TLDR:

This ongoing campaign of spam emails (see this post) has recently been redirecting to a fake Flash update page. The executable served from that page installs adware with a variety of malicious behaviors.

Email

The email, received July 26, 2017, purported to be a Facebook notification.

The header of the email shows a source IP address of 47.90.72.49. The server is located in Hong Kong.

The link goes to http://tvoypozitiv[.]ru/tab[.]php. As before, this page is a JavaScript redirect page, producing the following URL chain:

| # | Result | Host | URL | Body | Content-Type | Process |
|---|---|---|---|---|---|---|
| 23 | 200 | tvoypozitiv.ru | /tab.php | 478 | text/html | chrome:3124 |
| 24 | 404 | tvoypozitiv.ru | /favicon.ico | 1,227 | text/html; charset=utf-8 | chrome:3124 |
| 25 | 302 | fatdiets4tmz.world | /?a=401336&c=cpcdiet&s=08082 | 0 | | chrome:3124 |
| 26 | 200 | callfirstaid.com | /d/r6t0b27039?rtb=bbf5c3c30a4a6a7b1440169be16100c4.0&h=0.19&rtc=45894_3ee488cf0a1ea2296c4bc36fbf092837_551d08dd3cab27e95e84e3211ec98adc1502321586.4804_155_845&subid=NDAxMzM2LU1EZ3dPREk9 | | | |
| 27 | 302 | blobar.org | /d/r6t0b27039?k=ae14a67162e0f670610640e61cfe36dc.1502320870.313.1&rtb=bbf5c3c30a4a6a7b1440169be16100c4.0&h=0.19&rtc=45894_3ee488cf0a1ea2296c4bc36fbf092837_551d08dd3cab27e95e84e3211ec98adc1502321586.4804_155_845&subid=NDAxMzM2LU1EZ3dPREk9&r=http%3A%2F%2Ftvoypozitiv.ru%2Ftab.php&z=420 | | | |
| 28 | 302 | www.thebigandalwaysfree2updating.bid | /?pcl=Ix3PFnesw9CKF7bPJJHYQcnRMpNENM07wQ9aU1-g2Dc.&sid=&subid=103085_3dd67b6da4d170dc139c3d05235f75d9 | | | |
| 29 | 200 | upalways.yoursafeandult2update.website | /?pcl=Ix3PFnesw9CKF7bPJJHYQcnRMpNENM07wQ9aU1-g2Dc.&sid=&subid=103085_3dd67b6da4d170dc139c3d05235f75d9&v_id=RtlroAlV4UgZc4lwIb15XGsGOc89IoYbVU0VQK_QWks. | | | |

The final URL is the fraudulent flash download page:

The executable obtained from this download is on VirusTotal:

Fake Flash Installer - VirusTotal

The Malicious Sample

Static Analysis

Static analysis of the sample did not yield particularly interesting results, because it is just a downloader. Static analysis of the malicious downloads will be in a future post.

Dynamic Analysis

This sample executes full screen, as an installer. The steps of the installer are shown below. Note: the process continues to execute regardless of the response to the UAC dialog.

![](/static/blog/image/post-images/aug-9-email/install confirm.PNG)

The "Thank You" page at the end of the install process is located here, and has a private WHOIS: http://upalways.yoursafeandult2update.website/thankyou.php?channel_id=8581

and contains the following link to a known PUP:

http://www.1-1ads.com/cr?b=126732&p=585&ch=&cps=&c=10981&l=US&h=3958d0ff4f7e7d10b7f9fcb7252da893&t=1502327886118&tz=-7.0&sh=975.0&sw=1920.0&ad.trans.id=htmva5h7l0jv&u=http%3A%2F%2Fwww.reimageplus.com%2Fincludes%2Frouter_land.php%3Ftracking%3DISEDEN%26banner%3Dnonet%26adgroup%3D10981%26keyword%3D585%26lpx%3Drvb%26klc%3DNTg1fDEyNjczMnxVU3wzfDF8fHxodG12YTVoN2wwanZ8fA

Numerous files are downloaded during the installation process; a complete log of the network traffic is at the bottom of this post. The installer drops an executable that begins downloading malicious files immediately. That sample is here:

Adware Installer - VirusTotal

The installer adds a Chrome extension with questionable permissions and modifies the default search provider:

![](/static/blog/image/post-images/aug-9-email/extension settings.PNG)

The extension's page is hosted on AWS here:

http://s3.amazonaws.com/jmbtml/reglp.html?v=3&ext=nahhmpbckpgdidfnmfkfgiflpjijilce,pilplloabdedfmialnfchjomjmpjcoej
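One way to check a Chrome profile for the two modifications described above, as an added example (not code from the original post): it audits a parsed copy of Chrome's Preferences file for the two extension IDs seen on the AWS landing page, for extensions not installed from the Web Store or holding broad permissions, and for a default search provider pointing somewhere unexpected. The key layout (`extensions.settings.<id>.manifest`, `default_search_provider_data.template_url_data`) is assumed from Chrome's Preferences format; the sample profile, its extension name and the search host are constructed.

```python
import json
import sys
from urllib.parse import urlparse

# Extension IDs from the adware landing page URL in the post.
SUSPECT_EXTENSION_IDS = {
    "nahhmpbckpgdidfnmfkfgiflpjijilce",
    "pilplloabdedfmialnfchjomjmpjcoej",
}

# Permissions that let an extension observe or rewrite everything the user browses.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                         "webNavigation", "history", "management", "nativeMessaging"}

# Search hosts treated as expected; anything else is reported as a possible hijack.
EXPECTED_SEARCH_HOSTS = ("google.com", "bing.com", "duckduckgo.com")


def audit_chrome_preferences(prefs: dict) -> dict:
    """Audit a parsed Chrome Preferences JSON object (key layout assumed, see lead-in)."""
    findings = {"extensions": [], "search_provider": None}

    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # Host permissions appear as URL match patterns alongside API permissions.
        broad_hosts = {p for p in perms
                       if p == "<all_urls>" or p.startswith(("*://", "http://", "https://"))}
        risky = (perms & HIGH_RISK_PERMISSIONS) | broad_hosts
        reasons = []
        if ext_id in SUSPECT_EXTENSION_IDS:
            reasons.append("known adware extension id")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(sorted(risky)))
        if reasons:
            findings["extensions"].append(
                {"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})

    tud = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if tud:
        url = tud.get("url", "")
        host = urlparse(url).hostname or ""
        expected = any(host == h or host.endswith("." + h) for h in EXPECTED_SEARCH_HOSTS)
        findings["search_provider"] = {"name": tud.get("short_name"), "url": url,
                                       "suspicious": not expected}
    return findings


def load_preferences(path: str) -> dict:
    """Read a Chrome Preferences file (UTF-8 JSON) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample profile: one hijacking extension plus one benign Web Store extension.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "nahhmpbckpgdidfnmfkfgiflpjijilce": {
            "from_webstore": False,
            "manifest": {"name": "Media Player Plus (constructed name)",
                         "permissions": ["tabs", "webRequest", "<all_urls>"]}},
        "abcdefghijklmnopabcdefghijklmnop": {  # constructed, benign
            "from_webstore": True,
            "manifest": {"name": "Benign Example", "permissions": ["storage"]}},
    }},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "search.example-hijack.test",
        "url": "http://search.example-hijack.test/?q={searchTerms}"}},
}

if __name__ == "__main__":
    prefs = load_preferences(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    print(json.dumps(audit_chrome_preferences(prefs), indent=2))
```

Run it with the path to a profile's Preferences file (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences`) or with no argument to audit the constructed sample.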

In addition to that downloader, two potentially legitimate programs are installed: VLC and Avast.

I was running this sample in a VM with a NAT internet connection. I still had AV running on the host machine, so a lot of the malicious activity was blocked. At the moment, I don't have a lab setup that would allow me to safely run with a truly open internet connection. The applicable alerts are here:

Category: Intrusion Prevention. All four alerts were blocked, with Source Address localhost (127.0.0.1) and Action Taken / Recommended Action "No Action Required":

| Date & Time | Risk | IPS Alert Name | Attacking Computer | Attacker URL | Destination Address | Traffic Description |
|---|---|---|---|---|---|---|
| 8/9/2017 5:40:45 PM | High | OS Attack: GNU Bash CVE-2014-6271 | localhost (127.0.0.1, 59017) | 10.0.2.2:16992/cgi-bin/a2/out.cgi | localhost (127.0.0.1, 16992) | TCP, Port 59017 |
| 8/9/2017 5:40:44 PM | High | Web Attack: ZyNOS Information Disclosure | localhost (127.0.0.1, 59013) | 10.0.2.2:16992/rom-0 | localhost (127.0.0.1, 16992) | TCP, Port 59013 |
| 8/9/2017 5:40:44 PM | High | Web Attack: Allegro RomPager CVE-2014-9222 | localhost (127.0.0.1, 59012) | 10.0.2.2:16992/AvastUniqueURL | localhost (127.0.0.1, 16992) | TCP, Port 59012 |
| 8/9/2017 5:40:44 PM | High | OS Attack: Microsoft SMB MS17-010 Disclosure Attempt | localhost (127.0.0.1, 59008) | | localhost (127.0.0.1, 445) | TCP, Port 59008 |

I do not (at the time of writing) have time to fully analyze the behavior of the installer and resulting processes, so I included the Procmon log file. I expect most people won't want to trust downloading it, but it's here anyway:

Procmon Log (SHA1: C1B1D16D742577FE1B960CB09B993457B994C985)

Conclusion

I am hindered by my analysis environment/time constraints, but it's obvious this is a malicious sample. Further static analysis is something I plan to do in the near future.

Network Traffic From the Installer and Related Executables

