Trojan.NSIS.Androm.3_18284f0f50

by malwarelabrobot on December 1st, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Dapato.opco (Kaspersky), Trojan.NSIS.Androm.3 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 18284f0f5042cd7d5a7a5a3afe6c3e49
SHA1: f8faa087e2374743ccf20455d0e81040bc0952aa
SHA256: 6ed477a3d4ada9b9e745deb9f7bf02f7840fcefcb8e875991d77d05f8cb0c2c6
SSDeep: 12288:bM1rmjBwvxfNMgMbO4FaQ0FWUGXaZNBQlA 9aB6wrG2j viOHqHh4fNTuc6XCp:bQ7V goO4FP0F18aZ4lA 9OOHqHhc6cP
Size: 788112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

allegro.exe:3288

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
8a3069cc809fd0f46bbc45cf8333bd73 c:\Program Files\Dendritic\allegro.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\Mausoleums\Microsoft.Win32.TaskScheduler.dll
270fbf9c5065f195aeff4fb8a5bb5b60 c:\Program Files\Mausoleums\allegro.exe
d04c8544a6ffa7c516d06ddcde8895b8 c:\Program Files\Mausoleums\settings.dll
b55a422f81b798459f38d95346e2e6ef c:\Program Files\Mozilla Firefox\firefox334.exe
46206119b2c9bdd1fbc5a5d1e4cc49df c:\Program Files\enormities\inferno.exe
61d79c117b5049360e722d55728264b7 c:\Users\"%CurrentUserName%"\AppData\Local\109052.exe
8749f1c8fc54d4462dd3aca5d3df367a c:\Users\"%CurrentUserName%"\AppData\Local\16550.exe
6272891cb21b1f7fdfd0c0e6d0b28e28 c:\Users\"%CurrentUserName%"\AppData\Local\35875.exe
b63fdb3f8bb5dfd5e9cd40dca879c2b8 c:\Users\"%CurrentUserName%"\AppData\Local\56270.exe
9fbea86c1454a608a1131a73029337ae c:\Users\"%CurrentUserName%"\AppData\Local\84976.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss5457.tmp\ExecCmd.dll
8a3069cc809fd0f46bbc45cf8333bd73 c:\Windows\bisbee.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which the system consults to map host names to IP addresses before DNS is queried.
The modified file is 1053 bytes in size. The following entries are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 253952 2536 2560 3.13983 5b5a2d9d119a78aca9bef9d54b647674

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 506
87af60575e95350381303447cd2e0d96
7f4ee0d326b67cc3e4a3fec3a25dfe3c
293bbf92195165383b202fa6cd4a2ba6
b33ccbf60d223d0df5c7b0c8b376386a
5c7aaa94fa1bbced13b76e9523bde956
da7eaa6230f54eb9da8f6986b5e53c89
0f5b04d97f3e3dc672c37106fbff0b45
9b0f84c736f2651c17fa4592c98ca6f0
10cdbd65f189a3a3a25eec73396c07d1
3642ef122aa6382d10aaf85824e1d78b
ca68f7598e334d1805d20eb245bebded
4684fab20680d9d8b202a59b822e633a
57f41da1ea05d30f6707060f00876d07
1b2bfbbbca773cdb33d6da3b213f8ce7
2530acdcdc7ecc5f66ce4c84f00c16dd
ddd76f91d11e7721e59ad2452476ba21
91d216dab486680090f9e408480f984f
0d20acfa48e8979c1469531204ca1968
99694dd84a6be2f345b9f6700efd6b44
e4172945272ff2f0c8e57d2ef3a90236
6d10dc27bb05455779a4020400cd6218
d48596e9c6655369a1702009153f2549
143736e701565a0d0b41822c321d767f
d08279dabcb13c2c97e36726ff0230eb
135789a839ca94c62aa0ff02a71ec03e

URLs

URL IP
hxxp://d232tmx7gh8bfo.cloudfront.net/homepage.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323
hxxp://d232tmx7gh8bfo.cloudfront.net/jquery.min.js
hxxp://d232tmx7gh8bfo.cloudfront.net/amg.php
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://aoaomo.tremorhub.com/wp-content/themes/howcast/images/icons/love.png
hxxp://aoaomo.tremorhub.com/itd.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323
hxxp://ww.hikeemissivity.pw/a.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323&rnd=1480466600000 162.222.193.17
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=105673728&t=pageview&_s=1&dl=http://www.hikeemissivity.pw/homepage.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323&ul=en-us&de=utf-8&dt=searchbox&sd=24-bit&sr=1276x846&vp=679x392&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=495422830&cid=2093138924.1480466601&tid=UA-74694740-5&_r=1&z=1103281923
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png 67.202.94.86
hxxp://a5f50dedef.site.internapcdn.net/page-1.html?lid=937115
hxxp://aoaomo.tremorhub.com/o.php
hxxp://vi.ivids.net/report3.php 109.201.148.40
hxxp://ivids.net/1.js 162.222.194.11
hxxp://ivids.net/jwplayer1.js 162.222.194.11
hxxp://widgets.amung.us/draw/?w=colored&n=2470&c=000000ffffff&p= 50.23.131.235
hxxp://vi.ivids.net/bck.php?1480466602000 109.201.148.40
hxxp://a5f50dedef.site.internapcdn.net/page-1.htm?lid=937115
hxxp://www.statcounter.com.cdnga.net/counter/counter.js 151.249.90.5
hxxp://ivids.net/player1.swf 162.222.194.11
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=1085413297&t=pageview&_s=1&dl=http://www.ivids.net/page-1.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1276x846&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1777473885&cid=763910521.1480466603&tid=UA-74694740-2&_r=1&z=1229294853
hxxp://a5f50dedef.site.internapcdn.net/css1.css
hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=4768EC11B3054F99C2BAA38B65E80AD8&sc_random=0.6264624061063745&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.ivids.net/page-1.html?lid=937115&u=http://www.ivids.net/page-1.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 104.20.2.47
hxxp://a5f50dedef.site.internapcdn.net/img/logo.png
hxxp://a5f50dedef.site.internapcdn.net/img/lbg.png
hxxp://c.statcounter.com/10114910/0/757d7213/1/ 104.20.2.47
hxxp://cs28.wpc.thetacdn.net/5/10/logo.png
hxxp://ivids.net/ova-jw.swf 162.222.194.11
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 1&mediaDesc=Entertainment videos ivids.net - 1&mediaId=2&mediaUrl=hxxp://www.ivids.net/1.html&srcPageUrl=hxxp://www.ivids.net/1.html&contentLength=300
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=SundaySky,centro,_dmp_turbine,Pulsepoint,TubeMogul-GP,adapTV,TapAd,rocketfuel,1,thetradedesk,Bidswitch,beeswax,appnexus,tremornet,audiencescience,BidTheatre,videoamp,dynadmic,ignitionone,conversant,mediamath,eyeview,google,Videology,dataxu&uid=69be0537b12244c29476d5cd69b6ece4&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://dyhd7e8p4cqed.cloudfront.net/crossdomain.xml
hxxp://dyhd7e8p4cqed.cloudfront.net/static/noad.xml
hxxp://vi.ivids.net/crossdomain.xml 109.201.148.40
hxxp://vi.ivids.net/v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hxxp://www.ivids.net/1.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos ivids.net&LR_FORMAT=application/x-shockwave-flash 109.201.148.40
hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.ivids.net/1.html&contentLength=[CONTENT_LENGTH]
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=beeswax,conversant,appnexus,TubeMogul-GP,adgear,dataxu,SundaySky,dynadmic,videoamp,Videology,rocketfuel,thetradedesk,1,google,BidTheatre,centro,mediamath,_dmp_turbine,audiencescience,Pulsepoint,ignitionone,Bidswitch,eyeview,adapTV,tremornet&uid=69be0537b12244c29476d5cd69b6ece4&init=true
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4
hxxp://thumb.none1366649718.netdna-cdn.com/crossdomain.xml
hxxp://thumb.none1366649718.netdna-cdn.com/abcd.mp4
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.ivids.net/page-1.html?lid=937115 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.ivids.net/img/logo.png 69.88.149.139
hxxp://www.google-analytics.com/analytics.js 173.194.113.192
hxxp://www.hikeemissivity.pw/amg.php 52.222.174.193
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1085413297&t=pageview&_s=1&dl=http://www.ivids.net/page-1.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1276x846&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1777473885&cid=763910521.1480466603&tid=UA-74694740-2&_r=1&z=1229294853 173.194.113.192
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/crossdomain.xml 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=105673728&t=pageview&_s=1&dl=http://www.hikeemissivity.pw/homepage.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323&ul=en-us&de=utf-8&dt=searchbox&sd=24-bit&sr=1276x846&vp=679x392&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=495422830&cid=2093138924.1480466601&tid=UA-74694740-5&_r=1&z=1103281923 173.194.113.192
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.hikeemissivity.pw/jquery.min.js 52.222.174.193
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://l.longtailvideo.com/5/10/logo.png 93.184.221.48
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.howcast.com/wp-content/themes/howcast/images/icons/love.png
hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 1&mediaDesc=Entertainment videos ivids.net - 1&mediaId=2&mediaUrl=hxxp://www.ivids.net/1.html&srcPageUrl=hxxp://www.ivids.net/1.html&contentLength=300 52.21.182.111
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.ivids.net/css1.css 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://thm.vidvib.com/abcd.mp4 94.31.29.128
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://cdn.tremorhub.com/static/noad.xml 52.222.171.29
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=beeswax,conversant,appnexus,TubeMogul-GP,adgear,dataxu,SundaySky,dynadmic,videoamp,Videology,rocketfuel,thetradedesk,1,google,BidTheatre,centro,mediamath,_dmp_turbine,audiencescience,Pulsepoint,ignitionone,Bidswitch,eyeview,adapTV,tremornet&uid=69be0537b12244c29476d5cd69b6ece4&init=true 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=SundaySky,centro,_dmp_turbine,Pulsepoint,TubeMogul-GP,adapTV,TapAd,rocketfuel,1,thetradedesk,Bidswitch,beeswax,appnexus,tremornet,audiencescience,BidTheatre,videoamp,dynadmic,ignitionone,conversant,mediamath,eyeview,google,Videology,dataxu&uid=69be0537b12244c29476d5cd69b6ece4&init=true 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://www.hikeemissivity.pw/homepage.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323 52.222.174.193
hxxp://www.ivids.net/img/lbg.png 69.88.149.139
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://cdn.tremorhub.com/crossdomain.xml 52.222.171.29
hxxp://www.statcounter.com/counter/counter.js 151.249.90.5
hxxp://we1sb-wwcgk.ads.tremorhub.com/crossdomain.xml 52.20.16.82
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://thm.vidvib.com/crossdomain.xml 94.31.29.128
hxxp://www.ivids.net/page-1.htm?lid=937115 69.88.149.139
hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml 52.21.182.111
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hxxp://www.ivids.net/1.html&contentLength=[CONTENT_LENGTH] 52.20.16.82
hxxp://partners.tremorhub.com/syncnoad?rid=495dc957019e4aa586aabd72e8413d05&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191
hxxp://109.201.148.40/bck.php?1480466602000
hxxp://partners.tremorhub.com/syncnoad?rid=6ea770fc1f59433bb667c6047a05261c&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,adgear,Pulsepoint,_dmp_turbine&uid=69be0537b12244c29476d5cd69b6ece4 52.20.69.191


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.763910521.1480466603; _gat=1


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:47:03 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 11 Nov 2014 03:08:25 GMT
ETag: "a1b01-52-5078c97abfc40"
Accept-Ranges: bytes
Content-Length: 82
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>



GET /v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hXXp://VVV.ivids.net/1.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos ivids.net&LR_FORMAT=application/x-shockwave-flash HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.ivids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.763910521.1480466603; _gat=1


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:47:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=6or4a519r4tp1eoeotmth65b26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 514
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<VAST version="2.0">
<Ad id="1"><Wrapper><AdSystem>1</AdSystem><VASTAdTagURI><![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net&mediaDesc=Watch Entertainment videos ivids.net&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.ivids.net/1.html&contentLength=[CONTENT_LENGTH]]]></VASTAdTagURI><Impression/><Creatives></Creatives></Wrapper></Ad>
</VAST>

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Wed, 30 Nov 2016 00:43:28 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
    <!-- Very Liberal -->
    <allow-access-from domain="*" secure="false" />
</cross-domain-policy>



GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos ivids.net - 1&mediaDesc=Entertainment videos ivids.net - 1&mediaId=2&mediaUrl=hXXp://VVV.ivids.net/1.html&srcPageUrl=hXXp://VVV.ivids.net/1.html&contentLength=300 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/ova-jw.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Wed, 30 Nov 2016 00:43:29 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=69be0537b12244c29476d5cd69b6ece4; Domain=.tremorhub.com; Expires=Thu, 30-Nov-2017 06:31:49 GMT; Path=/
Set-Cookie: tvrg_60409="1,1480466609"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Wed, 30-Nov-2016 00:44:29 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
Content-Length: 544
Connection: keep-alive
<<< binary gzip body (544 bytes) skipped >>>

<<< skipped >>>

GET /report3.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:46:49 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8



GET /report3.php HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:46:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://ivids.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Wed, 30 Nov 2016 00:43:25 GMT
Etag: "3015243340"
Expires: Wed, 07 Dec 2016 00:43:25 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
<<< binary PNG body (1845 bytes) skipped >>>

<<< skipped >>>

GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:43:23 GMT
Server: PWS/8.1.41.3
X-Px: ht h0-s1150.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Wed, 30 Nov 2016 10:14:08 GMT
Age: 8955
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
<<< binary gzip body (9529 bytes) skipped >>>

<<< skipped >>>

GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 08:51:05 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Wed, 30 Nov 2016 08:51:05 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /page-1.html?lid=937115 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.hikeemissivity.pw/homepage.php?id=21ACea9xB5LGdPdyy8go&date=2016-11-26&p=none&t=&ca=73996323
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:43:21 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
<<< binary gzip chunked body skipped >>>

<<< skipped >>>

GET /page-1.htm?lid=937115 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.ivids.net/page-1.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:43:22 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Content-Encoding: gzip
<<< binary gzip chunked body skipped >>>

<<< skipped >>>

GET /css1.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1480466603.4768EC11B3054F99C2BAA38B65E80AD8.1.1.1.1.1.1.1.1.1; _ga=GA1.2.763910521.1480466603; _gat=1


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:43:23 GMT
Content-Type: text/css
Content-Length: 1963
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 09:13:53 GMT
ETag: "a1af7-7ab-5077d94d75640"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
A
{
COLOR: #000000;
TEXT-DECORATION: none;
}
A:link
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
A:visited
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
A:hover
{
COLOR: #000000;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 13px;
}
table
{
FONT-SIZE: 10px;
FONT-FAMILY: verdana, Arial, Helvetica, sans-serif;
}
td {font-family:Verdana;font-size:8.5pt}
.body {
BACKGROUND-COLOR: #ffffff;
margin-left: 10%;
margin-right: 10%;
border: 0px solid #979696;
}
.topmenu {
BACKGROUND-COLOR: #eeeeee;
border-bottom: 1px solid #B5B5B5;
height: 35px;
}
.topmenufont
{
COLOR: #B5B5B5;
TEXT-DECORATION: none;
}
.topmenufont:link
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.topmenufont:visited
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.topmenufont:hover
{
COLOR: #B5B5B5;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
TEXT-DECORATION: none;
FONT-SIZE: 12px;
-webkit-font-smoothing: antialiased !important;
text-shadow: 1px 1px 1px rgba(0,0,0,0.004);
}
.logo {
b

<<< skipped >>>

GET /img/lbg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.ivids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1480466603.4768EC11B3054F99C2BAA38B65E80AD8.1.1.1.1.1.1.1.1.1; _ga=GA1.2.763910521.1480466603; _gat=1


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 00:43:23 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1c85-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
<<< binary PNG body (200 bytes) skipped >>>


GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.ivids.net/page-1.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ivids.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 30 Nov 2016 08:51:05 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Wed, 01 Nov 2017 08:51:05 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape(
'


Strings from Dumps

inferno.exe_1596:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nss5457.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss5457.tmp\ExecCmd.dll
"%Program Files%\Dendritic\allegro.exe"
p\ExecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
%Program Files%
\Dendritic\allegro.exe"
\ExecCmd.dll
%SystemRoot%\
eq allegro.exe" | %SystemRoot%\
\find /I "allegro.exe"
\Dendritic\allegro.exe
\allegro.exe"
$$\wininit.ini
e%uy%u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss5457.tmp
nss5457.tmp
rogram Files\Dendritic\allegro.exe"
ecCmd.dll
egro.exe" | %SystemRoot%\System32\find /I "allegro.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nss5457.tmp
"%Program Files%\enormities\inferno.exe"
%Program Files%\enormities
inferno.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsd402B.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\enormities\inferno.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
mities\inferno.exe"
dritic\allegro.exe"

taskeng.exe_2992:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
8 8$8(878
3=4Z4w4
=!=(=0=4=?=>>
5 5U5_5
5b6u6
-131J1X1o1}1
=$=<=\=|=
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
-ieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514

allegro.exe_3288_rwx_00232000_00009000:

.hP9)h


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
