Trojan.NSIS.StartPage_72f7bc3fb6

by malwarelabrobot on September 14th, 2017 in Malware Descriptions.

Trojan.Win32.Agent.nfaswx (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 72f7bc3fb627300c1d83714d838b275f
SHA1: 5493b91b6c55e2183e569de28dfe3a092486e51c
SHA256: 7647c90c7b0d177b151f53ad8945166ac2e4568f6c5713b2e4cbf39d24c65b8e
SSDeep: 12288:Q9Yf3EKPBQlHVuZqvhv7lrmy4E1pU3WSAHK9mnebbcjybdxB:Q9YfUaBHZqpvpU3THgebYupv
Size: 653863 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SystemHealer
Created at: 2017-08-01 03:34:02
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

hollingworth.exe:3720
hollingworth.exe:4000
hollingworth.exe:1524
hollingworth.exe:4076
hollingworth.exe:3732

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
f82324b52e8e592d8a1656475e83e80f c:\Program Files\Bass\Bass.exe
f82324b52e8e592d8a1656475e83e80f c:\Program Files\Bass\hollingworth.dll
f82324b52e8e592d8a1656475e83e80f c:\Program Files\Bass\hollingworth.exe
f82324b52e8e592d8a1656475e83e80f c:\Program Files\Hightower\hollingworth.exe
c91f758056c6990112f3d637c3274645 c:\Program Files\applauding\applauding.exe
e43000d2ffc15560e81f40375ba822d7 c:\Program Files\undersides\mortenson.exe
ea6850e2625815f6c03563d2e714be95 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF641.tmp\119832.exe
cd91f6160728f3b8941e4de69dba77af c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF641.tmp\13521.exe
3eb70058c7957aa4057abd2b96a8f24d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF641.tmp\31498.exe
d9b22b333c95e1d327067410bcd88b29 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF641.tmp\60049.exe
f82324b52e8e592d8a1656475e83e80f c:\Users\"%CurrentUserName%"\AppData\Local\hollingworth.exe
f82324b52e8e592d8a1656475e83e80f c:\Windows\tips.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 1322 bytes in size. The following entries are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
188.95.50.62 bobomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
162.222.193.86 www.ustream.tv
162.222.193.86 ustream.tv
162.222.193.86 www.livestream.com
162.222.193.86 livestream.com
162.222.193.86 www.dailymotion.com
162.222.193.86 dailymotion.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: n19n86
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2017
Legal Trademarks:
Original Filename: setup.exe
Internal Name:
File Version: 1.0.0.1
File Description: n86n19
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             25172         25600     4.45962  d550b03059038df9bf82548da8080ff6
.rdata  32768            4948          5120      3.62951  5143a41b917c20afc11d259fd85b6ffc
.data   40960            152856        1536      2.80352  4c97d95c0fc95b712d16eb7b0ee5a871
.ndata  196608           36864         0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   233472           3288          3584      2.92167  610c158db387011f9dfaa71bc4a0cfe4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
3fed811a25e587fbb4f9de2155ac06f0
9742cb08575e6159803ae497aed45a38
492de69388cc16941b47b3d8b9c829b3

URLs

URL IP
hxxp://d3h046tak93335.cloudfront.net/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
hxxp://d3h046tak93335.cloudfront.net/jquery.min.js
hxxp://d3h046tak93335.cloudfront.net/amg.php
hxxp://ww.dunstoncarol.pw/a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287911000 162.222.193.17
hxxp://ww1.dunstoncarol.pw/a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287911000 188.95.50.96
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.94
hxxp://www.videojelly.com/watch-ATQ4Shh1x1.html 162.222.192.38
hxxp://widgets.amung.us/draw/?w=colored&n=1277&c=000000ffffff&p= 173.192.200.70
hxxp://www.videojelly.com/jquery.min.js 162.222.192.38
hxxp://ww1.dunstoncarol.pw/a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287916000 188.95.50.96
hxxp://ww.dunstoncarol.pw/a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287916000 162.222.193.17
hxxp://www.videojelly.com/watch-A1SUIpqVxR.html 162.222.192.38
hxxp://widgets.amung.us/draw/?w=colored&n=1263&c=000000ffffff&p= 173.192.200.70
hxxp://www.videojelly.com/watch-A1SUIpqVxR.htm 162.222.192.38
hxxp://www.videojelly.com/watch-AKFNqffzyi.html 162.222.192.38
hxxp://www.videojelly.com/watch-A0w5zIoE1H.html 162.222.192.38
hxxp://ww1.dunstoncarol.pw/a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287920000 188.95.50.96
hxxp://widgets.amung.us/draw/?w=colored&n=1282&c=000000ffffff&p= 173.192.200.70
hxxp://www.videojelly.com/watch-ApditszZfL.html 162.222.192.38
hxxp://www.videojelly.com/watch-A0tm9RmoQO.html 162.222.192.38
hxxp://ww.dunstoncarol.pw/a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287920000 162.222.193.17
hxxp://www.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24 52.85.173.99
hxxp://www.dunstoncarol.pw/amg.php 52.85.173.99
hxxp://www.dunstoncarol.pw/jquery.min.js 52.85.173.99
www.google-analytics.com 172.217.16.110
teredo.ipv6.microsoft.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /draw/?w=colored&n=1263&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: widgets.amung.us
Connection: Keep-Alive
Cookie: uid=CgH9Ilm43ukCOUFnIyBUAg==


HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Wed, 13 Sep 2017 07:31:58 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Thu, 14 Sep 2017 07:31:58 GMT
Cache-Control: max-age=86400
<<< binary PNG body (wau-widget.png, chunked) omitted >>>

<<< skipped >>>

GET /hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 680
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
X-Pad: avoid browser bug
Content-Encoding: gzip
Date: Wed, 13 Sep 2017 07:31:49 GMT
Age: 6
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 09393f32f516ce23b0b6bbd4b022977b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GrBcGeNrPLLgpfRIFeAZcdJZYmjZ4RbjRFgO4ktFx1AqT7fqZssifA==
<<< gzip-compressed body (680 bytes) omitted >>>

<<< skipped >>>

GET /amg.php HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 359
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Date: Wed, 13 Sep 2017 07:03:47 GMT
Age: 1690
X-Cache: Hit from cloudfront
Via: 1.1 09393f32f516ce23b0b6bbd4b022977b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: B72BmqGkDnD4uW0LBGnqZFV2fzMq_X8tICnUMMaK3urxQnO3RmIm4Q==
<script type="text/javascript">setInterval( "vwu()", 200000);function vwu(){if(document.images){document.images['viewers'].src = 'hXXp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png?' + Date.parse(new Date().toString());}}</script><div style="visibility:hidden"><img name="viewers" src="hXXp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png"></div>

<<< skipped >>>

GET /a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287916000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww.dunstoncarol.pw
Connection: Keep-Alive
Cookie: sps=yes; v_2017-09-13=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:02 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 119
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
<<< binary PNG body (119 bytes) omitted >>>


GET /draw/?w=colored&n=1282&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: widgets.amung.us
Connection: Keep-Alive
Cookie: uid=CgH9Ilm43ukCOUFnIyBUAg==


HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Wed, 13 Sep 2017 07:32:01 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Thu, 14 Sep 2017 07:32:01 GMT
Cache-Control: max-age=86400
<<< binary PNG body (wau-widget.png, chunked) omitted >>>

<<< skipped >>>

GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive


HTTP/1.1 303 See Other
Date: Wed, 13 Sep 2017 07:31:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1277&c=000000ffffff&p=
Set-Cookie: uid=CgH9Ilm43ukCOUFnIyBUAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..


GET /watch-ApditszZfL.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:40 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 1441
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!doctype html><html class="no-js" lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"><meta http-equiv="cache-control" content="max-age=0" /><meta http-equiv="cache-control" content="no-cache" /><meta http-equiv="expires" content="0" /><meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta http-equiv="pragma" content="no-cache" /><title>searchbox</title>
<script type="text/javascript">if(window.location.protocol != 'http:') { location.href = location.href.replace("hXXps://", "hXXp://");}</script>
</head><body topmargin="0" leftmargin="0"><form action="watch-A0tm9RmoQO.html" method="get" name="redirect1"></form><div id="a"></div>
<script language="JavaScript" type="text/javascript">if(location.href == top.location.href){document.write('<p align="center"><a href="play.php?id=ApditszZfL"> <font size="5" style="margin-left:auto;margin-right:auto;display:block;margin-top:22%;margin-bottom:0%">Continue to play</font></a></p>');}</script>
<script type="text/javascript">
 var rc = document.referrer.split('/')[2];
 if (rc == window.location.hostname) {
 document.write('<div id="my-video" style="width: 640px;height: 360px;"></div>');
 }else{document.forms['redirect1'].submit();}
 </script>
<script type='text/javascript'>
setTimeout(function ()

<<< skipped >>>

GET /watch-A0tm9RmoQO.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.videojelly.com/watch-ApditszZfL.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:40 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 1441
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
<!doctype html><html class="no-js" lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"><meta http-equiv="cache-control" content="max-age=0" /><meta http-equiv="cache-control" content="no-cache" /><meta http-equiv="expires" content="0" /><meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta http-equiv="pragma" content="no-cache" /><title>searchbox</title>
<script type="text/javascript">if(window.location.protocol != 'http:') { location.href = location.href.replace("hXXps://", "hXXp://");}</script>
</head><body topmargin="0" leftmargin="0"><form action="watch-A10KqhhkY4.html" method="get" name="redirect1"></form><div id="a"></div>
<script language="JavaScript" type="text/javascript">if(location.href == top.location.href){document.write('<p align="center"><a href="play.php?id=A0tm9RmoQO"> <font size="5" style="margin-left:auto;margin-right:auto;display:block;margin-top:22%;margin-bottom:0%">Continue to play</font></a></p>');}</script>
<script type="text/javascript">
 var rc = document.referrer.split('/')[2];
 if (rc == window.location.hostname) {
 document.write('<div id="my-video" style="width: 640px;height: 360px;"></div>');
 }else{document.forms['redirect1'].submit();}
 </script>
<script type='text/javascript'>
setTimeout(function ()

<<< skipped >>>

GET /watch-A1SUIpqVxR.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:58 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 44
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<meta http-equiv="refresh" content="10">


GET /a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287911000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:31:56 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Set-Cookie: sps=yes; expires=Thu, 13-Sep-2018 13:20:42 GMT; path=/
Set-Cookie: v_2017-09-13=yes; expires=Thu, 14-Sep-2017 07:31:56 GMT; path=/
Content-Length: 125
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
<<< binary PNG body (125 bytes) omitted >>>


GET /watch-A1SUIpqVxR.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:33:08 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 44
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
...3<meta http-equiv="refresh" cont..


GET /watch-ATQ4Shh1x1.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:32 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: vjc=yes; expires=Thu, 13-Sep-2018 13:21:18 GMT; path=/
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 7676
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!doctype html><html class="no-js" lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"><meta http-equiv="cache-control" content="max-age=0" /><meta http-equiv="cache-control" content="no-cache" /><meta http-equiv="expires" content="0" /><meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta http-equiv="pragma" content="no-cache" /><title>searchbox</title>
<script language='javascript' type='text/javascript' src='jquery.min.js'></script><script type="text/javascript">if(window.location.protocol != 'http:') { location.href = location.href.replace("hXXps://", "hXXp://");}</script>
</head><body topmargin="0" leftmargin="0"><form action="watch-A1SUIpqVxR.html" method="get" name="redirect1"></form><div id="ab2j5e4z2c8e4c8z2j5g6z2c8b2i4"></div>
<script language="JavaScript" type="text/javascript">if(location.href == top.location.href){document.write('<p align="center"><a href="play.php?id=ATQ4Shh1x1"> <font size="5" style="margin-left:auto;margin-right:auto;display:block;margin-top:22%;margin-bottom:0%">Continue to play</font></a></p>');}</script>
<iframe frameborder='0' marginheight='0' marginwidth='0' scrolling='no' src='watch-ATQ4Shh1x1.htm' width='640' height='360'></iframe>
<script type="text/javascript">
 var rc = document.referrer.split('/')

<<< skipped >>>

GET /jquery.min.js HTTP/1.1

Accept: */*
Referer: hXXp://VVV.videojelly.com/watch-ATQ4Shh1x1.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:33 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Last-Modified: Mon, 01 May 2017 01:35:52 GMT
ETag: "300000001b19c-25c8b-54e6c718c2e00"
Accept-Ranges: bytes
Content-Length: 154763
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/javascript
if(typeof jwplayer=="undefined"){var jwplayer=function(a){if(jwplayer.api){return jwplayer.api.selectPlayer(a)}};var $jw=jwplayer;jwplayer.version="5.9.2156";
jwplayer.vid=document.createElement("video");jwplayer.audio=document.createElement("audio");jwplayer.source=document.createElement("source");
(function(b){b.utils=function(){};
b.utils.typeOf=function(d){var c=typeof d;if(c==="object"){if(d){if(d instanceof Array){c="array"}}else{c="null"}}return c};
b.utils.extend=function(){var c=b.utils.extend["arguments"];if(c.length>1){for(var e=1;e<c.length;e++){for(var d in c[e]){c[0][d]=c[e][d]}}return c[0]}return null};
b.utils.clone=function(f){var c;var d=b.utils.clone["arguments"];if(d.length==1){switch(b.utils.typeOf(d[0])){case"object":c={};for(var e in d[0]){c[e]=b.utils.clone(d[0][e])}break;case"array":c=[];for(var e in d[0]){c[e]=b.utils.clone(d[0][e])}break;default:return d[0];break}}return c};
b.utils.extension=function(c){if(!c){return""}c=c.substring(c.lastIndexOf("/")+1,c.length);c=c.split("?")[0];if(c.lastIndexOf(".")>-1){return c.substr(c.lastIndexOf(".")+1,c.length).toLowerCase()}return};
b.utils.html=function(c,d){c.innerHTML=d};
b.utils.wrap=function(c,d){if(c.parentNode){c.parentNode.replaceChild(d,c)}d.appendChild(c)};
b.utils.ajax=function(g,f,c){var e;if(window.XMLHttpRequest){e=new XMLHttpRequest()}else{e=new ActiveXObject("Microsoft.XMLHTTP")}e.onreadystatechange=function(){if(e.readyState===4){if(e.status===200){if(f){if(!b.utils.exists(e.responseXML)){try{if(window.DOMParser){var h=(new

<<< skipped >>>

GET /watch-A1SUIpqVxR.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.videojelly.com/watch-ATQ4Shh1x1.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:36 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 7662
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html
<!doctype html><html class="no-js" lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="ie=edge,chrome=1"><meta http-equiv="cache-control" content="max-age=0" /><meta http-equiv="cache-control" content="no-cache" /><meta http-equiv="expires" content="0" /><meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta http-equiv="pragma" content="no-cache" /><title>searchbox</title>
<script language='javascript' type='text/javascript' src='jquery.min.js'></script><script type="text/javascript">if(window.location.protocol != 'http:') { location.href = location.href.replace("hXXps://", "hXXp://");}</script>
</head><body topmargin="0" leftmargin="0"><form action="watch-AV5ywGdIN8.html" method="get" name="redirect1"></form><div id="ab4j4e4z6c3e4c3z6j4g7z6c3b4i8"></div>
<script language="JavaScript" type="text/javascript">if(location.href == top.location.href){document.write('<p align="center"><a href="play.php?id=A1SUIpqVxR"> <font size="5" style="margin-left:auto;margin-right:auto;display:block;margin-top:22%;margin-bottom:0%">Continue to play</font></a></p>');}</script>
<iframe frameborder='0' marginheight='0' marginwidth='0' scrolling='no' src='watch-A1SUIpqVxR.htm' width='640' height='360'></iframe>
<script type="text/javascript">
 var rc = document.referrer.split('/')

<<< skipped >>>

GET /watch-A1SUIpqVxR.htm HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.videojelly.com/watch-A1SUIpqVxR.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:37 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 44
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html
...3<meta http-equiv="refresh" content="10">HTTP/1.1 200 OK..Dat
e: Wed, 13 Sep 2017 07:32:37 GMT..Server: Apache/2.2.22 (Win64) mod_ss
l/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By: PHP/5.3.13..Cache-Co
ntrol: no-store, no-cache, must-revalidate, max-age=0..Cache-Control:
post-check=0, pre-check=0..Pragma: no-cache..Access-Control-Allow-Orig
in: *..Access-Control-Allow-Credentials: true..Content-Length: 44..Kee
p-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text
/html.....3<meta http-equiv="refresh" content="10">..


GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
Cookie: uid=CgH9Ilm43ukCOUFnIyBUAg==


HTTP/1.1 303 See Other
Date: Wed, 13 Sep 2017 07:32:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1282&c=000000ffffff&p=
0..


GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
Cookie: uid=CgH9Ilm43ukCOUFnIyBUAg==


HTTP/1.1 303 See Other
Date: Wed, 13 Sep 2017 07:31:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1263&c=000000ffffff&p=
0..


GET /a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287911000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww1.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:31:44 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Set-Cookie: sps=yes; expires=Thu, 13-Sep-2018 13:20:30 GMT; path=/
Set-Cookie: v_2017-09-13=yes; expires=Thu, 14-Sep-2017 07:31:44 GMT; path=/
Content-Length: 125
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
.PNG........IHDR..............wS.....sRGB.........gAMA......a.....pHYs
..........o.d....IDAT.Wc...?......5......IEND.B`.650684HTTP/1.1 200 OK
..Date: Wed, 13 Sep 2017 07:31:44 GMT..Server: Apache/2.2.22 (Win64) P
HP/5.3.13..X-Powered-By: PHP/5.3.13..Set-Cookie: sps=yes; expires=Thu,
13-Sep-2018 13:20:30 GMT; path=/..Set-Cookie: v_2017-09-13=yes; expir
es=Thu, 14-Sep-2017 07:31:44 GMT; path=/..Content-Length: 125..Keep-Al
ive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: image/p
ng...PNG........IHDR..............wS.....sRGB.........gAMA......a.....
pHYs..........o.d....IDAT.Wc...?......5......IEND.B`.650684..


GET /draw/?w=colored&n=1277&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Cookie: uid=CgH9Ilm43ukCOUFnIyBUAg==
Connection: Keep-Alive
Host: widgets.amung.us


HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Wed, 13 Sep 2017 07:31:54 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Thu, 14 Sep 2017 07:31:54 GMT
Cache-Control: max-age=86400
5be...PNG........IHDR...Q...........p....jPLTE...EEEYYY...............
???,,,...AAA............;<=zzz~~~......abdWXZ..................GGG.
...........'((222.........uvyEFG<<<...kln...NNN>>>..
....~~.vwx...hhi.........OPQ......iii.........uvv...opp......UVV...RRR
WWW..................bcc...ijj}~~......dee......qqq......QQQ...]^^PPP.
........TTTaaa...{{{.........___......HHHrss.........kllJJJDDDBBBIII..
.......CCC.....................LLLNOO.........@@@tttkkkvvv:::|||......
...............;;;.........FFF.........?@@888666ppprrr................
..111............000...lll......XYZ(((&&&hhhfff cdeZ[\788...dddccc..
.......nnn.........ZZZXXXVVV[[[mmm^^^\\\]]]```gggxxxjjj.6I.....tRNS.@.
.f....IDATH....W.A......4K*5AC.N.N.F.....V..**.5..;.< k.tSS........
.D....].._......o`..f..,.a.}r.6n.-...c.X..yT$.v.82,..0i7....<..e...
h............k....]]......io.....9.:Z............?..d.;...q\/d......ou
,.6...2... EUW}A|...TUMqT~"... .*.......U^.(%K\......M!A.._..$^.s..R..
..'..W..G...,.......,....H...D.7.g.c-...q..-.......9p.#....k..ia1.P.~5
..._.q<.iZ..H....K.'..VN...p..5.F...;..I<s..O%&...<.'i..O...X
|...Z .......Ht.aS.!.A.1Q&...&w...3p6..4.......A.^.J.G....V.......:..v
.;..q......6.`q ,*.aa..B....'7..aPoqh]...b..B..2..e.....9...Jr..`QK...
.p&...-..<....o...a....@.....?...V4..zV...8...[.a.XI..F..T..\..8I.k
..jo.DR;..........."`.U.../tH..Y.......p4.'....t.....)C.e.(........0.v
....%./N.,.FE .*.^...6....(...l..|....G6.....fX...4.2/....P.i7..7. :..
(.4.{...=....If..1.`.{...<.....u....IEND.B`...0..

<<< skipped >>>

GET /a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287920000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww.dunstoncarol.pw
Connection: Keep-Alive
Cookie: sps=yes; v_2017-09-13=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:08 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 119
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
.PNG........IHDR..............wS.....sRGB.........gAMA......a.....pHYs
..........o.d....IDAT.Wc...?......5......IEND.B`.HTTP/1.1 200 OK..Date
: Wed, 13 Sep 2017 07:32:08 GMT..Server: Apache/2.2.22 (Win64) mod_ssl
/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By: PHP/5.3.13..Content-L
ength: 119..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Co
ntent-Type: image/png...PNG........IHDR..............wS.....sRGB......
...gAMA......a.....pHYs..........o.d....IDAT.Wc...?......5......IEND.B
`...


GET /watch-A1SUIpqVxR.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:47 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 44
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
...3<meta http-equiv="refresh" content="10">HTTP/1.1 200 OK..Dat
e: Wed, 13 Sep 2017 07:32:47 GMT..Server: Apache/2.2.22 (Win64) mod_ss
l/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By: PHP/5.3.13..Cache-Co
ntrol: no-store, no-cache, must-revalidate, max-age=0..Cache-Control:
post-check=0, pre-check=0..Pragma: no-cache..Access-Control-Allow-Orig
in: *..Access-Control-Allow-Credentials: true..Content-Length: 44..Kee
p-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: tex
t/html.....3<meta http-equiv="refresh" content="10">..


GET /hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 680
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
X-Pad: avoid browser bug
Content-Encoding: gzip
Date: Wed, 13 Sep 2017 07:31:49 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 d2fa707728d9947a31db9f8dc3e9e56c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: KLCs9KS7cKkz1EhiVO6DkNkJ40bQ0KQcmyZ-Mhc-ex7ZK27pteQNrw==
...........TQO.0.~G.?.?.T!v.".FR.....64..4..I.$,...4T...sR......9...w.
;.;.o....)JM......'c.=.~...Mf.t.i....h....E...W.pjL....ih3.J'l...X..u[
m.........&X..G~!.GQ.u%L.k3....j.=q]g.._z....*Jn.0..EJ.!..d..8.{Q.U!..
&o-.ZT.........L.F..:JCu.....N\..%....\'..p.#...?%[..S.Y.@....y^.#<
....Hg.A9.I.....|..[#p-K.Xwv......x....k.e..4.F......i...5.^.L.^..C.:.
t..X54W.TKI......V.E..H8...!B..SU.d...K^...-.H.}...`.........A..UTC..m
t.I.? .dC...9|...JG.}.......i).c.B2..M.y....T ....w#.V:..%rzp!..<.
..o...6.%z.9.ed..VR.-zP...../..K~S..u#..../..t.....Q.=zB.3ex..........
s......s..`<.}[.....u.._...Tc....g.D..l..~.{.EB......I.<.(.Y..v.
.C.c....... =.R...:.M.M.g.t.M..m.* W...KZd.^Ud. .*n...X\.>....HTTP/
1.1 200 OK..Content-Type: text/html..Content-Length: 680..Connection:
keep-alive..Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1
c PHP/5.3.13..X-Powered-By: PHP/5.3.13..X-Pad: avoid browser bug..Cont
ent-Encoding: gzip..Date: Wed, 13 Sep 2017 07:31:49 GMT..Vary: Accept-
Encoding..X-Cache: Miss from cloudfront..Via: 1.1 d2fa707728d9947a31db
9f8dc3e9e56c.cloudfront.net (CloudFront)..X-Amz-Cf-Id: KLCs9KS7cKkz1Eh
iVO6DkNkJ40bQ0KQcmyZ-Mhc-ex7ZK27pteQNrw==.............TQO.0.~G.?.?.T!v
.".FR.....64..4..I.$,...4T...sR......9...w.;.;.o....)JM......'c.=.~...
Mf.t.i....h....E...W.pjL....ih3.J'l...X..u[m.........&X..G~!.GQ.u%L.k3
....j.=q]g.._z....*Jn.0..EJ.!..d..8.{Q.U!..&o-.ZT.........L.F..:JCu...
..N\..%....\'..p.#...?%[..S.Y.@....y^.#<....Hg.A9.I.....|..[#p-K.Xw
v......x....k.e..4.F......i...5.^.L.^..C.:.t..X54W.TKI......V.E..H

<<< skipped >>>

GET /jquery.min.js HTTP/1.1

Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 3235
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
Last-Modified: Mon, 07 Aug 2017 21:44:13 GMT
ETag: "10000000a5fd9-1586-55630bf646540"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Wed, 16 Aug 2017 02:35:02 GMT
Vary: Accept-Encoding
Age: 1895
X-Cache: Hit from cloudfront
Via: 1.1 d2fa707728d9947a31db9f8dc3e9e56c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: eFJgqKkdx4_mUBj1OKbIkV0lnqJM2Yp8a5LeclcGltRdYKddXdkHAg==
..........MX...H.}o..../..{lR"%..\.wI\DR\D...."n.N...G..;S0p..dFf,.Dd.
u0.Q......>.}.=...,..%..........K...2ea..v .f.w.eI..F..........?.~.
.....U.gu...Q..........^..._v..>....o_q...U.....>.....[..$<.U
....V..s"$a.....Hj.a. .I.............I..z.N-.F.4(m.................d..
...|.....3.U.6.d.....g.. o.v.{.?x.......'5.....mJ..=.$#|.E.L.....l&...
..S....S......=W..%}.EY.z..o.. o..FO.<....>c..:q3V...=V...P.....
::.N.......d..V.w.......z.c....X.h..t6`orw.. t`U7.ur( ...=Z..J..S..eja
@.>.,...N.8....yK.N\.............$..t..K....V.......a.j..-..v..<
..y.r"...<...]........5......|C. FF..Q2....5~v<.B~..r.....sjw.S.
.-.'..("o^.S..g...J.....b.2..*.w.|h5*.!"....._."....7..y..Zu.i..4...-/
-x.W._./>..F;. .6xb.v.,.q..T.(...Ef..iz.a?..[.c...3ay.....$.F......
s].U.....?Ez{.......:......d|.Q..f ......C.$......:.36...Y...X.u.`.D..
`....qn`........[."..-m.....N.e"h.2Cyl ...n.z.g."..T..|../T-....0}*.).
da[...^..b..5.n.}...&.o.'<h..o[8g......%...R<..3../......S.].A..
..i.*A~R#.i.V.|.*_.Kw...n,A.B....U.X..6..'K...q..."...E;..u.^.v%[..y.:
...>...|6S.b,.....ae...L..-W.F.v..d;OL.|}...n.(~......,d..~........
.. .....4.$...d.X.H....FT.C]A..#B1M'./.E...?...MoI..xHI......n...;.K..
@l.].........E...........tb..L.......j....o.X..sa..x..5.R.n..i../....l
s.....U....\w.].....n...yBT^0>6'nc......[.r..=..n..VLz...1...raMR.|
....T.~.\.........Ms...0.l*"....}..K.....I)2.d_Z.x&....-q]..8...z.H...
.l.tY"...k.....2..I..,..j..4..6Mpqf..C.o6..-..GxMPuw.LO....;8.v......O
;...........x...7o...s.!..C....C..-U=yT.....N....[3!O.l...n.;..y..

<<< skipped >>>

GET /amg.php HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 359
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Date: Wed, 13 Sep 2017 07:03:47 GMT
Age: 1684
X-Cache: Hit from cloudfront
Via: 1.1 d2fa707728d9947a31db9f8dc3e9e56c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: IQAQgk0CjenBKf12jkjT5IV2TrXnGMQZVJ6aINwZhV7EnkRdFk90wQ==
...<script type="text/javascript">setInterval( "vwu()", 200000);
function vwu(){if(document.images){document.images['viewers'].src = 'h
ttp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png?' + Date.parse
(new Date().toString());}}</script><div style="visibility:hid
den"><img name="viewers" src="hXXp://whos.amung.us/cwidget/iebro
wser1/000000ffffff.png"></div>HTTP/1.1 200 OK..Content-Type:
text/html..Content-Length: 359..Connection: keep-alive..Server: Apache
/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By
: PHP/5.3.13..Date: Wed, 13 Sep 2017 07:03:47 GMT..Age: 1684..X-Cache:
Hit from cloudfront..Via: 1.1 d2fa707728d9947a31db9f8dc3e9e56c.cloudf
ront.net (CloudFront)..X-Amz-Cf-Id: IQAQgk0CjenBKf12jkjT5IV2TrXnGMQZVJ
6aINwZhV7EnkRdFk90wQ==.....<script type="text/javascript">setInt
erval( "vwu()", 200000);function vwu(){if(document.images){document.im
ages['viewers'].src = 'hXXp://whos.amung.us/cwidget/iebrowser1/000000f
fffff.png?' + Date.parse(new Date().toString());}}</script><d
iv style="visibility:hidden"><img name="viewers" src="hXXp://who
s.amung.us/cwidget/iebrowser1/000000ffffff.png"></div>..

<<< skipped >>>

GET /hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 680
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
X-Pad: avoid browser bug
Content-Encoding: gzip
Date: Wed, 13 Sep 2017 07:31:49 GMT
Vary: Accept-Encoding
Age: 11
X-Cache: Hit from cloudfront
Via: 1.1 7b6339693d82ec593824b8c6ad776117.cloudfront.net (CloudFront)
X-Amz-Cf-Id: SjfTyutJokZlpNgUvby121JN-UL74TFi1X6N8PLLpHPGB_p3SIcaqg==
...........TQO.0.~G.?.?.T!v.".FR.....64..4..I.$,...4T...sR......9...w.
;.;.o....)JM......'c.=.~...Mf.t.i....h....E...W.pjL....ih3.J'l...X..u[
m.........&X..G~!.GQ.u%L.k3....j.=q]g.._z....*Jn.0..EJ.!..d..8.{Q.U!..
&o-.ZT.........L.F..:JCu.....N\..%....\'..p.#...?%[..S.Y.@....y^.#<
....Hg.A9.I.....|..[#p-K.Xwv......x....k.e..4.F......i...5.^.L.^..C.:.
t..X54W.TKI......V.E..H8...!B..SU.d...K^...-.H.}...`.........A..UTC..m
t.I.? .dC...9|...JG.}.......i).c.B2..M.y....T ....w#.V:..%rzp!..<.
..o...6.%z.9.ed..VR.-zP...../..K~S..u#..../..t.....Q.=zB.3ex..........
s......s..`<.}[.....u.._...Tc....g.D..l..~.{.EB......I.<.(.Y..v.
.C.c....... =.R...:.M.M.g.t.M..m.* W...KZd.^Ud. .*n...X\.>....t>....



GET /amg.php HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.dunstoncarol.pw
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 359
Connection: keep-alive
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Date: Wed, 13 Sep 2017 07:03:47 GMT
Age: 1693
X-Cache: Hit from cloudfront
Via: 1.1 7b6339693d82ec593824b8c6ad776117.cloudfront.net (CloudFront)
X-Amz-Cf-Id: yV_dsMSOJeNjXHMIaMkw26S1KQownij87DwVtr0rKMSC9XN3aDSvDg==
...<script type="text/javascript">setInterval( "vwu()", 200000);
function vwu(){if(document.images){document.images['viewers'].src = 'h
ttp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png?' + Date.parse
(new Date().toString());}}</script><div style="visibility:hid
den"><img name="viewers" src="hXXp://whos.amung.us/cwidget/iebro
wser1/000000ffffff.png"></div>HTTP/1.1 200 OK..Content-Type:
text/html..Content-Length: 359..Connection: keep-alive..Server: Apache
/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13..X-Powered-By
: PHP/5.3.13..Date: Wed, 13 Sep 2017 07:03:47 GMT..Age: 1693..X-Cache:
Hit from cloudfront..Via: 1.1 7b6339693d82ec593824b8c6ad776117.cloudf
ront.net (CloudFront)..X-Amz-Cf-Id: yV_dsMSOJeNjXHMIaMkw26S1KQownij87D
wVtr0rKMSC9XN3aDSvDg==.....<script type="text/javascript">setInt
erval( "vwu()", 200000);function vwu(){if(document.images){document.im
ages['viewers'].src = 'hXXp://whos.amung.us/cwidget/iebrowser1/000000f
fffff.png?' + Date.parse(new Date().toString());}}</script><d
iv style="visibility:hidden"><img name="viewers" src="hXXp://who
s.amung.us/cwidget/iebrowser1/000000ffffff.png"></div>..

<<< skipped >>>

GET /watch-AKFNqffzyi.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:37 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 2374
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
...<!doctype html><html class="no-js" lang="en"><head&g
t;<meta charset="utf-8"><meta http-equiv="X-UA-Compatible" co
ntent="ie=edge,chrome=1"><meta http-equiv="cache-control" conten
t="max-age=0" /><meta http-equiv="cache-control" content="no-cac
he" /><meta http-equiv="expires" content="0" /><meta http-
equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta h
ttp-equiv="pragma" content="no-cache" /><title>searchbox</
title>..<script type="text/javascript">if(window.location.pro
tocol != 'http:') { location.href = location.href.replace("hXXps://",
"hXXp://");}</script>..</head><body topmargin="0" left
margin="0"><form action="watch-A0w5zIoE1H.html" method="get" nam
e="redirect1"></form><div id="a"></div>..<scri
pt language="JavaScript" type="text/javascript">if(location.href ==
top.location.href){document.write('<p align="center"><a href
="play.php?id=AKFNqffzyi"> <font size="5" style="margin-left:aut
o;margin-right:auto;display:block;margin-top:22%;margin-bottom:0%">
Continue to play</font></a></p>');}</script>..
<script type="text/javascript">.. var rc = document.referrer.spl
it('/')[2];.. if (rc == window.location.hostname) { .. document.write(
'<div id="my-video" style="width: 640px;height: 360px;"></div
>');.. }else{document.forms['redirect1'].submit();}.. </script&g
t;..<script type='text/javascript'>..setTimeout(function ()

<<< skipped >>>

GET /watch-A0w5zIoE1H.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.videojelly.com/watch-AKFNqffzyi.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.videojelly.com
Connection: Keep-Alive
Cookie: vjc=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:32:37 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Length: 1441
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
...<!doctype html><html class="no-js" lang="en"><head&g
t;<meta charset="utf-8"><meta http-equiv="X-UA-Compatible" co
ntent="ie=edge,chrome=1"><meta http-equiv="cache-control" conten
t="max-age=0" /><meta http-equiv="cache-control" content="no-cac
he" /><meta http-equiv="expires" content="0" /><meta http-
equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /><meta h
ttp-equiv="pragma" content="no-cache" /><title>searchbox</
title>..<script type="text/javascript">if(window.location.pro
tocol != 'http:') { location.href = location.href.replace("hXXps://",
"hXXp://");}</script>..</head><body topmargin="0" left
margin="0"><form action="watch-A0hUlvZ7Xk.html" method="get" nam
e="redirect1"></form><div id="a"></div>..<scri
pt language="JavaScript" type="text/javascript">if(location.href ==
top.location.href){document.write('<p align="center"><a href
="play.php?id=A0w5zIoE1H"> <font size="5" style="margin-left:aut
o;margin-right:auto;display:block;margin-top:22%;margin-bottom:0%">
Continue to play</font></a></p>');}</script>..
<script type="text/javascript">.. var rc = document.referrer.spl
it('/')[2];.. if (rc == window.location.hostname) { .. document.write(
'<div id="my-video" style="width: 640px;height: 360px;"></div
>');.. }else{document.forms['redirect1'].submit();}.. </script&g
t;..<script type='text/javascript'>..setTimeout(function ()

<<< skipped >>>

GET /a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287920000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww1.dunstoncarol.pw
Connection: Keep-Alive
Cookie: sps=yes; v_2017-09-13=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:31:53 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 119
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
.PNG........IHDR..............wS.....sRGB.........gAMA......a.....pHYs
..........o.d....IDAT.Wc...?......5......IEND.B`.HTTP/1.1 200 OK..Date
: Wed, 13 Sep 2017 07:31:53 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3
.13..X-Powered-By: PHP/5.3.13..Content-Length: 119..Keep-Alive: timeou
t=5, max=100..Connection: Keep-Alive..Content-Type: image/png...PNG...
.....IHDR..............wS.....sRGB.........gAMA......a.....pHYs.......
...o.d....IDAT.Wc...?......5......IEND.B`...


GET /a.png?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24&gif=yes&rnd=1505287916000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD&respectability=2017-08-24
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ww1.dunstoncarol.pw
Connection: Keep-Alive
Cookie: sps=yes; v_2017-09-13=yes


HTTP/1.1 200 OK
Date: Wed, 13 Sep 2017 07:31:49 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 119
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
.PNG........IHDR..............wS.....sRGB.........gAMA......a.....pHYs
..........o.d....IDAT.Wc...?......5......IEND.B`.HTTP/1.1 200 OK..Date
: Wed, 13 Sep 2017 07:31:49 GMT..Server: Apache/2.2.22 (Win64) PHP/5.3
.13..X-Powered-By: PHP/5.3.13..Content-Length: 119..Keep-Alive: timeou
t=5, max=100..Connection: Keep-Alive..Content-Type: image/png...PNG...
.....IHDR..............wS.....sRGB.........gAMA......a.....pHYs.......
...o.d....IDAT.Wc...?......5......IEND.B`...


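The captured exchanges above form a chain: the dunstoncarol.pw landing page loads a.png beacons with an rnd= cache-buster and sets the sps cookie, amg.php embeds a whos.amung.us counter that answers 303 to widgets.amung.us, and the videojelly.com "watch" pages refer to one another and only render when the Referer hostname matches. The script below is an added example (not part of the Lavasoft report) that rebuilds that chain from the report's own request/response layout: it parses a constructed, trimmed copy of the exchanges (SAMPLE_DUMP, keeping the report's defanged 'VVV.' and 'hXXp' spellings), derives source-to-destination edges from Referer headers and 3xx Location hops, lists hosts and cookie names as IOCs, and flags probable tracking beacons. The beacon heuristic (rnd= query or an image under 256 bytes) is this example's own assumption, not something the report states.

```python
"""Rebuild the redirect/beacon chain from a sandbox HTTP dump (added example,
not part of the Lavasoft report). Expects the report's layout: request line,
headers, blank line(s), status line, headers; body lines are ignored.
SAMPLE_DUMP is a constructed, trimmed copy of the exchanges above with the
report's defanged spellings ('VVV.' for 'www.', 'hXXp' for 'http') kept."""
import re

SAMPLE_DUMP = """\
GET /hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD HTTP/1.1

Host: VVV.dunstoncarol.pw


HTTP/1.1 200 OK
Content-Type: text/html
...<!doctype html><html class="no-js" lang="en">


GET /a.png?huddleston=11Ad550I82paCcxEEyqD&gif=yes&rnd=1505287911000 HTTP/1.1
Referer: hXXp://VVV.dunstoncarol.pw/hjtKl2PXNk0PXNk1PXNk70mnJ82hjtKl4PXNk.html?huddleston=11Ad550I82paCcxEEyqD
Host: ww1.dunstoncarol.pw


HTTP/1.1 200 OK
Set-Cookie: sps=yes; expires=Thu, 13-Sep-2018 13:20:30 GMT; path=/
Content-Length: 125
Content-Type: image/png
.PNG........IHDR..............wS.....sRGB


GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Referer: hXXp://VVV.dunstoncarol.pw/amg.php
Host: whos.amung.us


HTTP/1.1 303 See Other
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1282&c=000000ffffff&p=
"""

REQ_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
RESP_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")


def parse_exchanges(dump):
    """Return [{method, path, req, status, resp}]; req/resp map lowercased header names to value lists."""
    exchanges, cur, headers = [], None, None
    for line in (l.rstrip() for l in dump.splitlines()):
        m = REQ_RE.match(line)
        if m:
            cur = {"method": m.group(1), "path": m.group(2), "req": {}, "status": None, "resp": {}}
            exchanges.append(cur)
            headers = cur["req"]
        elif (m := RESP_RE.match(line)) and cur and cur["status"] is None:
            cur["status"] = int(m.group(1))
            headers = cur["resp"]
        elif not line:
            if headers:          # blank after headers: body follows; the report also
                headers = None   # prints a blank line *before* some header blocks
        elif headers is not None:
            h = HDR_RE.match(line)
            if h:
                headers.setdefault(h.group(1).lower(), []).append(h.group(2))
            else:
                headers = None   # first non-header line starts the body
    return exchanges


def url_of(ex):
    return "hXXp://%s%s" % (ex["req"].get("host", ["?"])[0], ex["path"])


def redirect_chain(exchanges):
    """(source, destination) edges from Referer headers and 3xx Location hops."""
    edges = []
    for ex in exchanges:
        url = url_of(ex)
        edges += [(ref, url) for ref in ex["req"].get("referer", [])]
        if ex["status"] and 300 <= ex["status"] < 400:
            edges += [(url, loc) for loc in ex["resp"].get("location", [])]
    return edges


def beacons(exchanges):
    """Tracking-pixel heuristic (an assumption of this example): rnd= cache-buster or image < 256 bytes."""
    out = []
    for ex in exchanges:
        query = ex["path"].partition("?")[2]
        ctype = ex["resp"].get("content-type", [""])[0]
        clen = int(ex["resp"].get("content-length", ["0"])[0])
        if "rnd=" in query or (ctype.startswith("image/") and 0 < clen < 256):
            out.append(url_of(ex))
    return out


def iocs(exchanges):
    """Hosts contacted and cookie names set, for blocklists and hunting."""
    hosts = {ex["req"]["host"][0] for ex in exchanges if "host" in ex["req"]}
    cookies = {sc.split(";")[0] for ex in exchanges for sc in ex["resp"].get("set-cookie", [])}
    return {"hosts": sorted(hosts), "cookies": sorted(cookies)}


if __name__ == "__main__":
    exs = parse_exchanges(SAMPLE_DUMP)
    for src, dst in redirect_chain(exs):
        print(src, "->", dst)
    print("beacons:", beacons(exs))
    print("iocs:", iocs(exs))
```

Run it against a full "Network Activity" section pasted into a file and the edges give you the landing-page-to-beacon graph without reading each exchange; the hosts list is what goes into a DNS or proxy blocklist, and the cookie names (sps, v_YYYY-MM-DD, vjc, uid) are the per-victim markers to hunt for in proxy logs.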
The Trojan connects to the servers at the following location(s) (hosts taken from the captured traffic above):

VVV.videojelly.com
VVV.dunstoncarol.pw
ww.dunstoncarol.pw
ww1.dunstoncarol.pw
whos.amung.us
widgets.amung.us

Strings from dumps:

hollingworth.exe_3720_rwx_00132000_00005000:

.hP9)h

mortenson.exe_2056:

.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
RegEnumKeyA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%s%s.dll
Files\Bass\hollingworth.exe"
Software\Microsoft\Windows\CurrentVersion\Run
"%Program Files%\Bass\hollingworth.exe"
%Program Files%
\Bass\hollingworth.exe"
\Bass\hollingworth.exe
#\hollingworth.exe"
Nullsoft Install System v3.02.1
$$\wininit.ini
hollingworth.exe
HOLLIN~1.EXE
re\Microsoft\Windows\CurrentVersion\Run
"%Program Files%\undersides\mortenson.exe"
%Program Files%\undersides
mortenson.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsd1A15.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\undersides\mortenson.exe
Windows\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.02.1</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
"rsides\mortenson.exe"
s\hollingworth.exe"
1.0.0.1

taskeng.exe_2600:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
8 8$8(878
3=4Z4w4
=!=(=0=4=?=>>
5 5U5_5
5b6u6
-131J1X1o1}1
=$=<=\=|=
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
zieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
zurl
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514

hollingworth.exe_4000_rwx_00302000_00005000:

.hP9)h

hollingworth.exe_1524_rwx_00232000_00005000:

.hP9)h

hollingworth.exe_4076_rwx_00232000_00005000:

.hP9)h

hollingworth.exe_3732_rwx_00252000_00005000:

.hP9)h


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
