Dropped.Trojan.GenericKD.3703194_739e7f76fb

by malwarelabrobot on December 7th, 2016 in Malware Descriptions.

Trojan.MSIL.Inject.ablgt (Kaspersky), Dropped:Trojan.GenericKD.3703194 (B) (Emsisoft), Dropped:Trojan.GenericKD.3703194 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 739e7f76fb545c28ae4ce1d85e176484
SHA1: b955ce2eadc64fcbc2612be4193e201ed8af134e
SHA256: 3ec42fe0215adf706ac2658d1967654b072fbeda1aa067a9c2910250bce9ee95
SSDeep: 12288:bt1rRiz1wxxf/M7NhGkNaGUEpUijh9QFBH9mU3T2BP5Ue:b3fVESkNhpOT/D2BP5Ue
Size: 638874 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):
No processes have been created.
The Dropped injects its code into the following process(es):

bigoted.exe:3400

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
b55a422f81b798459f38d95346e2e6ef c:\Program Files\Mozilla Firefox\firefox334.exe
eddb44c36b5a252b62ae64059adc6d79 c:\Program Files\contagion\donnan.exe
a6ff248073cc2908aee09b5fb37321c5 c:\Program Files\inquisitive\bigoted.exe
8749f1c8fc54d4462dd3aca5d3df367a c:\Users\"%CurrentUserName%"\AppData\Local\14770.exe
ce990a27e042eb1b3c27dd760a88f87c c:\Users\"%CurrentUserName%"\AppData\Local\42947.exe
35890d45292b6d80ac7ef1636871dfb7 c:\Users\"%CurrentUserName%"\AppData\Local\62971.exe
a9fffbcb128bb575bf5aa2a671f58535 c:\Users\"%CurrentUserName%"\AppData\Local\85326.exe
db793827e133e3205aa5604c27195517 c:\Users\"%CurrentUserName%"\AppData\Local\94786.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5C24.tmp\ExecCmd.dll
a6ff248073cc2908aee09b5fb37321c5 c:\Windows\cardboard.exe

HOSTS file anomalies

The Dropped modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 987 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 validation.sls.microsoft.com
162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 253952 2536 2560 3.13983 5b5a2d9d119a78aca9bef9d54b647674

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 519
87af60575e95350381303447cd2e0d96
c9c0ecad3c7691c9fb77d3e12dca89ba
eb908e35f01c51fd6c3145626da78202
dc7fd4f3cfe333cb005ce5639899f0bf
d00d8a9daa2e2b19d952b1b10037467c
6e2c047259d3bc583dc140202340af7e
75182bfb4dd3d1ad7e0ef5e40b70550f
2a4240cfb6b249da0c5dcff5abf3a292
a746426f5bd2a7f239e0e1bc7529897d
0f2fa5e5c2ce26f0b744d19eff724c25
723325cfdc20c18e1ca96e88c9cca948
5cc9fd6672be1ca9538237031c1382c0
f1b56fd3f82b6a0668d00b9f0d6e991f
7f4ee0d326b67cc3e4a3fec3a25dfe3c
293bbf92195165383b202fa6cd4a2ba6
b33ccbf60d223d0df5c7b0c8b376386a
5c7aaa94fa1bbced13b76e9523bde956
da7eaa6230f54eb9da8f6986b5e53c89
0f5b04d97f3e3dc672c37106fbff0b45
9b0f84c736f2651c17fa4592c98ca6f0
10cdbd65f189a3a3a25eec73396c07d1
3642ef122aa6382d10aaf85824e1d78b
ca68f7598e334d1805d20eb245bebded
4684fab20680d9d8b202a59b822e633a
57f41da1ea05d30f6707060f00876d07

URLs

URL IP
hxxp://d232tmx7gh8bfo.cloudfront.net/default1.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=
hxxp://d232tmx7gh8bfo.cloudfront.net/jquery.min.js
hxxp://c.statcounter.com/10114910/0/757d7213/1/ 104.20.2.47
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.86
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://cocomo.tremorhub.com/itd.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1006936948&t=pageview&_s=1&dl=http://www.stewardtransgressed.pw/default1.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1276x846&vp=679x392&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1026149183&cid=2009772494.1481006203&tid=UA-74694740-5&_r=1&z=1948118866
hxxp://b770b459a2.site.internapcdn.net/page-4.html?lid=937115
hxxp://ww.stewardtransgressed.pw/count.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=&rnd=1481006203000 162.222.193.17
hxxp://widgets.amung.us/draw/?w=colored&n=1649&c=000000ffffff&p= 173.192.200.70
hxxp://vi.everclips.net/report3.php 109.201.148.40
hxxp://cocomo.tremorhub.com/o.php
hxxp://everclips.net/jwplayer1.js 162.222.194.11
hxxp://everclips.net/1.js 162.222.194.11
hxxp://vi.everclips.net/bck.php?1481006204000 109.201.148.40
hxxp://b770b459a2.site.internapcdn.net/page-4.htm?lid=937115
hxxp://vi.everclips.net/bck.php?1481006205000 109.201.148.40
hxxp://everclips.net/player1.swf 162.222.194.11
hxxp://www.statcounter.com.cdnga.net/counter/counter.js 151.249.90.141
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=720936A531E14FEA255BF182D0AD0AF9&sc_random=0.31840971384322886&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.everclips.net/page-4.html?lid=937115&u=http://www.everclips.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 104.20.2.47
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1755192544&t=pageview&_s=1&dl=http://www.everclips.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1276x846&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=405683972&cid=1915764195.1481006206&tid=UA-74694740-2&_r=1&z=1934561124
hxxp://b770b459a2.site.internapcdn.net/style.css
hxxp://b770b459a2.site.internapcdn.net/img/logo.png
hxxp://b770b459a2.site.internapcdn.net/img/bgg.png
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://everclips.net/ova-jw.swf 162.222.194.11
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 4&mediaDesc=Entertainment videos at everclips.net - 4&mediaId=2&mediaUrl=hxxp://www.everclips.net/4.html&srcPageUrl=hxxp://www.everclips.net/4.html&contentLength=300
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=google,TubeMogul-GP,adapTV,tremornet,dataxu,Bidswitch,_dmp_turbine,adgear,ignitionone,SundaySky,Videology,TapAd,Pulsepoint,eyeview,appnexus,1,beeswax,thetradedesk,videoamp,audiencescience,mediamath,rocketfuel,conversant,BidTheatre,dynadmic&uid=7164aabb55754ea797e66fe48434ab48&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://dyhd7e8p4cqed.cloudfront.net/crossdomain.xml
hxxp://dyhd7e8p4cqed.cloudfront.net/static/noad.xml
hxxp://vi.everclips.net/crossdomain.xml 109.201.148.40
hxxp://vi.everclips.net/v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hxxp://www.everclips.net/4.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos at everclips.net - 4&LR_FORMAT=application/x-shockwave-flash 109.201.148.40
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 4&mediaDesc=Watch Entertainment videos at everclips.net - 4&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.everclips.net/4.html&contentLength=[CONTENT_LENGTH]
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=1,BidTheatre,ignitionone,TapAd,audiencescience,rocketfuel,videoamp,eyeview,_dmp_turbine,conversant,centro,dynadmic,thetradedesk,tremornet,adapTV,Pulsepoint,adgear,appnexus,TubeMogul-GP,mediamath,google,Bidswitch,SundaySky,dataxu,beeswax&uid=7164aabb55754ea797e66fe48434ab48&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48
hxxp://thumb.none1366649718.netdna-cdn.com/crossdomain.xml
hxxp://thumb.none1366649718.netdna-cdn.com/abcd.mp4
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.everclips.net/img/logo.png 69.88.149.142
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1006936948&t=pageview&_s=1&dl=http://www.stewardtransgressed.pw/default1.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=&ul=en-us&de=utf-8&dt=home&sd=24-bit&sr=1276x846&vp=679x392&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1026149183&cid=2009772494.1481006203&tid=UA-74694740-5&_r=1&z=1948118866 74.125.232.238
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://109.201.148.40/bck.php?1481006204000
hxxp://www.google-analytics.com/analytics.js 74.125.232.238
hxxp://thm.vidvib.com/abcd.mp4 94.31.29.128
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.everclips.net/page-4.htm?lid=937115 69.88.149.142
hxxp://partners.tremorhub.com/crossdomain.xml 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=1,BidTheatre,ignitionone,TapAd,audiencescience,rocketfuel,videoamp,eyeview,_dmp_turbine,conversant,centro,dynadmic,thetradedesk,tremornet,adapTV,Pulsepoint,adgear,appnexus,TubeMogul-GP,mediamath,google,Bidswitch,SundaySky,dataxu,beeswax&uid=7164aabb55754ea797e66fe48434ab48&init=true 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.stewardtransgressed.pw/default1.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t= 52.222.174.194
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://l.longtailvideo.com/5/10/logo.png 93.184.221.48
hxxp://www.stewardtransgressed.pw/jquery.min.js 52.222.174.194
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1755192544&t=pageview&_s=1&dl=http://www.everclips.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1276x846&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=405683972&cid=1915764195.1481006206&tid=UA-74694740-2&_r=1&z=1934561124 74.125.232.238
hxxp://cdn.tremorhub.com/static/noad.xml 52.222.171.99
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 4&mediaDesc=Watch Entertainment videos at everclips.net - 4&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.everclips.net/4.html&contentLength=[CONTENT_LENGTH] 52.201.72.235
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.statcounter.com/counter/counter.js 151.249.90.141
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 4&mediaDesc=Entertainment videos at everclips.net - 4&mediaId=2&mediaUrl=hxxp://www.everclips.net/4.html&srcPageUrl=hxxp://www.everclips.net/4.html&contentLength=300 54.164.191.235
hxxp://cdn.tremorhub.com/crossdomain.xml 52.222.171.99
hxxp://www.everclips.net/page-4.html?lid=937115 69.88.149.142
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://we1sb-wwcgk.ads.tremorhub.com/crossdomain.xml 52.201.72.235
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://109.201.148.40/bck.php?1481006205000
hxxp://thm.vidvib.com/crossdomain.xml 94.31.29.128
hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml 54.164.191.235
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=google,TubeMogul-GP,adapTV,tremornet,dataxu,Bidswitch,_dmp_turbine,adgear,ignitionone,SundaySky,Videology,TapAd,Pulsepoint,eyeview,appnexus,1,beeswax,thetradedesk,videoamp,audiencescience,mediamath,rocketfuel,conversant,BidTheatre,dynadmic&uid=7164aabb55754ea797e66fe48434ab48&init=true 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://partners.tremorhub.com/syncnoad?rid=5099423d11b34d5181cb506a7051cf6f&p=TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19
hxxp://www.everclips.net/style.css 69.88.149.142
hxxp://www.everclips.net/img/bgg.png 69.88.149.142
hxxp://partners.tremorhub.com/syncnoad?rid=8f52e468bab3489e8d4a0e2159d40795&p=BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=7164aabb55754ea797e66fe48434ab48 52.206.231.19


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Tue, 06 Dec 2016 06:36:49 GMT
ETag: W/"144-1446501138000"
Last-Modified: Mon, 02 Nov 2015 21:52:18 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>.<cross-domain-policy>.    <!-- V
ery Liberal -->.    <allow-access-from domain="*" secure="false"
/>.</cross-domain-policy>....


GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 4&mediaDesc=Entertainment videos at everclips.net - 4&mediaId=2&mediaUrl=hXXp://VVV.everclips.net/4.html&srcPageUrl=hXXp://VVV.everclips.net/4.html&contentLength=300 HTTP/1.1


Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Tue, 06 Dec 2016 06:36:49 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=7164aabb55754ea797e66fe48434ab48; Domain=.tremorhub.com; Expires=Wed, 06-Dec-2017 12:25:10 GMT; Path=/
Set-Cookie: tvrg_60409="1,1481006210"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Tue, 06-Dec-2016 06:37:50 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
Content-Length: 544
Connection: keep-alive
...........R.n.@... \..-.....H2.$-.$M`).!..J...K3.Y..})...\z...".H>
F.}S.....".F...CQJ.E.{O....[$g.s....q.F..\..[[..}.jl.^.bP..7Fy={i,Xgb.
..*...(e.$..A)......&...^.=F...#MY....6.>.\].y.r.S........D)$...,..
&c..a..E..1d..q<..Y0..'}.WRV5~._...{Y....#..@.........X.;._83;n.5..
k..:]p.]b....JpK...;s..!...?s...U.sP)...........n9..jJ..;CpD_.hv.o.Z..
......mKB....8I.....4.84`.n.,7h...d.R..BGJ3.k..... .5..;Z.l4...b2.M...
|.....ap.@..}N..V;|}M".O.n..._..........v......i...........a...9;.#.m.
4..\.$..4...9.$.#.."s.....f........O..o%....[=...........Q.J...HTTP/1.
1 200 OK..Cache-Control: no-cache, no-store, must-revalidate..Content-
Encoding: gzip..Content-Type: text/xml;charset=ISO-8859-1..Date: Tue, 
06 Dec 2016 06:36:49 GMT..P3P: CP='This is not a P3P policy. See http:
//tremorvideo.com/en/privacy-policy'..Pragma: no-cache..Server: Apache
-Coyote/1.1..Set-Cookie: tvid=7164aabb55754ea797e66fe48434ab48; Domain
=.tremorhub.com; Expires=Wed, 06-Dec-2017 12:25:10 GMT; Path=/..Set-Co
okie: tvrg_60409="1,1481006210"; Version=1; Domain=.tremorhub.com; Max
-Age=60; Expires=Tue, 06-Dec-2016 06:37:50 GMT; Path=/..Vary: Accept-E
ncoding..x-tremorvideo-status: NO_AD..Content-Length: 544..Connection:
 keep-alive.............R.n.@... \..-.....H2.$-.$M`).!..J...K3.Y..})..
.\z...".H>F.}S.....".F...CQJ.E.{O....[$g.s....q.F..\..[[..}.jl.^.bP
..7Fy={i,Xgb...*...(e.$..A)......&...^.=F...#MY....6.>.\].y.r.S....
....D)$...,..&c..a..E..1d..q<..Y0..'}.WRV5~._...{Y....#..@.........
X.;._83;n.5..k..:]p.]b....JpK...;s..!...?s...U.sP)...........n9..j
<<< skipped >>>


GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.stewardtransgressed.pw/default1.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Dec 2016 06:36:43 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=d0d961a58002f07f41909eedb4c1831cf1481006203; expires=Wed, 06-Dec-17 06:36:43 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1481006204.0; expires=Sun, 05-Dec-2021 06:36:44 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1481006204266229261; expires=Thu, 06-Dec-2018 06:36:44 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 30cdb9a276d63ff0-SOF
GIF89a...................!.......,...........T..;HTTP/1.1 200 OK..Date
: Tue, 06 Dec 2016 06:36:43 GMT..Content-Type: image/gif..Content-Leng
th: 49..Connection: keep-alive..Set-Cookie: __cfduid=d0d961a58002f07f4
1909eedb4c1831cf1481006203; expires=Wed, 06-Dec-17 06:36:43 GMT; path=
/; domain=.statcounter.com; HttpOnly..P3P: policyref="hXXp://VVV.statc
ounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"..Expire
s: Mon, 26 Jul 1997 05:00:00 GMT..Set-Cookie: is_unique=sc10114910.148
1006204.0; expires=Sun, 05-Dec-2021 06:36:44 GMT; path=/; domain=.stat
counter.com..Set-Cookie: is_visitor_unique=1481006204266229261; expire
s=Thu, 06-Dec-2018 06:36:44 GMT; path=/; domain=.statcounter.com..Serv
er: cloudflare-nginx..CF-RAY: 30cdb9a276d63ff0-SOF..GIF89a............
.......!.......,...........T..;....


GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=720936A531E14FEA255BF182D0AD0AF9&sc_random=0.31840971384322886&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.everclips.net/page-4.html?lid=937115&u=http://VVV.everclips.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1


Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d0d961a58002f07f41909eedb4c1831cf1481006203; is_unique=sc10114910.1481006204.0; is_visitor_unique=1481006204266229261


HTTP/1.1 200 OK
Date: Tue, 06 Dec 2016 06:36:45 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1481006204.0-10675947.1481006205.0; expires=Sun, 05-Dec-2021 06:36:45 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1481006204266229261; expires=Thu, 06-Dec-2018 06:36:45 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 30cdb9b2450a3ff0-SOF
GIF89a...................!.......,...........T..;HTTP/1.1 200 OK..Date
: Tue, 06 Dec 2016 06:36:45 GMT..Content-Type: image/gif..Content-Leng
th: 49..Connection: keep-alive..P3P: policyref="hXXp://VVV.statcounter
.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"..Expires: Mon
, 26 Jul 1997 05:00:00 GMT..Set-Cookie: is_unique=sc10114910.148100620
4.0-10675947.1481006205.0; expires=Sun, 05-Dec-2021 06:36:45 GMT; path
=/; domain=.statcounter.com..Set-Cookie: is_visitor_unique=14810062042
66229261; expires=Thu, 06-Dec-2018 06:36:45 GMT; path=/; domain=.statc
ounter.com..Server: cloudflare-nginx..CF-RAY: 30cdb9b2450a3ff0-SOF..GI
F89a...................!.......,...........T..;..



GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.stewardtransgressed.pw/default1.php?id=05Asy01jrrFEGqdbp9Fc&date=2016-11-01&p=none&t=
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive


HTTP/1.1 303 See Other
Date: Tue, 06 Dec 2016 06:36:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1649&c=000000ffffff&p=
Set-Cookie: uid=CgH9JlhGXHuej3Y1z dfAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..



GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Dec 2016 14:44:36 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Tue, 06 Dec 2016 14:44:36 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 Dec 2016 14:44:36 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Tue, 07 Nov 2017 14:44:36 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'



bigoted.exe_3400_rwx_00232000_00009000:




.hP9)h

donnan.exe_1376:




.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsn5C24.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5C24.tmp\ExecCmd.dll
"%Program Files%\inquisitive\bigoted.exe"
\ExecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5C24.tmp
nsn5C24.tmp
rogram Files\inquisitive\bigoted.exe"
ecCmd.dll
oted.exe" | %SystemRoot%\System32\find /I "bigoted.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn5C24.tmp
"%Program Files%\contagion\donnan.exe"
%Program Files%\contagion
donnan.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nss4826.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\contagion\donnan.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
tagion\donnan.exe"
isitive\bigoted.exe"

taskeng.exe_3296:




.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
8 8$8(878
3=4Z4w4
=!=(=0=4=?=>>
5 5U5_5
5b6u6
-131J1X1o1}1
=$=<=\=|=
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
eieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
eurl
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
    2. 

  2. Delete the original Dropped file.
    3. 

  3. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    
    127.0.0.1       localhost
    4. 

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    5. 

  5. Reboot the computer.
    6. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2025 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now