Gen.Variant.Kazy.71723_6d98ba6fe2

by malwarelabrobot on September 5th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.71723 (B) (Emsisoft), Gen:Variant.Kazy.71723 (AdAware), Backdoor.Win32.Shiz.FD, Shiz.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 6d98ba6fe2c86b6e1e9092e7125f8b21
SHA1: d1adbe8019eefc298aaf44deee20d77abcaa6e94
SHA256: 2e850d8a37d6b0791c19f622dcbcc1267790999d2667340dd294d96114277e66
SSDeep: 3072:n/w6gCmvZZ1g9nTR61F/tNnr4U7BRScmJ8Re1YBRyD 4KABiQ3AwZI9tBkPL/Z27:/wVhk8cgSVLaGD8bQNZqU/Zq7Pmyjrx
Size: 260096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Oracle Corporation
Created at: 1991-10-09 12:49:33
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:224

The Trojan injects its code into the following process(es):

Explorer.EXE:532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\dbvpfca.exe (1801 bytes)
%System%\config\software (3115 bytes)
%System%\config\SOFTWARE.LOG (5787 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 3C E2 9F C1 9D 84 72 05 C9 1C D9 FD 54 D6 D7"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\esent.dll"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\dbvpfca.exe_, \??\%WinDir%\apppatch\dbvpfca.exe"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"EventMessageFile" = "%System%\esent.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEÃƒÂ¬XÃ‚Â£bÃƒâ‚¬Ã‚Â¸Ã‚Â¬qÃƒâ€žHFÃ¢â‚¬Â¡KÃƒÂ¶FÃƒÂ»e#Ã‚ÂµÃ‚Â¡X$YÃƒâ€°<Ã‚Â»Ã‚Â¹Ã…â€œÃ‚Â³Ã…â€™Q\Ã‚Â´ÃƒÂ²dÃ‚Â¼Ã…â€™Ã‚Â¤KÃƒÂ´1,Ã…Â $ÃƒÂ«Ã¢â‚¬ÂºÃƒâ€ºÃƒÅ’Ã‚Â«Ã¢â‚¬ÂÃ‚Â¹l}Ãƒâ€¹ {Ã…â€œzÃ…â€™ÃƒÂ´C%ÃƒÂ©[qÃƒÂ±l4ÃƒÂ¬;ÃƒÂ»Ã‚Â´[Ãƒâ€™#Ã‚Â»Ãƒâ€º:Ãƒâ€˜UÃ¢â‚¬Å¾Ã¢â‚¬Å¾Ãƒâ€Ã‚Â\Ã‚Â±Ã‚ÂªÃ‚Â²DÃ†â€™uÃ…â€œÃ‚Â¡ÃƒÅ“Ã‚Â¼);Ã‚Â¼\Ã†â€™tÃ‚Âµ2Ã¢â‚¬ÂkDÃƒÂ¹Ã¢â‚¬ÂaÃ¢â‚¬Â*Ã¢â‚¬ÂºcÃƒÂ¼$}SÃƒÂ´|ÃƒÂ«$Ã‚Â¤ÃƒÂ´{Ã‚Â¬qÃ‚Â³#sÃƒâ€¦ÃƒÂ¥\yuJÃƒâ€ºÃƒâ€¹uÃ‚Â©|ÃƒÂ¹Ã‚Â¢rKÃƒÂ£!$Ã¢â‚¬â„¢Ã¢â‚¬Â¹Ã¢â‚¬Â¹bÃ‚Â±ÃƒÆ’Ãƒâ€žÃ‚Â£ÃƒÂ£ÃƒÂÃ¢â‚¬Å¡Ã¢â‚¬Å“Ãƒâ€°UcdÃƒÂÃƒâ€žZÃ‚Â¡rÃ‚Â»ÃƒÂ´Ã¢â‚¬Â)Ãƒâ€ºÃ‚Â©Ã…Â ]Ã¢â‚¬Å“QlYÃƒâ€ºl]$$DÃ‚Â´Ã†â€™ÃƒÅ’Ã‚Â£Q$aÃ…â€™Ã¢â‚¬Å¡*Ã¢â€žÂ¢ÃƒÂ¼Ã¢â‚¬ÂºÃƒâ„¢ÃƒÂ³ÃƒÂÃƒÂ=ÃƒÂ©Ãƒâ€Ãƒâ€˜Ãƒâ€˜Ã¢â‚¬Â°Ã‚Â¬q9|ÃƒÂ¡ÃƒÂÃƒÂ¹Ã¢â‚¬â„¢Ã¢â‚¬ËœÃƒÂÃƒÂÃ‚Â©Ã…Â¡Ãƒâ€žR"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\6d98ba6fe2c86b6e1e9092e7125f8b21\DEBUG]
"Trace Level" = ""

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\6d98ba6fe2c86b6e1e9092e7125f8b21\DEBUG]
"Trace Level"

Dropped PE files

MD5	File path
6ac0f73e546e374dd98b682c4a62f1d8	c:\WINDOWS\AppPatch\dbvpfca.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

Company Name: Fallaciously
Product Name: Cunctatury
Product Version: 9.2.9.8
Legal Copyright: overwisdom
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 0.3.8.6
File Description: anoscope
Comments:
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.YolX	4096	28591	1536	0	53e979547d8c2ea86560ac45de08ae25
.text	32768	17811	17920	4.63219	426f185540c0be2b362fec1782d1ea88
.UrnGiP	53248	1070	1536	0	53e979547d8c2ea86560ac45de08ae25
.awBQJUL	57344	1695	2048	0	c99a74c555371a433d121f551d6c6398
.slUCrgA	61440	2023	2048	0	c99a74c555371a433d121f551d6c6398
.data	65536	63123	7168	4.94757	fcb579f5a65b5002e2052ddbe1f1c56a
.GdUqi	131072	2188	2560	3.74983	8d3efb48aaa62cbbd679fa6b4b3746be
.rdata	135168	212713	212992	5.54081	1498d94f261537a406a4eef10c2a9790
.fvTRZ	348160	790	1024	0	0f343b0931126a20f133d67c2b018a3b
.mHTN	352256	396	512	0	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	356352	5072	5120	3.04187	6ad2c3a4b1fa49bb9cc2a8424a19eb3f
.GjQNcMz	364544	266	512	0	bf619eac0cdf3f68d496ea9344137e8b
.ZJhdvo	368640	1232	1536	0	53e979547d8c2ea86560ac45de08ae25
.sIVhg	372736	2338	2560	0	a371492f16c0940507435909603efe88

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 19
8a80e8fa15f54c0fa85b436d56431235
316299bf645744831eb69661f3a57861
3d9a7ba5d58084d0fd5db81622c98bea
2eda59d1cc49f8dbb617d7cfd2d39b89
b0563744611e7d55d9daadb867ac29bb
b498304896c472275eee4b586f8595d9
b03f50d97d53bede6f66f427899146df
31014e92b44e0eab99ae9716d9d38ca3
90b8b52f7079d5ef7ef88221d90083f8
735b633f9192a4139e25195b6da0a8d1
207f4d312efdb632514a88d49824b4df
43730bb278148f0afc8d9de06779a657
b0c1d60c52ffb5cd4584edf1996391fc
1a3c39d66b1036741d5d45867c227bd7
4e190b719f39287a132049c3fee72edd
263fa8e5672d010da6845ee117992b00
1cdde3d887b4bf0e15f67127a467a4fb
d2b4344f82091dbc8145e26618d9115d
04f85fb2bfca983ca449c81a4b1eebe1

URLs

URL	IP
hxxp://keraborigin.eu/login.php	95.211.174.92
hxxp://kemocujufys.eu/login.php	23.253.126.58
hxxp://digivehusyd.eu/login.php	69.195.129.70
hxxp://xuxusujenes.eu/login.php	208.100.26.234
hxxp://qekenilacap.eu/login.php
hxxp://lysovidacyx.eu/login.php	23.253.126.58
hxxp://tufecagemyl.eu/login.php	23.253.126.58
hxxp://norumikemem.eu/login.php	23.253.126.58
hxxp://lykemujebeq.eu/login.php	23.253.126.58
hxxp://foxivusozuc.eu/login.php	23.253.126.58
hxxp://vocakemenir.eu/login.php	23.253.126.58
hxxp://ryqecolijet.eu/login.php	23.253.126.58
hxxp://xuqohyxeqak.eu/login.php	23.253.126.58
hxxp://kefuwidijyp.eu/login.php	23.253.126.58
hxxp://puvybivihox.eu/login.php	23.253.126.58
hxxp://jeluganusog.eu/login.php	23.253.126.58
hxxp://nopegymozow.eu/login.php	23.253.126.58
hxxp://nozulufynax.eu/login.php	23.253.126.58
hxxp://cihunemyror.eu/login.php	23.253.126.58
hxxp://vofozymufok.eu/login.php	23.253.126.58
hxxp://ryleryqacic.eu/login.php	23.253.126.58
hxxp://lyvejujolec.eu/login.php	23.253.126.58
hxxp://rynazuqihoj.eu/login.php	23.253.126.58
hxxp://xugiqonenuz.eu/login.php	69.195.129.70
hxxp://pupujeguper.eu/login.php	23.253.126.58
hxxp://fodakyhijyv.eu/login.php	23.253.126.58
hxxp://ciliqikytec.eu/login.php	23.253.126.58
hxxp://kevedorozup.eu/login.php	23.253.126.58
hxxp://dimutobihom.eu/login.php	23.253.126.58
hxxp://mamixikusah.eu/login.php	23.253.126.58
hxxp://jewuqyjywyv.eu/login.php	23.253.126.58
hxxp://qekikyvutic.eu/login.php	23.253.126.58
hxxp://tucyguqaciq.eu/login.php	23.253.126.58
hxxp://jefapexytar.eu/login.php	23.253.126.58
hxxp://qeqinuqypoq.eu/login.php	23.253.126.58
hxxp://puregivytoh.eu/login.php	23.253.126.58
hxxp://galokusemus.eu/login.php	23.253.126.58
hxxp://gadufiwabim.eu/login.php	23.253.126.58
hxxp://qetuluvolos.eu/login.php	23.253.126.58
hxxp://ganycyhywek.eu/login.php	23.253.126.58
hxxp://qebahilojam.eu/login.php	23.253.126.58
hxxp://ryhuzilywax.eu/login.php	23.253.126.58
hxxp://fokyxazolar.eu/login.php	23.253.126.58
hxxp://qexofyqihid.eu/login.php	23.253.126.58
hxxp://lyruxyxaxaw.eu/login.php	23.253.126.58
hxxp://xukovoruput.eu/login.php	23.253.126.58
hxxp://nojejecebuw.eu/login.php	23.253.126.58
hxxp://marytymenok.eu/login.php	23.253.126.58
hxxp://gatedyhavyd.eu/login.php	23.253.126.58
xuqufyduras.eu	23.253.126.58
www.bing.com	204.79.197.200

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.

Traffic

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: pupujeguper.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:26 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nozulufynax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:45 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: galokusemus.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jefapexytar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Sun, 04 Sep 2016 05:39:05 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.4.
6 (Ubuntu)</center>..</body>..</html>..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..<
!-- a padding to disable MSIE and Chrome friendly error page -->..&
lt;!-- a padding to disable MSIE and Chrome friendly error page -->
..<!-- a padding to disable MSIE and Chrome friendly error page --&
gt;......


POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Sun, 04 Sep 2016 05:39:05 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.4.
6 (Ubuntu)</center>..</body>..</html>..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..<
!-- a padding to disable MSIE and Chrome friendly error page -->..&
lt;!-- a padding to disable MSIE and Chrome friendly error page -->
..<!-- a padding to disable MSIE and Chrome friendly error page --&
gt;..HTTP/1.1 404 Not Found..Server: nginx/1.4.6 (Ubuntu)..Date: Sun, 
04 Sep 2016 05:39:05 GMT..Content-Type: text/html..Content-Length: 579
..Connection: keep-alive..<html>..<head><title>404 N
ot Found</title></head>..<body bgcolor="white">..<
;center><h1>404 Not Found</h1></center>..<hr&g
t;<center>nginx/1.4.6 (Ubuntu)</center>..</body>..&l
t;/html>..<!-- a padding to disable MSIE and Chrome friendly err
or page -->..<!-- a padding to disable MSIE and Chrome friendly 
error page -->..<!-- a padding to disable MSIE and Chrome friend
ly error page -->..<!-- a padding to disable MSIE and Chrome fri
endly error page -->..<!-- a padding to disable MSIE and Chrome 
friendly error page -->..<!-- a padding to disable MSIE and <<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ganycyhywek.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qexofyqihid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:18 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dimutobihom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:13 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puregivytoh.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:54 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kevedorozup.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:15 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:16 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryhuzilywax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: norumikemem.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:23 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyruxyxaxaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:56 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kevedorozup.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocakemenir.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:37 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryleryqacic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:17 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jefapexytar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xugiqonenuz.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Connection: close

Set-Cookie: jsessionid=02bb14d6e58270369a0be2635e2f3edd; Expires=Sun, 03 Sep 2023 05:30:42 GMT

Date: Sun, 04 Sep 2016 05:30:42 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryqecolijet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kefuwidijyp.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dimutobihom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekenilacap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Date: Sun, 04 Sep 2016 05:30:33 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Length: 287

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /lo
gin.php was not found on this server.</p>.<hr>.<address
>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</addres
s>.</body></html>.....


POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekenilacap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Date: Sun, 04 Sep 2016 05:30:33 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Length: 287

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /lo
gin.php was not found on this server.</p>.<hr>.<address
>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</addres
s>.</body></html>.HTTP/1.1 404 Not Found..Date: Sun, 04
 Sep 2016 05:30:33 GMT..Server: Apache/2.2.22 (Debian)..Vary: Accept-E
ncoding..Content-Length: 287..Content-Type: text/html; charset=iso-885
9-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html
><head>.<title>404 Not Found</title>.</head>
;<body>.<h1>Not Found</h1>.<p>The requested UR
L /login.php was not found on this server.</p>.<hr>.<ad
dress>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</a
ddress>.</body></html>...

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puregivytoh.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ganycyhywek.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:17 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekikyvutic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:42 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tufecagemyl.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:17 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysovidacyx.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:56 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puvybivihox.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryqecolijet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fokyxazolar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocakemenir.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:37 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: digivehusyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Connection: close

Set-Cookie: jsessionid=ce7ab289f22cebe2321038bc925a787f; Expires=Sun, 03 Sep 2023 05:29:48 GMT

Date: Sun, 04 Sep 2016 05:29:48 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mamixikusah.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: norumikemem.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:23 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: foxivusozuc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekikyvutic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:43 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mamixikusah.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qetuluvolos.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:37 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: galokusemus.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nojejecebuw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:44 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gadufiwabim.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vofozymufok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyruxyxaxaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gadufiwabim.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kefuwidijyp.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:54 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qexofyqihid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qetuluvolos.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lykemujebeq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:32 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: foxivusozuc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysovidacyx.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:56 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tufecagemyl.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryhuzilywax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fokyxazolar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryleryqacic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:17 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qebahilojam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:15 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lykemujebeq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:32 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jeluganusog.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:23 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vofozymufok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: keraborigin.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Server: nginx

Date: Sun, 04 Sep 2016 05:29:48 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: sinkhole

51..sinkhole-01.sinkhole.tech - where the bots party hard and the rese
archers harder...0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 04 Sep 
2016 05:29:48 GMT..Content-Type: text/html..Transfer-Encoding: chunked
..Connection: keep-alive..Server: sinkhole..51..sinkhole-01.sinkhole.t
ech - where the bots party hard and the researchers harder...0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nojejecebuw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:45 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puvybivihox.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqohyxeqak.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqohyxeqak.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:52 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:07 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qebahilojam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:15 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:29:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: pupujeguper.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:27 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jeluganusog.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Sun, 04 Sep 2016 05:30:14 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

The Trojan connects to the servers at the folowing location(s):

Explorer.EXE_532_rwx_02250000_000B2000:

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Explorer.EXE_532_rwx_02AF0000_000B8000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

SYSTEM!XP7!F9BE9A8A

%WinDir%\apppatch\dbvpfca.exe

%Documents and Settings%\%current user%\Application Data\

5`6C6Q6}6

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:224
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%WinDir%\AppPatch\dbvpfca.exe (1801 bytes)
%System%\config\software (3115 bytes)
%System%\config\SOFTWARE.LOG (5787 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Kazy.71723_6d98ba6fe2

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Variant.Kazy.71723_6d98ba6fe2

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet