Trojan.NSIS.Androm.3_4f11bdb380
Trojan.NSIS.Androm.3 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4f11bdb380dafa2518053c6d20147a05
SHA1: 0de61c550a355e78874703f6f0aaf5d6f79f5eb6
SHA256: 9a9012840295bc2c62fd9cbe3d3dda692f43536861a40464f4e073d22bff179f
SSDeep: 12288:bl1rDWJwrxfAMvMbNlR74MVVFeoXfQ8ms3tiqexrc40VNEvdxVSM8qfNTuYMvR9k:bPDFVbvoR74MtemfQ8r9luc4009SMz6Q
Size: 782044 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Inbox.com, Inc.
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\Program Files\Chatterley\Microsoft.Win32.TaskScheduler.dll |
| 54f759786ca961f4b1ce8021085fe12e | c:\Program Files\Chatterley\muse.exe |
| fec0684cda5b62962c4ba4f0fd8e07be | c:\Program Files\Chatterley\settings.dll |
| b55a422f81b798459f38d95346e2e6ef | c:\Program Files\Mozilla Firefox\firefox334.exe |
| ea4a13e3ff6f4ad1c1ef028276763641 | c:\Program Files\Politburo\muse.exe |
| 02638c9eb8aebda7769f5e02bf059280 | c:\Program Files\klutzy\daiquiris.exe |
| 8749f1c8fc54d4462dd3aca5d3df367a | c:\Users\"%CurrentUserName%"\AppData\Local\17513.exe |
| 78f6bf2745b434022dc2293d9d830087 | c:\Users\"%CurrentUserName%"\AppData\Local\44758.exe |
| b63fdb3f8bb5dfd5e9cd40dca879c2b8 | c:\Users\"%CurrentUserName%"\AppData\Local\52254.exe |
| 02d9acc78104f89673de7bf362985e7d | c:\Users\"%CurrentUserName%"\AppData\Local\82600.exe |
| d444bca927e6736b3df925b536e80a72 | c:\Users\"%CurrentUserName%"\AppData\Local\98975.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE215.tmp\ExecCmd.dll |
| ea4a13e3ff6f4ad1c1ef028276763641 | c:\Windows\surya.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 1053 bytes in size. The following entries are added to the hosts file:
| IP address | Host name |
|---|---|
| 127.0.0.1 | validation.sls.microsoft.com |
| 162.222.193.86 | aoaomo.tremorhub.com |
| 162.222.193.86 | www.howcast.com |
| 162.222.193.86 | howcast.com |
| 192.192.3.8 | www.virustotal.com |
| 192.192.3.8 | virustotal.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 61440 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 253952 | 2536 | 2560 | 3.13983 | 5b5a2d9d119a78aca9bef9d54b647674 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 521
URLs
| hxxp://partners.tremorhub.com/syncnoad?rid=f9f9f693294d4dda9d88796e65a7e792&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=f9f9f693294d4dda9d88796e65a7e792&p=Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=f9f9f693294d4dda9d88796e65a7e792&p=beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=4c08cc70abf642318f10d01e2fea2beb&p=appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://thm.vidvib.com/crossdomain.xml | |
| hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=4c08cc70abf642318f10d01e2fea2beb&p=Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=4c08cc70abf642318f10d01e2fea2beb&p=BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=f9f9f693294d4dda9d88796e65a7e792&p=thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=f9f9f693294d4dda9d88796e65a7e792&p=Videology,thetradedesk,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=4c08cc70abf642318f10d01e2fea2beb&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 | |
| hxxp://109.201.148.40/bck.php?1481262687000 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=4c08cc70abf642318f10d01e2fea2beb&p=eyeview,appnexus,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=35aa4591987f4da8a59b09874788dd97 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: thm.vidvib.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:43 GMT
Content-Type: application/xml
Content-Length: 82
Connection: keep-alive
Last-Modified: Fri, 20 Jun 2014 22:54:54 GMT
ETag: "1000000015848-52-4fc4c61b7eb80"
Server: NetDNA-cache/2.2
Expires: Mon, 04 Dec 2017 05:51:43 GMT
Cache-Control: max-age=31104000
X-Cache: HIT
Accept-Ranges: bytes

<cross-domain-policy>
 <allow-access-from domain="*"/>
</cross-domain-policy>
GET /abcd.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: thm.vidvib.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:43 GMT
Content-Type: video/mp4
Content-Length: 5784
Connection: keep-alive
Last-Modified: Sun, 04 May 2014 13:45:24 GMT
ETag: "10000000157fb-1698-4f8933a030500"
Server: NetDNA-cache/2.2
Expires: Mon, 04 Dec 2017 05:51:43 GMT
Cache-Control: max-age=31104000
X-Cache: HIT
Accept-Ranges: bytes
GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.unpardonablebonk.pw/homepage.php?id=00ADpy5bCmr8xpKNvrgS&date=2016-11-24&p=none&t=&ca=57105992
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:24 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=d31d7dd25d6c97e3580e66fea40a063221481262684; expires=Sat, 09-Dec-17 05:51:24 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1481262684.0; expires=Wed, 08-Dec-2021 05:51:24 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1481262684270201944; expires=Sun, 09-Dec-2018 05:51:24 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 30e62f6077c54020-SOF
GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=A2708E2476D74FA4AF4A901395C08BFD&sc_random=0.06924211924596024&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.govids.net/page-3.html?lid=937115&u=http://VVV.govids.net/page-3.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d31d7dd25d6c97e3580e66fea40a063221481262684; is_unique=sc10114910.1481262684.0; is_visitor_unique=1481262684270201944
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:28 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1481262684.0-10675947.1481262688.0; expires=Wed, 08-Dec-2021 05:51:28 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1481262684270201944; expires=Sun, 09-Dec-2018 05:51:28 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 30e62f7cc1d74020-SOF
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-3.htm?lid=937115
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.200823402.1481262689; _gat=1
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 13:46:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Fri, 10 Nov 2017 13:46:02 GMT
Connection: close
Content-Type: application/x-shockwave-flash
GET /page-3.html?lid=937115 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.unpardonablebonk.pw/homepage.php?id=00ADpy5bCmr8xpKNvrgS&date=2016-11-24&p=none&t=&ca=57105992
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com

e5b
<meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><img src="hXXp://vi.govids.net/report3.php" border="0" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://govids.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://govids.net/1.js"></script><form action="hXXp://VVV.govids.net/page-4.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { setTimeout(function () { document.forms['redirect'].submit();}, 60 * 1000); document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>
<form action="hXXp://VVV.govids.net/page-3.htm" method="get" name="redirect1"><input type="hidden" name="lid" value="937115"></form><script type="text/javascript"> if (top.location!= self.location) { document.forms['redirect1'].submit();}</script>
<script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floor(Math.random()*items.length)];
<<< skipped >>>
GET /page-3.htm?lid=937115 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.govids.net/page-3.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com

e5c
<meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><img src="hXXp://vi.govids.net/report3.php" border="0" alt="" width="0" height="0"><script type="text/javascript" src="hXXp://govids.net/jwplayer1.js"></script><script>var thecc ="ok";</script><script type="text/javascript" src="hXXp://govids.net/1.js"></script><form action="hXXp://VVV.govids.net/page-4.php" method="get" name="redirect"><input type="hidden" name="lid" value="937115"></form>
<script type="text/javascript"> if (top.location!= self.location) { setTimeout(function () { document.forms['redirect'].submit();}, 60 * 1000); document.write('<head></head><body bgcolor="#ffffff" class="body" topmargin="0" leftmargin="0">');}</script>
<script type="text/javascript"> if (top.location!= self.location) { var rc = document.referrer.split('/')[2];if (rc == window.location.hostname) {document.write('<div id="ova-jwplayer-container" style="position:absolute; top:0px; left:0px;width:300px;height:250px;"></div>');}}</script>
<script type='text/javascript'>
var cb = Math.round(new Date().getTime() / 1000);
var items = Array('mp4:lqbyul0x.mp4','mp4:hc6lawyi.mp4','mp4:iblsdh2f.mp4','mp4:nbsyph4t.mp4','mp4:peyjpa0x.mp4','mp4:9mzecklt.mp4','mp4:vnt9ciyd.mp4','mp4:q5fufgnb.mp4','mp4:lzcpj8vr.mp4','mp4:pfdxi3pj.mp4','mp4:romfc7uu.mp4','mp4:qgmcib5y.mp4','mp4:ifgfn0gh.mp4');
var item = items[Math.floo<<< skipped >>>
GET /css1.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1481262689.A2708E2476D74FA4AF4A901395C08BFD.1.1.1.1.1.1.1.1.1; _ga=GA1.2.200823402.1481262689; _gat=1
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:28 GMT
Content-Type: text/css
Content-Length: 1963
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 08:43:18 GMT
ETag: "a1af0-7ab-5077d27777580"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
GET /img/lbg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1481262689.A2708E2476D74FA4AF4A901395C08BFD.1.1.1.1.1.1.1.1.1; _ga=GA1.2.200823402.1481262689; _gat=1
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:28 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1bf1-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: we1sb-wwcgk.ads.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=35aa4591987f4da8a59b09874788dd97
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Fri, 09 Dec 2016 05:51:38 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive

<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 3&mediaDesc=Watch Home videos, Funny Videos - 3&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.govids.net/3.html&contentLength=[CONTENT_LENGTH] HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: we1sb-wwcgk.ads.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=35aa4591987f4da8a59b09874788dd97
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Fri, 09 Dec 2016 05:51:38 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=35aa4591987f4da8a59b09874788dd97; Domain=.tremorhub.com; Expires=Sat, 09-Dec-2017 11:39:58 GMT; Path=/
Set-Cookie: tvrg_60409="1,1481262698"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Fri, 09-Dec-2016 05:52:38 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
transfer-encoding: chunked
Connection: keep-alive
GET /wp-content/themes/howcast/images/icons/love.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.unpardonablebonk.pw/homepage.php?id=00ADpy5bCmr8xpKNvrgS&date=2016-11-24&p=none&t=&ca=57105992
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.howcast.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:24 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Thu, 17 Nov 2016 01:56:53 GMT
ETag: "5ac000000480130-7f-5417580ef28e0;5424c26f9d7dd"
Accept-Ranges: bytes
Content-Length: 127
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Fri, 09 Dec 2016 05:51:30 GMT
Etag: "3015243340"
Expires: Fri, 16 Dec 2016 05:51:30 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1481262689.A2708E2476D74FA4AF4A901395C08BFD.1.1.1.1.1.1.1.1.1; _ga=GA1.2.200823402.1481262689; _gat=1
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:28 GMT
Content-Type: image/png
Content-Length: 3856
Connection: keep-alive
Last-Modified: Tue, 10 Jun 2014 14:29:28 GMT
ETag: "a1bf2-f10-4fb7c27bc2200"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-001.ams002.internap.com
Accept-Ranges: bytes
GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d31d7dd25d6c97e3580e66fea40a063221481262684; is_unique=sc10114910.1481262684.0; is_visitor_unique=1481262684270201944
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 05:51:28 GMT
Server: PWS/8.1.41.3
X-Px: ht h0-s1150.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Fri, 09 Dec 2016 11:56:17 GMT
Age: 21311
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
<<< skipped >>>
GET /draw/?w=colored&n=1700&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.unpardonablebonk.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Cookie: uid=CgH9JlhKRl2ej3Y1P3/PAg==
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Fri, 09 Dec 2016 05:51:26 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Sun, 08 Jan 2017 05:51:26 GMT
Cache-Control: max-age=2592000
<<< skipped >>>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 13:45:59 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Fri, 09 Dec 2016 13:45:59 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.200823402.1481262689; _gat=1
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 13:46:03 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Fri, 10 Nov 2017 13:46:03 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-3.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 09 Dec 2016 13:45:59 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Fri, 10 Nov 2017 13:45:59 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nssE215.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE215.tmp\ExecCmd.dll
"%Program Files%\Politburo\muse.exe"
tmp\ExecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
$$\wininit.ini
e%uy%u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE215.tmp
nssE215.tmp
rogram Files\Politburo\muse.exe"
ecCmd.dll
e.exe" | %SystemRoot%\System32\find /I "muse.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nssE215.tmp
"%Program Files%\klutzy\daiquiris.exe"
%Program Files%\klutzy
daiquiris.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsxCE17.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\klutzy\daiquiris.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
%Program Files%
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
tzy\daiquiris.exe"
litburo\muse.exe"
taskeng.exe_2844:
.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
.TBvf
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
Mieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
Murl
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Delete the original Trojan file.
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.