Gen.Variant.Zusy.273674_12992858e4

by malwarelabrobot on April 15th, 2018 in Malware Descriptions.

Gen:Variant.Zusy.273674 (BitDefender), SoftwareBundler:Win32/Prepscram (Microsoft), not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Siggen7.36232 (DrWeb), Gen:Variant.Zusy.273674 (B) (Emsisoft), PUP-XDW-GW!12992858E462 (McAfee), Trojan.Gen.2 (Symantec), PUA.Bundler (Ikarus), Gen:Variant.Zusy.273674 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R00AC0PAS18 (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 12992858e462779101d730b4420efbec
SHA1: 4f89b89f3643b69cc62695e51ad84a35d0c149c6
SHA256: c7d1f8315d8cc9749d28efbd53f71d820d75283f1bd4ef2555056d68d9818d82
SSDeep: 49152:0mbTmnk77YErNW6KnsTWrS1NzToW6KnsTWrS1NzT:3Tm0frNzTKCvozTKCv
Size: 2058752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-01-25 18:13:32
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2788

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5074072\download.php (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\normal_bg4[1].png (9824 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1440 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\imgburn_logo[1].png (772 bytes)

Registry activity

The process %original file name%.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1516896812"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\12992858e462779101d730b4420efbec_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
4bf2b8f4b46385bfda4d65e423cfb868 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\5074072\download.php

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 651134 651264 5.07338 bcc391b7e97d324df2c7794ddd356b1a
.rdata 655360 23148 23552 3.3286 51209f2ec0d577ea2dee31a2910b071b
.data 679936 4872 2048 1.58133 a3b0fcae795191a66d5c24e94fa13e45
.gfids 688128 208 512 1.11946 d5c97fb6163a79ed387fe87f291b8b8f
.rsrc 692224 1380136 1380352 5.51694 354cb7081974759f57f3b285dc5dc6d8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 171

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Backdoor User-Agent (InstallCapital)
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /download.php?file=imgburn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: freeburningtools.com


HTTP/1.1 301 Moved Permanently
Date: Sat, 14 Apr 2018 11:46:22 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.6.22
Location: hXXp://downloads.ddigest.com/software/getdownload.php?sid=470&did=1&code=nras4nl2fc&decode=magic
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


POST hXXp://kiss.oatmealscene.loan/installer.php?affId=4478&instId=7054&ho_trackingid=HO5ad1ea0b7b6375ad1ea0bad978&trackingId=313995699&cc=UA&untracked=&uac=1&osd=1606&net=4.5.50709&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: kiss.oatmealscene.loan
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1274019&id[]=453683&id[]=453684&id[]=453685&id[]=453686&id[]=686787&id[]=686788&id[]=686789&id[]=686790&id[]=1607978&id[]=1607979
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=oqe85qj3bgc206cefdpadtma05; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjM3MDYzODB9LFwidGltZVwiOjE1MjM3MDYzODB9In0.mHeN6UAKdxPciGv1kh9F89g_15QzAo-EsbOG6I-2lTA; expires=Tue, 15-May-2018 11:46:20 GMT; path=/; domain=.kiss.oatmealscene.loan
Date: Sat, 14 Apr 2018 11:46:20 GMT
Connection: close
Content-Length: 44848

<<< skipped >>>

GET /pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1041
Connection: keep-alive
Date: Sun, 07 Jan 2018 06:31:08 GMT
Last-Modified: Tue, 20 Jun 2017 11:04:26 GMT
ETag: "1a020086610d48a917b9d08a84026ad5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 17236
X-Cache: Hit from cloudfront
Via: 1.1 bba86be8367d25c316a5c8f0eafe4d7b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: CetRnpYuhcPvDTYCRXon4fNlOqPvCatcVnz5cc1cQWFR53RbmHLLug==
<!doctype html>
<html>
<head lang="en">
<title>Thank you page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="../public/css/style.css">
<script src="../public/js/jquery.min.js" type="text/javascript"></script>
</head>
<body>
<div class="wrapper">
<div class="header">
<div class="title">
<div class="title-caption">Thank you for downloading!</div>
</div>
</div>
<div class="content">
<div class="inner">
<div class="adnl_zone">
</div>
</div>
</div>
</div>
<script type="text/javascript">
window.tagUrl = 'http://VVV.1-1ads.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=';
</script>
<script src="hXXp://ic-dc.s3.amazonaws.com/pr/public/js/adframe.js" type="text/javascript"></script>
<script src="hXXp://ic-dc.s3.amazonaws.com/ads.js?stam=err" type="text/javascript"></script>
<script src="../public/js/detector.js" type="text/javascript"></script>
</body>
</html>

<<< skipped >>>

GET /pr/public/js/detector.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 2194
Connection: keep-alive
Date: Mon, 26 Mar 2018 06:45:31 GMT
Last-Modified: Mon, 26 Mar 2018 06:44:30 GMT
ETag: "4e3b3271a30d8939350ace1584358785"
x-amz-meta-cb-modifiedtime: Tue, 06 Mar 2018 13:48:43 GMT
Accept-Ranges: bytes
Server: AmazonS3
Age: 18006
X-Cache: Hit from cloudfront
Via: 1.1 c205f1b841011a5b4b893843ca879e5a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RlhfgMQSy69PAtmlbUmZvnwY1Bfrf-SKYQ9W_R5XVAQTUE64rgBh4g==
$(document).ready(function() {
	if (!window.adsAreOk || !window.adsAreOk2) {
		console.log("no ads for us");
		var link = window.link || "hXXps://freecoolapps.com/v2/?ac=ds";
		$(".content")
			.find("[class^=inner]")
			.css({
				display: "block"
			})
			.append(
				'<div class="blocked_box">' +
				'<a href="' + link + '"><img src="../public/img/recommended_chromium.jpg"></a> ' +
				"</div>"
			);
		// Stylizing the newly created box
		var box = $(".blocked_box");
		box.css({
			position: "absolute",
			top: "0",
			left: "0",
			width: "100%",
			height: "100%"
		});
		box.find("a img").css({
			maxHeight: "100%"
		});
	} else {
		var QueryString = (function() {
			var query_string = {};
			var query = window.location.search.substring(1);
			var vars = query.split("&");
			for (var i = 0; i < vars.length; i++) {
				var pair = vars[i].split("=");
				if (typeof query_string[pair[0]] === "undefined") {
					query_string[pair[0]] = decodeURIComponent(pair[1]);
				} else if (typeof query_string[pair[0]] === "string") {
					var arr = [query_string[pair[0]], decodeURIComponent(pair[1])];
					query_string[pair[0]] = arr;
				} else {
					query_string[pair[0]].push(decodeURIComponent(pair[1]));
				}
			}
			return query_string;
		})();
		var isExlgG = function (str) {
			var g = 10-(str[0]/str[2])==str[1];
			return g;

<<< skipped >>>

GET /images/imgburn_logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: freeburningtools.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 14 Apr 2018 11:46:21 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Last-Modified: Sat, 30 Jan 2016 03:23:54 GMT
ETag: "8157d-3e13-52a84ae777d3e"
Accept-Ranges: bytes
Content-Length: 15891
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET hXXp://lamp.troublerifle.bid/h_redir.php?offer_id=4&aff_id=4478&source=7054&aff_sub=imgburn&aff_sub2=&aff_sub3=&aff_sub4=LP_DEF&aff_sub5=1014203620&url=http://lamp.troublerifle.bid/offer.php?affId={aff_id}&trackingId=313995699&instId=7054&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&osd=1606&res=1276x846&v=3 HTTP/1.1
Host: lamp.troublerifle.bid
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 447
Connection: close
Location: hXXp://lamp.troublerifle.bid/offer.php?affId=4478&trackingId=313995699&instId=7054&ho_trackingid=HO5ad1ea0b7b637&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&osd=1606&res=1276x846&v=3
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sat, 14 Apr 2018 11:46:19 GMT
X-Cache: Miss from cloudfront
Via: 1.1 8bb61b9edbf505e93106681693bb993a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: rWLy4vke0XYreeaTpXc2pV_Rq840BQcnZWTCfBOhkCtLA6gdYfPi7w==
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://lamp.troublerifle.bid/offer.php?affId=4478&trackingId=313995699&instId=7054&ho_trackingid=HO5ad1ea0b7b637&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&osd=1606&res=1276x846&v=3">here</a></body>


GET /static/Setup_ImgBurn_2.5.8.0.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: files2.dddload.net


HTTP/1.1 200 OK
Server: nginx admin
Date: Sat, 14 Apr 2018 11:46:23 GMT
Content-Type: application/octet-stream
Content-Length: 3101913
Last-Modified: Tue, 21 Jun 2016 13:42:47 GMT
Connection: keep-alive
ETag: "57694457-2f54d9"
Expires: Mon, 14 May 2018 11:46:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<<< skipped >>>

GET /ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.1-1ads.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO PSA OUR"
Set-Cookie: UUID=7c7fbf00-3fd9-11e8-a939-9c8e99200000; Domain=.VVV.1-1ads.com; Expires=Mon, 13-Apr-2020 11:46:36 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1307
Date: Sat, 14 Apr 2018 11:46:35 GMT
<!DOCTYPE html><html><head><!--120492:5103--></head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent; width: 100%; text-align: center;'>
<script type="text/javascript">new Image().src = "hXXp://VVV.1-1ads.com/impression.gif?b=120492&p=5103&c=10390&h=177a937b0d9a7a39eee4f1dd260ad305&l=UA&sh=800&sw=1280&ad.trans.id=2rakyiepfujf&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&s=34a9b2c73f3d59c9b9a7d27308159d6f&t=1523706396404";</script>
<a href="hXXps://VVV.facebook.com/campaign/landing.php?campaign_id=450270011836003&extra_1=10390&placement=5103&creative=120492&keyword=&partner_id=ironsource&extra_2=UA" onmousedown="(function(a){a&&a.href&&(a.onmousedown='',a.href='hXXp://www.1-1ads.com/cr?b=120492&p=5103&c=10390&h=177a937b0d9a7a39eee4f1dd260ad305&l=UA&sh=800.0&sw=1280.0&ad.trans.id=2rakyiepfujf&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&UUID=7c7fbf00-3fd9-11e8-a939-9c8e99200000&t=1523706396404&u=https://VVV.facebook.com/campaign/landing.php?campaign_id=450270011836003&extra_1=10390&placement=5103&creative=120492&keyword=&partner_id=ironsource&extra_2=UA')})(this);return!1;" target="_blank"><img border="0" alt="" src="http://irncdn.com/files135/65/10390/120492/FB_RU_800_Icons2.jpg" width="800" height="440"></a>
</body></html>

<<< skipped >>>

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 403 Forbidden
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Date: Sat, 14 Apr 2018 11:43:39 GMT
Server: AmazonS3
Age: 176
X-Cache: Error from cloudfront
Via: 1.1 5f052d343a62bd6caba7b69406b066fc.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 9FWp82ENfX6A9WLbsUl9NSc4-UA8UqixbxHxTscZfMCWl-vhwDr9Jw==
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>57744675E4371EB1</RequestId><HostId>R7/UdrDqyoHtWmzk3+anu+ztedK+ypP/gkRjPVIR2mM5zHcxcwPXzkpzyacYg0rzfyYXPt5KCBU=</HostId></Error>


GET /software/getdownload.php?sid=470&did=1&code=nras4nl2fc&decode=magic HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: downloads.ddigest-dl.com


HTTP/1.1 301 Moved Permanently
Server: nginx admin
Date: Sat, 14 Apr 2018 11:46:22 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
X-Powered-By: PHP/5.5.30
Set-Cookie: PHPSESSID=9e7d7377a3e1075d520c4fcff4f33547; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://files2.dddload.net/static/Setup_ImgBurn_2.5.8.0.exe


GET /pr/public/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1472
Connection: keep-alive
Date: Mon, 10 Apr 2017 06:34:10 GMT
Last-Modified: Thu, 21 Jul 2016 07:28:41 GMT
ETag: "d87938f58e3b40da8272e3eb0c1b47d3"
Accept-Ranges: bytes
Server: AmazonS3
Age: 15753
X-Cache: Hit from cloudfront
Via: 1.1 70a661a3c69742fa526d6acf28935513.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DE6wRxNetU0G_NcBHeRF4RxQX9ieNjFW9BjPo6nrD1UOJQpctJdGKA==
body {
  padding: 0;
  margin: 0;
  background-color: white;
  font-family: arial, sans-serif;
  color: #0b0b0b; }

.wrapper {
  position: absolute;
  top: 0;
  bottom: 0;
  left: 0;
  right: 0; }
  .wrapper .header {
    height: 294px;
    margin: 0 auto;
    background-color: #0b0b0b; }
    .wrapper .header .title {
      color: white;
      text-align: center; }
      .wrapper .header .title .title-caption, .wrapper .header .title .title-caption-inter {
        text-align: center;
        font-style: italic;
        font-weight: 600;
        font-size: 38px;
        line-height: 103px; }
      .wrapper .header .title .title-caption-inter {
        line-height: 40px;
        padding-top: 30px; }
      .wrapper .header .title .title-description {
        font-size: 20px;
        padding-top: 10px;
        width: 615px;
        margin: 0 auto;
        font-style: italic; }
  .wrapper .content {
    text-align: center;
    margin: 0 auto;
    height: 654px;
    background-color: white; }
    .wrapper .conten


GET /pr/public/js/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 86351
Connection: keep-alive
Date: Thu, 17 Aug 2017 06:33:51 GMT
Last-Modified: Sun, 07 Aug 2016 11:30:34 GMT
ETag: "05e51b1db558320f1939f9789ccf5c8f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22968
X-Cache: Hit from cloudfront
Via: 1.1 d7859aa4a1668ee00f571950f32695a1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: I8dfZPQEsf7yCyy37LNY4xw7_Eus-WqbHzhhG_Zq8LOjbG1QPMnypQ==
/*! jQuery v3.1.0 | (c) jQuery Foundation | jquery.org/license */.!fun
ction(a,b){"use strict";"object"==typeof module&&"object"==typeof modu
le.exports?module.exports=a.document?b(a,!0):function(a){if(!a.documen
t)throw new Error("jQuery requires a window with a document");return b
(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){"use s
trict";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.con
cat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toSt
ring,n=m.call(Object),o={};function p(a,b){b=b||d;var c=b.createElemen
t("script");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}v
ar q="3.1.0",r=function(a,b){return new r.fn.init(a,b)},s=/^[\s\uFEFF\
xA0] |[\s\uFEFF\xA0] $/g,t=/^-ms-/,u=/-([a-z])/g,v=function(a,b){retur
n b.toUpperCase()};r.fn=r.prototype={jquery:q,constructor:r,length:0,t
oArray:function(){return f.call(this)},get:function(a){return null!=a?
a<0?this[a this.length]:this[a]:f.call(this)},pushStack:function(a)
{var b=r.merge(this.constructor(),a);return b.prevObject=this,b},each:
function(a){return r.each(this,a)},map:function(a){return this.pushSta
ck(r.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){
return this.pushStack(f.apply(this,arguments))},first:function(){retur
n this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b
=this.length,c=+a+(a<0?b:0);return this.pushStack(c>=0&&c<b?[
this[c]]:[])},end:function(){return this.prevObject||this.constructor(
)},push:h,sort:c.sort,splice:c.splice},r.extend=r.fn.extend=functi

<<< skipped >>>

GET /report.php?typ=conversion&transId=313995699&affId=4478&instId=7054&ho_transId=HO5ad1ea0b7b6375ad1ea0bad978&s1=imgburn&s2=&s3=&s4=LP_DEF&s5=1014203620&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.022398741734922234 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: kiss.oatmealscene.loan


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=re3a5jm20vdur0ge8u8cat77e6; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjM3MDYzODJ9LFwidGltZVwiOjE1MjM3MDYzODJ9In0.CmIVZppY4vMqWyCBNOxt66wND4ozFEF0Yn4ZV1bxj_c; expires=Tue, 15-May-2018 11:46:22 GMT; path=/; domain=.kiss.oatmealscene.loan
Date: Sat, 14 Apr 2018 11:46:22 GMT
Content-Length: 0


GET /software/getdownload.php?sid=470&did=1&code=nras4nl2fc&decode=magic HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: downloads.ddigest.com


HTTP/1.1 301 Moved Permanently
Server: nginx admin
Date: Sat, 14 Apr 2018 11:46:22 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 319
Connection: keep-alive
Location: hXXp://downloads.ddigest-dl.com/software/getdownload.php?sid=470&did=1&code=nras4nl2fc&decode=magic
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="hXXp://downloads.ddigest-dl.com/software/getdownload.php?sid=470&did=1&code=nras4nl2fc&decode=magic">here</a>.</p>
</body></html>


GET /ads.js?stam=err HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.s3.amazonaws.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: 7R6e6T+2i8nIZnsKbePLGwnYKzDsCzBrj8bm1T7XxA52Uinq2+kKzcZGFro0uxVpgSdlNGkLzzA=
x-amz-request-id: EC16FFB1251195BF
Date: Sat, 14 Apr 2018 11:46:37 GMT
Last-Modified: Thu, 12 Jan 2017 15:34:57 GMT
ETag: "bebd18b90969d9319e931acf4d682aa4"
x-amz-meta-cb-modifiedtime: Mon, 09 Jan 2017 12:15:17 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 24
Server: AmazonS3
window.adsAreOk2 = true


GET /pr/public/js/adframe.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.s3.amazonaws.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: HuVlZ20DkCtFnK69zdvgPRADub2By+ytq8jwXz994+/bYKIbHjX+h2VFtRMs6ZJNuOYlb9fGO88=
x-amz-request-id: CA46D995A0CE64ED
Date: Sat, 14 Apr 2018 11:46:37 GMT
Last-Modified: Mon, 09 Jan 2017 12:15:17 GMT
ETag: "0d5ff84418e11098019c392f6c85729e"
Accept-Ranges: bytes
Content-Type: application/javascript
Content-Length: 23
Server: AmazonS3
window.adsAreOk = true


GET hXXp://lamp.troublerifle.bid/offer.php?affId=4478&trackingId=313995699&instId=7054&ho_trackingid=HO5ad1ea0b7b637&cc=UA&cc_typ=ho&sb=x86&net=4.5.50709&ie=9.0.8112.16421&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&osd=1606&res=1276x846&v=3 HTTP/1.1
Host: lamp.troublerifle.bid
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1688
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=d0lm2pa5m76jrlmb66gkehus41; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjM3MDYzNzl9LFwidGltZVwiOjE1MjM3MDYzNzl9In0.Q7RTR233SWL_MngOIL_4rNhKHUxmbyF0X5STpRP9Oiw; expires=Tue, 15-May-2018 11:46:19 GMT; path=/; domain=.lamp.troublerifle.bid
Date: Sat, 14 Apr 2018 11:46:19 GMT
X-Cache: Miss from cloudfront
Via: 1.1 9fb6a718a030ca4eb2a5aed16dc7d9d0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0gt5IdUhHN-9So7ssJWN7Znc3To-SHkTYlv5gb2TBjeDrfkRdlFEbQ==
<<< binary body (1688 bytes) omitted: the bytes are non-printable even though the response declares Content-Type: text/html and carries no Content-Encoding header, so the offer data is not served as plain HTML >>>

<<< skipped >>>

GET /08e0b779-c1db-404a-b9a2-b4657d709f22 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: trk.railquince.bid
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
Date: Sat, 14 Apr 2018 11:46:35 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Pragma: no-cache
Server: nginx
Set-Cookie: 08e0b779-c1db-404a-b9a2-b4657d709f22-v4=08e0b779-c1db-404a-b9a2-b4657d709f22;domain=trk.railquince.bid;path=/;HttpOnly
Set-Cookie: voluum-cid-v4={
  "cid" : "wGB461QI7SNMB37DHH08KON6",
  "caid" : "08e0b779-c1db-404a-b9a2-b4657d709f22"
};Max-Age=31536000;Expires=Sun, 14-Apr-2019 11:46:35 GMT;domain=trk.railquince.bid;path=/;HttpOnly
Content-Length: 0
Connection: keep-alive


GET /files135/65/10390/120492/FB_RU_800_Icons2.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.1-1ads.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: irncdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 14 Apr 2018 11:46:36 GMT
Content-Type: image/jpeg
Content-Length: 97369
Connection: keep-alive
Access-Control-Allow-Origin: *
Last-Modified: Tue, 28 Feb 2017 14:24:48 GMT
Server: CDN77-Turbo
X-Edge-IP: 185.180.12.10
X-Edge-Location: viennaAT
X-Cache: HIT
X-Age: 657365
<<< JPEG body (97369 bytes) omitted; the only readable text is the embedded Adobe XMP packet: CreatorTool="Adobe Photoshop CC 2015 (Windows)", InstanceID="xmp.iid:F65B7BCC06FC11E69887BD153D44D083", DocumentID="xmp.did:F65B7BCD06FC11E69887BD153D44D083", DerivedFrom instanceID="xmp.iid:F65B7BCA06FC11E69887BD153D44D083" documentID="xmp.did:F65B7BCB06FC11E69887BD153D44D083" >>>

<<< skipped >>>

GET /pr/public/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1472
Connection: keep-alive
Date: Mon, 10 Apr 2017 06:34:10 GMT
Last-Modified: Thu, 21 Jul 2016 07:28:41 GMT
ETag: "d87938f58e3b40da8272e3eb0c1b47d3"
Accept-Ranges: bytes
Server: AmazonS3
Age: 15753
X-Cache: Hit from cloudfront
Via: 1.1 22ff6ff8279fd244b5f1cbe2c37af792.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MaOduAGG2qa_hDb22g6_BZ8FiqhKLRxXPmJemJ8BiQtSjlGvODlU8g==
body {.  padding: 0;.  margin: 0;.  background-color: white;.  font-fa
mily: arial, sans-serif;. color: #0b0b0b; }...wrapper {. position: a
bsolute;. top: 0;. bottom: 0;. left: 0;. right: 0; }. .wrapper .h
eader {. height: 294px;. margin: 0 auto;. background-color: #
0b0b0b; }. .wrapper .header .title {. color: white;. text
-align: center; }. .wrapper .header .title .title-caption, .wrapp
er .header .title .title-caption-inter {. text-align: center;.
font-style: italic;. font-weight: 600;. font-size
: 38px;. line-height: 103px; }. .wrapper .header .title .t
itle-caption-inter {. line-height: 40px;. padding-top: 3
0px; }. .wrapper .header .title .title-description {. font
-size: 20px;. padding-top: 10px;. width: 615px;.
margin: 0 auto;. font-style: italic; }. .wrapper .content {.
text-align: center;. margin: 0 auto;. height: 654px;. backg
round-color: white; }. .wrapper .content .inner, .wrapper .content
.inner-typ {. top: -191px;. margin: 0 auto;. position:
relative;. width: 800px;. height: 440px;. border: 20px
solid #bfccd2;. background-color: white; }. .wrapper .content
.inner-typ {. top: -140px; }. .wrapper .content .adnl_zone {.
position: absolute;. background-color: #bfccd2;. margin
: auto;. top: 0;. right: 0;. left: 0;. bottom: 0;
}...

<<< skipped >>>

POST hXXp://lip.healthcakes.men/installer.php?affId=4478&instId=7054&ho_trackingid=HO5ad1ea0b7b6375ad1ea0bad978&trackingId=313995699&cc=UA&untracked=&uac=1&osd=1606&net=4.5.50709&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: lip.healthcakes.men
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1274019&id[]=453683&id[]=453684&id[]=453685&id[]=453686&id[]=686787&id[]=686788&id[]=686789&id[]=686790&id[]=1607978&id[]=1607979
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Sat, 14 Apr 2018 11:46:20 GMT
Content-Type: text/html
Content-Length: 694
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 66989defd22dfd98507029da63296ebd.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4z1H9iHr5jV6PjOqzvX_E5sca0OoVsU1iHB2gnepAVGgPHNAxirWog==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 4z1H9iHr5jV6PjOqzvX_E5sca0OoVsU1iHB2gnepAVGgPHNAxirWog==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>


GET /impression.gif?b=120492&p=5103&c=10390&h=177a937b0d9a7a39eee4f1dd260ad305&l=UA&sh=800&sw=1280&ad.trans.id=2rakyiepfujf&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&s=34a9b2c73f3d59c9b9a7d27308159d6f&t=1523706396404 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.1-1ads.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.1-1ads.com
Connection: Keep-Alive
Cookie: UUID=7c7fbf00-3fd9-11e8-a939-9c8e99200000


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO PSA OUR"
Set-Cookie: ucv=10390-UA-1523792796549-24--; Domain=.VVV.1-1ads.com; Expires=Sun, 14-Apr-2019 11:46:36 GMT; Path=/
Accept-Ranges: bytes
Content-Type: image/gif
Content-Length: 43
Date: Sat, 14 Apr 2018 11:46:35 GMT
GIF89a.............!.......,...........D..;


GET /normal_bg4.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 63855
Connection: keep-alive
Date: Wed, 25 Oct 2017 08:43:53 GMT
Last-Modified: Wed, 25 Oct 2017 07:20:00 GMT
ETag: "0f4f3c2685f4c75717b342a34fe59423"
Accept-Ranges: bytes
Server: AmazonS3
Age: 25368
X-Cache: Hit from cloudfront
Via: 1.1 5f052d343a62bd6caba7b69406b066fc.cloudfront.net (CloudFront)
X-Amz-Cf-Id: R0jdqOKPVkPxFEXueHatZL0leMsOUCZ5_de2CBDCwgAfN-PI2qJtHg==
<<< PNG body (63855 bytes) omitted; binary >>>

<<< skipped >>>

GET /report.php?typ=sys&affId=4478&instId=7054&ho_transId=HO5ad1ea0b7b6375ad1ea0bad978&transId=313995699&chk_s_b=VMware-56 4d a7 48 b6 81 1f 90-3f 36 cc ce af 92 9a d2&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:3C:AC:7120:41:53:59:4E:FF&randid=0.08483448649192299 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: kiss.oatmealscene.loan


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=0e86jqb7o9td02ke3r3hjio5h2; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjM3MDYzODJ9LFwidGltZVwiOjE1MjM3MDYzODJ9In0.CmIVZppY4vMqWyCBNOxt66wND4ozFEF0Yn4ZV1bxj_c; expires=Tue, 15-May-2018 11:46:22 GMT; path=/; domain=.kiss.oatmealscene.loan
Date: Sat, 14 Apr 2018 11:46:22 GMT
Content-Length: 0

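The two InstallCapital beacons above (report.php?typ=conversion and report.php?typ=sys) and the HS256 JWT the affiliate server sets in the a862a6…-named cookie are the parts of this capture an analyst can act on. The typ=sys beacon sends the sandbox's SMBIOS serial, manufacturer string, model string and MAC addresses back to the server; reading that as a hypervisor check is an inference from the field names and values, since the report does not say what the server does with them. The following Python script is an added example, not code from the Lavasoft report or from the installer: it parses the captured request lines, pulls out the host-identification fields that name a hypervisor, and decodes the JWT payload without verifying the signature (the HS256 key is held by the server, so the claims are server-supplied data, not something to trust). The sample request lines and cookie value are copied from the capture; the key-prefix meanings, the HOST_ID_KEYS tuple and the hypervisor marker list are assumptions.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the two InstallCapital request lines and the JWT
# cookie value copied from the capture above (spaces inside the typ=sys query
# are reproduced as the report shows them).
SAMPLE_REQUESTS = [
    "GET /report.php?typ=conversion&transId=313995699&affId=4478&instId=7054"
    "&ho_transId=HO5ad1ea0b7b6375ad1ea0bad978&s1=imgburn&s2=&s3=&s4=LP_DEF"
    "&s5=1014203620&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true"
    "&randid=0.022398741734922234 HTTP/1.1",
    "GET /report.php?typ=sys&affId=4478&instId=7054"
    "&ho_transId=HO5ad1ea0b7b6375ad1ea0bad978&transId=313995699"
    "&chk_s_b=VMware-56 4d a7 48 b6 81 1f 90-3f 36 cc ce af 92 9a d2"
    "&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc."
    "&chk_c_mo=VMware Virtual Platform"
    "&chk_mac=00:50:56:3C:AC:7120:41:53:59:4E:FF"
    "&randid=0.08483448649192299 HTTP/1.1",
]
SAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjM3MDYzODJ9"
    "LFwidGltZVwiOjE1MjM3MDYzODJ9In0."
    "CmIVZppY4vMqWyCBNOxt66wND4ozFEF0Yn4ZV1bxj_c"
)

# Fields of the typ=sys beacon that identify the host. Reading s_b/s_v as
# SMBIOS serial/version and c_ma/c_mo as machine manufacturer/model is an
# inference from the values; the report does not document the keys.
HOST_ID_KEYS = ("chk_s_b", "chk_s_v", "chk_c_ma", "chk_c_mo", "chk_mac")
# Hypervisor vendor strings to look for (assumed list; only VMware is in the capture).
HYPERVISOR_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "hyper-v", "kvm")


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into (method, path, {param: value})."""
    method, rest = line.split(" ", 1)
    target = rest.rsplit(" HTTP/", 1)[0]          # the query itself may contain spaces
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    return method, parts.path, {k: v[0] for k, v in query.items()}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) of a JWT WITHOUT verifying the signature.

    The HS256 key is held by the affiliate server, so the signature cannot be
    checked here; treat the claims as server-supplied data, not as trusted.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if isinstance(payload.get("data"), str):     # this server double-encodes "data"
        payload["data"] = json.loads(payload["data"])
    return header, payload


def jwt_issue_time(payload):
    """Render the 'time' claim as UTC so it can be compared with the Date header."""
    stamp = datetime.fromtimestamp(payload["data"]["time"], tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S")


def hypervisor_indicators(params):
    """Return the host-identification fields whose value names a hypervisor."""
    return {
        key: params[key]
        for key in HOST_ID_KEYS
        if key in params and any(m in params[key].lower() for m in HYPERVISOR_MARKERS)
    }


def triage(lines):
    """Summarise each beacon: endpoint, beacon type, tracking IDs, hypervisor evidence."""
    findings = []
    for line in lines:
        _method, path, params = parse_request_line(line)
        entry = {
            "path": path,
            "typ": params.get("typ"),
            "affId": params.get("affId"),
            "transId": params.get("transId"),
        }
        if entry["typ"] == "sys":
            entry["hypervisor"] = hypervisor_indicators(params)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
    header, payload = decode_jwt_unverified(SAMPLE_JWT)
    print(header, payload["data"], jwt_issue_time(payload))
```

Run stand-alone, the script prints the two triaged beacons and the decoded JWT claims. The payload is {"data": {"campaigns": {"1": 1523706382}, "time": 1523706382}}; 1523706382 is 2018-04-14 11:46:22 UTC, the same second as the Date header on that response, so the cookie is a server-side campaign timestamp bound to this install rather than anything the client computed. Pointed at a proxy log instead of the two sample lines, the same parser flags any request whose query carries chk_* fields or whose User-Agent is InstallCapital.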

The Trojan connects to the servers at the following location(s) (hostnames as seen in the HTTP requests captured above; downloads.ddigest-dl.com is the 301 redirect target of downloads.ddigest.com):

ic-dc.bundlessafevault.com
ic-dc.s3.amazonaws.com
d2adi7hu49xk5t.cloudfront.net
kiss.oatmealscene.loan
lamp.troublerifle.bid
lip.healthcakes.men
trk.railquince.bid
downloads.ddigest.com
downloads.ddigest-dl.com
VVV.1-1ads.com
irncdn.com

iexplore.exe_4020:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_3152:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

SearchProtocolHost.exe_1952:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_1120:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2788

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5074072\download.php (203 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\normal_bg4[1].png (9824 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (1440 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\imgburn_logo[1].png (772 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
