This ongoing campaign (See this post) of spam emails has recently been redirecting to a fake flash update page. The executable from this page installed adware with a variety of malicious behaviors.
The email, received July 26, 2017 was purporting to be a Facebook notification.
The header of the email shows a source IP address of 47.90.72.49. The server is located in Hong Kong.
The link goes to a domain http://tvoypozitiv[.]ru/tab[.]php. As before, this page is a javascript re-direct page with the following URL chain:
Result Protocol Host URL Body Caching Content-Type Process Comments Custom
23 200 HTTP tvoypozitiv.ru /tab.php 478 text/html chrome:3124
24 404 HTTP tvoypozitiv.ru /favicon.ico 1,227 text/html; charset=utf-8 chrome:3124
25 302 HTTP fatdiets4tmz.world /?a=401336&c=cpcdiet&s=08082 0 chrome:3124
26 200 HTTP callfirstaid.com /d/r6t0b27039?rtb=bbf5c3c30a4a6a7b1440169be16100c4.0&h=0.19&rtc=45894_3ee488cf0a1ea2296c4bc36fbf092837_551d08dd3cab27e95e84e3211ec98adc1502321586.4804_155_845&subid=NDAxMzM2LU1EZ3dPREk9
27 302 HTTP blobar.org /d/r6t0b27039?k=ae14a67162e0f670610640e61cfe36dc.1502320870.313.1&rtb=bbf5c3c30a4a6a7b1440169be16100c4.0&h=0.19&rtc=45894_3ee488cf0a1ea2296c4bc36fbf092837_551d08dd3cab27e95e84e3211ec98adc1502321586.4804_155_845&subid=NDAxMzM2LU1EZ3dPREk9&r=http%3A%2F%2Ftvoypozitiv.ru%2Ftab.php&z=420
28 302 HTTP www.thebigandalwaysfree2updating.bid /?pcl=Ix3PFnesw9CKF7bPJJHYQcnRMpNENM07wQ9aU1-g2Dc.&sid=&subid=103085_3dd67b6da4d170dc139c3d05235f75d9
29 200 HTTP upalways.yoursafeandult2update.website /?pcl=Ix3PFnesw9CKF7bPJJHYQcnRMpNENM07wQ9aU1-g2Dc.&sid=&subid=103085_3dd67b6da4d170dc139c3d05235f75d9&v_id=RtlroAlV4UgZc4lwIb15XGsGOc89IoYbVU0VQK_QWks.
The final URL is the fraudulent flash download page:
The executable obtained from this download is on VirusTotal:
Fake Flash Installer - VirusTotal
Static analysis of the sample did not yield particularly interesting results, because it is just a downloader. Static analysis of the malicious downloads will be in a future post.
This sample executes full screen, as an installer. The steps to the installer are shown below Note: the process continues to execute regardless of the response to the UAC dialog:
The "Thank You" page at the end of the install process is located here, and has a private WHOIS:
http://upalways.yoursafeandult2update.website/thankyou.php?channel_id=8581
and contains the following link to a known PUP:
http://www.1-1ads.com/cr?b=126732&p=585&ch=&cps=&c=10981&l=US&h=3958d0ff4f7e7d10b7f9fcb7252da893&t=1502327886118&tz=-7.0&sh=975.0&sw=1920.0&ad.trans.id=htmva5h7l0jv&u=http%3A%2F%2Fwww.reimageplus.com%2Fincludes%2Frouter_land.php%3Ftracking%3DISEDEN%26banner%3Dnonet%26adgroup%3D10981%26keyword%3D585%26lpx%3Drvb%26klc%3DNTg1fDEyNjczMnxVU3wzfDF8fHxodG12YTVoN2wwanZ8fA
There are numerous files downloaded during the installation process, a complete log of the network traffic is at the bottom of this post. The installer drops an executable that begins downloading malicious files immediately. That sample is here:
The installer adds a chrome extension with questionable permissions, and modifies the default search provider:
The extension's page is hosted on AWS here:
http://s3.amazonaws.com/jmbtml/reglp.html?v=3&ext=nahhmpbckpgdidfnmfkfgiflpjijilce,pilplloabdedfmialnfchjomjmpjcoej
In addition to that downloader, potentially legitimate programs are installed, VLC and Avast.
I was running this sample in a VM with a NAT internet connection. I still had AV running on the host machine, so a lot of the malicious activity was blocked. At the moment, I don't have a lab setup that would allow me to safely run with a truly open internet connection. The applicable alerts are here:
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description,Category
8/9/2017 5:40:45 PM,High,An intrusion attempt by localhost was blocked.,Blocked,No Action Required,OS Attack: GNU Bash CVE-2014-6271,No Action Required,No Action Required,"localhost (127.0.0.1, 59017)",10.0.2.2:16992/cgi-bin/a2/out.cgi,"localhost (127.0.0.1, 16992)",localhost (127.0.0.1),"TCP, Port 59017",
8/9/2017 5:40:44 PM,High,An intrusion attempt by localhost was blocked.,Blocked,No Action Required,Web Attack: ZyNOS Information Disclosure,No Action Required,No Action Required,"localhost (127.0.0.1, 59013)",10.0.2.2:16992/rom-0,"localhost (127.0.0.1, 16992)",localhost (127.0.0.1),"TCP, Port 59013",
8/9/2017 5:40:44 PM,High,An intrusion attempt by localhost was blocked.,Blocked,No Action Required,Web Attack: Allegro RomPager CVE-2014-9222,No Action Required,No Action Required,"localhost (127.0.0.1, 59012)",10.0.2.2:16992/AvastUniqueURL,"localhost (127.0.0.1, 16992)",localhost (127.0.0.1),"TCP, Port 59012",
8/9/2017 5:40:44 PM,High,An intrusion attempt by localhost was blocked.,Blocked,No Action Required,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,No Action Required,No Action Required,"localhost (127.0.0.1, 59008)",,"localhost (127.0.0.1, 445)",localhost (127.0.0.1),"TCP, Port 59008",
I do not (at the time of writing) have time to fully analyze the behavior of the installer and resulting processes, so I included the Procmon log file. I expect most people won't want to trust downloading it, but it's here anyway:
SHA1 C1B1D16D742577FE1B960CB09B993457B994C985 Procmon Log
I am hindered by my analysis environment/time constraints, but it's obvious this is a malicious sample. Further static analysis is something I plan to do in the near future.
Result Protocol Host URL Body Caching Content-Type Process Comments Custom
1 502 HTTP Tunnel to tools.google.com:443 512 no-cache, must-revalidate text/html; charset=UTF-8 googleupdate:4024
2 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
3 200 HTTP info.notatolol2.com /?howeke=0 3,456 text/plain; charset=utf-8 hdsetup_1182933229:3048
4 200 HTTP info.notatolol2.com /?pujefe=1 3,456 text/plain; charset=utf-8 hdsetup_1182933229:3048
5 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
6 200 HTTP os.notatolol2.com /Dalton/ 692,457 no-cache; Expires: Thu, 01 Jan 1970 00:00:01 GMT text/plain hdsetup_1182933229:3048
7 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
8 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
9 200 HTTP instcoina38q6v9z2k.s3.amazonaws.com /meda_player_plus_32.png 1,051 application/octet-stream hdsetup_1182933229:3048
10 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
11 200 HTTP img.notatolol2.com /img/Jimomoromoj/Jimomoromoj_logo.png 2,152 image/png hdsetup_1182933229:3048
12 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
13 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
14 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
15 200 HTTP img.notatolol2.com /img/Tavasat/15Feb17/v2/EN.png 45,049 image/png hdsetup_1182933229:3048
16 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
17 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
18 200 HTTP Tunnel to tools.google.com:443 0 googleupdate:4024
19 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
20 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
21 200 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 0 application/octet-stream hdsetup_1182933229:3048
22 200 HTTP cdneu.notatolol2.com /ofr/DownloadManager/DownloadManager.cis 0 application/octet-stream hdsetup_1182933229:3048
23 200 HTTP cdneu.notatolol2.com /ofr/Gigigiyiwig/Gigigiyiwig_a.cis 0 application/octet-stream hdsetup_1182933229:3048
24 302 HTTP redirector.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe 0 no-cache, must-revalidate; Expires: Fri, 01 Jan 1990 00:00:00 GMT text/html; charset=UTF-8 svchost:916
25 200 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 24,677,393 application/octet-stream hdsetup_1182933229:3048
26 200 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 0 application/octet-stream svchost:916
27 200 HTTP cdnus.notatolol2.com /ofr/DownloadManager/DownloadManager.cis 1,279,891 application/octet-stream hdsetup_1182933229:3048
28 200 HTTP cdnus.notatolol2.com /ofr/Gigigiyiwig/Gigigiyiwig_a.cis 254,604 application/octet-stream hdsetup_1182933229:3048
29 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 12,389,393 application/octet-stream hdsetup_1182933229:3048
30 206 HTTP cdneu.notatolol2.com /ofr/DownloadManager/DownloadManager.cis 665,491 application/octet-stream hdsetup_1182933229:3048
31 200 HTTP cdneu.notatolol2.com /ofr/Solululadul/icut.cis 0 application/octet-stream hdsetup_1182933229:3048
32 200 HTTP cdnus.notatolol2.com /ofr/Solululadul/icut.cis 74,242 application/octet-stream hdsetup_1182933229:3048
33 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
34 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
35 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
36 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
37 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
38 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
39 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
40 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
41 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
42 200 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 0 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
43 200 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 5,923,577 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
44 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
45 206 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 2,953,977 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
46 206 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 1,536,000 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
47 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 1,520,377 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
48 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 6,144,000 application/octet-stream hdsetup_1182933229:3048
49 206 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 803,577 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
50 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 3,072,000 application/octet-stream hdsetup_1182933229:3048
51 206 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 716,800 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
52 200 HTTP qonosa.com / 180 no-store, no-cache, must-revalidate; Expires: Mon, 26 Jul 1997 05:00:00 GMT text/plain dumaledi:636
53 200 HTTP d2d4tyqh0a47e0.cloudfront.net /3.26.2.53.dat 2,666,004 application/octet-stream dumaledi:636
54 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 716,800 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
55 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 3,072,000 application/octet-stream hdsetup_1182933229:3048
56 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 1,536,000 application/octet-stream hdsetup_1182933229:3048
57 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 1,536,000 application/octet-stream hdsetup_1182933229:3048
58 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 409,600 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
59 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:636
60 206 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 409,600 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
61 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 1,536,000 application/octet-stream hdsetup_1182933229:3048
62 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 7,814 application/octet-stream svchost:916
63 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 204,800 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
64 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 204,800 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
65 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 819,200 application/octet-stream hdsetup_1182933229:3048
66 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 204,800 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
67 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 819,200 application/octet-stream hdsetup_1182933229:3048
68 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 102,400 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
69 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 102,400 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
70 206 HTTP cdnus.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 102,400 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
71 206 HTTP cdneu.notatolol2.com /ofr/Tavasat/Tavasat_09Feb17.cis 102,400 application/octet-stream dmgr1.25_0d1t1i2z1f1g1.25:2564
72 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 409,600 application/octet-stream hdsetup_1182933229:3048
73 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 409,600 application/octet-stream hdsetup_1182933229:3048
74 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
75 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
76 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
77 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 204,800 application/octet-stream hdsetup_1182933229:3048
78 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 204,800 application/octet-stream hdsetup_1182933229:3048
79 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 102,400 application/octet-stream hdsetup_1182933229:3048
80 206 HTTP dxdyitswch3z7.cloudfront.net /vlc-2.1.3-win32.exe 102,400 application/octet-stream hdsetup_1182933229:3048
81 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
82 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
83 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
84 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
85 200 HTTP 77.234.42.246 / 9,471 text/plain instup:1640
86 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 13,767 application/octet-stream svchost:916
87 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 15,772 application/octet-stream svchost:916
88 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 21,776 application/octet-stream svchost:916
89 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 21,790 application/octet-stream svchost:916
90 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:3396
91 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 45,860 application/octet-stream svchost:916
92 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 94,514 application/octet-stream svchost:916
93 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 126,414 application/octet-stream svchost:916
94 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 255,199 application/octet-stream svchost:916
95 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 508,653 application/octet-stream svchost:916
96 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 1,014,299 application/octet-stream svchost:916
97 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 2,019,463 application/octet-stream svchost:916
98 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 4,050,532 application/octet-stream svchost:916
99 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 8,288,877 application/octet-stream svchost:916
100 206 HTTP r5---sn-q4fl6n7l.gvt1.com /edgedl/release2/SeBLUz8Xd2I_60.0.3112.90/60.0.3112.90_58.0.3029.110_chrome_updater.exe?cms_redirect=yes&expire=1502342217&ip=173.239.232.67&ipbits=0&mm=28&mn=sn-q4fl6n7l&ms=nvh&mt=1502327615&mv=m&pl=22&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,pl,shardbypass&signature=7E940B8A44F276C7CDEC43390F6C4886CEA7BE16.7292678DD29194585CFD180E9563C5A0EDEED1A8&key=cms1 4,652,270 application/octet-stream svchost:916
101 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 hdsetup_1182933229:3048
102 200 HTTP Tunnel to translate.googleapis.com:443 1,426 chrome:1976
103 200 HTTP Tunnel to clients4.google.com:443 0 chrome:1976
104 200 HTTP upalways.yoursafeandult2update.website /thankyou.php?channel_id=8581 796 text/html; charset=UTF-8 chrome:1976
105 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:2716
106 200 HTTP www.1-1ads.com /js/show_ads_supp.js?pubId=585 4,644 max-age=600 application/javascript;charset=utf-8 chrome:1976
107 200 HTTP www.1-1ads.com /ads-sync.js?v=1&key=a497adbaf3a77c8ddf325426e8a8289c&cIds=&adsCampaignKey=1502327878474&ch=&click=&tz=-7&t=1502327880077&requestUrl=http%3A%2F%2Fupalways.yoursafeandult2update.website%2Fthankyou.php%3Fchannel_id%3D8581&flashVer=-&inDapIF=false&supp_width=320&supp_height=50&scrWidth=1920&scrHeight=975 1,214 no-cache; Expires: Thu, 01 Jan 1970 00:00:00 GMT text/javascript;charset=UTF-8 chrome:1976
108 200 HTTP www.1-1ads.com /impression.gif?b=126732&p=585&ch=&ad.trans.id=htmva5h7l0jv&ap=&wp=&cps=&c=10981&l=US&h=3958d0ff4f7e7d10b7f9fcb7252da893&t=1502327886118&s=5850dccc82a992af0b795805b852f480&tz=-7.0&sh=975&sw=1920&o= 43 no-cache; Expires: Thu, 01 Jan 1970 00:00:00 GMT image/gif chrome:1976
109 200 HTTP wac.a164.taucdn.net /80A164/n135-cdn/files135/107/10981/126732/Reimage_EN_SetSH__800x440.jpg 80,977 image/jpeg chrome:1976
110 404 HTTP upalways.yoursafeandult2update.website /favicon.ico 9 image/x-icon chrome:1976
111 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:3396
112 200 HTTP Tunnel to clients2.google.com:443 0 chrome:1976
113 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:3396
114 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:3396
115 200 HTTP Tunnel to clients2.googleusercontent.com:443 0 chrome:1976
116 301 HTTP goo.gl /BlMOL5 247 no-cache, no-store, max-age=0, must-revalidate; Expires: Mon, 01 Jan 1990 00:00:00 GMT text/html; charset=UTF-8 chrome:1976
117 200 HTTP s3.amazonaws.com /jmbtml/reglp.html?v=3&ext=nahhmpbckpgdidfnmfkfgiflpjijilce,pilplloabdedfmialnfchjomjmpjcoej 17,840 text/html chrome:1976
118 200 HTTP s3.amazonaws.com /jmbtml/img/ajax-loader.gif 3,208 image/gif chrome:1976
119 200 HTTP s3.amazonaws.com /jmbtml/img/arrow.png 2,600 image/png chrome:1976
120 403 HTTP s3.amazonaws.com /jmbtml/favicon.ico 254 application/xml chrome:1976
121 200 HTTP Tunnel to www.googleapis.com:443 0 chrome:1976
122 200 HTTP Tunnel to chrome.google.com:443 0 chrome:1976
123 502 HTTP eplfnbyo / 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
124 502 HTTP hlsonkxlusyqqwb / 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
125 502 HTTP iusrjkmhgunwvff / 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
126 200 HTTP Tunnel to ssl.gstatic.com:443 0 chrome:1976
127 200 HTTP Tunnel to ssl.gstatic.com:443 0 chrome:1976
128 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
129 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
130 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
131 200 HTTP rp.notatolol2.com / 0 text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
132 200 HTTP duqaq.com / 4 text/html; charset=UTF-8 dumaledi:3396
135 502 HTTP Tunnel to www.gstatic.com:443 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
136 502 HTTP Tunnel to www.google.com:443 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
137 502 HTTP rp.notatolol2.com / 512 no-cache, must-revalidate text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
138 502 HTTP clients1.google.com /tools/pso/ping?as=chrome&brand=CHBF&pid=&hl=en&rep=2&rlz=C1:1C1CHBF_enUS747US747,C2:1C2CHBF_enUS747,C7:1C7CHBF_enUS747 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
139 502 HTTP rp.notatolol2.com / 512 no-cache, must-revalidate text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564
140 502 HTTP Tunnel to safebrowsing.googleapis.com:443 512 no-cache, must-revalidate text/html; charset=UTF-8 chrome:1976
141 502 HTTP Tunnel to tools.google.com:443 512 no-cache, must-revalidate text/html; charset=UTF-8 googleupdate:572
142 502 HTTP rp.notatolol2.com / 512 no-cache, must-revalidate text/html; charset=UTF-8 dmgr1.25_0d1t1i2z1f1g1.25:2564