Trojan.NSIS.Androm.3_f1b56fd3f8


by malwarelabrobot on December 3rd, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Dapato.opgd (Kaspersky), Trojan.NSIS.Androm.3 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f1b56fd3f82b6a0668d00b9f0d6e991f
SHA1: 746706284d73d5aa51ed9d8bbb66183585a31d24
SHA256: 7ef6c81f3e84c8c5143d3b335e5672115d04772160d79500a0ac688f40ae0140
SSDeep: 12288:bp1rbxDwnxfTMbMbXKHSPxZhwNbjXfeMQYlMfBVS5nyW/34T31fNTuza5y:bDbxAVobo3ZeZDfpQ8Mf7dWi36zJ
Size: 781535 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

insight.exe:260

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
c8ff52bfddc6898c202c08c4a61a3d22 c:\Program Files\Cigna\Microsoft.Win32.TaskScheduler.dll
b868313c73faa9a6a04774171777ad1f c:\Program Files\Cigna\insight.exe
cbd36976f3d63a7643b3a48f2e431d2b c:\Program Files\Cigna\settings.dll
b55a422f81b798459f38d95346e2e6ef c:\Program Files\Mozilla Firefox\firefox334.exe
76c17f5c767ca9e068ec615ec66ab840 c:\Program Files\Reams\insight.exe
1a7ab6b5a166f7caa9b2404ab7a7cb2b c:\Program Files\vent\veen.exe
446ec4b5827a859f122c80ce957781b5 c:\Users\"%CurrentUserName%"\AppData\Local\101492.exe
8749f1c8fc54d4462dd3aca5d3df367a c:\Users\"%CurrentUserName%"\AppData\Local\22858.exe
05cce4a81dbd803b3172822c1c2e4e5e c:\Users\"%CurrentUserName%"\AppData\Local\33570.exe
b63fdb3f8bb5dfd5e9cd40dca879c2b8 c:\Users\"%CurrentUserName%"\AppData\Local\68363.exe
2fe725045049ab95629075e833aee292 c:\Users\"%CurrentUserName%"\AppData\Local\86786.exe
b9380b0bea8854fd9f93cc1fda0dfeac c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5735.tmp\ExecCmd.dll
76c17f5c767ca9e068ec615ec66ab840 c:\Windows\graydon.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which the system consults before DNS to map host names to IP addresses; entries placed here silently redirect or block the named hosts.
The modified file is 1053 bytes in size. The following entries are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 253952 2536 2560 3.13983 5b5a2d9d119a78aca9bef9d54b647674

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 515

URLs

hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=1165869715&t=pageview&_s=1&dl=http://www.everclips.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=24-bit&sr=1276x846&vp=850x480&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=1846596207&cid=662050412.1480685363&tid=UA-74694740-2&_r=1&z=1860945308 173.194.32.161
hxxp://partners.tremorhub.com/syncnoad?rid=f5acf67524fd495e9b9f65741c76182e&p=_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=f5acf67524fd495e9b9f65741c76182e&p=eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://we1sb-wwcgk.ads.tremorhub.com/crossdomain.xml 52.87.42.156
hxxp://partners.tremorhub.com/syncnoad?rid=7d453f8f68f44b70a2603c3562c2dd33&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml 54.164.191.235
hxxp://partners.tremorhub.com/syncnoad?rid=7d453f8f68f44b70a2603c3562c2dd33&p=audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=f5acf67524fd495e9b9f65741c76182e&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=f5acf67524fd495e9b9f65741c76182e&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=7d453f8f68f44b70a2603c3562c2dd33&p=Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://partners.tremorhub.com/syncnoad?rid=7d453f8f68f44b70a2603c3562c2dd33&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,adgear,Pulsepoint,_dmp_turbine&uid=9cfee02f439a4c4c83cb2aab18452d95 107.23.35.51
hxxp://www.everclips.net/img/bgg.png 69.88.149.137


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.662050412.1480685363; _gat=1


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:33:02 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 11 Nov 2014 03:08:25 GMT
ETag: "a1b01-52-5078c97abfc40"
Accept-Ranges: bytes
Content-Length: 82
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>



GET /v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hXXp://VVV.everclips.net/4.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Entertainment videos at everclips.net - 4&LR_FORMAT=application/x-shockwave-flash HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/ova-jw.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: vi.everclips.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.662050412.1480685363; _gat=1


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:33:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=be44f95hgl7u8n5p83og5k8r04; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 540
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<VAST version="2.0">
<Ad id="1"><Wrapper><AdSystem>1</AdSystem><VASTAdTagURI><![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Entertainment videos at everclips.net - 4&mediaDesc=Watch Entertainment videos at everclips.net - 4&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.everclips.net/4.html&contentLength=[CONTENT_LENGTH]]]></VASTAdTagURI><Impression/><Creatives></Creatives></Wrapper></Ad>
</VAST>

<<< skipped >>>

GET /itd.php?id=18A1JUCMV3eakRBtqXG7&date=2016-11-26&p=none&t=&ca=83746763 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*
Referer: hXXp://VVV.hikeemissivity.pw/homepage.php?id=18A1JUCMV3eakRBtqXG7&date=2016-11-26&p=none&t=&ca=83746763
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: aoaomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:29:22 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1325
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
 var c = ca[i];
 while (c.charAt(0)==' ') c = c.substring(1,c.length);
 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 50);
setInterval(function() {
uapcc();
}, 90);
//-->
setInterval( "onl()", 60000);function onl(){if(document.images){document.images['onlv'].src = 'o.php?' + Date.parse(new Date().toString());}}
</script>
<div style="visibility:hidden"><img name="onlv" src="o.php"></div>
<meta http-equiv="refresh" content="300">
</html>

<<< skipped >>>

GET /o.php HTTP/1.1
Accept: */*
Referer: hXXp://aoaomo.tremorhub.com/itd.php?id=18A1JUCMV3eakRBtqXG7&date=2016-11-26&p=none&t=&ca=83746763
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: aoaomo.tremorhub.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:29:22 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html


GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 21:37:07 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Fri, 02 Dec 2016 21:37:07 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hikeemissivity.pw/amg.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive


HTTP/1.1 303 See Other
Date: Fri, 02 Dec 2016 13:29:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1215&c=000000ffffff&p=
Set-Cookie: uid=CgH9I1hBdzA64XhdD1cvAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
0..


GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hikeemissivity.pw/homepage.php?id=18A1JUCMV3eakRBtqXG7&date=2016-11-26&p=none&t=&ca=83746763
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:29:20 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=d28be76477c1f89e70cfffd8c39a1b4b71480685359; expires=Sat, 02-Dec-17 13:29:19 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1480685360.0; expires=Wed, 01-Dec-2021 13:29:20 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1480685360595884582; expires=Sun, 02-Dec-2018 13:29:20 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 30af208bc751405c-SOF



GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=C455A74C5DC64FE1B159613A57DF19D5&sc_random=0.7505999462717157&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.everclips.net/page-4.html?lid=937115&u=http://VVV.everclips.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.htm?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=d28be76477c1f89e70cfffd8c39a1b4b71480685359; is_unique=sc10114910.1480685360.0; is_visitor_unique=1480685360595884582


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:29:23 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1480685360.0-10675947.1480685363.0; expires=Wed, 01-Dec-2021 13:29:23 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1480685360595884582; expires=Sun, 02-Dec-2018 13:29:23 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 30af209ea25a405c-SOF


GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: thm.vidvib.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:29:40 GMT
Content-Type: application/xml
Content-Length: 82
Connection: keep-alive
Last-Modified: Fri, 20 Jun 2014 22:54:54 GMT
ETag: "1000000015848-52-4fc4c61b7eb80"
Server: NetDNA-cache/2.2
Expires: Mon, 27 Nov 2017 13:29:40 GMT
Cache-Control: max-age=31104000
X-Cache: HIT
Accept-Ranges: bytes
<cross-domain-policy>
    <allow-access-from domain="*"/>
</cross-domain-policy>



GET /abcd.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://everclips.net/player1.swf
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: thm.vidvib.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 13:29:40 GMT
Content-Type: video/mp4
Content-Length: 5784
Connection: keep-alive
Last-Modified: Sun, 04 May 2014 13:45:24 GMT
ETag: "10000000157fb-1698-4f8933a030500"
Server: NetDNA-cache/2.2
Expires: Mon, 27 Nov 2017 13:29:40 GMT
Cache-Control: max-age=31104000
X-Cache: HIT
Accept-Ranges: bytes

<<< skipped >>>

GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.everclips.net/page-4.html?lid=937115
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: everclips.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 02 Dec 2016 21:37:07 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Fri, 03 Nov 2017 21:37:07 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
insight.exe_260_rwx_00272000_00009000:

.hP9)h

veen.exe_3828:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsy5735.tmp\ExecCmd.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5735.tmp\ExecCmd.dll
"%Program Files%\Reams\insight.exe"
35.tmp\ExecCmd.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
insight.exe"
\ExecCmd.dll
%SystemRoot%\
eq insight.exe" | %SystemRoot%\
\find /I "insight.exe"
\Reams\insight.exe
\insight.exe"
$$\wininit.ini
e%uy%u
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5735.tmp
nsy5735.tmp
rogram Files\Reams\insight.exe"
ecCmd.dll
ight.exe" | %SystemRoot%\System32\find /I "insight.exe"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy5735.tmp
"%Program Files%\vent\veen.exe"
%Program Files%\vent
veen.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsd4337.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\vent\veen.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows\
%Program Files%
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
\vent\veen.exe"
eams\insight.exe"

taskeng.exe_3736:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
