Application.Agent.RA_516401f310
Trojan.Win32.Agent.nexpcf (Kaspersky), Application.Agent.RA (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 516401f3104d731ca24c600b7ae68d76
SHA1: 4bf3796e13745b140cd2b6dd825fea0b5d6e5be3
SHA256: 7c3c07af862a90fa72b5289b9302b21fc5da1d442b1163302b05f8c0879ffb7b
SSDeep: 12288:NblVIlJTCtwfxfKMPoKP87 p78iqMyzvWlg9OSqwWQDqmcAc2nuaWH39lv:N5VIlJpV5P9P8O6ylgdqwWO6ACa4Nl
Size: 619150 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
64350.exe:264
65379565.exe:1336
taskkill.exe:1300
taskkill.exe:1908
tasklist.exe:1144
tasklist.exe:1124
tasklist.exe:136
tasklist.exe:1092
tasklist.exe:1856
tasklist.exe:404
tasklist.exe:324
tasklist.exe:1232
tasklist.exe:612
tasklist.exe:460
tasklist.exe:1956
tasklist.exe:1936
tasklist.exe:1880
tasklist.exe:1284
tasklist.exe:1640
tasklist.exe:1748
tasklist.exe:828
tasklist.exe:436
tasklist.exe:1760
tasklist.exe:820
tasklist.exe:1368
tasklist.exe:376
lausanne.exe:656
find.exe:740
find.exe:264
find.exe:596
find.exe:336
find.exe:492
find.exe:1632
find.exe:1940
find.exe:1548
find.exe:1112
find.exe:1752
find.exe:1312
find.exe:464
find.exe:1796
find.exe:260
find.exe:228
find.exe:1360
find.exe:248
find.exe:860
find.exe:1820
find.exe:808
find.exe:1100
find.exe:412
%original file name%.exe:188
The Application injects its code into the following process(es):
route.exe:628
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 64350.exe:264 makes changes in the file system.
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (0 bytes)
The process 65379565.exe:1336 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\SimpleFC.dll (5289 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\SimpleFC.dll (0 bytes)
The process route.exe:628 makes changes in the file system.
The Application creates and/or writes to the following file(s):
The Application deletes the following file(s):
The process lausanne.exe:656 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst7.tmp\ExecCmd.dll (4 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Program Files%\huebner\route.exe (3259 bytes)
%Program Files%\huebner\settings.dll (11028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ShellLink.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\65379565.exe (3101 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Program Files%\warsaw\lausanne.exe (1036 bytes)
%WinDir%\settings.dll (11028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\64350.exe (1094 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\heaney.lnk (465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
%WinDir%\route.exe (3259 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)
Registry activity
The process 64350.exe:264 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 A8 A7 82 B9 EE 67 9B 51 56 5A 9F CE 8F 3A 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 65379565.exe:1336 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 8C 21 09 5F 49 72 3B 07 98 A8 2E A9 97 39 21"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process route.exe:628 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016100820161009]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016100820161009]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016100820161009]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B2 C6 D7 D8 C4 7B 27 34 A3 A1 BD 04 CA A2 A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016100820161009]
"CachePrefix" = ":2016100820161009:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016100820161009]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016100820161009\"
The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Application modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Application deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process lausanne.exe:656 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 92 C9 7D C3 78 14 6D 3F 9B 02 D8 5C 1F DE 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Application adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"symphonie" = "%Program Files%\huebner\route.exe"
"lausanne" = "%Program Files%\warsaw\lausanne.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 7D 51 A8 C1 C6 2C 96 DD 40 82 08 6C 2B 56 00"
The process find.exe:1312 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 77 9A 50 3A 1C D9 03 5F AC EF B7 9F 5A A7 79"
The process find.exe:464 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 46 33 3E B0 AB A5 64 C4 01 FA 1F 0C 08 3A 0F"
The process find.exe:1796 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 21 01 F0 D3 F4 D8 C7 D6 8F DE FA 90 9D 29 8F"
The process find.exe:260 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 D9 FC F9 70 9A 6B 4F 79 4E A4 D0 58 24 EC CC"
The process find.exe:228 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC B0 A3 05 78 E5 05 D6 86 12 78 87 94 FF 03 04"
The process find.exe:1360 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC F4 5B FC FE D3 93 50 78 9F 69 17 51 1B 64 13"
The process find.exe:248 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 8A 57 2C A5 6E B2 88 4E 44 E6 BD 55 28 62 5D"
The process find.exe:860 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 95 7C A8 18 A9 BD 26 01 AF E4 76 69 E5 12 AA"
The process find.exe:1820 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 79 AA 83 FD 01 00 0C 6C 3C A1 6B 5B F2 D9 45"
The process find.exe:808 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 5F D1 06 E4 E3 07 09 B9 32 94 F5 EE DE 3E 9A"
The process find.exe:1100 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 1F 37 14 66 04 5A 87 DD E0 09 0D 10 9B E6 CD"
The process find.exe:412 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 51 9F A1 9E AC F1 F9 C2 ED 1C 60 B4 C8 3E 0D"
The process %original file name%.exe:188 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD C2 7A C8 E8 13 A2 32 78 CE CD B8 AE 1C C3 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To run automatically each time Windows boots, the Application adds the following links to its file under the registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"unrealizable" = "%Program Files%\huebner\route.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"trespasses" = "%Program Files%\huebner\route.exe"
"chartists" = "%Program Files%\huebner\route.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"carolyn" = "%Program Files%\huebner\route.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 4a70aa2020197bfad5237309b86ea3a7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\64350.exe |
| 06740a333061b0180923e4099c55a250 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\65379565.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst7.tmp\ExecCmd.dll |
| 3a319cd199780e2ff3886a212e418f64 | c:\Program Files\huebner\route.exe |
| 66268335d2869de6471132189c4c5f50 | c:\Program Files\huebner\settings.dll |
| 8b439a95b34588bcb01bbad853d66108 | c:\Program Files\warsaw\lausanne.exe |
| 3a319cd199780e2ff3886a212e418f64 | c:\WINDOWS\dowding.exe |
| 66268335d2869de6471132189c4c5f50 | c:\WINDOWS\settings.dll |
HOSTS file anomalies
The Application modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses.
The modified file is 857 bytes in size. The following entries are added to the hosts file:
| IP address | Hostname |
|---|---|
| 162.222.194.13 | cocomo.tremorhub.com |
| 162.222.194.13 | www.virustotal.com |
| 162.222.194.13 | virustotal.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 278528 | 2536 | 2560 | 3.13622 | b9f20defc9dd650d8dcc7fc5d4708ad4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 116
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
Traffic
GET /counter/counter.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=dd7f4d1b12c304dd433266b859cbb41011475892962; is_unique=sc10114910.1475892962.0; is_visitor_unique=1475892962193900952
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Server: PWS/8.1.41.3
X-Px: ht h0-s1182.p11-fra.cdngp.net
ETag: W/"576924c5-654e"
Cache-Control: max-age=43200
Expires: Sat, 08 Oct 2016 05:43:02 GMT
Age: 30783
Content-Length: 9529
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Tue, 21 Jun 2016 11:28:05 GMT
Connection: keep-alive
<<< skipped >>>
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 10:22:27 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Sat, 09 Sep 2017 10:22:27 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Sat, 08 Oct 2016 02:16:09 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=rocketfuel,dataxu,google,conversant,tremornet,TapAd,centro,SundaySky,mediamath,adapTV,thetradedesk,appnexus,_dmp_turbine,audiencescience,ignitionone,BidTheatre,TubeMogul-GP,beeswax,eyeview,dynadmic,1,Bidswitch,videoamp&uid=630c214908ba48da9c10a4472527bac9&init=true HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:09 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 502
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:10 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 520
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 488
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:11 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 520
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=ignitionone,1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:12 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=1,adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:12 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 462
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=adapTV,dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:12 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=dataxu,tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:13 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 486
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=tremornet,thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:13 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 497
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=thetradedesk,eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:14 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=eyeview,appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:15 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=appnexus,audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:16 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 435
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=audiencescience,centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:15 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=centro,Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:16 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 428
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=Bidswitch,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:17 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:18 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 399
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:18 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:18 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 422
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:19 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:19 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 381
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=videoamp,TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:20 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Length: 420
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=TapAd,_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:21 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /syncnoad?rid=faee6d7ac41846b6a2eb19feefe88219&p=_dmp_turbine&uid=630c214908ba48da9c10a4472527bac9 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partners.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/xml
Date: Sat, 08 Oct 2016 02:16:21 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive
GET /ova-jw.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 10:22:29 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 14:00:26 GMT
ETag: "4403b3-39741-4fbe0551c3280"
Accept-Ranges: bytes
Content-Length: 235329
Cache-Control: max-age=2592000, public
Expires: Sat, 09 Sep 2017 10:22:29 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /10114910/0/757d7213/1/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:02 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
Set-Cookie: __cfduid=dd7f4d1b12c304dd433266b859cbb41011475892962; expires=Sun, 08-Oct-17 02:16:02 GMT; path=/; domain=.statcounter.com; HttpOnly
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1475892962.0; expires=Thu, 07-Oct-2021 02:16:02 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1475892962193900952; expires=Mon, 08-Oct-2018 02:16:02 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 2ee616a7f7754044-SOF
GET /t.php?sc_project=10675947&java=1&security=299981d6&u1=279FC7C3F6444F6B2C4BEEC99E8C066D&sc_random=0.8873945546328857&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://VVV.govids.net/page-4.html?lid=937115&u=http://VVV.govids.net/page-4.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.statcounter.com
Connection: Keep-Alive
Cookie: __cfduid=dd7f4d1b12c304dd433266b859cbb41011475892962; is_unique=sc10114910.1475892962.0; is_visitor_unique=1475892962193900952
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
P3P: policyref="hXXp://VVV.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: is_unique=sc10114910.1475892962.0-10675947.1475892965.0; expires=Thu, 07-Oct-2021 02:16:05 GMT; path=/; domain=.statcounter.com
Set-Cookie: is_visitor_unique=1475892962193900952; expires=Mon, 08-Oct-2018 02:16:05 GMT; path=/; domain=.statcounter.com
Server: cloudflare-nginx
CF-RAY: 2ee616b8c2ee4044-SOF
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Sat, 08 Oct 2016 02:16:08 GMT
ETag: W/"144-1446243360000"
Last-Modified: Fri, 30 Oct 2015 22:16:00 GMT
Server: Apache-Coyote/1.1
Content-Length: 144
Connection: keep-alive
<?xml version="1.0" ?>
<cross-domain-policy>
 <!-- Very Liberal -->
 <allow-access-from domain="*" secure="false" />
</cross-domain-policy>
GET /ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 4&mediaDesc=Home videos, Funny Videos - 4&mediaId=2&mediaUrl=hXXp://VVV.govids.net/4.html&srcPageUrl=hXXp://VVV.govids.net/4.html&contentLength=300&LR_FORMAT=application/x-shockwave-flash HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xlf5t.ads.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Date: Sat, 08 Oct 2016 02:16:08 GMT
P3P: CP='This is not a P3P policy. See hXXp://tremorvideo.com/en/privacy-policy'
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: tvid=630c214908ba48da9c10a4472527bac9; Domain=.tremorhub.com; Expires=Sun, 08-Oct-2017 08:04:29 GMT; Path=/
Set-Cookie: tvrg_60409="1,1475892969"; Version=1; Domain=.tremorhub.com; Max-Age=60; Expires=Sat, 08-Oct-2016 02:17:09 GMT; Path=/
Vary: Accept-Encoding
x-tremorvideo-status: NO_AD
Content-Length: 527
Connection: keep-alive
<<< skipped >>>
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vi.govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:19:52 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 11 Nov 2014 03:08:25 GMT
ETag: "a1b01-52-5078c97abfc40"
Accept-Ranges: bytes
Content-Length: 82
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<cross-domain-policy>
 <allow-access-from domain="*"/>
</cross-domain-policy>
GET /v?LR_PUBLISHER_ID=38834&LR_SCHEMA=vast2-vpaid&LR_AUTOPLAY=1&LR_CONTENT=1&LR_VIDEO_URL=hXXp://VVV.govids.net/4.html&LR_VIDEO_ID=&LR_VIDEO_POSITION=0&LR_PARTNERS=937115&LR_TITLE=Home videos, Funny Videos - 4&LR_FORMAT=application/x-shockwave-flash HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vi.govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:19:53 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=h6jmv8hqkg03fcao096bmsrdh7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Length: 654
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<VAST version="2.0">
<Ad id="1"><Wrapper><AdSystem>1</AdSystem><VASTAdTagURI><![CDATA[hXXp://we1sb-wwcgk.ads.tremorhub.com/ad/tag?adCode=we1sb-fspan&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 4&mediaDesc=Watch Home videos, Funny Videos - 4&mediaId=&mediaUrl=[CONTENT_MEDIA_URL]&srcPageUrl=hXXp://VVV.govids.net/4.html&contentLength=[CONTENT_LENGTH]]]></VASTAdTagURI><Impression><![CDATA[hXXp://z.frightenedomniscient.info/chki.php?ww=tremor&aa=hXXp://VVV.govids.net/4.html&lrp=937115&TIMESTAMP=7520781968]]></Impression><Creatives></Creatives></Wrapper></Ad>
</VAST>
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 10:22:28 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Sat, 09 Sep 2017 10:22:28 GMT
Connection: close
Content-Type: application/x-shockwave-flash
<<< skipped >>>
GET /report1.php?url=/govids/page-4.html?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:19:32 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1475892953000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:19:33 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /report1.php?url=/govids/page-4.htm?lid=937115 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:19:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /bck.php?1475892954000 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 109.201.148.40
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:19:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 0
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 130
Connection: keep-alive
Date: Wed, 21 Sep 2016 06:31:31 GMT
Last-Modified: Thu, 04 Dec 2014 23:41:04 GMT
ETag: "2cf4c5e3d4c1206209355ac1065b0efc"
Accept-Ranges: bytes
Server: AmazonS3
Age: 27782
X-Cache: Hit from cloudfront
Via: 1.1 4cebe2fc1703437d8a79e556e38f6d7a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ck7b-GtQueoonUhQVSCYOksjBgUkg0Sud3qInV_ozIA5pTSNFUex1Q==
<?xml version="1.0" ?>
<cross-domain-policy>
  <!-- Very Liberal -->
  <allow-access-from domain="*" />
</cross-domain-policy>
GET /static/noad.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/ova-jw.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.tremorhub.com
Connection: Keep-Alive
Cookie: tvid=630c214908ba48da9c10a4472527bac9; tvrg_60409="1,1475892969"
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 73
Connection: keep-alive
Date: Wed, 21 Sep 2016 09:04:53 GMT
Last-Modified: Thu, 04 Dec 2014 23:38:15 GMT
ETag: "074455bdeaf186ffa7b220bc14965cd5"
Accept-Ranges: bytes
Server: AmazonS3
Age: 27785
X-Cache: Hit from cloudfront
Via: 1.1 4cebe2fc1703437d8a79e556e38f6d7a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 3tHfr9toMIgSovRJjEZPyCwIUKM3F1MrsA34dF_d_r1utkDHcQkGGQ==
<VAST version="2.0" t:status="NO_AD" xmlns:t="hXXp://tremorhub.com/ssp"/>
GET /draw/?w=colored&n=1289&c=000000ffffff&p= HTTP/1.1
Accept: */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: uid=CgH9H1f4VuKs8FDD3CJiAg==
Connection: Keep-Alive
Host: widgets.amung.us
HTTP/1.1 200 OK
Server: nginx/1.9.6
Date: Sat, 08 Oct 2016 02:16:03 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: keep-alive
Content-Disposition: filename=wau-widget.png
Expires: Mon, 07 Nov 2016 02:16:03 GMT
Cache-Control: max-age=2592000
<<< skipped >>>
GET /img/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1475892955.279FC7C3F6444F6B2C4BEEC99E8C066D.1.1.1.1.1.1.1.1.1; _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Content-Type: image/png
Content-Length: 3856
Connection: keep-alive
Last-Modified: Tue, 10 Jun 2014 14:29:28 GMT
ETag: "a1bf2-f10-4fb7c27bc2200"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
<<< skipped >>>
GET /count.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.clangburkitt.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 47
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<meta http-equiv="refresh" content="300">
GET /itd.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=&rand= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cocomo.tremorhub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 1118
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>
<head>
<title>a</title>
</head>
<body>
<script language="JavaScript" type="text/javascript">
<!--
function reeadCookie(name) {
  var nameEQ = name + "=";
  var ca = document.cookie.split(';');
  for(var i=0;i < ca.length;i++) {
    var c = ca[i];
    while (c.charAt(0)==' ') c = c.substring(1,c.length);
    if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
  }
  return null;
}
function uapcc() {
//var paathname = reeadCookie('tvrg_60409');
//if (paathname.substring(0, 2) == '"4') {
//eraseCookie("tvrg_60409");
var date = new Date();
date.setTime(date.getTime() + (60 * 1000));
var times = Math.floor(Date.now() / 1000);
//document.cookie = "tvrg_60409=1," + times + ";domain=.tremorhub.com;path=/;expires=" + date.toGMTString() + "";
document.cookie = "tvrg_60409=;domain=.tremorhub.com;path=/;expires=-1";
//}
}
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
setInterval(function() {
uapcc();
}, 90);
//-->
</script>
<meta http-equiv="refresh" content="300">
</html>
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 10:22:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Sat, 08 Oct 2016 10:22:27 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Sat, 08 Oct 2016 02:16:07 GMT
Etag: "3015243340"
Expires: Sat, 15 Oct 2016 02:16:07 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
<<< skipped >>>
GET /page-4.html?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:02 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Content-Encoding: gzip
<<< skipped >>>
GET /page-4.htm?lid=937115 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://VVV.govids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Server: CDCE
X-INAP-Cache-Status: HIT
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Content-Encoding: gzip
<<< skipped >>>
GET /css1.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1475892955.279FC7C3F6444F6B2C4BEEC99E8C066D.1.1.1.1.1.1.1.1.1; _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Content-Type: text/css
Content-Length: 1963
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Mon, 10 Nov 2014 08:43:18 GMT
ETag: "a1af0-7ab-5077d27777580"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
<<< skipped >>>
GET /img/lbg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.govids.net
Connection: Keep-Alive
Cookie: sc_is_visitor_unique=rx10675947.1475892955.279FC7C3F6444F6B2C4BEEC99E8C066D.1.1.1.1.1.1.1.1.1; _ga=GA1.2.927114913.1475892955; _gat=1
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 02:16:05 GMT
Content-Type: image/png
Content-Length: 200
Connection: keep-alive
Last-Modified: Thu, 21 Nov 2013 20:06:42 GMT
ETag: "a1bf1-c8-4ebb56fac1880"
Server: CDCE
X-INAP-Cache-Status: EXPIRED
X-INAP-Server: cdce-ams002-003.ams002.internap.com
Accept-Ranges: bytes
GET /cwidget/iebrowser1/000000ffffff.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive
HTTP/1.1 303 See Other
Date: Sat, 08 Oct 2016 02:16:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/draw/?w=colored&n=1289&c=000000ffffff&p=
Set-Cookie: uid=CgH9H1f4VuKs8FDD3CJiAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=.amung.us; path=/
GET /index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.expectionscondon.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 905
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Encoding: gzip
Date: Sat, 08 Oct 2016 02:16:02 GMT
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 dfa2cbb51ec90b28f03125592b887c7d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zxl1_9_HaSYUUTsXo8BbDcGlKz2_CBYFrM2pB85c79VfwCEhV5f_kQ==
<<< skipped >>>
GET /func.js?r=5 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.expectionscondon.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 597
Connection: keep-alive
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 18 Jul 2016 15:25:49 GMT
ETag: "90000001e1520-f7a-537ea953f7333"
Accept-Ranges: bytes
Content-Encoding: gzip
Date: Thu, 06 Oct 2016 23:45:39 GMT
Vary: Accept-Encoding
X-Cache: RefreshHit from cloudfront
Via: 1.1 dfa2cbb51ec90b28f03125592b887c7d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: cUUH8NQv4KTYyYQsO5bRlgwXmo-X6yLDDLrYs-2FhIAUOeT0rFfxFg==
<<< skipped >>>
GET /analytics.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 01:07:51 GMT
Expires: Sat, 08 Oct 2016 03:07:51 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 4091
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /r/collect?v=1&_v=j47&a=747810353&t=pageview&_s=1&dl=http://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=919314600&cid=1159737846.1475892952&tid=UA-74694740-5&_r=1&z=1664864151 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.expectionscondon.pw/index5.php?id=12AokbKFp4pTGJxrNqvl&date=2016-09-23&p=none&t=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Sat, 08 Oct 2016 02:16:02 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GET /r/collect?v=1&_v=j47&a=1657837861&t=pageview&_s=1&dl=http://VVV.govids.net/page-4.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1367249570&cid=927114913.1475892955&tid=UA-74694740-2&_r=1&z=1377978122 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.htm?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Sat, 08 Oct 2016 02:16:05 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GET /1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 10:22:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.5.30
Cache-Control: max-age=0
Expires: Sat, 08 Oct 2016 10:22:26 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-4.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 08 Oct 2016 10:22:25 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Sat, 09 Sep 2017 10:22:25 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());..document.write(unescape(
'
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst7.tmp\ExecCmd.dll
"%Program Files%\huebner\route.exe"
ExecCmd.dll
.reloc
EnumWindows
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst7.tmp
nst7.tmp
rogram Files\huebner\route.exe"
q route.exe" | %SystemRoot%\System32\find /I "route.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst7.tmp
"%Program Files%\warsaw\lausanne.exe"
%Program Files%\warsaw
lausanne.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\warsaw\lausanne.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
rsaw\lausanne.exe"
uebner\route.exe"
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"symphonie" = "%Program Files%\huebner\route.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"lausanne" = "%Program Files%\warsaw\lausanne.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"unrealizable" = "%Program Files%\huebner\route.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"trespasses" = "%Program Files%\huebner\route.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"chartists" = "%Program Files%\huebner\route.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"carolyn" = "%Program Files%\huebner\route.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.