
qexoligupag.eu
kejogydideq.eu
jepogejebak.eu
xutekidywyp.eu
dikoniwudim.eu
gacezobeqon.eu
vocerocofyf.eu
qegosegodej.eu
mavejykidij.eu
qexetupezix.eu
vojizitoken.eu
norijyfohop.eu
rydinivoloh.eu
kezoxenitoj.eu
xukeladoguk.eu
pufucaqurak.eu
jenujoxojug.eu
pujulapohar.eu
jenerunybem.eu
nomugacogyk.eu
rytifaquwer.eu
masimafoded.eu
mamylotifat.eu
xudunudeveq.eu
ganepebeloj.eu
tujydygelyp.eu
rylupalyxad.eu
diravasymob.eu
tujurogacag.eu
qexiveguwys.eu
keradijumyn.eu
jefubonokiz.eu
cicucifokym.eu
makatokagal.eu
qequroquweb.eu
fogixezajaq.eu
rynenogupez.eu
xuxyxynahop.eu
tujigevojyj.eu
lyrelydevac.eu
kevopoxecun.eu
xuxusujenes.eu
vopazumosoh.eu
jepororyrih.eu
puvedupuquz.eu
pujuduvaxim.eu
dimutobihom.eu
nojogefumuc.eu
jeniceripoj.eu
cidizakisuv.eu
tupyjoqirof.eu
nomytifazah.eu
rycucugisix.eu
vonupyfogiq.eu
jejykaxymob.eu
tupikogyqoz.eu
keryxadalid.eu
xudylenyrob.eu
ganuqibevux.eu
kemygexaxab.eu
cilicofahev.eu
jejopiniduh.eu
xukorejymod.eu
ganazywutes.eu
lysuxinebyg.eu
rynafivyvol.eu
dikymezosaj.eu
tujeqoqybar.eu
cidediceleg.eu
gaquviwyrup.eu
vojugycavov.eu
foqykasisof.eu
cidaqyfynos.eu
ciqanukaxas.eu
kefaxyjebav.eu
ryqivypahux.eu
foqurowyxul.eu
fokovisekyz.eu
kezubaxemor.eu
vowezacuryr.eu
foguhosecib.eu
ryceziqofig.eu
rycovuvutiq.eu
kemojidezyf.eu
xubateditid.eu
purijygirem.eu
jelimixecuz.eu
xukenyxitox.eu
puvutaputeb.eu
kejitanokon.eu
cihocytodoh.eu
tunicyqokuv.eu
puzigagacal.eu
noralycifok.eu
xuqykodumyw.eu
qegarigohox.eu
xubirenosiq.eu
tunarivutop.eu
kemelixakyz.eu
fokisohurif.eu
tunujolavez.eu
mavinifenam.eu
dirugihofug.eu
lykysonalut.eu
tujajepifyv.eu
xuqotujodaz.eu
lysovidacyx.eu
gaqofubakeh.eu
puryxepenek.eu
digegazolan.eu
kerijudacyj.eu
gahoqohofib.eu
nomebemenid.eu
disafuwokis.eu
ryqehegubes.eu
lymunyjigak.eu
maxotikojax.eu
nopexifigep.eu
vofomifyrex.eu
digowibymih.eu
rydacoqybob.eu
galodiwosuf.eu
makujafiqyq.eu
qetekugexom.eu
tunakupycut.eu
gadohyzyvah.eu
jelekynurep.eu
divamubojum.eu
tupibevecev.eu
xuxoferyvuc.eu
kejudunogex.eu
lyravodezyl.eu
purowuqokuq.eu
tulaqypiqyh.eu
vojedufynoj.eu
jejigenitos.eu
vonezukemac.eu
pujotiqunif.eu
qebexequsyw.eu
fogavewogad.eu
kezigojohuf.eu
volugomymet.eu
rycodypycym.eu
mamomamymyl.eu
vopudetezuq.eu
xuxivydifoj.eu
tunymoqofol.eu
gahipyhopax.eu
maxilumiriz.eu
lysumedalik.eu
nozitytogim.eu
gahyfesyqad.eu
nofucemihub.eu
lysafurisam.eu
xuqaxiraxyx.eu
magalukacom.eu
lymewijosyf.eu
masijemaxud.eu
cinyhotyqyt.eu
ganikuzosem.eu
vocygytirij.eu
rycuheqojyk.eu
gadurabotiw.eu
novylakuwyw.eu
vofydatacut.eu
cidykatafuj.eu
lyxuworenuz.eu
vowucotyqyg.eu
foqahabofoq.eu
fokyhyhumap.eu
tucoqepyryk.eu
qetoxagekec.eu
maxagamisyb.eu
cinepycusaw.eu
vojubetafuc.eu
jecijyjudew.eu
pufotyvecyq.eu
marawukyqos.eu
dirynozebot.eu
fokenuzohym.eu
gacuhawipod.eu
gahuzuzecyg.eu
jepikijexyg.eu
cidohukigeq.eu
ciciqacidir.eu
voporitevet.eu
foqilozutoz.eu
gahadyburaq.eu
kepegaruqik.eu
xuqesunipam.eu
galicasevor.eu
cinafocuryb.eu
masuximakot.eu
tucadilebix.eu
pujycupodyn.eu
ryhekoputag.eu
gaquduhexet.eu
nojibukojoj.eu
jecygyrogec.eu
kefatenahic.eu
xuxetiryqem.eu
tucyroviwir.eu
volimucagog.eu
vowagufifam.eu
jepuqoxupit.eu
galavozaxog.eu
kejycirenuh.eu
lymigadybiv.eu
fobonobaxog.eu
fotaqizymig.eu
dikolobeliw.eu
magofetequb.eu
fogynahidal.eu
magymofigeg.eu
vojykocezel.eu
lygofodagud.eu
pupexuguwun.eu
foderasyqaw.eu
nomuxytirix.eu
nofidocyner.eu
lygujirupum.eu
makififupap.eu
rylicepyryf.eu
kepicynezam.eu
disenybuqyj.eu
tucyzogojat.eu
cihyrimymen.eu
gacenysacew.eu
lygetudokej.eu
qequfygycuq.eu
qeketaqojyf.eu
pufiluqudic.eu
fogytubuwyx.eu
cicypucitan.eu
tupudyqusuj.eu
galefihituz.eu
jenyzexodop.eu
lymosudyqym.eu
maxuwitalag.eu
jelaqirozum.eu
galuhubywum.eu
xutoxedyniq.eu
jecekorosuk.eu
xukisijycer.eu
qeqilivejor.eu
nojotomipel.eu
cituvafumyd.eu
vopepukaxej.eu
tuwikypabud.eu
lyvitexemod.eu
xutulenuqix.eu
puvybivihox.eu
lysisuxofaz.eu
qedakalyned.eu
rydyvigecot.eu
purebupycug.eu
lymylorozig.eu
xubukyrecax.eu
magetyfisus.eu
dixotuzipuh.eu
qekovipynan.eu
voledokuwev.eu
fobahizipux.eu
cicavemejih.eu
rydopapifel.eu
tunegapenef.eu
qetuluvolos.eu
nomawimecat.eu
ciqehefitij.eu
gacovybybec.eu
pumelilebon.eu
disumesenyv.eu
qebahilojam.eu
jenupydaces.eu
divufozutog.eu
kevybunureh.eu
novopicahal.eu
qeqotogemet.eu
qedunygajux.eu
kerowyripac.eu
vojajofyced.eu
ryleryqacic.eu
nojuletacuf.eu
makysimodan.eu
rycefelelys.eu
foxyqosajol.eu
puvojyqevus.eu
vonymomaxyb.eu
pufagipajit.eu
keryginebyp.eu
voworemoziv.eu
xukafinezeg.eu
pumipuvupuj.eu
jefecajazif.eu
mavywefycyc.eu
kejamerecos.eu
tulacavosad.eu
tufibiqunit.eu
maxaxyfumim.eu
mamasufexix.eu
cinivamolil.eu
mamyfycoliq.eu
gaciduwifuh.eu
mavitacazyw.eu
pupoliqotul.eu
fobatesohek.eu
marimutitom.eu
lyvufixyvet.eu
vopejamogul.eu
kefucoruvyd.eu
lymutinutyz.eu
ganofazigor.eu
fobifisoduf.eu
vowemytybip.eu
dimewohokol.eu
nopetucumot.eu
lygivejynow.eu
qetevavahew.eu
puzubovafik.eu
qexukoqodar.eu
qegiqiqakof.eu
jewypojynil.eu
kezeceduwov.eu
vofejutalom.eu
qeburuvenij.eu
gaqecizupun.eu
xugutynyxoh.eu
jejubyrexeq.eu
ryhuneqevyv.eu
jejomejoled.eu
lyxufejazov.eu
fobykuwyruq.eu
gaqehysohec.eu
lygowunezep.eu
kezydorekuw.eu
gadekewexac.eu
ryhipugajim.eu
gatuvesisak.eu
fokytowipiw.eu
foxirozigon.eu
foxikiwiqub.eu
nojaxicyxon.eu
pufuwygybyx.eu
kepolonavit.eu
lykemujebeq.eu
ganovowuqur.eu
rytahagemeg.eu
dikexosajif.eu
kerumyxofah.eu
nofypafiqev.eu
kezajonifuz.eu
kefeminalyn.eu
cicidutuwap.eu
fogefobunik.eu
kefypadofiw.eu
dikegybecys.eu
tuwucopexot.eu
vopibycywow.eu
xuxehajexuw.eu
qetoqolusex.eu
mamevetopym.eu
volojifebeh.eu
qeguxylevus.eu
kezywuxyven.eu
gaherobusit.eu
xugefexojow.eu
rytukuqunun.eu
rytonovejof.eu
kevigyxelox.eu
kepujajynib.eu
gatopuwenyq.eu
cicaratupig.eu
pupujeguper.eu
dikujysozyk.eu
rydekyqyquw.eu
kevimudyqec.eu
jepobanagij.eu
jewobuxisyt.eu
dixuvebakeq.eu
ganenihynug.eu
xukuxaxidub.eu
jefudidiryl.eu
magijityboz.eu
cihihacakuf.eu
jefiredisav.eu
jejeqorekuv.eu
jejurijogut.eu
tuwaraqidek.eu
fogaruhityg.eu
xugavariruq.eu
diselahidaf.eu
fodasusuvyn.eu
voluzefexus.eu
gadyvuhagyn.eu
jecaduxakeh.eu
xuqeqejohiv.eu
digofasexal.eu
tujybuqeqis.eu
fotasawezak.eu
xugynajuquf.eu
fotulybidyq.eu
pujamyqywyk.eu
mavyvomuqal.eu
norumikemem.eu
cinuqumahag.eu
lykolexusol.eu
lyxaxududes.eu
nojuwakofed.eu
qexyqapevyb.eu
foqesibojup.eu
tufukelityq.eu
lyvywyduroq.eu
vocupotusyz.eu
norococitef.eu
nozogikirar.eu
rytydelitec.eu
galoqyzajep.eu
dimigesupew.eu
ciqydofudyx.eu
nopymecurud.eu
kevylejigod.eu
vopycyfutoc.eu
foxanabelod.eu
cilihumecox.eu
kejaxoxuqut.eu
pujoxolufag.eu
jeledajifor.eu
tulipeqevyw.eu
tuniqigison.eu
lyrugujiqat.eu
gadaqusupyj.eu
jepepyxiwam.eu
nopabefipuq.eu
lyxotyxubop.eu
fotyfahokab.eu


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Ransomware Tracker Reported CnC Server group 198
ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD/yl6nWPkczAQUe1tFz6/Oy3r9MZIaarbzRutXSFACEBaH1oht4jAGhSM9vxG/ZZc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: t2.symcb.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1504
content-transfer-encoding: binary
Cache-Control: max-age=569610, public, no-transform, must-revalidate
Last-Modified: Thu, 28 Sep 2017 05:46:29 GMT
Expires: Thu, 5 Oct 2017 05:46:29 GMT
Date: Thu, 28 Sep 2017 15:35:18 GMT
Connection: keep-alive
0..........0..... .....0......0...0.........@e!.t.....4...,.#..2017092
8054629Z0s0q0I0... ........0..k....&..p..^.X.....{[E....z.1..j..F.WHP.
.....m.0..#=...e.....20170928054629Z....20171005054629Z0...*.H........
.....V$......02.....M|&...K...b.\D$D..hf.........,^,'.P7.%.]-...k..3..
.G...w...<..82~.e9-..zi7=.......").y.G..O.......W.....|PHS.}.8.C...
..~.E9.2..Z8.....Q......t.......!......r..D...WV.....b....c...~t.S..`.
.....$p..fA. 8.4.~...9..@..w..#......xp. ..1...m..........0...0...0...
.......j!.....&.....t.T0...*.H........0..1.0...U....US1.0...U....thawt
e, Inc.1(0&..U....Certification Services Division1806..U.../(c) 2006 t
hawte, Inc. - For authorized use only1.0...U....thawte Primary Root CA
0...161122000000Z..171214235959Z0_1.0...U....US1.0...U....thawte, Inc.
1907..U...0thawte Primary Root OCSP Responder Certificate 50.."0...*.H
.............0..........s..O..W>.....2......n..z...U.......i..Ie...
].O..._.{q.`;..........C.S.....W.1.....|.Y}....2..s.H..q....*z:|2..]..
.F.j.....jq...#.."[.9..4-k...r....Y.?......f.K.......73...v.].......y.
...N_......0.b..:.a...'G..".(.x...;8d#>j.}......j..Bu....3.@..h...Z
..........j0h0...U.%..0... .......0... .....0......0...U.......0.0...U
...........0"..U....0...0.1.0...U....TGV-OFF-510...*.H.............1..
.....9...4...;.xC%:W.J.....c...o..J.E.]%{j......^).~..qX.....iK..1vv..
..R._....&.O.%.(.|........S;5. ..A.&....)....D*uwKz1..V.....n....>.
..a..|......W..1:....Rl..s/.......\n.e...%E.. ...G.PIP.$.8.p.."...$?e.
.....\...u.;...-......D".|h...>6rO. ......Hd~...

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:27 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /pki/mscorp/crl/MSIT Machine Auth CA 2(1).crl HTTP/1.1
Cache-Control: max-age = 6793
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 Nov 2013 23:37:31 GMT
If-None-Match: "b61f5b26b7e4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: mscrl.microsoft.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-MD5: PC/LpWf3m7ZNoFodP8tYfA==
Content-Type: application/octet-stream
Date: Thu, 28 Sep 2017 15:35:51 GMT
Etag: 0x8D48E5CB3E8E42A
Last-Modified: Fri, 28 Apr 2017 17:33:37 GMT
Server: ECAcc (vie/4424)
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 715ae7c5-001e-001b-676d-3869e2000000
x-ms-version: 2009-09-19
Content-Length: 163018

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: marytymenok.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Fri, 22 Sep 2017 22:03:52 GMT
Accept-Ranges: bytes
ETag: "014e8acee33d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 53978
Date: Thu, 28 Sep 2017 15:35:17 GMT
Connection: keep-alive
X-CCC: PL
X-CID: 2

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBEqAG035RBv1sp8w++6zBg= HTTP/1.1
Cache-Control: max-age = 471678
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 28 Nov 2013 01:44:29 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: evsecure-ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=548380, public, no-transform, must-revalidate
Last-Modified: Wed, 27 Sep 2017 23:50:45 GMT
Expires: Wed, 4 Oct 2017 23:50:45 GMT
Date: Thu, 28 Sep 2017 15:35:58 GMT
Connection: keep-alive

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 20 Sep 2013 05:02:11 GMT
If-None-Match: "96d8890beb5ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Length: 550
Content-Type: application/pkix-crl
Content-MD5: SCIDPj1 uAajgaJ7G6JUVg==
Last-Modified: Sat, 02 Sep 2017 02:02:30 GMT
ETag: 0x8D4F1A6AAF5F76D
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e6a93b18-001e-00c9-46b3-37d7ba000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 28 Sep 2017 15:35:52 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/WinPCA.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Oct 2013 05:02:51 GMT
If-None-Match: "8071417b63bece1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Length: 530
Content-Type: application/pkix-crl
Content-MD5: Xiddt2GqWiOsZRr49sSgAA==
Last-Modified: Wed, 23 Aug 2017 20:46:54 GMT
ETag: 0x8D4EA6816A484B9
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 41792c98-001e-006a-2eb5-371bdb000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 28 Sep 2017 15:36:02 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1

Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Length: 554
Content-Type: application/pkix-crl
Content-MD5: r2YfvVy1jCaOMergg4WRGw==
Last-Modified: Fri, 28 Jul 2017 02:01:24 GMT
ETag: 0x8D4D55C8D18B94E
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 58fdf8e1-001e-00c5-26b3-37394b000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 28 Sep 2017 15:36:02 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Cache-Control: max-age = 808
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 09 Oct 2013 05:02:17 GMT
If-None-Match: "9c3f3dbaacc4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Length: 781
Content-Type: application/pkix-crl
Content-MD5: DuKntoQbuxCJhzNgbW8ahQ==
Last-Modified: Thu, 21 Sep 2017 05:01:19 GMT
ETag: 0x8D500ADCBF4659D
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: e6a93a89-001e-00c9-45b3-37d7ba000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 28 Sep 2017 15:36:05 GMT
Connection: keep-alive

<<< skipped >>>

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:17 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:36:07 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:17 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAKQll6RM0DNpmNM7zH3/Qc= HTTP/1.1
Cache-Control: max-age = 547348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 19 Nov 2013 21:12:41 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1664
content-transfer-encoding: binary
Cache-Control: max-age=375974, public, no-transform, must-revalidate
Last-Modified: Mon, 25 Sep 2017 23:56:27 GMT
Expires: Mon, 2 Oct 2017 23:56:27 GMT
Date: Thu, 28 Sep 2017 15:35:50 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1
Cache-Control: max-age = 363986
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 17 Nov 2013 16:06:48 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1454
content-transfer-encoding: binary
Cache-Control: max-age=385436, public, no-transform, must-revalidate
Last-Modified: Tue, 26 Sep 2017 02:36:28 GMT
Expires: Tue, 3 Oct 2017 02:36:28 GMT
Date: Thu, 28 Sep 2017 15:35:53 GMT
Connection: keep-alive

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kefuwidijyp.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:28 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:16 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ryqecolijet.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Sep 2017 15:35:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d74201bb8456411e7e091ee7a94ad3feb1506612916; expires=Fri, 28-Sep-18 15:35:16 GMT; path=/; domain=.mamixikusah.eu; HttpOnly
Location: hXXp://172.104.145.13:18001/in/pandora/
Server: cloudflare-nginx
CF-RAY: 3a57c58a77838b6a-KBP



POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: mamixikusah.eu
Content-Length: 9
Cache-Control: no-cache
Cookie: __cfduid=d74201bb8456411e7e091ee7a94ad3feb1506612916

....~7.~'
HTTP/1.1 302 Moved Temporarily
Date: Thu, 28 Sep 2017 15:35:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://172.104.145.13:18001/in/pandora/
Server: cloudflare-nginx
CF-RAY: 3a57c67eb23a8b6a-KBP


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyruxyxaxaw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:15 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: tucyguqaciq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xuqohyxeqak.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: kemocujufys.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /AddTrustExternalCARoot.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 19 Nov 2013 13:17:06 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.comodoca.com


HTTP/1.1 200 OK
Date: Thu, 28 Sep 2017 15:35:52 GMT
Content-Type: application/x-pkcs7-crl
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2b15c4c8f357fde77cdeec19a15765081506612952; expires=Fri, 28-Sep-18 15:35:52 GMT; path=/; domain=.crl.comodoca.com; HttpOnly
Last-Modified: Thu, 28 Sep 2017 12:13:31 GMT
ETag: W/"59cce76b-22b"
X-CCACDN-Mirror-ID: rmdccacrl3
Cache-Control: public, max-age=3600
CF-Cache-Status: HIT
Expires: Thu, 28 Sep 2017 16:35:52 GMT
Server: cloudflare-nginx
CF-RAY: 3a57c66b43bb8243-KBP

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gatedyhavyd.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: qeqinuqypoq.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ciliqikytec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jewuqyjywyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:14 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: cihunemyror.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:15 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: jefapexytar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fokyxazolar.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Thu, 28 Sep 2017 15:35:49 GMT
Etag: "200c0-f87-55a1ecc03a39a"
Last-Modified: Tue, 26 Sep 2017 22:00:01 GMT
Server: ECS (vie/F3BF)
X-Cache: HIT
Content-Length: 3975

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:54 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: foxivusozuc.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:52 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: fodakyhijyv.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gadufiwabim.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:12 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:13 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nopegymozow.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: xukovoruput.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:56 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: lyvejujolec.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:55 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: rynazuqihoj.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:35:51 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://VVV.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: nojejecebuw.eu
Content-Length: 9
Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found
Server: nginx 1.1.19
Date: Thu, 28 Sep 2017 15:36:07 GMT
X-Malware-Sinkhole: Arbor Networks
Connection: close


The Trojan connects to the servers at the following location(s):

taskhost.exe_252_rwx_01420000_00001000:

=Hplw).jwU

taskhost.exe_252_rwx_01510000_00001000:

=Hplw).jwU

taskhost.exe_252_rwx_01A20000_000B4000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

taskhost.exe_252_rwx_01B80000_000BA000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
ADM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\vmbtrl.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

Explorer.EXE_284_rwx_04B60000_000B2000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

Explorer.EXE_284_rwx_04DA0000_000B8000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
SYSTEM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\vmbtrl.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

Dwm.exe_528_rwx_01600000_000B4000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

Dwm.exe_528_rwx_016C0000_000BA000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
ADM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\vmbtrl.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current
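
The dumped strings above contain the bot's HTTP check-in format (`hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&...&socks_port=%u&hardware[driver_av]=%s`), the fixed User-Agent it sends, and the `/login.php`, `/search.php`, `/topic.php` paths. The following Python is an added example written for this page, not code from the sandbox report or from the malware: it turns those strings into a detection that runs over proxy log lines. The tab-separated log layout and the sample lines are constructed for the example, and it assumes the check-in travels over plain HTTP where the body is visible to the proxy; everything else (the field names, the User-Agent, the paths) is copied from the dump.

```python
"""Flag Shiz/Caphaw-style check-ins in proxy logs, using the strings from the dump.

Added example for this page; not part of the sandbox report or the sample.
"""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Field names taken from the format string in the dump:
# hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u
#   &local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
CHECKIN_FIELDS = frozenset({
    "hid", "username", "compname", "bot_version", "uptime", "os",
    "local_time", "token", "socks_port", "hardware[display]", "hardware[driver_av]",
})

# User-Agent copied from the dump. "MSIE 2.0" together with "Trident/4.0"
# (the IE8 engine token) is a combination no real Internet Explorer build
# sends, which makes the exact string a cheap, low-false-positive signature.
DUMP_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
)

# Request paths seen in the dump.
DUMP_PATHS = ("/login.php", "/search.php", "/topic.php")

# Constructed proxy log (not from the report). Columns, tab-separated:
# client_ip, method, path, user_agent, post_body (empty for GET).
SAMPLE_LOG = """\
10.0.0.5\tPOST\t/login.php\t{ua}\thid=0123abcd&username=SYSTEM&compname=WIN7-PC&bot_version=4.8.14&uptime=3600&os=6&local_time=2017-09-290&token=42&socks_port=1080&hardware[display]=1024x768@32&hardware[driver_av]=avp.exe
10.0.0.7\tPOST\t/login.php\tMozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0\tuser=alice&password=hunter2
10.0.0.9\tGET\t/search.php\t{ua}\t
""".format(ua=DUMP_USER_AGENT)


def parse_checkin(body: str) -> Optional[dict]:
    """Return the check-in fields if `body` is a form-encoded post carrying the
    full field set from the dump, otherwise None. parse_qs keeps the literal
    'hardware[display]' key, so no special handling of the brackets is needed."""
    fields = parse_qs(body, keep_blank_values=True)
    if not CHECKIN_FIELDS.issubset(fields):
        return None
    return {key: values[0] for key, values in fields.items()}


def suspicious_reasons(method: str, path: str, ua: str, body: str) -> List[str]:
    """Collect independent reasons a single request looks like the bot's traffic.
    The User-Agent match stands on its own; the body match is the stronger one."""
    reasons = []
    if ua == DUMP_USER_AGENT:
        where = " on a path from the dump" if path in DUMP_PATHS else ""
        reasons.append("user-agent identical to the dumped string "
                       "(MSIE 2.0 with Trident/4.0 is not a real IE build)" + where)
    if method == "POST":
        checkin = parse_checkin(body)
        if checkin is not None:
            reasons.append("check-in body: bot_version=%s socks_port=%s driver_av=%s" % (
                checkin["bot_version"], checkin["socks_port"], checkin["hardware[driver_av]"]))
    return reasons


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run the checks over every non-empty log line; return (client_ip, reasons) for hits only."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip, method, path, ua, body = line.split("\t", 4)
        reasons = suspicious_reasons(method, path, ua, body)
        if reasons:
            hits.append((client_ip, reasons))
    return hits


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

On the sample log the first host is flagged twice (User-Agent and full check-in body, including the `socks_port` the bot advertises and the AV process it reports in `hardware[driver_av]`), the ordinary Firefox login is not flagged at all, and the third host is flagged on the User-Agent alone. The field-set test deliberately requires every key from the format string, so a form post that merely happens to contain `login=` or `password=` (both also present in the dump as grabber markers) does not match.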

Dwm.exe_528_rwx_01930000_00001000:

=Hplw).jwU

Dwm.exe_528_rwx_019A0000_00001000:

=Hplw).jwU

TPAutoConnect.exe_2068_rwx_012D0000_000B4000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

TPAutoConnect.exe_2068_rwx_01B50000_000BA000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
ADM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\vmbtrl.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

TPAutoConnect.exe_2068_rwx_01DE0000_00001000:

=Hplw).jwU

TPAutoConnect.exe_2068_rwx_01F20000_00001000:

=Hplw).jwU

conhost.exe_2076_rwx_00500000_000B4000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

conhost.exe_2076_rwx_00950000_00001000:

=Hplw).jwU

conhost.exe_2076_rwx_00980000_00001000:

=Hplw).jwU

conhost.exe_2076_rwx_01740000_000BA000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
ADM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\vmbtrl.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

conhost.exe_3440_rwx_004C0000_000B4000:

.text
`.data
.reloc
`.rdata
@.data
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

conhost.exe_3440_rwx_009F0000_000BA000:

.text
`.rdata
@.data
.reloc
<>http
PASSu98V
PASSu08V
FTPQ
12345678
password1
monkey
monkey1
password
Pname.key
\secrets.key
kernel32.dll
\explorer.exe
user32.dll
multi_pot.exe
HookExplorer.exe
proc_analyzer.exe
sckTool.exe
sniff_hit.exe
sysAnalyzer.exe
idag.exe
ollydbg.exe
dumpcap.exe
wireshark.exe
avp.exe
Software\Microsoft\Windows NT\CurrentVersion
%s!%s!X
sysinfo.log
scr.jpg
minidump.bin
%d.%d.%d.%d
Ý %dh %dm
%s:%d
Software\Microsoft\Internet Explorer\TypedURLs
url%i
4.8.14
%dx%d@%d
%c%d:d
{Windows directory:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
93.191.13.100
drweb
eset.com
z-oleg.com
kltest.org.ru
.comodo.com
google.com
Dnsapi.dll
ws2_32.dll
Referer: hXXp://VVV.google.com
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
/search.php
Winmm.dll
Kernel32.dll
Gdi32.dll
ntdll.dll
hXXp://
hXXps://
HTTP/1.
nspr4.dll
PR_OpenTCPSocket
[[[URL: %s
Process: %s
User-agent: %s]]]
{{{%s
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
set_url
microsoft.public.win32.programmer.kernel
\iexplore.exe
\firefox.exe
keygrab
u.jpg
IprivLibEx.dll
\\.\PhysicalDrive%u
/topic.php
keylog.txt
sniff.log
passwords.txt
%s%u.zip
Content-Disposition: form-data; name="file"; filename="report"
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data; boundary=---------------------------%s
VVV.bing.com
VVV.microsoft.com
frd.exe
command=config&update_url=
&port=
command=load&url=
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002
SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003
hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s
\chrome.exe
\svchost.exe
\opera.exe
\cbmain.ex
\iscc.exe
\clmain.exe
\wclnt.exe
internal_wutex_0xx
%s.dbf
%s.DBF
pop2://%s:%s@%s:%i
pop3://%s:%s@%s:%i
nntp://%s:%s@%s:%i
PTF://%s:%s@%s:%i
PTF://anonymous:
AUTHINFO PASS
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
login=
password=
pass_
ssleay32.dll
advapi32.dll
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\d.jpg
Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
keys
private.txt
public.txt
\*.key
\self.cer
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
bsi.dll
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
keys\
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
sks2xyz.dll
vb_pfx_import
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}
Local\{BQQQW777-B777-4e47-8B10-69798A04C732}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
pass.txt
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
Agava_Client.exe
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
cert.pem
Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}
winmm.dll
1.2.5
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
%s\%s
#webcam
#webcam%d
RFB d.d
%s (%s)
d/d/d d:d
password check failed!
WinSCard.dll
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
dbghelp.dll
PSAPI.DLL
NETAPI32.dll
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
WS2_32.dll
SHFileOperationA
SHELL32.dll
SHLWAPI.dll
GetSystemWindowsDirectoryA
WinExec
SetThreadExecutionState
GetWindowsDirectoryA
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
GetKeyboardLayoutList
GetAsyncKeyState
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
VkKeyScanExW
keybd_event
EnumChildWindows
ActivateKeyboardLayout
SetKeyboardState
USER32.dll
SetViewportOrgEx
GetViewportOrgEx
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
gdiplus.dll
MSVCRT.dll
AVICAP32.dll
MSVFW32.dll
ShellExecuteW
GetProcessHeap
?456789:;<=
!"#$%&'()* ,-./0123
;3 #>6.&
'2, / 0&7!4-)1#
ADM!WINUK0FFOO83I6!427963A6
C:\Windows\apppatch\vmbtrl.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\
5`6C6Q6}6
55
;";,;6;<;_;{;
6&7-737<7|7
3"33393>3}3
;#;);/;=;
<"=3=9=>=}=
:(:-:8:=:
7#7)7/7=7
9&9,929@9
0!02090>0
>$>*>4>9>
`.data
Windows Explorer
mavast.com
ya.ru
serverkey.dat
\windows\
dntdll.dll
.NET CLR Networking_Perf_Library_Lock_PID_0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_0
SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d
Software\Microsoft\Windows\CurrentVersion\Internet Settings
iexplore.exe
HighMemoryEvent_x
MSCTF.Shared.MAPPING.x
MSCTF.Shared.EVENT.x
MSCTF.Shared.MUTEX.x
.Prev
.current

conhost.exe_3440_rwx_02200000_00001000:

=Hplw).jwU

conhost.exe_3440_rwx_02270000_00001000:

=Hplw).jwU
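The strings recovered from the injected conhost.exe regions above are only useful once they are grouped by what they let the code do. The following triage script is an added example and is not part of the Lavasoft report or of the malware: it parses the region labels used on this page (process_pid_protection_base_size), splits the check-in template into its fixed and runtime-filled fields, and buckets a sample of the recovered strings into capability families. The sample strings are copied from the dumps above; the category names and the regular expressions that define them are my own assumptions about what each string is for, so treat the output as a starting point for analysis, not as a verdict.

```python
import re
from collections import defaultdict

# Region label format used on this page, e.g. "conhost.exe_3440_rwx_009F0000_000BA000:"
DUMP_LABEL = re.compile(
    r"^(?P<proc>.+?)_(?P<pid>\d+)_(?P<prot>[rwx-]{3})_"
    r"(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}):?$"
)

# Check-in template copied from the dump ("os=u" is kept exactly as printed on the page).
BEACON_TEMPLATE = (
    "hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u"
    "&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s"
)

# Capability families. Names and patterns are assumptions made for this example;
# the strings they are built to match are taken from the dumps above.
CATEGORIES = {
    "analysis/AV tool process names": re.compile(
        r"^(ollydbg|wireshark|dumpcap|idag|sysAnalyzer|proc_analyzer|HookExplorer|"
        r"sniff_hit|multi_pot|sckTool|avp)\.exe$", re.I),
    "keylogging API": re.compile(
        r"^(GetAsyncKeyState|GetKeyboardState|GetKeyboardLayout(List)?|VkKeyScan(Ex)?W|"
        r"MapVirtualKeyW|keybd_event|SetKeyboardState|keylog\.txt)$"),
    "browser/network hooks": re.compile(
        r"^(HttpSendRequest(Ex)?[AW]|PR_OpenTCPSocket|CertVerifyCertificateChainPolicy|nspr4\.dll)$"),
    "C2 URI or command": re.compile(r"^(/\w+\.php|command=\w+&.*|hid=%s&.*)$"),
    "credential capture": re.compile(
        r"^((pop2|pop3|nntp|PTF)://%s:%s@%s:%i|AUTHINFO PASS|passwords\.txt|pass\.log|"
        r".*pass(word)?=)$", re.I),
    "key/certificate theft": re.compile(
        r"^(\\?[\w*]+\.key|[\w.]+\.(pfx|pem|cer|pub)|keys%?i?\d*\.zip|path%?i?\d*\.txt|"
        r"private\.txt|public\.txt)$", re.I),
    "screen/webcam capture": re.compile(
        r"^(#webcam(%d)?|scr\.jpg|u\.jpg|RFB d\.d|AVICAP32\.dll|MSVFW32\.dll)$"),
}

# Constructed sample: a subset of the strings printed in the conhost.exe dumps above.
SAMPLE_STRINGS = [
    "ollydbg.exe", "wireshark.exe", "dumpcap.exe", "idag.exe", "avp.exe",
    "GetAsyncKeyState", "GetKeyboardLayout", "VkKeyScanExW", "keybd_event", "keylog.txt",
    "HttpSendRequestW", "HttpSendRequestExA", "PR_OpenTCPSocket",
    "CertVerifyCertificateChainPolicy", "nspr4.dll",
    "/login.php", "/search.php", "/topic.php",
    "command=config&update_url=", "command=load&url=", BEACON_TEMPLATE,
    "pop3://%s:%s@%s:%i", "nntp://%s:%s@%s:%i", "AUTHINFO PASS",
    "passwords.txt", "j_password=", "edPassword=",
    "prv_key.pfx", "cert.pem", "secret.key", "\\header.key", "keys%i.zip", "path99.txt",
    "#webcam", "scr.jpg", "AVICAP32.dll",
    "kernel32.dll", "Windows Explorer", "12345678",  # carry no capability on their own
]


def parse_dump_label(label):
    """Turn a region label into process, pid, protection and an integer address range."""
    m = DUMP_LABEL.match(label.strip())
    if not m:
        raise ValueError(f"not a dump region label: {label!r}")
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["base"] = int(d["base"], 16)
    d["size"] = int(d["size"], 16)
    d["end"] = d["base"] + d["size"]
    return d


def beacon_fields(template):
    """Split the printf-style check-in template into (name, literal) pairs.

    Fixed literals (bot_version=4.8.14, username=SYSTEM) are usable in a network
    signature; fields filled at runtime (%s, %u, %d) are returned as None."""
    fields = []
    for part in template.split("&"):
        name, _, value = part.partition("=")
        fields.append((name, None if "%" in value else value))
    return fields


def triage(strings):
    """Bucket strings into the first matching capability family; keep the rest for review."""
    hits = defaultdict(list)
    for s in strings:
        s = s.strip()
        for cat, rx in CATEGORIES.items():
            if rx.match(s):
                hits[cat].append(s)
                break
        else:
            hits["unclassified"].append(s)
    return dict(hits)


if __name__ == "__main__":
    region = parse_dump_label("conhost.exe_3440_rwx_009F0000_000BA000:")
    print(f"{region['proc']} pid {region['pid']} {region['prot']} "
          f"0x{region['base']:08X}-0x{region['end']:08X}")
    for name, literal in beacon_fields(BEACON_TEMPLATE):
        print(f"  beacon field {name}: {'runtime' if literal is None else literal!r}")
    for cat, items in triage(SAMPLE_STRINGS).items():
        print(f"{cat}: {len(items)}")
        for s in items:
            print(f"  {s}")
```

The literal fields the script pulls out of the check-in template (bot_version=4.8.14, username=SYSTEM, the /login.php, /search.php and /topic.php paths and the multipart filename "report") are the parts of the traffic that do not change per victim and are therefore the natural basis for a proxy or IDS signature; the capability buckets map directly onto what a responder has to look for on the host (keystroke logs, zipped key material, captured screenshots) beyond the dropped vmbtrl.exe.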


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3676

    Note that the Trojan also injects its code into taskhost.exe, Explorer.EXE, Dwm.exe, TPAutoConnect.exe and conhost.exe (see Process activity). Ending the dropper process does not remove that injected code; it is only cleared by the reboot in step 6.

  3. Delete the original Trojan file.
  4. Delete or disinfect the following file created by the Trojan:

    C:\Windows\AppPatch\vmbtrl.exe (2005 bytes)

    C:\Windows\System32\config\SOFTWARE.LOG1 (13239 bytes) also appears in the file activity list, but it is the transaction log of the SOFTWARE registry hive, written because the Trojan modified the registry. Do not delete it, as that can corrupt the hive; instead review and revert the keys listed under Registry activity.

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
